Purpose:

The purpose of this document is to explain how to connect an intranet to the internet via a PPP link with a firewall. This document is created from personal experience in setting up firewalls on FreeBSD and covers Network Address Translation (NAT) with natd.

Assumptions:

This document makes the following assumptions;

1. You know what a firewall is.
2. You know the very basics of Unix commands, including how to create, edit, copy, move and remove files.
3. The computer you wish to install a firewall on is installed and boots up into multi-user mode ok.
4. You have console access to the computer.
5. That the firewall will be connecting an intranet to the internet via a PPP connection.

If you are connecting to the internet via some means other than PPP then you may find this document can still help you, but most of it will be irrelevant. If you are not connecting an intranet to the internet then I think you will probably not benefit from this document. Also, this document looks at modems, not ISDN, so ISDN users will only find parts of this document relevant.

Configuration:

You will need to know the following information to be able to configure the firewall correctly;

1. Root password :>
2. The computer's intranet IP address
3. The computer's PPP dial-up user name, password and phone number
4. Which computers should be allowed access to the internet and which should not
5. Which, if any, of the intranet computers will be running ICQ

Overview:

During the installation the following steps will be taken;

1. Install the necessary files
2. Configure the kernel
3. Configure the firewall rules
4. Configure the gateway
5. Configure the ppp link
6. Modify the startup files
7. Recompile the kernel

Step One – Install the necessary files:

To install a firewall you will need the source code for the kernel, plus the natd and ipfw programs. You should find that both natd and ipfw are installed along with the base system. If they are not installed you will need to install them along with the kernel source. To see if they are installed, run the following commands.

# find / -name natd -print
# find / -name ipfw -print

Ignoring any permission denied messages (of which you should get none, because you are in the root account), if you get no output then the program needs to be installed.

To install these files you can use the sysinstall program. When in the menu select Configure, Packages, All. Then find the files in the list and press space to select them for installation. To install the kernel source you may find it simpler to select Configure, Distributions, Source. To run sysinstall under FreeBSD 3.3 use the following command.

# /stand/sysinstall

Step Two – Configure the kernel:

Use the following commands.

Note: if you are not using an Intel computer then replace i386 with the arch of the computer you are using. Either i386, alpha or pc98.

# cd /usr/src/sys/i386/conf
# cp GENERIC MYKERNEL

Now edit the file MYKERNEL. Generally, unless you know what you are doing, leave the contents of the file as they are. You must add the following lines to the file below the line that starts with config kernel root on ???

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=20
options IPDIVERT

Now look through the file for a line that looks like the following. N will be a number; if this number is 0 or less then make it 1. If it is 1 or more then leave it alone.

pseudo-device tun N

Save the file and the kernel is configured. The new settings will take effect after it is recompiled, which we will do later.

Step Three – Configure the firewall rules:

For now I suggest that you use an open firewall, one which lets anything through. Although this is not secure it is simple to understand and very easy to reconfigure once you are sure that the new kernel works ok. To make an open firewall, edit the /etc/rc.firewall file so that it looks like this;

# Start
# Rule numbers are given explicitly so that ipfw evaluates the rules in
# the order 100, 200, 300, 65000 no matter what order they appear in here.
# Without them the loopback rules would land on the same numbers as the
# rules above and the deny for 127.0.0.0/8 would never be reached.

# Allow Network Translation, DO NOT change this ever!
/sbin/ipfw -f flush
/sbin/ipfw add 300 divert natd all from any to any via tun0

# Allow Everything, Change this at a later date
/sbin/ipfw add 65000 pass all from any to any

# Allow loopback, DO NOT change this ever!
/sbin/ipfw add 100 pass all from any to any via lo0
/sbin/ipfw add 200 deny all from any to 127.0.0.0/8

# End
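Once the new kernel is known to work, the pass-all rule is the one to tighten. The following is an added example of a stricter rc.firewall for this same gateway, not the tutorial's own file; the intranet NIC name ed0, the intranet network 192.168.1.0/24 and the ICQ host 192.168.1.10 are assumptions and can be overridden from the environment:

```shell
# A tighter /etc/rc.firewall for the PPP NAT gateway (added example, not the
# tutorial's own file). Assumed names: intranet NIC ed0, intranet
# 192.168.1.0/24, ICQ host 192.168.1.10; override them via the environment.
fwcmd=${fwcmd:-/sbin/ipfw}          # fwcmd=echo gives a dry run
lan_if=${lan_if:-ed0}
lan_net=${lan_net:-192.168.1.0/24}
icq_host=${icq_host:-192.168.1.10}
# Rule set in evaluation order; numbers are explicit so the order never
# depends on ipfw's automatic numbering.
#  300      natd must see every packet crossing tun0 before any other rule,
#           so the rules below it see the translated (intranet) addresses
#  400      traffic entering or leaving on the intranet NIC is trusted;
#           traffic leaving on tun0 is still checked by 500-1200
#  500      packets arriving from the internet must not claim an intranet
#           source address
#  600-800  TCP replies always pass; new connections ('setup' = SYN without
#           ACK) only to the ICQ redirect or outbound
#  900-1100 UDP out, plus replies from DNS (53) and ICQ login (4000) servers;
#           ipfw of this era keeps no UDP state, so replies need own rules
#  1200     echo request/reply, unreachable and time-exceeded only
#  65000    everything else is dropped and logged (needs IPFIREWALL_VERBOSE)
fw_rules() {
    cat <<EOF
100 pass all from any to any via lo0
200 deny all from any to 127.0.0.0/8
300 divert natd all from any to any via tun0
400 pass all from any to any via $lan_if
500 deny all from $lan_net to any in via tun0
600 pass tcp from any to any established
700 pass tcp from any to $icq_host 2000-2100 in via tun0 setup
800 pass tcp from any to any out via tun0 setup
900 pass udp from any to any out via tun0
1000 pass udp from any 53 to any in via tun0
1100 pass udp from any 4000 to any in via tun0
1200 pass icmp from any to any icmptypes 0,3,8,11
65000 deny log all from any to any
EOF
}
# Flush the old rules and load the new ones through $fwcmd.
fw_load() {
    $fwcmd -f flush
    fw_rules | while read -r rule; do
        $fwcmd add $rule
    done
}
if command -v "$fwcmd" >/dev/null 2>&1; then
    fw_load          # on the gateway: install the rules
else
    fw_rules         # no ipfw here: just show what would be loaded
fi
```

Dropped in as /etc/rc.firewall it loads the rules at boot; run as fwcmd=echo sh rc.firewall on any machine to preview the ipfw commands it would issue.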

Step Four – Configure the gateway:

Configuring the gateway would be simple if it were not for ICQ. If none of your intranet computers are running ICQ then you can relax.

To start, create a file called natd.conf in /etc to hold the configuration; it should have mode -rw-r--r-- and be owned by root. In the file place the following configuration:

# Start
log no
deny_incoming no
same_ports yes
dynamic yes
verbose no
interface tun0

# ICQ stuff goes here

# End

Also, for every machine on the intranet that wants to run ICQ you must add one line to this file which looks like the following. Replace IP with the IP address of the computer that wishes to run ICQ. Also change the number ranges so that they are different on each line; a simple way is to just add 100 to the numbers of the previous line. Both ranges on the same line MUST be the same size, it is just plain stupid to think otherwise.

redirect_port tcp IP:2000-2100 2000-2100

If on your intranet you have an NT machine which wishes to be a VPN host, that is, accept PPTP connections from the internet, then you must add the following line. Again replace IP with the IP address of the machine in question. You are only allowed ONE of these lines.

pptpalias IP
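The rules just given (equal-sized ranges on a line, ranges that do not collide between lines, a single pptpalias, no IP placeholder left unfilled) are easy to get wrong by hand. The following is an added example, not part of natd or of this tutorial, that checks a natd.conf for those mistakes with awk; the sample file it builds at the end is constructed for illustration only:

```shell
# check_natd_conf FILE: sanity-check the redirect_port and pptpalias lines
# of a natd.conf written as in this tutorial (added example, not part of
# natd). Exit status 0 means no problem was found; problems are printed.
check_natd_conf() {
    awk '
    # redirect_port proto IP:lo-hi lo-hi
    $1 == "redirect_port" {
        if (NF != 4 || $3 !~ /^[0-9.]+:[0-9]+-[0-9]+$/ || $4 !~ /^[0-9]+-[0-9]+$/) {
            print "line " NR ": malformed redirect_port (IP placeholder left in?)"; bad++; next
        }
        split($3, t, ":"); split(t[2], a, "-"); split($4, b, "-")
        if (a[2] + 0 < a[1] + 0 || b[2] + 0 < b[1] + 0) {
            print "line " NR ": port range runs backwards"; bad++; next
        }
        # both ranges on one line must be the same size
        if (a[2] - a[1] != b[2] - b[1]) {
            print "line " NR ": internal and external ranges differ in size"; bad++
        }
        # the external (second) range must not collide with an earlier line
        for (i = 1; i <= n; i++)
            if (b[1] + 0 <= hi[i] && lo[i] <= b[2] + 0) {
                print "line " NR ": external ports overlap line " ln[i]; bad++
            }
        n++; lo[n] = b[1] + 0; hi[n] = b[2] + 0; ln[n] = NR
    }
    # natd takes exactly one pptpalias host
    $1 == "pptpalias" {
        if (++pptp > 1) { print "line " NR ": more than one pptpalias"; bad++ }
    }
    END { exit (bad > 0) }
    ' "$1"
}
# Constructed sample (not a real site): the third redirect reuses external
# ports already taken by the first, which natd cannot serve.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface tun0
redirect_port tcp 192.168.1.10:2000-2100 2000-2100
redirect_port tcp 192.168.1.11:2200-2300 2200-2300
redirect_port tcp 192.168.1.12:2050-2150 2050-2150
pptpalias 192.168.1.5
EOF
check_natd_conf "$sample" && echo "natd.conf looks consistent"
rm -f "$sample"
```

Run it against the real file with check_natd_conf /etc/natd.conf after sourcing the script.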

The gateway configuration is now done.

Step Five – Configure the ppp link:

PPP is not simple to explain when you are trying to cater for the entire world. It has so many different configurations that it makes baked beans on toast look easy :> You will need to edit the file /etc/ppp/ppp.conf. If the file doesn't exist then edit the sample file and save it with the correct name ( I didn't really need to tell you that because you knew to do that already, right? >: ).

If your ISP accepts PAP and does not require anything special ( most do ) then you can use my example below. However, you may need to change the device name: /dev/cuaa0 for COM 1, /dev/cuaa1 for COM 2, etc. If you are unsure which COM port your modem is on then the easy way to find out is to send lots of data to each port in turn and watch to see whether the lights flash on the modem or not. However, if your modem is internal then I suggest you upgrade or play trial and error.

# /etc/ppp/ppp.conf - Start
# Labels (default:, myisp:) start in column one; every other line must be
# indented by at least one space or ppp will read it as a label.

default:
 set device /dev/cuaa1
 set speed 115200

 # the following string must all be on one line - HINT HINT!
 set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" OK-AT-OK ATE1Q0L0M0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

 set timeout 30
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns

myisp:
 set phone "PUT THE PHONE NUMBER HERE"
 set authname "PUT YOUR USER NAME HERE"
 set authkey "PUT YOUR PASSWORD HERE"

# End

Step Six – Modify the startup files:

In the file /etc/rc.conf place the following lines at the bottom.

firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"
ppp_enable="YES"
ppp_mode="auto"
ppp_profile="myisp"
ppp_nat="NO"

# End

The auto in ppp_mode will make the ppp program dial automatically every time someone tries to connect to anywhere not on the local intranet. If you want the link to be active all the time use ddial instead.

Step Seven – Recompile the kernel:

Use the following commands.

Note: if you are not using an Intel computer then replace i386 with the arch of the computer you are using. Either i386, alpha or pc98.

# cd /usr/src/sys/i386/conf
# /usr/sbin/config MYKERNEL
# cd ../../compile/MYKERNEL
# make depend
# make
# make install
# shutdown -r now

When the system comes back up it will be your intranet's firewall. However, you will notice that recompiling the kernel can take a very long time. If you are short on time then put the above commands in a shell script and run that; however, if something goes wrong then you will have a hell of a time finding out what it was.

Comments / Disclaimer:

All amendments to this document will be posted on the internet to the web site https://www.astrolox.com/. If you have noticed any mistakes I may have made please send the corrections to my email address astrolox@innocent.com with the subject containing “FreeBSD Tutorial” somewhere. Thank you.

I think that is all. If this doesn't work for you then read the correct docs. If it does then brilliant. If you lose data, money or anything else because of this (including but not limited to sanity, life, happiness) then I am not to blame. Thanks for reading.

Original Document:

This article was originally written and published in PGP signed plain text format. You may download the original document: fbsdfire.txt
