Defcon-1-Logo

           [Home]    [FBSD Articles]    [Scripts Corner]    [Contribute]    [Search]    [FBSD Links]    [Files]

About Us

FreeBSD Articles
  *Hardware
  *Networking
  *Security
  *Software
  *X Windows


Files / Scripts
Newbies Corner
Tech. Talk
Tips and Tricks


FreeBSD Links

Articles in other
Languages :
  *French Articles
  *Spanish Articles

Want to Help ?
 
   Click Here

Email Users5

Search:
 

 


FreeBSD Search:


 

 

Powered-By-Apache-Logo

Building an Application Level Gateway with IPFILTER (v1.0)

 By Flattie McGee (ZA) © 2000 Globelinks Communications.

ChangeLog:

    v1.0 - Original Release (11.22.00) by Flattie 

 1.0 - Introduction
 1.1 - What will I need to make this work?
 1.2 - Thanks and how to contact me.
 1.3 - Disclaimer & Copyright.
 2.0 - Our Example Network.
 2.1 - Disclaimer & Copyright
  2.2 - Install It.
 2.3 - Edit the orseldate line.
 2.4 - Enable Bridging in Kernel.
 2.5 - Enable Bridging @ Startup
  2.6 - Compile the Kernel.
 3.0 - Edit Necessary Files.
  3.1 - Enable ipf @ Startup
 3.2 - Enable ipnat @ Startup
  3.3 - Edit /etc/ipnat.rules
 3.4 - Edit /etc/ipf.rules

1.0 - Introduction.

 

This How-To documents the steps I took to build an Application Level Gateway (Firewall & NAT) on a FreeBSD 4.1.1-STABLE system. I recommend reading a few RFC's to familiarize yourself with the functions of this setup, as well as some other fun RFC's in the event you ever implement split DNS or decide to use NAT with IPv6.

 

    *  RFC1631 - The IP Network Address Translator 

    *  RFC1918 - Address Allocation for Private Networks 

    *  RFC2647 - Benchmarking Terminology for Firewall Performance 

    *  RFC2663 - IP Network Address Translator (NAT) Terminology and Considerations 

    *  RFC2694 - DNS extensions to Network Address Translator (DNS_ALG) 

    *  RFC2766 - Network Address Translation - Protocol Translation (NAT-PT) 

    *  RFC2795 - The Infinite Monkey Protocol Suite (IMPS) 

 

 1.1 - What will I need to make this work?

 First of all, you will need atleast 2 (two) NIC cards. FreeBSD 4.x, and the latest version of IPFILTER. At the time of writing, version 3.4.14 was the latest.

 1.2 - Thanks and how to contact me.

 If you wish to comment, contribute or suggest something to improve this document, then please email me at flattie@globelinks.com with the subject of 'IPFILTER HOWTO' and I will give you credit if I include it here.

 If you have problems with this HOW-TO or IPFILTER in general, feel free to come to IRC Efnet #freebsdhelp, or check the IPFILTER mailing list archive @ http://www.false.net/

 Special thanks to the Darren Reed, Dan L, Loco-, and a few other people in #freebsdhelp.

 1.3 - Disclaimer & Copyright.

 Yada yada yada, I am not responsible for any action you take in following through with this HOWTO. Use at your own risk.

 This HOWTO is Copyright © 2000 Globelinks Communications - Permission for redistribution is granted under the OpenContent License.

 2.0 - Our Example Network.

  Our FreeBSD box will have 3 NIC cards. I am using three 3Com cards, which are powered by the xl device. Thus, we have xl0 (External), xl1 (Private Network), xl2 (DMZ/External). You can add more NIC cards to further subnet your networks. Or you can remove one of the NICs if you don't want to do anything too complex.

  [INTERNET] (200.200.200.1)

  [xl0] (200.200.200.2)

  [FreeBSD FW/GW]

  [xl1] --> Internal Network (192.168.0.0/16)

  [xl2] --> De-Milertized Zone (DMZ) (200.200.200.240)

  2.1 - Obtain IPFILTER.

  I can, and will only recommend IPFilter for our firewall control and NAT (or NAPT). There are other firewall applications out there, NT Gaurd, Checkpoint Firewall-1, IPFW, and countless others.

 # cd ~/
 # mkdir ~/temp
 # ftp coombs.anu.edu.au (anonymous login)
 # cd /pub/net/ip-filter/
 # ls (search for latest version)
 # get ip_fil3.4.14.tar.gz
 # quit (leave FTP)

  2.2 - Install It.

