The FreeBSD 'zine

June 2000 : System Administration

FreeBSD Intranet PPP Firewall How-To
by Brian 'Astrolox' Wojtczak <[email protected]>

Purpose

The purpose of this document is to explain how to connect an intranet to the internet via a PPP link through a firewall. It is written from personal experience of setting up firewalls on FreeBSD and covers Network Address Translation (NAT), which lets the whole intranet share the single address your ISP gives you.

Assumptions

This document makes the following assumptions:

  1. You know what a firewall is.
  2. You know the very basics of Unix commands, including how to create, edit, copy, move and remove files.
  3. The computer you wish to install the firewall on is installed and boots into multi-user mode without problems.
  4. You have console access to the computer.
  5. That the firewall will be connecting an intranet to the internet via a PPP connection.

If you are connecting to the internet via some means other than PPP, then you may find this document can still help you. Most of it, however, will be irrelevant.

If you are not connecting an intranet to the internet then I think you will probably not benefit from this document.

Configuration

You will need to know the following information to be able to configure the firewall correctly:

  1. Root password :->
  2. Intranet IP address(es)
  3. PPP dial-up user name, password and phone number
  4. Which computers should be allowed access to the internet and which should not
  5. Which, if any, of the intranet computers will be running ICQ

Overview

During the installation the following steps will be taken:

  • Install the necessary files
  • Configure the kernel
  • Configure the firewall rules
  • Configure the gateway
  • Configure the ppp link
  • Modify the startup files
  • Recompile the kernel

Step One - Install the necessary files

To install a firewall you will need the kernel source code plus the natd and ipfw programs. Both programs are part of the base system (the ``bin'' distribution) and live in /sbin, so they should already be there. To check, do the following as root:

	# ls -l /sbin/ipfw /sbin/natd

If either is missing, reinstall the bin distribution with the sysinstall program: select Configure, then Distributions, then bin. The kernel source is installed the same way: select Configure, then Distributions, then Source (the sys part is the one the kernel build needs). To run sysinstall, do the following:

	# /stand/sysinstall

Step Two - Configure the kernel

Note: If you are not using an Intel-based computer, then replace i386 with the architecture of the computer you are using: i386, alpha or pc98.

	# cd /usr/src/sys/i386/conf
	# cp GENERIC MYKERNEL

Now edit the MYKERNEL file and add the following to it:

	options IPFIREWALL
	options IPFIREWALL_VERBOSE
	options IPFIREWALL_VERBOSE_LIMIT=20
	options IPDIVERT

Now look through the file for a line that looks like the one below. N is the number of tun (tunnel) devices to build into the kernel, and ppp needs one of them for the link. If N is 0, make it 1; if it is 1 or more, leave it alone; if the line has no number at all, leave it as it is.

	pseudo-device   tun     N

Save the file.

Step Three - Configure the firewall rules

For now, I suggest that you use an open firewall: one which lets anything through. Although this is not secure, it is simple to understand and very easy to reconfigure once you are sure that the new kernel works. One thing to get right even in an open set is the order. ipfw matches rules in number order, and a rule added without a number is placed after the last rule already in the list; if the loopback rules were added last, the ``deny ... 127.0.0.0/8'' rule would sit behind the pass-everything rule and never match. To make an open firewall, edit the /etc/rc.firewall file so that it looks like this:

	# Start
	# Flush the old rules, then allow loopback. DO NOT change these ever!
	/sbin/ipfw -f flush
	/sbin/ipfw add 100 pass all from any to any via lo0
	/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

	# Allow Network Address Translation, DO NOT change this ever!
	# Every packet crossing the PPP link is handed to natd and then
	# re-enters the list at the rule after this one.
	/sbin/ipfw add 300 divert natd all from any to any via tun0

	# Allow everything else. Change this at a later date!
	/sbin/ipfw add 65000 pass all from any to any

	# End
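The ``change this at a later date'' step, as an added example that is not part of the original article: a closed-by-default rule set for the same natd/tun0 gateway. The intranet interface fxp0, the network 192.168.1.0/24, the two ICQ hosts with their port ranges and the file name are assumptions; replace them with your own values. It keeps the article's single divert rule and uses only stateless rules, which behave the same on the ipfw of the article's era and on later releases.

```sh
#!/bin/sh
# Added example, not from the original article: a closed-by-default rule set
# for the natd/PPP gateway.  Assumed (hypothetical) values: intranet
# 192.168.1.0/24 on fxp0, PPP link on tun0, the gateway offers no public
# services, two ICQ hosts matching the redirect_port lines in /etc/natd.conf.
IPFW="${IPFW:-/sbin/ipfw}"            # IPFW=echo prints the commands instead of loading them
EXT_IF="${EXT_IF:-tun0}"              # the interface natd diverts on
INT_IF="${INT_IF:-fxp0}"              # intranet interface (assumption)
INT_NET="${INT_NET:-192.168.1.0/24}"  # intranet address block (assumption)
# ICQ hosts as "ip:firstport-lastport", one per word, same values as natd.conf
ICQ_HOSTS="${ICQ_HOSTS:-192.168.1.10:2000-2100 192.168.1.11:2100-2200}"

# emit_rules prints the rule list, one "add ..." line per rule, in match order.
emit_rules() {
    # Loopback, as in the article.
    echo "add 100 allow ip from any to any via lo0"
    echo "add 200 deny ip from any to 127.0.0.0/8"
    echo "add 300 deny ip from 127.0.0.0/8 to any"
    # Anti-spoofing on the PPP link.  These sit BEFORE the divert rule so they
    # see the packet as it arrived, not as natd rewrote it.
    echo "add 400 deny ip from 10.0.0.0/8 to any in via $EXT_IF"
    echo "add 410 deny ip from 172.16.0.0/12 to any in via $EXT_IF"
    echo "add 420 deny ip from 192.168.0.0/16 to any in via $EXT_IF"
    echo "add 430 deny ip from any to $INT_NET in via $EXT_IF"
    # Network address translation: the same single divert rule as the article.
    # Packets re-enter the list at the next rule, inbound ones now carrying
    # their intranet destination address.
    echo "add 500 divert natd ip from any to any via $EXT_IF"
    # Intranet side: trust the LAN segment in both directions.
    echo "add 600 allow ip from $INT_NET to any in via $INT_IF"
    echo "add 610 allow ip from any to $INT_NET out via $INT_IF"
    # Outbound sessions may start; inbound TCP sessions may not.
    echo "add 700 allow tcp from any to any out via $EXT_IF setup"
    echo "add 710 allow tcp from any to any established"
    echo "add 720 allow udp from any to any out via $EXT_IF"
    echo "add 730 allow udp from any 53 to any in via $EXT_IF"   # DNS answers
    # ICMP: echo request/reply, unreachable and time-exceeded only.
    echo "add 800 allow icmp from any to any icmptypes 0,3,8,11"
    # Inbound ICQ: one rule per redirect_port line, after the divert rule so
    # the destination is already the intranet host.
    n=900
    for h in $ICQ_HOSTS; do
        echo "add $n allow tcp from any to ${h%%:*} ${h#*:} in via $EXT_IF setup"
        n=$((n + 10))
    done
    # Everything else is dropped and logged (IPFIREWALL_VERBOSE_LIMIT caps the rate).
    echo "add 65000 deny log ip from any to any"
}

# apply_rules flushes the old list and loads the new one, stopping at the first
# rule ipfw rejects so that a typo does not go unnoticed.
apply_rules() {
    "$IPFW" -q -f flush || return 1
    emit_rules | while read -r rule; do
        "$IPFW" -q $rule || exit 1    # word splitting of $rule is intended
    done || return 1
}

case "${1:-}" in
    show)  emit_rules ;;
    apply) apply_rules ;;
esac
```

Run ``sh /etc/rc.firewall.closed show'' to review the list (the file name is an assumption) and ``IPFW=echo sh /etc/rc.firewall.closed apply'' for a dry run; once you are happy, have /etc/rc.firewall call it with apply in place of the open rules above. If you later move to keep-state rules, the single divert rule no longer works as is: natd rewrites the addresses between the rule that creates the state and the reply that must match it, so the divert has to be split into separate in and out rules with the state created and checked on the intranet addresses.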

Step Four - Configure the gateway

Configuring the gateway would be simple if it were not for ICQ. If none of your intranet computers are running ICQ, you can relax for a while ;-)

To start, create a /etc/natd.conf file to hold the configuration. Its mode should be 644, which looks like this if you do an ``ls -l'':

	-rw-r--r--	1 root	wheel	0 May 12 16:31	/etc/natd.conf

In the file you just created, add the following:

	# Start
	log no
	deny_incoming no
	same_ports yes
	dynamic yes
	verbose no
	interface tun0

	# ICQ stuff goes here

	# End

For every machine on the intranet that wants to run ICQ, you must add one line to this file which looks like the one below. Replace ``IP'' with the IP address of the computer that will run ICQ. The port ranges must be different on each line, because all of them are mapped onto the one external address your ISP gives you; a simple way to do this is to add 100 to the numbers of the previous line. The two ranges on the same line MUST be the same size, and keeping them identical is the simplest way to ensure that. For example:

	redirect_port tcp IP:2000-2100 2000-2100

Note that redirect_port only tells natd where to send the incoming connections. Once you close the firewall later on, you will also need an ipfw rule that lets TCP connections to those ports in on tun0.

If you have an NT machine on your intranet that needs to accept PPTP VPN connections, you must add the following:

	pptpalias IP

Again, replace ``IP'' above with the machine's IP address.

The gateway configuration is now done.

Step Five - Configure the ppp link

PPP is not simple to explain when you are trying to cater for the entire world. It has so many different configurations that it makes baked beans on toast look easy :-> You will need to edit the file /etc/ppp/ppp.conf. If the file does not exist, then copy the sample to it and edit that instead. Since this file holds your ISP password, make it readable by root only (mode 600).

If your ISP accepts PAP and does not require anything special (most do) then you can use my example below. However you may need to change the device name: /dev/cuaa0 for COM 1, /dev/cuaa1 for COM 2, etc. If you are unsure which COM port your modem is on, the easy way to find out is to send some data to each port in turn and watch whether the lights on the modem flash. If your modem is internal then I suggest you upgrade or play trial and error.

In ppp.conf the labels (``default:'', ``myisp:'') must start in the first column and every command line beneath a label must be indented. The ``set dial'' chat script is a list of expect/send pairs and must be all on ONE line, however long it gets: expect nothing and send AT; expect OK (sending AT once more if it does not arrive) and send ATE1Q0L0M0; expect OK, pause, and dial; then wait up to 40 seconds for CONNECT.

	# /etc/ppp/ppp.conf - Start

	default:
	 set device /dev/cuaa1
	 set speed 115200
	 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0L0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"
	 # seconds of idle time before the link is dropped
	 set timeout 30
	 # placeholder local/remote addresses; the /0 means accept whatever the ISP assigns
	 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
	 add default HISADDR
	 enable dns

	myisp:
	 set phone "PUT THE PHONE NUMBER HERE"
	 set authname "PUT YOUR USER NAME HERE"
	 set authkey "PUT YOUR PASSWORD HERE"

	# End

Step Six - Modify the startup files

In the file /etc/rc.conf place the following lines at the bottom. Note that there is no space before the = signs: rc.conf is read by the shell, and ``natd_flags ="..."'' would be run as a command rather than treated as an assignment, leaving natd without its configuration file.

	firewall_enable="YES"
	firewall_type="OPEN"
	gateway_enable="YES"
	natd_enable="YES"
	natd_interface="tun0"
	natd_flags="-f /etc/natd.conf"
	ppp_enable="YES"
	ppp_mode="auto"
	ppp_profile="myisp"
	ppp_nat="NO"

	# End

firewall_enable runs /etc/rc.firewall at boot. firewall_type is only consulted by the stock version of that script, so with the file replaced as in Step Three it is harmless; set it anyway, so that restoring the stock script later gives you the same open set rather than the default, which loads no rules and therefore blocks everything. gateway_enable turns on forwarding of packets between the interfaces. ppp_nat="NO" matters: ppp has its own built-in address translation, and since natd is doing that job here, leaving ppp's enabled would translate every packet twice.

The auto in that file will make the ppp program dial automatically every time someone tries to connect to anywhere not on the local intranet. If you want the link to be active all the time use ddial instead.

Step Seven - Recompile the kernel

Use the following commands:

	# cd /usr/src/sys/i386/conf
	# /usr/sbin/config MYKERNEL
	# cd ../../compile/MYKERNEL
	# make depend
	# make
	# make install
	# shutdown -r now

When the system comes back up, it will be your intranet's firewall. You will notice that recompiling the kernel can take a very long time. If you are short on time then put the above commands in a shell script and run that; however, if something goes wrong you will have a hard time finding out what it was. Two things to be aware of: a kernel built with IPFIREWALL denies all traffic until rules are loaded, so if /etc/rc.firewall contains a typo and fails, the machine will come up unreachable over the network (this is why Assumption 4, console access, matters); and ``make install'' keeps the previous kernel as /kernel.old, which you can boot from the loader prompt if the new one does not boot at all.
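Step Two's checks and the build commands above, as one added script that is not part of the original article: it refuses to build if MYKERNEL lacks any of the four firewall options or has a tun count below 1, logs every build step to a file so that a failure is easy to find, and stops at the first error. The log path and the ``check''/``build'' arguments are assumptions; the paths are the article's own.

```sh
#!/bin/sh
# Added example, not from the original article: validate MYKERNEL before
# building it, then run the build steps above with every line logged.
# Assumed (hypothetical): the log path and the command names "check"/"build".
ARCH="${ARCH:-i386}"                  # alpha or pc98 on those machines
KERNCONF="${KERNCONF:-MYKERNEL}"
CONFDIR="${CONFDIR:-/usr/src/sys/$ARCH/conf}"
LOG="${LOG:-/var/log/kernel-build.log}"

# check_kernel_config FILE: print one line per problem, return 1 if any.
# Checks the four options from Step Two and that "pseudo-device tun" has a
# count of at least 1 (a missing count is taken as 1).
check_kernel_config() {
    cfg="$1"; problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    for opt in IPFIREWALL IPFIREWALL_VERBOSE IPFIREWALL_VERBOSE_LIMIT IPDIVERT; do
        case $opt in
            IPFIREWALL_VERBOSE_LIMIT) pat="$opt=[0-9]+" ;;   # needs a value
            *)                        pat="$opt" ;;
        esac
        # Anchor both ends so IPFIREWALL does not match IPFIREWALL_VERBOSE.
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+$pat([[:space:]]|\$)" "$cfg"; then
            echo "missing: options $opt"; problems=1
        fi
    done
    tunline=$(grep -E '^[[:space:]]*pseudo-device[[:space:]]+tun([[:space:]]|$)' "$cfg" | head -n 1)
    if [ -z "$tunline" ]; then
        echo "missing: pseudo-device tun"; problems=1
    else
        count=$(echo "$tunline" | awk '{ print $3 }')
        case $count in
            ''|[!0-9]*) count=1 ;;      # no count (or only a comment) means 1
        esac
        if [ "$count" -lt 1 ]; then
            echo "pseudo-device tun count is $count; set it to 1"; problems=1
        fi
    fi
    return $problems
}

# build_kernel: config, make depend, make, make install, in a subshell so the
# cd's do not leak, with stdout and stderr appended to $LOG.  The first failing
# step ends the run, so the cause is at the end of the log.
build_kernel() {
    check_kernel_config "$CONFDIR/$KERNCONF" || return 1
    (
        set -e
        cd "$CONFDIR"
        /usr/sbin/config "$KERNCONF"
        cd "../../compile/$KERNCONF"
        make depend
        make
        make install
    ) >>"$LOG" 2>&1 || { echo "build failed; last lines of $LOG:"; tail -n 20 "$LOG"; return 1; }
    echo "kernel installed (previous one saved as /kernel.old); reboot with: shutdown -r now"
}

case "${1:-}" in
    check) check_kernel_config "$CONFDIR/$KERNCONF" ;;
    build) build_kernel ;;
esac
```

Run it with ``check'' first; it prints nothing and exits 0 when MYKERNEL is complete. ``build'' repeats the check and then does the work, so a configuration mistake is reported in seconds instead of after a long compile.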

Comments / Disclaimer

All amendments to this document will be posted on the internet to the web site http://www.astrolox.com/. If you have noticed any mistakes I may have made please send the corrections to my email address with the subject containing "FreeBSD Tutorial" somewhere. Thank you.

I think that is all. If this doesn't work for you then read the correct docs. If it does then brilliant. If you lose data, money or anything else because of this (including but not limited to sanity, life, happiness) then I am not to blame. Thanks for reading.


The author of this document is Brian 'Astrolox' Wojtczak and can be contacted via his web page at http://www.astrolox.com/. This document may be copied, redistributed and updated with the condition that the author is given credit for the original work. The disclaimer is at the bottom of the file.

Copyright 1998-2000, The FreeBSD 'zine