Building an Application Level Gateway with IPFILTER (v1.0)
By Flattie McGee (ZA) © 2000 Globelinks Communications.
ChangeLog:
1.0 - Introduction.
1.1 - What will I need to make this work?
1.2 - Thanks and how to contact me.
1.3 - Disclaimer & Copyright.
2.0 - Our Example Network.
2.1 - Obtain IPFILTER.
2.2 - Install It.
2.3 - Edit the osreldate line.
2.4 - Enable Bridging in Kernel.
2.5 - Enable Bridging @ Startup.
2.6 - Compile the Kernel.
3.0 - Edit Necessary Files.
3.1 - Enable ipf @ Startup.
3.2 - Enable ipnat @ Startup.
3.3 - Edit /etc/ipnat.rules
3.4 - Edit /etc/ipf.rules
1.0 - Introduction.
This How-To documents the steps I took to build an Application Level Gateway (Firewall & NAT) on a FreeBSD 4.1.1-STABLE system. I recommend reading a few RFCs to familiarize yourself with the functions of this setup, as well as some other fun RFCs in case you ever implement split DNS or decide to use NAT with IPv6.
* RFC1631 - The IP Network Address Translator
* RFC1918 - Address Allocation for Private Networks
* RFC2647 - Benchmarking Terminology for Firewall Performance
* RFC2663 - IP Network Address Translator (NAT) Terminology and Considerations
* RFC2694 - DNS extensions to Network Address Translator (DNS_ALG)
* RFC2766 - Network Address Translation - Protocol Translation (NAT-PT)
* RFC2795 - The Infinite Monkey Protocol Suite (IMPS)
1.1 - What will I need to make this work?
First of all, you will need at least two NICs, FreeBSD 4.x, and the latest version of IPFILTER. At the time of writing, version 3.4.14 was the latest.
1.2 - Thanks and how to contact me.
If you wish to comment, contribute or suggest something to improve this document, then please email me at flattie@globelinks.com with the subject of 'IPFILTER HOWTO' and I will give you credit if I include it here.
If you have problems with this HOW-TO or IPFILTER in general, feel free to come to IRC Efnet #freebsdhelp, or check the IPFILTER mailing list archive @ http://www.false.net/
Special thanks to Darren Reed, Dan L, Loco-, and a few other people in #freebsdhelp.
1.3 - Disclaimer & Copyright.
Yada yada yada, I am not responsible for any action you take in following through with this HOWTO. Use at your own risk.
This HOWTO is Copyright © 2000 Globelinks Communications - Permission for redistribution is granted under the OpenContent License.
2.0 - Our Example Network.
Our FreeBSD box will have three NICs. I am using three 3Com cards, which are driven by the xl device. Thus we have xl0 (External), xl1 (Private Network) and xl2 (DMZ/External). You can add more NICs to further subnet your networks, or remove one of the NICs if you don't want to do anything too complex.
[INTERNET] (200.200.200.1)
[xl0] (200.200.200.2)
[FreeBSD FW/GW]
[xl1] --> Internal Network (192.168.0.0/16)
[xl2] --> De-Militarized Zone (DMZ) (200.200.200.240)
2.1 - Obtain IPFILTER.
I can, and will, only recommend IPFilter for our firewall control and NAT (or NAPT). There are other firewall applications out there: NT Guard, Checkpoint Firewall-1, IPFW, and countless others.
# cd ~/
# mkdir ~/temp
# ftp coombs.anu.edu.au          (anonymous login)
ftp> cd /pub/net/ip-filter/
ftp> ls                         (search for latest version)
ftp> get ip_fil3.4.14.tar.gz
ftp> quit                       (leave FTP)
2.2 - Install It.
Let's uncompress our tarball and go into the source directory, where we will do a few steps to install IPFilter.
# tar -zxvf ip_fil3.4.14.tar.gz
# cd ip_fil3.4.14/
# make freebsd4
# make install-bsd
The next command will essentially update some system files and insert the two lines below into the kernel config file, thus saving you the hassle of having to do it yourself. I think new versions of IPFILTER are smart enough to detect the IPFILTER strings to see if they already exist in the kernel config file.
# FreeBSD-4.0/kinstall
The lines it adds to the kernel config file:
options IPFILTER
options IPFILTER_LOG
2.3 - Edit the osreldate line.
Note, this is a rather annoying bug that has yet to be fully fixed. You will need to edit the following files (note, I use pico without word wrap, as I gear all my How-To's toward newbies who have yet to grasp vi or other editors):
# pico -w /usr/src/sys/netinet/ip_compat.h
# pico -w /usr/src/sys/modules/ipfilter/../../netinet/ip_log.c
Modify the osreldate.h lines to include the actual path to the file, which is generally located in /usr/include/, i.e.:
/usr/include/osreldate.h
2.4 - Enable Bridging in Kernel.
We'll need to enable bridging in our kernel config file, as it is a very useful feature. Edit the kernel config file, and insert the
following line:
options BRIDGE
2.5 - Enable Bridging @ Startup.
# pico -w /usr/local/etc/rc.d/bridge.sh
(Insert into file)
#!/bin/sh
# -n suppresses the newline so the result prints on the same line
echo -n "Enabling bridging: "
if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
    echo "activated."
else
    echo "failed."
fi
# the script must be executable for rc to run it at boot
# chmod 751 /usr/local/etc/rc.d/bridge.sh
2.6 - Compile the Kernel.
Let's compile our kernel, like we've never compiled it before! POP that cherry!
# cd /usr/src/sys/i386/conf
# /usr/sbin/config KERNEL_NAME
# cd ../../compile/KERNEL_NAME
# make depend
# make
# make install
3.0 - Edit Necessary Files.
We'll need to edit our main configuration file so things run smoothly on boot. I recommend you change a few of these, or things will be broken. We'll need to set the default router to an external IP; this is usually your uplink.
# pico -w /etc/rc.conf
hostname="Insert_your_box_name_here"
gateway_enable="YES"
# the upstream router from the diagram in 2.0; it must be on xl0's subnet
defaultrouter="200.200.200.1"
network_interfaces="xl0 xl1 xl2 lo0"
ifconfig_xl0="inet 200.200.200.2 netmask 255.255.255.0"
ifconfig_xl1="inet 192.168.0.1 netmask 255.255.0.0"
ifconfig_xl2="inet 200.200.200.240 netmask 255.255.255.0"
3.1 - Enable ipf @ Startup.
# pico -w /usr/local/etc/rc.d/ipf.sh
(Insert into file)
#!/bin/sh
ipf -f /etc/ipf.rules -E
# chmod 751 /usr/local/etc/rc.d/ipf.sh
3.2 - Enable ipnat @ Startup.
# pico /usr/local/etc/rc.d/ipnat.sh
(Insert into file)
#!/bin/sh
ipnat -f /etc/ipnat.rules
# chmod 751 /usr/local/etc/rc.d/ipnat.sh
3.3 - Edit /etc/ipnat.rules
map xl0 192.168.0.0/16 -> 200.200.200.2/32 proxy port ftp ftp/tcp
map xl0 192.168.0.0/16 -> 200.200.200.2/32 portmap tcp/udp 10000:65000
map xl0 192.168.0.0/16 -> 200.200.200.2/32
rdr xl0 200.200.200.2/32 port 22 -> 192.168.0.1 port 22
rdr xl0 200.200.200.2/32 port 80 -> 192.168.0.1 port 80
3.4 - Edit /etc/ipf.rules
Since IPF rules are beyond the scope of this document, I will use a very simple 6 line rule set to demonstrate the functionality of the firewall. It allows traffic in and out of any of the three NICs.
pass in log on xl0 all
pass out log on xl0 all
pass in log on xl1 all
pass out log on xl1 all
pass in log on xl2 all
pass out log on xl2 all
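The six rules above log every packet but filter nothing, so the box forwards and NATs without actually blocking anything on xl0. The following added example, which is not from the original HOWTO, writes a stateful default-deny /etc/ipf.rules for the network in section 2.0 and audits a rules file for "pass in ... all" rules on the external interface. Interface names and addresses (xl0, xl1, 200.200.200.2, 192.168.0.0/16, the rdr targets 192.168.0.1 ports 22 and 80) are the HOWTO's; the rule set and the audit function are this example's own, and it assumes the same ordering the HOWTO uses in 3.3, where ipnat rdr rewrites the destination before ipf sees an inbound packet and ipnat map rewrites the source after ipf has passed an outbound packet.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: a stateful, default-deny
# /etc/ipf.rules for the network in section 2.0, plus a small audit that
# flags rule sets which pass all inbound traffic on the external interface.
# Interface names and addresses follow the HOWTO; the rule set is this
# example's own.

# write_ipf_rules FILE : write the hardened rule set to FILE
write_ipf_rules() {
    cat > "$1" <<'EOF'
# --- xl0 (external): default deny, log what gets dropped ---
# (ipf uses last-match-wins unless a rule says "quick", so these two
#  only apply when none of the quick rules below matched)
block in log on xl0 all
block out log on xl0 all
# packets arriving from outside with a private or loopback source are spoofed
block in log quick on xl0 from 192.168.0.0/16 to any
block in log quick on xl0 from 127.0.0.0/8 to any
# published services: ipnat rdr (3.3) rewrites the destination before ipf
# sees the packet, so match the internal address, not 200.200.200.2
pass in quick on xl0 proto tcp from any to 192.168.0.1 port = 22 flags S keep state
pass in quick on xl0 proto tcp from any to 192.168.0.1 port = 80 flags S keep state
# outbound: ipnat map (3.3) runs after outbound filtering, so these rules
# still see the private source addresses; keep state so replies get back in
pass out quick on xl0 proto tcp from 192.168.0.0/16 to any flags S keep state
pass out quick on xl0 proto udp from 192.168.0.0/16 to any keep state
pass out quick on xl0 proto icmp from 192.168.0.0/16 to any keep state
pass out quick on xl0 proto tcp from 200.200.200.2 to any flags S keep state
pass out quick on xl0 proto udp from 200.200.200.2 to any keep state
pass out quick on xl0 proto icmp from 200.200.200.2 to any keep state
# --- xl1 (internal): trusted, as in the HOWTO ---
pass in quick on xl1 all
pass out quick on xl1 all
EOF
}

# audit_ipf_rules FILE IFACE : exit 0 if inbound traffic on IFACE is
# default-deny; exit 1 if any "pass in ... on IFACE ... all" rule is present
# or no "block in" rule names IFACE at all
audit_ipf_rules() {
    awk -v ifc="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            on = 0
            for (i = 3; i < NF; i++) if ($i == "on" && $(i + 1) == ifc) on = 1
            if (!on) next
            if ($1 == "pass" && $2 == "in" && $NF == "all") open++
            if ($1 == "block" && $2 == "in") deny++
        }
        END {
            if (open > 0) { print "FAIL: " open " rule(s) pass all inbound traffic on " ifc; exit 1 }
            if (deny == 0) { print "FAIL: no block in rule on " ifc; exit 1 }
            print "OK: inbound traffic on " ifc " is default-deny"
        }' "$1"
}
```

Usage: `write_ipf_rules /tmp/ipf.rules.new && audit_ipf_rules /tmp/ipf.rules.new xl0`, then load with `ipf -Fa -f /tmp/ipf.rules.new` once you are happy with it. Running `audit_ipf_rules /etc/ipf.rules xl0` against the six-line set from 3.4 reports FAIL, which is the point: the audit distinguishes a firewall that logs from one that filters. xl2 is left out of the rule set on purpose, since the DMZ is bridged and its policy depends on what you put there.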
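Because every rule in 3.4 carries "log", the ipmon(8) log is where all the traffic through the gateway shows up, and reading it by hand gets old quickly. The following added example, not part of the original HOWTO, summarises ipmon-style log lines with sh and awk: it counts passed and blocked packets and lists the destination ports arriving on a given interface. The sample lines are constructed to follow ipmon's field layout (interface, @group:rule, action p/b, src,port -> dst,port, PR proto, ..., IN/OUT); they are not from a real system, and the parser locates the "@group:rule" token rather than counting fields from the left so that lines with a syslog prefix (ipmon -s) parse the same way.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: summarise ipmon(8) log lines.
# SAMPLE_LOG is constructed to follow ipmon's field layout; it is not real data.

SAMPLE_LOG='13/03/2000 12:32:09.450000 xl0 @0:1 p 10.1.1.5,45111 -> 192.168.0.1,22 PR tcp len 20 40 -S IN
13/03/2000 12:32:10.100000 xl0 @0:1 p 10.1.1.5,45112 -> 192.168.0.1,22 PR tcp len 20 40 -S IN
13/03/2000 12:32:11.000000 xl0 @0:1 p 10.1.1.7,2001 -> 192.168.0.1,80 PR tcp len 20 40 -S IN
13/03/2000 12:32:12.000000 xl1 @0:3 p 192.168.0.10,1025 -> 200.200.200.1,80 PR tcp len 20 40 -S IN
13/03/2000 12:32:13.000000 xl0 @0:1 p 10.1.1.9,1234 -> 200.200.200.2,137 PR udp len 20 60 IN
13/03/2000 12:32:14.000000 xl0 @0:5 b 10.1.1.9,1235 -> 200.200.200.2,139 PR tcp len 20 40 -S IN'

# ipmon_fields : normalise each line on stdin to "iface action src dst dir",
# anchoring on the "@group:rule" token so a syslog prefix does not matter
ipmon_fields() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
        if (i > NF) next
        print $(i - 1), $(i + 1), $(i + 2), $(i + 4), $NF
    }'
}

# count_action ACTION [IFACE] : number of lines whose action is ACTION
# (p = passed, b = blocked), optionally restricted to IFACE
count_action() {
    ipmon_fields | awk -v a="$1" -v ifc="${2:-}" '
        $2 == a && (ifc == "" || $1 == ifc) { n++ }
        END { print n + 0 }'
}

# inbound_dports IFACE : destination ports seen inbound on IFACE with hit
# counts, busiest first (ties broken by port number)
inbound_dports() {
    ipmon_fields | awk -v ifc="$1" '
        $1 == ifc && $5 == "IN" { split($4, d, ","); n[d[2]]++ }
        END { for (p in n) print p, n[p] }' | sort -k2,2nr -k1,1n
}

# stand-alone run: summarise the constructed sample
printf 'blocked packets: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_action b)"
printf 'inbound ports on xl0 (port count):\n'
printf '%s\n' "$SAMPLE_LOG" | inbound_dports xl0
```

On the gateway itself, feed the real log instead of the sample, e.g. `ipmon -F; ipmon -s` writing to syslog and then `grep ipmon /var/log/messages | inbound_dports xl0`. A destination port that you never published with an rdr rule in 3.3 showing up in that list is worth a look.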
Flattie