Building an Application Level Gateway with IPFILTER (v1.0)
By Flattie McGee (ZA)
© 2000 Globelinks Communications

ChangeLog:
v1.0 - Original Release (11.22.00) by Flattie

1.0 - Introduction
This How-To documents the steps I took to build an Application Level Gateway (firewall and NAT) on a FreeBSD 4.1.1-STABLE system. I recommend reading a few RFCs to familiarize yourself with the functions of this setup, as well as some other fun RFCs in the event you ever implement split DNS or decide to use NAT with IPv6.
* RFC1631 - The IP Network Address Translator
* RFC1918 - Address Allocation for Private Networks
* RFC2647 - Benchmarking Terminology for Firewall Performance
* RFC2663 - IP Network Address Translator (NAT) Terminology and Considerations
* RFC2694 - DNS extensions to Network Address Translator (DNS_ALG)
* RFC2766 - Network Address Translation - Protocol Translation (NAT-PT)
* RFC2795 - The Infinite Monkey Protocol Suite (IMPS)
1.1 - What will I need to make this work?

First of all, you will need at least 2 (two) NICs, FreeBSD 4.x, and the latest version of IPFILTER. At the time of writing, version 3.4.14 was the latest.

1.2 - Thanks and how to contact me.

If you wish to comment, contribute or suggest something to improve this document, then please email me at flattie@globelinks.com with the subject 'IPFILTER HOWTO' and I will give you credit if I include it here. If you have problems with this HOW-TO or IPFILTER in general, feel free to come to IRC EFnet #freebsdhelp, or check the IPFILTER mailing list archive @ http://www.false.net/

Special thanks to Darren Reed, Dan L, Loco-, and a few other people in #freebsdhelp.

1.3 - Disclaimer & Copyright.

Yada yada yada, I am not responsible for any action you take in following through with this HOWTO. Use at your own risk. This HOWTO is Copyright © 2000 Globelinks Communications - Permission for redistribution is granted under the OpenContent License.

2.0 - Our Example Network.

Our FreeBSD box will have 3 NICs. I am using three 3Com cards, which are driven by the xl device. Thus, we have xl0 (External), xl1 (Private Network), xl2 (DMZ/External). You can add more NICs to further subnet your networks, or you can remove one of the NICs if you don't want to do anything too complex. The 200.200.200.x addresses are placeholders for this example; substitute the addresses your uplink provider actually assigned you, and keep the private side inside the RFC1918 ranges as shown.

    [INTERNET] (200.200.200.1)
          |
    [xl0] (200.200.200.2)
    [FreeBSD FW/GW]
    [xl1] --> Internal Network (192.168.0.0/16)
    [xl2] --> De-Militarized Zone (DMZ) (200.200.200.240)

2.1 - Obtain IPFILTER.

I can, and will, only recommend IPFilter for our firewall control and NAT (or NAPT). There are other firewall applications out there: NT Guard, Checkpoint Firewall-1, IPFW, and countless others. Download the IPFilter source tarball (ip_fil3.4.14.tar.gz) into your home directory:

# cd ~/

2.2 - Install It.

Let's uncompress our tarball and go into our source directory, where we will do a few steps to install IPFilter.
# tar -zxvf ip_fil3.4.14.tar.gz

The next command will essentially update some system files and insert the following line into the kernel config file, thus saving you the hassle of having to do it yourself. I think new versions of IPFILTER are smart enough to detect the IPFILTER strings to see if they already exist in the kernel config file.

options IPFILTER

Note that the rules in section 3.4 use the log keyword; for logged packets to be readable with ipmon, the kernel must also be built with options IPFILTER_LOG. Check your kernel config for it before you compile.

2.3 - Edit the osreldate line.

Note, this is a rather annoying bug that has yet to be fully fixed. You will need to edit the following files (note, I use pico without word wrap, as I gear all my How-To's toward newbies who have yet to grasp vi or other editors):

# pico -w /usr/src/sys/netinet/ip_compat.h /usr/include/osreldate.h

2.4 - Enable Bridging in Kernel.

We'll need to enable bridging in our kernel config file, as it is a very useful feature. Edit the kernel config file, and insert the following line:

options BRIDGE

2.5 - Enable Bridging @ Startup.

# pico -w /usr/local/etc/rc.d/bridge.sh

2.6 - Compile the Kernel.

Let's compile our kernel like we've never compiled it before!

# cd /usr/src/sys/i386/conf

3.0 - Edit Necessary Files.

We'll need to edit our main configuration file so things run smoothly on boot. I recommend you change a few of these, or things will be broken. We'll need to set the default router to an external IP; this is usually your uplink (200.200.200.1 in the example network). The box also has to forward packets between its interfaces for NAT to do anything at all, which is what gateway_enable="YES" in rc.conf turns on.

# pico -w /etc/rc.conf

hostname="Insert_your_box_name_here"

3.1 - Enable ipf @ Startup.

# pico -w /usr/local/etc/rc.d/ipf.sh

(Insert into file)

3.2 - Enable ipnat @ Startup.

# pico /usr/local/etc/rc.d/ipnat.sh

(Insert into file)

3.3 - Edit /etc/ipnat.rules

map xl0 192.168.0.0/16 -> 200.200.200.2/32 proxy port ftp ftp/tcp
rdr xl0 200.200.200.2/32 port 22 -> 192.168.0.1 port 22

The map rule hides the whole private network behind the external address and runs the FTP proxy so active-mode FTP survives translation. The rdr rule publishes ssh on the external address and hands it to one internal host; whether anyone on the Internet can actually reach it is decided by the filter rules, so treat it as an exposure you must restrict in /etc/ipf.rules.

3.4 - Edit /etc/ipf.rules

Since IPF rules are beyond the scope of this document, I will use a very simple 6-line ruleset to demonstrate the functionality of the firewall. It should allow traffic in and out of any of the three NICs. Be aware that this ruleset blocks nothing: it is only for checking that ipf is loaded and that packets flow (and that logging works), and it leaves the redirected ssh port above open to the whole Internet until you replace it with a real policy.
pass in log on xl0 all
pass out log on xl0 all
pass in log on xl1 all
pass out log on xl1 all
pass in log on xl2 all
pass out log on xl2 all
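As an added example (not from the original HOWTO), here is a tighter set of files for the example network in section 2.0, covering the rc.conf additions from 3.0, the NAT rules from 3.3 and a default-deny replacement for the pass-all ruleset in 3.4. The interface names, the 200.200.200.x addresses and the ssh redirect are the page's own; everything else is assumed: the hostname, the gateway's internal address 192.168.0.254, the netmasks, the portmap range, the anti-spoofing blocks and the keep-state rules. xl2 (DMZ) is deliberately left out, because the HOWTO does not say what netmask or bridge configuration it uses, and under a default-deny policy it will pass nothing until you add rules for it.

```text
# --- /etc/rc.conf additions (assumed; the HOWTO shows only the hostname line)
hostname="fw.example.net"                                # placeholder name
ifconfig_xl0="inet 200.200.200.2 netmask 255.255.255.0"  # external, per section 2.0
ifconfig_xl1="inet 192.168.0.254 netmask 255.255.0.0"    # assumed internal gateway address
defaultrouter="200.200.200.1"                            # the uplink from section 2.0
gateway_enable="YES"                                     # forward packets between interfaces

# --- /etc/ipnat.rules
# Rules are matched first-hit. The FTP proxy rule must come before the
# generic map rules or it never fires. portmap spreads TCP/UDP source ports;
# the last plain map catches ICMP and anything else without ports.
map xl0 192.168.0.0/16 -> 200.200.200.2/32 proxy port ftp ftp/tcp
map xl0 192.168.0.0/16 -> 200.200.200.2/32 portmap tcp/udp 10000:40000
map xl0 192.168.0.0/16 -> 200.200.200.2/32
# Publish ssh on the external address and hand it to one internal host (page's rule).
rdr xl0 200.200.200.2/32 port 22 -> 192.168.0.1 port 22 tcp

# --- /etc/ipf.rules
# Default deny in both directions; later "quick" rules win on first match.
block in log all
block out log all

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the external interface: packets claiming to come from
# private space, loopback or our own address must never arrive from the Internet.
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 172.16.0.0/12 to any
block in log quick on xl0 from 10.0.0.0/8 to any
block in log quick on xl0 from 127.0.0.0/8 to any
block in log quick on xl0 from 200.200.200.2/32 to any

# Inbound ssh that ipnat has already redirected. On input, NAT runs before the
# filter, so the rule has to match the translated (internal) destination,
# not 200.200.200.2. Only a SYN may create state; replies ride the state entry.
pass in quick on xl0 proto tcp from any to 192.168.0.1 port = 22 flags S keep state

# Everything leaving through the external interface is allowed and tracked.
# On output the filter runs before NAT, so "from any" covers the still-private
# source addresses; the returning, un-NATed packets match the state entry.
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state

# The internal side is trusted: accept only genuine private-net sources
# on xl1 and deliver anything destined for the private net back out of it.
pass in quick on xl1 from 192.168.0.0/16 to any
pass out quick on xl1 from any to 192.168.0.0/16
```

To load these by hand (these are the standard ipf/ipnat invocations, not commands from the HOWTO), flush and reload with `ipf -Fa -f /etc/ipf.rules` and `ipnat -CF -f /etc/ipnat.rules`, then confirm what is active with `ipfstat -io` and `ipnat -l`, and watch blocked packets with `ipmon -s` once the kernel has IPFILTER_LOG. Test from outside: ssh to 200.200.200.2 should reach 192.168.0.1, while a connection to any other port on the external address should be dropped and logged, not refused.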
This site cannot be duplicated without permission. © 1998 - 2008 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.