FreeBSD Intranet PPP Firewall How-To
by Brian 'Astrolox' Wojtczak <[email protected]>
Purpose
The purpose of this document is to explain how to connect an intranet
to the internet via a PPP link with a firewall. This document is created
from personal experience in setting up firewalls on FreeBSD and covers
Network Address Translation (NAT) with natd.
Assumptions
This document makes the following assumptions:
- You know what a firewall is.
- You know the very basics of unix commands, including how to create, edit,
copy, move and remove files.
- The computer you wish to install a firewall on is installed and boots
into multi-user mode OK.
- You have console access to the computer.
- That the firewall will be connecting an intranet to the internet via
a PPP connection.
If you are connecting to the internet via some means other than PPP, then
you may find this document can still help you. Most of it, however, will
be irrelevant.
If you are not connecting an intranet to the internet then I think you
will probably not benefit from this document.
Configuration
You will need to know the following information to be able to configure
the firewall correctly:
- Root password :->
- Intranet IP address(es)
- PPP dial-up user name, password and phone number
- Which computers should be allowed access to the internet and which
should not
- Which, if any, of the intranet computers will be running ICQ
Overview
During the installation the following steps will be taken:
- Install the necessary files
- Configure the kernel
- Configure the firewall rules
- Configure the gateway
- Configure the ppp link
- Modify the startup files
- Recompile the kernel
Step One - Install the necessary files
To install a firewall you will need the source code for the kernel,
natd and ipfw. You should find that both natd and ipfw are installed
along with the base system. If they are not installed you will need to
install them with the kernel source. To see if they are installed, do
the following as root:
# find / -name natd -print
# find / -name ipfw -print
You can use the sysinstall program to install these files if they are
missing from your system. When in the menu select Configure, then
Packages, then All. Then find the files in the list and press space
to select them for installation. To install the kernel source you may
find it easier to select Configure, then Distributions, then Source. To
run sysinstall, do the following:
# /stand/sysinstall
Step Two - Configure the kernel
Note: If you are not using an Intel-based computer,
then replace i386 with the architecture of the computer you are using.
Either i386, alpha, or pc98.
# cd /usr/src/sys/i386/conf
# cp GENERIC MYKERNEL
Now edit the MYKERNEL file and add the following to it:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=20
options IPDIVERT
Now, look through the file for a line that looks like the one below.
N will be a number; if it is 0 or less, change it to 1. If it is 1 or
more, leave it alone.
pseudo-device tun N
Save the file.
Step Three - Configure the firewall rules
For now, I suggest that you use an open firewall, one which lets
anything through. Although this is not secure, it is simple to
understand and very easy to reconfigure once you are sure that the
new kernel works OK. To make an open firewall, edit the
/etc/rc.firewall file so that it looks like this:
# Start
# Allow Network Translation, DO NOT change this ever!
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via tun0
# Allow Everything, Change this at a later date
/sbin/ipfw add pass all from any to any
# Allow loopback, DO NOT change this ever!
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8
# End
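The open ruleset above is meant to be replaced once the new kernel is known to work. The following restrictive /etc/rc.firewall for the same tun0 + natd layout is an added example, not the How-To's own file and not FreeBSD's stock rc.firewall; the intranet network 192.168.1.0/24 is an assumption, and the ICQ port range must match the redirect_port line(s) in your natd.conf.

```shell
#!/bin/sh
# Restrictive replacement for the open /etc/rc.firewall of this How-To.
# ipfw evaluates rules in number order and the first match wins, so the
# divert rule must come before any rule that looks at inside addresses
# on the inbound path.
fwcmd="/sbin/ipfw"
oif="tun0"               # the PPP link, as in the How-To
inet="192.168.1.0/24"    # ASSUMED intranet network: replace with yours
icq_ports="2000-2100"    # the redirect_port range used in natd.conf

rule() { printf '%s\n' "$*"; }

firewall_rules() {
    rule add 100 pass all from any to any via lo0
    rule add 200 deny all from any to 127.0.0.0/8
    rule add 300 divert natd all from any to any via $oif
    # anti-spoofing: nothing on the PPP link may claim an intranet source
    rule add 400 deny log all from $inet to any in via $oif
    rule add 500 pass tcp from any to any established
    rule add 600 pass all from any to any frag
    # intranet hosts may open anything; the translated packet leaves via $oif
    rule add 700 pass all from $inet to any
    rule add 800 pass all from any to any out via $oif
    # UDP replies natd translated back to an inside host (unmapped inbound
    # UDP keeps the public address and falls through to rule 65000), and
    # DNS answers for the gateway itself (ppp's "enable dns")
    rule add 900 pass udp from any to $inet in via $oif
    rule add 1000 pass udp from any 53 to any in via $oif
    # inbound ICQ connections that natd's redirect_port forwards
    rule add 1100 pass tcp from any to $inet $icq_ports in via $oif setup
    rule add 1200 pass icmp from any to any icmptypes 0,3,11
    rule add 65000 deny log all from any to any
}

apply_firewall() {
    $fwcmd -f flush
    firewall_rules | while read -r r; do
        $fwcmd $r
    done
}

# Load the rules only where ipfw exists, i.e. on the FreeBSD gateway.
if [ -x "$fwcmd" ]; then
    apply_firewall
fi
```

Denied packets are logged because the kernel was built with IPFIREWALL_VERBOSE; IPFIREWALL_VERBOSE_LIMIT=20 caps how many lines each rule logs.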
Step Four - Configure the gateway
Configuring the gateway would be simple if it were not for ICQ. If
none of your intranet computers are running ICQ, you can relax for a
while ;-)
To start, create a /etc/natd.conf file to hold the
configuration. Its mode should be 644, which looks like this if you do
an ``ls -l'':
-rw-r--r-- 1 root wheel 0 May 12 16:31 /etc/natd.conf
In the file you just created, add the following:
# Start
log no
deny_incoming no
same_ports yes
dynamic yes
verbose no
interface tun0
# ICQ stuff goes here
# End
For every machine on the intranet that wants to run ICQ, you must add
one line to this file which looks like the one below. Remember to
replace ``IP'' with the IP address of the computer that wishes to run
ICQ. Also change the port number ranges so that they are different on
each line. A simple way to do this is to just add 100 to the numbers
of the last line. Both ranges on the same line MUST be equal.
For example:
redirect_port tcp IP:2000-2100 2000-2100
If you have an NT machine on your intranet that wishes to be a VPN
host, you must add the following:
pptpalias IP
Again, replace the ``IP'' above with the machine's IP address.
The gateway configuration is now done.
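A check for the redirect_port lines described above, written here as an added example (it is not part of the How-To or of natd): it reads a natd.conf on standard input, verifies that the local and public ranges on each line are the same size, and reports any two lines whose public ranges share a port. The sample configuration inside it is constructed.

```shell
#!/bin/sh
# check_natd_redirects: validate the redirect_port lines of a natd.conf
# read from standard input. Two constraints are checked:
#   1. the local (IP:lo-hi) range and the public lo-hi range on one line
#      must be the same size;
#   2. public ranges on different lines must not share any port.
# Exit status is 0 when every line passes, 1 otherwise.
check_natd_redirects() {
    awk '
    BEGIN { bad = 0 }
    $1 == "redirect_port" {
        n = split($3, tgt, ":")            # tgt[n] is the local lo-hi part
        split(tgt[n], local, "-")
        split($4, alias, "-")
        if (local[2] == "") local[2] = local[1]   # single port, no range
        if (alias[2] == "") alias[2] = alias[1]
        if (local[2] - local[1] != alias[2] - alias[1]) {
            print "line " NR ": " tgt[n] " and " $4 " are not the same size"
            bad = 1
        }
        for (i in lo)
            if (alias[1] + 0 <= hi[i] + 0 && alias[2] + 0 >= lo[i] + 0) {
                print "line " NR ": public range " $4 " overlaps line " i
                bad = 1
            }
        lo[NR] = alias[1]
        hi[NR] = alias[2]
    }
    END { exit bad }'
}

# Constructed sample: the second public range starts at 2100, the port
# where the first one ends, so the two lines share a port and the check
# reports an overlap.
sample_conf='interface tun0
redirect_port tcp 192.168.1.10:2000-2100 2000-2100
redirect_port tcp 192.168.1.11:2100-2200 2100-2200'

check_sample() { printf '%s\n' "$sample_conf" | check_natd_redirects; }

# Usage: sh natd-check.sh /etc/natd.conf
if [ -n "${1:-}" ]; then
    check_natd_redirects < "$1"
fi
```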
Step Five - Configure the ppp link
PPP is not simple to explain when you are trying to cater for the
entire world. It has so many different configurations that it makes
baked beans on toast look easy :-> You will need to edit the file
/etc/ppp/ppp.conf. If the file does not exist, then copy the
sample to it and edit that instead.
If your ISP accepts PAP and does not require anything special (most do)
then you can use my example below. However you may need to change the
device name. /dev/cuaa0 for COM 1 and /dev/cuaa1
for COM 2, etc... If you are unsure which com port your modem is on
then the easy way to find out is to send lots of data to each comport
in turn and watch to see if the lights flash on the modem or not. If
your modem is internal then I suggest you upgrade or play trial and
error.
# /etc/ppp/ppp.conf - Start
default:
 set device /dev/cuaa1
 set speed 115200
 # the following string should all be on one line - HINT HINT!
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" OK-AT-OK ATE1Q0L0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
 set timeout 30
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns
myisp:
 set phone "PUT THE PHONE NUMBER HERE"
 set authname "PUT YOUR USER NAME HERE"
 set authkey "PUT YOUR PASSWORD HERE"
# End
Step Six - Modify the startup files
In the file /etc/rc.conf place the following lines at the
bottom.
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
ppp_enable="YES"
ppp_mode="auto"
ppp_profile="myisp"
ppp_nat="NO"
# End
The auto in that file will make the ppp program automatically dial
every time someone tries to connect to anywhere not on the local
intranet. If you want the link to be active all the time use ddial
instead.
Step Seven - Recompile the kernel
Use the following commands:
# cd /usr/src/sys/i386/conf
# /usr/sbin/config MYKERNEL
# cd ../../compile/MYKERNEL
# make depend
# make
# make install
# shutdown -r now
When the system comes back up, it will be your intranet's firewall.
However, you will notice that recompiling the kernel can take a very
long time. If you are short on time then put the above commands in
a shell script and run that; however, if something goes wrong then
you will have a hell of a time finding out what it was.
Comments / Disclaimer
All amendments to this document will be posted on the internet to
the web site http://www.astrolox.com/. If you
have noticed any mistakes I may have made please send the corrections
to my email address
with the subject containing "FreeBSD Tutorial" somewhere.
Thank you.
I think that is all. If this doesn't work for you then read the
correct docs. If it does then brilliant. If you lose data, money
or anything else because of this (including but not limited to
sanity, life, happiness) then I am not to blame. Thanks for
reading.
The author of this document is Brian 'Astrolox' Wojtczak and can be
contacted via his web page at http://www.astrolox.com/. This
document may be copied, redistributed and updated with the condition
that the author is given credit for the original work. The disclaimer
is at the bottom of the file.