Saturday, March 19, 2011

Gateway FreeBSD Using ipfw + natd

Here are the steps to build the gateway:

Log in to your FreeBSD box as root and build a custom kernel:

# cd /usr/src/sys/i386/conf
# cp GENERIC INDOFREEBSD
# pico INDOFREEBSD

When editing the kernel configuration file, customise it to your wishes and to the hardware in your machine. If you do not understand it, or do not want to bother, it is enough to edit or add just what we need to create a gateway. Example:

1. ident INDOFREEBSD

2. options IPFIREWALL                   # build ipfw into the kernel

3. options IPFIREWALL_VERBOSE           # log packets matched by rules that carry "log"

4. options IPFIREWALL_DEFAULT_TO_ACCEPT # just what it says: the implicit last rule allows

5. options IPFIREWALL_VERBOSE_LIMIT=100 # stop logging a rule after 100 hits, to prevent flooding syslog

6. options IPFIREWALL_FORWARD

7. options IPDIVERT                     # divert sockets, which natd needs

Item 1 is the ident. This line already exists in the GENERIC kernel (as ident GENERIC); change it to a name of your own. In this case I changed it to KERNELKU.

Items 2 to 7 are the options we need to add to our kernel configuration. Be aware of what item 4 means: with IPFIREWALL_DEFAULT_TO_ACCEPT the implicit last rule (65535) is an allow, so if the rules script later fails to load, or stops part way on a syntax error, whatever it did not install simply passes. The firewall is only closed by the explicit deny that the script adds, which is why you should verify the loaded rules after the reboot.

After you finish editing, save the file.

Indofreebsd guest: Sir ogeb, why must we compile the kernel? Isn't ipfw already installed by default?

ogeb: I will not try to answer that myself; first, please open http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html

It says very clearly there: "IPFW is included in the basic FreeBSD install as a separate run time loadable module. The system will dynamically load the kernel module when the rc.conf statement firewall_enable="YES" is used. You do not need to compile IPFW into the FreeBSD kernel unless you want NAT function enabled."
So for this reason we really do need to compile the kernel, so that the NAT function works well and the firewall accepts by default, which is my advice to beginners who are still in the dark about writing ipfw rules.
Let us continue.

Move to the /usr/src directory.

# cd /usr/src

Compile the kernel.

# make buildkernel KERNCONF=INDOFREEBSD

Install the new kernel.

# make installkernel KERNCONF=INDOFREEBSD

At this stage you have successfully compiled and installed the kernel; it only takes effect after the reboot at the end of these steps, when uname -i should print INDOFREEBSD.

The next stage is to enable the firewall through rc.conf:

# pico /etc/rc.conf

router_enable="YES"
router="/sbin/routed"
router_flags="-q"

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"              # enable natd
natd_interface="rl0"           # interface name of the public Internet NIC
natd_flags="-dynamic -m"       # -m = preserve port numbers if possible

Then save. A few notes on these lines: gateway_enable is what actually turns on IP forwarding between the two NICs (net.inet.ip.forwarding=1). The three router_* lines start routed(8) in quiet mode (-q, listen for RIP but never advertise); a gateway with a single static default route does not need a routing daemon at all, and these lines can be left out. The -dynamic flag makes natd follow address changes on rl0, which matters when the uplink gets its address by DHCP or PPP.



The next step is to edit sysctl.conf:

# pico /etc/sysctl.conf

net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=100

Then save. These mirror the two IPFIREWALL_VERBOSE kernel options: verbose=1 makes rules with the log keyword write to syslog (security.* goes to /var/log/security by default), and verbose_limit=100 stops a given rule from logging after 100 hits until the counters are reset with ipfw resetlog.
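The two sysctls above decide what rules carrying the log keyword write to syslog and when they go quiet. As an added example, not part of the original post, here is a small POSIX sh script that summarises such lines. The log lines in it are constructed (RFC 5737 test addresses) and it assumes the stock kernel log format "ipfw: <rule> <Action> <proto> <src>[:port] <dst>[:port] in|out via <if>" together with the "ipfw: limit N reached on entry R" message that ipfw prints when verbose_limit is hit; the rule number 450 in the sample is the catch-all "deny log" rule used in this kind of rule set.

```shell
#!/bin/sh
# Summarise what "deny log" rules are writing to syslog, and notice when
# net.inet.ip.fw.verbose_limit has silenced a rule.  Added example; the log
# lines below are constructed, not a real capture.

SAMPLE_LOG='Mar 19 10:01:02 gw kernel: ipfw: 450 Deny TCP 203.0.113.7:41234 198.51.100.2:23 in via rl0
Mar 19 10:01:03 gw kernel: ipfw: 450 Deny TCP 203.0.113.7:41235 198.51.100.2:22 in via rl0
Mar 19 10:01:05 gw kernel: ipfw: 450 Deny UDP 198.51.100.9:5353 198.51.100.2:53 in via rl0
Mar 19 10:01:07 gw kernel: ipfw: 450 Deny ICMP:8.0 203.0.113.7 198.51.100.2 in via rl0
Mar 19 10:01:09 gw kernel: ipfw: 420 Accept TCP 192.0.2.44:51000 198.51.100.2:80 in via rl0
Mar 19 10:02:00 gw kernel: ipfw: limit 100 reached on entry 450'

# denied_by_src LOGTEXT: "count source" for every denied packet, busiest first.
# Fields after the "ipfw:" token: rule action proto src dst in|out via iface
denied_by_src() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+2) != "Deny") next
            src = $(i+4)
            sub(/:[0-9]+$/, "", src)        # drop the source port (absent for ICMP)
            hits[src]++
        }
        END { for (s in hits) printf "%d %s\n", hits[s], s }
    ' | sort -rn
}

# denied_dst_ports LOGTEXT: "count proto/port" of what the outside is probing.
denied_dst_ports() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            if (i > NF || $(i+2) != "Deny") next
            proto = $(i+3); dst = $(i+5)
            if (proto ~ /^ICMP/) { key = proto }          # ICMP:type.code, no port
            else { sub(/.*:/, "", dst); key = proto "/" dst }
            hits[key]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# logging_exhausted LOGTEXT: rule numbers that hit verbose_limit.  Those rules
# keep matching but stop logging until "ipfw resetlog" is run, so a quiet log
# is not the same as a clean log.
logging_exhausted() {
    printf '%s\n' "$1" | awk '/ipfw: limit [0-9]+ reached on entry [0-9]+$/ { print $NF }' | sort -u
}

echo "== denied packets by source";       denied_by_src "$SAMPLE_LOG"
echo "== denied packets by destination";  denied_dst_ports "$SAMPLE_LOG"
echo "== rules whose logging is exhausted"; logging_exhausted "$SAMPLE_LOG"
```

On a real box feed it the security log instead of the sample, for example by replacing "$SAMPLE_LOG" with "$(cat /var/log/security)"; the point of the last function is that once a rule has reached verbose_limit, an empty log no longer tells you that nothing is being denied.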

The next step is to create the firewall rules:

# pico /etc/ipfw.rules

#!/bin/sh
cmd="ipfw -q add"
skip="skipto 500"
PIF=rl0                 # public (Internet) interface; the LAN NIC is xl0 below
ks="keep-state"
good_tcpo="22,25,37,43,53,80,443,110,119,5050,5051,5100"   # TCP ports LAN clients may open outbound

ipfw -q -f flush

$cmd 002 allow all from any to any via xl0   # exclude LAN traffic (the LAN side is fully trusted)
$cmd 003 allow all from any to any via lo0   # exclude loopback traffic

$cmd 100 divert natd ip from any to any in via $PIF   # un-NAT inbound packets before anything else
$cmd 101 check-state                                  # match replies to existing dynamic rules

# Authorized outbound packets (each creates a dynamic rule, then jumps to 500)
$cmd 120 $skip udp from any to xx.168.240.2 53 out via $PIF $ks   # DNS to your ISP's resolvers
$cmd 121 $skip udp from any to xx.168.240.5 53 out via $PIF $ks
$cmd 125 $skip tcp from any to any $good_tcpo out via $PIF setup $ks
$cmd 130 $skip icmp from any to any out via $PIF $ks
$cmd 135 $skip udp from any to any 123 out via $PIF $ks   # NTP

# Deny all inbound traffic from non-routable reserved address spaces
$cmd 300 deny all from 192.168.0.0/16 to any in via $PIF    # RFC 1918 private IP
$cmd 301 deny all from 172.16.0.0/12 to any in via $PIF     # RFC 1918 private IP
$cmd 302 deny all from 10.0.0.0/8 to any in via $PIF        # RFC 1918 private IP
$cmd 303 deny all from 127.0.0.0/8 to any in via $PIF       # loopback
$cmd 304 deny all from 0.0.0.0/8 to any in via $PIF         # "this" network
$cmd 305 deny all from 169.254.0.0/16 to any in via $PIF    # DHCP auto-config
$cmd 306 deny all from 192.0.2.0/24 to any in via $PIF      # reserved for docs
$cmd 307 deny all from 204.152.64.0/23 to any in via $PIF   # Sun cluster
$cmd 308 deny all from 224.0.0.0/3 to any in via $PIF       # Class D & E multicast

# Authorized inbound packets
$cmd 420 allow tcp from any to me 80 in via $PIF setup limit src-addr 1   # web server on the gateway, one connection per client

$cmd 450 deny log ip from any to any   # everything not matched above is dropped and logged

# This is the skipto location for outbound stateful rules
$cmd 500 divert natd ip from any to any out via $PIF   # NAT outbound packets
$cmd 510 allow ip from any to any

################################ end of rules ################################

Then save. Read the numbers, not the file order: ipfw sorts by rule number and stops at the first match. An inbound packet on rl0 is first translated back by natd at 100, then 101 lets it through if it belongs to a session a LAN host opened; otherwise it must match 300-420, and if not it dies at 450. An outbound packet that matches 120-135 gets a dynamic rule (keep-state) and jumps straight to 500, where natd rewrites its source address, and 510 lets it out. Two things follow from this layout: rule 450 is the only thing standing between an unmatched inbound packet and the allow at 510, so never delete it without replacing it, and rule 002 means the gateway itself trusts every host on the LAN completely.
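Because ipfw orders by rule number and stops at the first match, the safety of a script like the one above rests on the numbering: the inbound divert (100) below check-state (101), the stateful skipto rules between 101 and the catch-all deny, that deny (450) below the skipto target, and the target (500) being the outbound divert. Drop rule 450 and every inbound packet that nothing else matched slides down to 500/510 and is allowed. The following added example, not part of the original post, checks those invariants over an embedded, trimmed copy of the script. It parses only the $cmd lines and the skip= variable, so it is a lint for this style of script rather than a general ipfw parser, and the RULES text is constructed here rather than read from /etc/ipfw.rules.

```shell
#!/bin/sh
# Lint the numbering invariants of an ipfw.rules script written in the style
# above.  ipfw sorts by rule number and stops at the first match, so the text
# order is irrelevant; only the numbers decide what happens to a packet.
# Added example.  RULES is an embedded, trimmed copy of the script, not read
# from /etc/ipfw.rules.

RULES='cmd="ipfw -q add"
skip="skipto 500"
PIF=rl0
ks="keep-state"
$cmd 002 allow all from any to any via xl0
$cmd 003 allow all from any to any via lo0
$cmd 100 divert natd ip from any to any in via $PIF
$cmd 101 check-state
$cmd 125 $skip tcp from any to any 22,80 out via $PIF setup $ks
$cmd 300 deny all from 192.168.0.0/16 to any in via $PIF
$cmd 420 allow tcp from any to me 80 in via $PIF setup limit src-addr 1
$cmd 450 deny log ip from any to any
$cmd 500 divert natd ip from any to any out via $PIF
$cmd 510 allow ip from any to any'

# check_rules RULESTEXT: prints "OK", or one problem per line and returns 1.
check_rules() {
    out=$(printf '%s\n' "$1" | awk '
        function bad(m) { problems++; print m }
        # the skipto target normally lives in the skip= variable
        /^skip="skipto [0-9]+"$/ { t = $2; sub(/"$/, "", t); target = t + 0; next }
        /^\$cmd [0-9]+ / {
            n = $2 + 0; act = $3
            if (act == "$skip") act = "skipto"
            if (act == "skipto" && $3 == "skipto") target = $4 + 0   # literal skipto N
            rule[n] = act
            if (act == "divert" && $0 ~ / in via /)  divert_in = n
            if (act == "divert" && $0 ~ / out via /) divert_out = n
            if (act == "check-state") check_state = n
            # a deny with no interface or address restriction is the catch-all
            if (act == "deny" && $0 ~ / from any to any$/) catchall = n
        }
        END {
            if (!(target in rule))
                bad("skipto target " target " has no rule; ipfw would continue at the next higher number, or the default rule")
            if (!divert_in || !check_state || divert_in > check_state)
                bad("inbound divert natd (" divert_in ") must be numbered below check-state (" check_state ") so replies are un-NATed before the state lookup")
            if (!catchall || catchall < check_state || catchall > target)
                bad("no catch-all deny between check-state and skipto target " target ": unmatched inbound traffic falls through to the final allow")
            if (divert_out != target)
                bad("skipto target " target " should be the outbound divert natd rule (found " divert_out ")")
            if (!problems) print "OK"
        }')
    printf '%s\n' "$out"
    [ "$out" = "OK" ]
}

check_rules "$RULES"

# The same script with the catch-all deny removed: the lint must reject it.
BROKEN=$(printf '%s\n' "$RULES" | grep -v '^\$cmd 450 ')
if check_rules "$BROKEN"; then
    echo "unexpected: ruleset without rule 450 passed"
fi
```

Run it against the real file with check_rules "$(cat /etc/ipfw.rules)" before rebooting; with IPFIREWALL_DEFAULT_TO_ACCEPT in the kernel, a missing or misnumbered deny is exactly the mistake that leaves the gateway open without any visible error.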

The next step is to reboot and try your gateway.

# reboot

Once it is back up, check that everything actually took effect: uname -i should print INDOFREEBSD, sysctl net.inet.ip.forwarding should return 1, natd should appear in the process list, and ipfw list should show the rules above, including 450. If the rules script failed to load, the default-to-accept kernel leaves the box wide open without any error message, which is exactly the case this check is meant to catch.
