<title>Opengate Install</title>
<meta http-equiv="content-type" content="text/html;charset=Shift_JIS">
<link rel="stylesheet" type="text/css" media="screen" href="style.css">
<body bgcolor="#BBEECC">
<!-- Start:Setup ipfw,ip6fw -->
<h3>B Setup ipfw,ip6fw<a name="ipfw0" href="#ipfw0" class="anchor">†</a></h3>
<li class="list_num"><a href="#ipfw1">Prepare kernel</a></li>
<li class="list_num"><a href="#ipfw2">Setup ipfw</a></li>
<li class="list_num"><a href="#ipfw3">Setup ip6fw</a></li>
<!-- ************ 1 ************** -->
<h4>B.1 Prepare kernel<a name="ipfw1" href="#ipfw1" class="anchor">†</a></h4>
<p>Prepare a kernel that has the ipfw and ip6fw functions.</p>
<p>Copy the kernel options file.</p>
# cd /usr/src/sys/i386/conf
</pre></td></tr></table>
<p>Add the following lines.</p>
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options TCP_DROP_SYSFIN
</pre></td></tr></table>
<li>When using NAT, IPDIVERT is necessary.</li>
<li>When the firewall log is needed, the *VERBOSE options are necessary.</li>
<li>When using IPSEC, the *IPSEC options are necessary.</li>
<p>Compile and install the kernel that has the ipfw and ip6fw functions.</p>
# cd ../compile/MYKERNEL
</pre></td></tr></table>
<p>Add the following lines to "/etc/rc.conf".</p>
firewall_script="/etc/rc.firewall"
ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
</pre></td></tr></table>
<p>Enable ipfw and ip6fw, and set the path of each configuration script.
When using NAT, enable natd and set the natd interface.</p>
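<p>As an added example (not part of the Opengate documentation), the following POSIX shell script checks that a kernel configuration file and an rc.conf agree on the features listed in this section: a firewall that is enabled in rc.conf needs IPFIREWALL (and, for the forwarding rules Opengate relies on, IPFIREWALL_FORWARD), an enabled IPv6 firewall needs IPV6FIREWALL, an enabled natd needs IPDIVERT, and a *VERBOSE option should be paired with its *VERBOSE_LIMIT. The sample files are constructed inline; <code>natd_enable</code> and <code>natd_interface</code> are FreeBSD's standard rc.conf variables, and the file names are assumptions.</p>

```shell
#!/bin/sh
# Added example, not from the Opengate documentation: verify that a kernel
# config file and rc.conf agree on the firewall features section B.1 needs.
# Sample files are constructed below; file names are assumptions.

# has_option NAME FILE: succeed when FILE has "options NAME" or "options NAME=...".
# Tabs or spaces may separate "options" from the name.
has_option() {
    grep -Eq "^options[[:space:]]+$1([[:space:]=]|\$)" "$2"
}

# rc_yes VAR FILE: succeed when FILE sets VAR="YES".
rc_yes() {
    grep -Eq "^$1=\"?YES\"?" "$2"
}

# check_config KERNELCONF RCCONF: print each mismatch, return how many were found.
check_config() {
    kconf=$1; rcconf=$2; n=0
    if rc_yes firewall_enable "$rcconf"; then
        has_option IPFIREWALL "$kconf" ||
            { echo "firewall_enable=YES but kernel lacks IPFIREWALL"; n=$((n+1)); }
        has_option IPFIREWALL_FORWARD "$kconf" ||
            { echo "Opengate's fwd rules need IPFIREWALL_FORWARD"; n=$((n+1)); }
    fi
    if rc_yes ipv6_firewall_enable "$rcconf"; then
        has_option IPV6FIREWALL "$kconf" ||
            { echo "ipv6_firewall_enable=YES but kernel lacks IPV6FIREWALL"; n=$((n+1)); }
    fi
    if rc_yes natd_enable "$rcconf"; then
        has_option IPDIVERT "$kconf" ||
            { echo "natd_enable=YES but kernel lacks IPDIVERT (NAT needs divert)"; n=$((n+1)); }
    fi
    if has_option IPFIREWALL_VERBOSE "$kconf" && ! has_option IPFIREWALL_VERBOSE_LIMIT "$kconf"; then
        echo "IPFIREWALL_VERBOSE without IPFIREWALL_VERBOSE_LIMIT: logging is unbounded"
        n=$((n+1))
    fi
    return $n
}

# write_samples DIR: constructed rc.conf plus a complete and an incomplete kernel config.
write_samples() {
    cat > "$1/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
natd_enable="YES"
natd_interface="fxp0"
EOF
    cat > "$1/MYKERNEL.good" <<'EOF'
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
EOF
    cat > "$1/MYKERNEL.bad" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPV6FIREWALL
EOF
}

# Stand-alone demo: the complete config passes, the incomplete one reports 3 problems.
dir=$(mktemp -d)
write_samples "$dir"
for k in good bad; do
    if check_config "$dir/MYKERNEL.$k" "$dir/rc.conf"; then
        echo "MYKERNEL.$k: ok"
    else
        echo "MYKERNEL.$k: $? problem(s)"
    fi
done
rm -r "$dir"
```

<p>Run it once after editing MYKERNEL and rc.conf, before building the kernel, so that a missing IPDIVERT or IPFIREWALL_FORWARD is caught before the first reboot rather than when natd or the Opengate forwarding rule silently fails.</p>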
<div align="right"><a href="#ipfw0">top</a></div>
<!-- ************ 2 ************** -->
<h4>B.2 Setup ipfw<a name="ipfw2" href="#ipfw2" class="anchor">†</a></h4>
<p>Write the ipfw rules for Opengate. This is an example "/etc/rc.firewall".</p>
### set these to your outside interface network and netmask and ip
### set these to your inside interface network and netmask and ip
### divert packet to NATD
$fwcmd add 1 divert natd ip from any to any via ${oif}
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}
### Stop http from SoftEther
$fwcmd add deny tcp from 192.168.0.0:255.255.255.0 to ${oip} 80
$fwcmd add deny tcp from 192.168.0.0:255.255.255.0 to ${oip} 443
### Allow from / to myself
$fwcmd add pass all from ${iip} to any via ${iif}
$fwcmd add pass all from ${oip} to any via ${oif}
$fwcmd add pass all from any to ${iip} via ${iif}
$fwcmd add pass all from any to ${oip} via ${oif}
### Allow DNS queries out in the world
### (if DNS is on localhost, delete the pass DNS rules)
$fwcmd add pass udp from any 53 to any
$fwcmd add pass udp from any to any 53
$fwcmd add pass tcp from any to any 53
$fwcmd add pass tcp from any 53 to any
### Forwarding http connection from unauth client
$fwcmd add 60000 fwd localhost tcp from ${inet}:${imask} to any 80
$fwcmd add 60010 fwd localhost tcp from ${inet}:${imask} to any 443
### Allow TCP through if setup succeeded
$fwcmd add 60100 pass tcp from any to any established
</pre></td></tr></table>
<p>The rule number of the [forward] rules must be larger than the rule numbers used by Opengate (10000-40000).
The rule number of the [divert to natd] rule must be smaller than that of most other rules.</p>
<p>The file [conf/opengatefw.conf] is a script describing the above rules.
You can edit and use this script instead of rc.firewall.</p>
<p>Be familiar with the ipfw command. Opengate is software that issues ipfw commands like the ones above.</p>
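<p>The following POSIX shell script is an added example, not Opengate's own code. It does what the text says Opengate does, issuing ipfw commands to open and close a client, and it enforces the numbering constraint above: per-client rules get a number in 10000-40000, so they always match before the forwarding rule at 60000 catches the client's HTTP traffic. The per-client rule text (a pass rule in each direction for the client address) and the dry-run default are assumptions; set <code>FWCMD=/sbin/ipfw</code> to send the commands for real.</p>

```shell
#!/bin/sh
# Added example, not Opengate's own code: emit the ipfw commands that open and
# close one client, refusing rule numbers outside the range the text reserves
# for Opengate (10000-40000). The per-client rule text is an assumption.
# By default the commands are only echoed (dry run); FWCMD=/sbin/ipfw sends them.

fwcmd=${FWCMD:-"echo ipfw"}
CLIENT_MIN=10000
CLIENT_MAX=40000
FWD_RULE=60000            # number of the "fwd localhost" rule in rc.firewall above

# rulenum_ok N: succeed when N is a decimal integer inside the client range.
rulenum_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$CLIENT_MIN" ] && [ "$1" -le "$CLIENT_MAX" ]
}

# fwd_rule_ok: the forwarding rule must sit behind every possible client rule;
# otherwise an authenticated client's HTTP would still be captured.
fwd_rule_ok() {
    [ "$FWD_RULE" -gt "$CLIENT_MAX" ]
}

# open_client N ADDR: pass the client's traffic in both directions under rule N.
open_client() {
    rulenum_ok "$1" ||
        { echo "open_client: rule number $1 outside $CLIENT_MIN-$CLIENT_MAX" >&2; return 1; }
    $fwcmd add "$1" pass ip from "$2" to any &&
    $fwcmd add "$1" pass ip from any to "$2"
}

# close_client N: both of the client's rules share number N, so one delete removes them.
close_client() {
    rulenum_ok "$1" ||
        { echo "close_client: rule number $1 outside $CLIENT_MIN-$CLIENT_MAX" >&2; return 1; }
    $fwcmd delete "$1"
}

# Stand-alone demo with a constructed client address.
fwd_rule_ok || echo "warning: fwd rule $FWD_RULE would shadow client rules" >&2
open_client 10050 192.168.1.20
close_client 10050
```

<p>Because a client's two rules share one number, a single <code>delete</code> removes both; an allocator that hands out numbers must therefore never reuse a number while its client is still open, or the close of one client would also close the other.</p>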
<div align="right"><a href="#ipfw0">top</a></div>
<!-- ************ 3 ************** -->
<h4>B.3 Setup ip6fw<a name="ipfw3" href="#ipfw3" class="anchor">†</a></h4>
<p>Write the ip6fw rules for Opengate. This is an example "/etc/rc.firewall6".</p>
### set these to your outside interface network and prefixlen and ip
onet="2001:e38:3661:1a0::"
oip="2001:e38:3661:1a0::34"
### set these to your inside interface network and prefixlen and ip
inet="2001:e38:3661:1a5::"
iip="2001:e38:3661:1a5::1"
### path to command "ip6fw"
${fw6cmd} add pass all from ${iip} to any
${fw6cmd} add pass all from any to ${iip}
${fw6cmd} add pass all from ${oip} to any
${fw6cmd} add pass all from any to ${oip}
### Allow RA RS NS NA Redirect...
${fw6cmd} add pass ipv6-icmp from any to any
# Allow IP fragments to pass through
${fw6cmd} add pass all from any to any frag
${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521
${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521
### Allow TCP through if setup succeeded
${fw6cmd} add 60100 pass tcp from any to any established
# TCP reset notice message
${fw6cmd} add 60200 reset tcp from any to any 80
${fw6cmd} add 60300 reset tcp from any to any 443
</pre></td></tr></table>
<p>ip6fw does not have a [forward] function. Therefore Opengate waits for the
timeout of the IPv6 HTTP request, and uses the [forward] function of ipfw.</p>
<p>When using FreeBSD 5.2 or later, ip6fw has a TCP reset function.
TCP reset tries to send a TCP reset (RST) notice.</p>
<p>The file [conf/opengatefw6.conf] is a script describing the above rules.
You can edit and use this script instead of rc.firewall6.</p>
<p>Be familiar with the ip6fw command too.</p>
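<p>The following POSIX shell script is an added example, not part of Opengate. It audits a rule listing against the ordering constraints stated in B.2 and B.3: the divert-to-natd rule must carry the lowest number, [forward] rules must be numbered above the client range 10000-40000, no static rule may sit inside that range (it would be interleaved with rules that Opengate adds and deletes), and the TCP reset rules must come after the pass-established rule, or already-open HTTP sessions would be reset. The input format is the numbered listing that <code>ipfw list</code> prints (ip6fw is assumed to print the same shape); the two sample listings are constructed here and use the rule numbers from this page.</p>

```shell
#!/bin/sh
# Added example, not part of Opengate: audit a numbered firewall listing
# (the shape "ipfw list" prints) against the ordering constraints in B.2/B.3.
# The sample listings below are constructed.

CLIENT_MIN=10000
CLIENT_MAX=40000

# audit_rules < LISTING: print each violation, return the number found (0 = clean).
audit_rules() {
    awk -v lo="$CLIENT_MIN" -v hi="$CLIENT_MAX" '
    NF < 2 { next }                                   # skip blank lines
    {
        num = $1 + 0                                  # "00100" -> 100
        if (!seen || num < minnum) { minnum = num; seen = 1 }
        if ($2 == "divert") divert[num] = 1
        if ($2 == "fwd" && num <= hi)
            bad["fwd rule " num " must be numbered above the client range " lo "-" hi] = 1
        if (num >= lo && num <= hi)
            bad["static rule " num " sits inside the client range " lo "-" hi] = 1
        if (($2 == "allow" || $2 == "pass") && $NF == "established" && est == "") est = num
        if ($2 == "reset") resets[num] = 1
    }
    END {
        for (d in divert)
            if (d + 0 != minnum)
                bad["divert rule " d " is not the lowest-numbered rule (" minnum " is)"] = 1
        for (r in resets)
            if (est == "" || r + 0 < est)
                bad["reset rule " r " precedes the pass-established rule"] = 1
        n = 0
        for (msg in bad) { print msg; n++ }
        exit n
    }'
}

# Constructed listing that follows the page: divert first, fwd and reset after 40000.
sample_good() {
    cat <<'EOF'
00001 divert 8668 ip from any to any via fxp0
00100 deny ip from 192.168.1.0/24 to any in via fxp0
00200 allow udp from any to any dst-port 53
60000 fwd 127.0.0.1 tcp from 192.168.1.0/24 to any dst-port 80
60100 allow tcp from any to any established
60200 reset tcp from any to any dst-port 80
65535 deny ip from any to any
EOF
}

# Constructed listing with three mistakes: an early reset, a static rule in the
# client range, and a divert rule that is not the lowest-numbered one.
sample_bad() {
    cat <<'EOF'
00100 deny ip from 192.168.1.0/24 to any in via fxp0
00500 reset tcp from any to any dst-port 80
20000 allow udp from any to any dst-port 53
50000 divert 8668 ip from any to any via fxp0
60000 fwd 127.0.0.1 tcp from 192.168.1.0/24 to any dst-port 80
60100 allow tcp from any to any established
65535 deny ip from any to any
EOF
}

# Stand-alone demo: the first listing is clean, the second reports 3 violations.
for s in sample_good sample_bad; do
    if $s | audit_rules; then
        echo "$s: ok"
    else
        echo "$s: $? violation(s)"
    fi
done
```

<p>On the gateway itself the same function can be fed the live ruleset (<code>ipfw list | audit_rules</code>) after rc.firewall has run and before Opengate is started, so that a rule added to the wrong place is found before a client's session is opened in front of it.</p>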
<div align="right"><a href="#ipfw0">top</a></div>