  Lets uncompress our tarbel, and go into our source directory, where we will do a few steps to install IPFilter.

 # tar -zxvf ip_fil3.4.14.tar.gz
 # cd ip_fil3.4.14/
 # make freebsd4
 # make install-bsd

 The next command will essentially update some system files, and insert the following lines into the kernel config file, thus saving you the hassle of having to do it yourself. I think new versions of IPFILTER.are smart enough to detect the IPFILTER strings to see if they already exist in the kernel config file.

  options IPFILTER
 options IPFILTER_LOG
 # FreeBSD-4.0/kinstall

  2.3 - Edit the orseldate line.

 Note, this is a rather annoying bug that has yet to be fully fixed. You will need to edit the following files (note, I use pico without word wrap, as I gear all my How-To's toward newbies who have yet to grasp vi or other editors)

 # pico -w /usr/src/sys/netinet/ip_compat.h
 # pico -w /usr/src/sys/modules/ipfilter/../../netinet/ip_log.c

 Modify the osreldate.h lines to include the actual path to the program, generally located in /usr/include/. .ie:

 /usr/include/osreldate.h

  2.4 - Enable Bridging in Kernel.

  We'll need to enable bridging in our kernel config file, as it is a very useful feature. Edit the kernel config file, and insert the following line:

  options BRIDGE

  2.5 - Enable Bridging @ Startup.

  # pico -w /usr/local/etc/rc.d/bridge.sh
  echo -c "Enabling bridging: "
 if sysctl -w net.link.ether.bridge=1 > /dev/null 2>&1; then
 echo "activated ."
 else
 echo "failed ."
 fi
 

 2.6 - Compile the Kernel.

  Lets compile our kernel, like we've never compiled it before! POP that cherry!

 # cd /usr/src/sys/i386/conf
 # /usr/sbin/config KERNEL_NAME
 # cd ../../compile/KERNEL_NAME
 # make depend
 # make
 # make install

  3.0 - Edit Necessary Files.

 We'll need to edit our main configuration file so things can run smooth upon boot up. I recommend you change a few of these, or things will be broken. We'll need to add an external IP to the default router, this is usually yer uplink.

 # pico -w /etc/rc.conf

 hostname="Insert_your_box_name_here"
 gateway_enable=YES
 defaultrouter="200.100.100.1"
 network_interfaces="xl0 xl1 xl2 lo0"
 ifconfig_xl0="inet 200.200.200.2 netmask 255.255.255.0"
 ifconfig_xl1="inet 192.168.0.1 netmask 255.255.0.0"
 ifconfig_xl2="inet 200.200.200.240 netmask 255.255.255.0"

 3.1 - Enable ipf @ Startup.

# pico -w /usr/local/etc/rc.d/ipf.sh (Insert into file)
#!/bin/sh
 ipf -f /etc/ipf.rules -E
 # chmod 751 /usr/local/etc/rc.d/ipf.sh

  3.2 - Enable ipnat @ Startup.

 # pico /usr/local/etc/rc.d/ipnat.sh (Insert into file)
 #!/bin/sh
 ipnat -f /etc/ipnat.rules
 # chmod 751 /usr/local/etc/rc.d/ipnat.sh

  3.3 - Edit /etc/ipnat.rules

 map xl0 192.168.0.0/16 -> 200.200.200.2/32 proxy port ftp ftp/tcp
 map xl0 192.168.0.0/16 -> 200.200.200.2/32 portmap tcp/udp 10000:65000
 map xl0 192.168.0.0/16 -> 200.200.200.2/32

 rdr xl0 200.200.200.2/32 port 22 -> 192.168.0.1 port 22
 rdr xl0 200.200.200.2/32 port 80 -> 192.168.0.1 port 80

  3.4 - Edit /etc/ipf.rules

 Since IPF rules are beyond the scope of this document, I will use a very simple 6 line rule to demonstrate the functionality of the firewall. It should allow traffic in and out of any of the three NIC's.

 pass in log on xl0 all

 pass out log on xl0 all

 pass in log on xl1 all

 pass out log on xl1 all

 pass in log on xl2 all

 pass out log on xl2 all

   Flattie

Email Us

ghostrdr@defcon1.org

This site cannot be duplicated without permission

© 1998 - 2010 Defcon1, www.defcon1.org. Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of www.defcon1.org and the content's original author.