|
Lines 39-61
Link Here
|
| 39 |
|
39 |
|
| 40 |
<para>Dialup Firewalling with FreeBSD</para> |
40 |
<para>Dialup Firewalling with FreeBSD</para> |
| 41 |
|
41 |
|
| 42 |
<para>This document aims to cover the process that is required in |
42 |
<para>This document covers the process that is required to setup |
| 43 |
order to setup firewalling with FreeBSD when are dynamically |
43 |
firewalling with FreeBSD when an IP address is assigned dynamically |
| 44 |
assigned an IP address by your ISP. While every effort has been |
44 |
by your ISP. While every effort has been made to make this document |
| 45 |
made to make this document as informative and correct as possible, |
45 |
as informative and correct as possible, you are welcome to mail your |
| 46 |
you are welcome to mail your comments/suggestions to the |
46 |
comments/suggestions to the <email>marcs@draenor.org</email>.</para> |
| 47 |
<email>marcs@draenor.org</email>.</para> |
|
|
| 48 |
</sect1> |
47 |
</sect1> |
| 49 |
|
48 |
|
| 50 |
<sect1 id="kernel"> |
49 |
<sect1 id="kernel"> |
| 51 |
<title>Kernel Options</title> |
50 |
<title>Kernel Options</title> |
| 52 |
|
51 |
|
| 53 |
<para>The first thing you'll need to do is recompile your kernel in |
52 |
<para>The first thing you'll need to do is recompile your kernel. |
| 54 |
FreeBSD. If you need more information on how to recompile the kernel, |
53 |
If you need more information on how to recompile the kernel, |
| 55 |
then the best place to start is the <ulink |
54 |
then the best place to start is the <ulink |
| 56 |
URL="http://www.freebsd.org/handbook/kernelconfig.html">kernel |
55 |
URL="http://www.freebsd.org/handbook/kernelconfig.html">kernel |
| 57 |
configuration section in the Handbook</ulink>. You need to compile the |
56 |
configuration section in the Handbook</ulink>. You need to add the |
| 58 |
following options into the kernel: </para> |
57 |
following options into your kernel config: </para> |
| 59 |
|
58 |
|
| 60 |
<variablelist> |
59 |
<variablelist> |
| 61 |
<varlistentry> |
60 |
<varlistentry> |
|
Lines 80-86
Link Here
|
| 80 |
|
79 |
|
| 81 |
<listitem> |
80 |
<listitem> |
| 82 |
<para>Limits the number of times a matching entry is logged. This |
81 |
<para>Limits the number of times a matching entry is logged. This |
| 83 |
stops your log files filling up with lots of repetitive entries. |
82 |
prevents your log file from filling up with lots of repetitive entries. |
| 84 |
<replaceable>100</replaceable> is a reasonable number to use, but |
83 |
<replaceable>100</replaceable> is a reasonable number to use, but |
| 85 |
you can adjust it based on your requirements.</para> |
84 |
you can adjust it based on your requirements.</para> |
| 86 |
</listitem> |
85 |
</listitem> |
|
Lines 96-102
Link Here
|
| 96 |
</varlistentry> |
95 |
</varlistentry> |
| 97 |
</variablelist> |
96 |
</variablelist> |
| 98 |
|
97 |
|
| 99 |
<para>There are also some other OPTIONAL items that you can compile |
98 |
<para>There are some other OPTIONAL items that you can compile |
| 100 |
into the kernel for some added security. These are not required in |
99 |
into the kernel for some added security. These are not required in |
| 101 |
order to get firewalling to work, but some more paranoid users may |
100 |
order to get firewalling to work, but some more paranoid users may |
| 102 |
want to use them.</para> |
101 |
want to use them.</para> |
|
Lines 115-122
Link Here
|
| 115 |
</varlistentry> |
114 |
</varlistentry> |
| 116 |
</variablelist> |
115 |
</variablelist> |
| 117 |
|
116 |
|
| 118 |
<para>Don't reboot once you have recompiled the kernel. Hopefully, we will |
117 |
<para>Don't reboot once you have recompiled the kernel. Hopefully, |
| 119 |
need to reboot just once in order to complete the installing of the |
118 |
we will only need to reboot once to complete the installation of the |
| 120 |
firewall.</para> |
119 |
firewall.</para> |
| 121 |
</sect1> |
120 |
</sect1> |
| 122 |
|
121 |
|
|
Lines 126-132
Link Here
|
| 126 |
|
125 |
|
| 127 |
<para>We now need to make some changes to |
126 |
<para>We now need to make some changes to |
| 128 |
<filename>/etc/rc.conf</filename> in order to tell it about the |
127 |
<filename>/etc/rc.conf</filename> in order to tell it about the |
| 129 |
firewall. Simply add the following lines:</para> |
128 |
firewall. Simply add the following lines:</para> |
| 130 |
|
129 |
|
| 131 |
<programlisting>firewall_enable="YES" |
130 |
<programlisting>firewall_enable="YES" |
| 132 |
firewall_script="/etc/firewall/fwrules" |
131 |
firewall_script="/etc/firewall/fwrules" |
|
Lines 134-141
Link Here
|
| 134 |
natd_interface="tun0" |
133 |
natd_interface="tun0" |
| 135 |
natd_flags="-dynamic"</programlisting> |
134 |
natd_flags="-dynamic"</programlisting> |
| 136 |
|
135 |
|
| 137 |
<para>For more information on what the above do take a look at |
136 |
<para>For more information on the functions of these statements take |
| 138 |
<filename>/etc/defaults/rc.conf</filename> and read |
137 |
a look at <filename>/etc/defaults/rc.conf</filename> and read |
| 139 |
&man.rc.conf.5;</para> |
138 |
&man.rc.conf.5;</para> |
| 140 |
</sect1> |
139 |
</sect1> |
| 141 |
|
140 |
|
|
Lines 143-153
Link Here
|
| 143 |
<title>Disable PPP's network address translation</title> |
142 |
<title>Disable PPP's network address translation</title> |
| 144 |
|
143 |
|
| 145 |
<para>You may already be using PPP's built in network address |
144 |
<para>You may already be using PPP's built in network address |
| 146 |
translation (NAT). If that is the case you will have to disable it, |
145 |
translation (NAT). If that is the case then you will have to disable |
| 147 |
as these examples use &man.natd.8; to do the same.</para> |
146 |
it, as these examples use &man.natd.8; to do the same.</para> |
| 148 |
|
147 |
|
| 149 |
<para>If you already have a block of entries to |
148 |
<para>If you already have a block of entries to |
| 150 |
automatically start PPP it probably looks like this:</para> |
149 |
automatically start PPP, it probably looks like this:</para> |
| 151 |
|
150 |
|
| 152 |
<programlisting>ppp_enable="YES" |
151 |
<programlisting>ppp_enable="YES" |
| 153 |
ppp_mode="auto" |
152 |
ppp_mode="auto" |
|
Lines 163-188
Link Here
|
| 163 |
<sect1 id="rules"> |
162 |
<sect1 id="rules"> |
| 164 |
<title>The ruleset for the firewall</title> |
163 |
<title>The ruleset for the firewall</title> |
| 165 |
|
164 |
|
| 166 |
<para>We're nearly done now. All that remains now is to define the |
165 |
<para>We're nearly done now. All that remains now is to define the |
| 167 |
firewall rules and then we can reboot and the firewall should be up and |
166 |
firewall rules and then we can reboot and the firewall should be up and |
| 168 |
running. I realize that everyone will want something slightly different |
167 |
running. I realize that everyone will want something slightly different |
| 169 |
when it comes to their rulebase. What I've tried to do is write a |
168 |
when it comes to their rulebase. What I've tried to do is write a |
| 170 |
rulebase that suits most dialup users. You can obviously modify it to |
169 |
rulebase that suits most dialup users. You can obviously modify it to |
| 171 |
your needs by simply using the following rules as the foundation for |
170 |
your needs by using the following rules as the foundation for |
| 172 |
your own rulebase. First, let's start with the basics of closed |
171 |
your own rulebase. First, let's start with the basics of closed |
| 173 |
firewalling. What you want to do is deny everything by default and then |
172 |
firewalling. What you want to do is deny everything by default and then |
| 174 |
only open up for the things you really need. Rules should be in the |
173 |
only open up for the things you really need. Rules should be in the |
| 175 |
order of allow first and then deny. The premise is that you add the |
174 |
order of allow first and then deny. The premise is that you add the |
| 176 |
rules for your allows, and then everything else is denied. :)</para> |
175 |
rules for your allows, and then everything else is denied. :)</para> |
| 177 |
|
176 |
|
| 178 |
<para>Now, let's make the dir /etc/firewall. Change into the directory and |
177 |
<para>Now, let's make the dir /etc/firewall. Change into the directory and |
| 179 |
edit the file <filename>fwrules</filename> as we specified in |
178 |
edit the file <filename>fwrules</filename> as we specified in |
| 180 |
<filename>rc.conf</filename>. Please note that you can change this |
179 |
<filename>rc.conf</filename>. Please note that you can change this |
| 181 |
filename to be anything you wish. This guide just gives an example of a |
180 |
filename to anything you wish. This guide just gives an example of a |
| 182 |
filename. </para> |
181 |
filename. </para> |
| 183 |
|
182 |
|
| 184 |
<para>Now, let's look at a sample firewall file, and we'll detail |
183 |
<para>Now, let's look at a sample firewall file, that is commented nicely. |
| 185 |
everything in it. </para> |
184 |
</para> |
| 186 |
|
185 |
|
| 187 |
<programlisting># Firewall rules |
186 |
<programlisting># Firewall rules |
| 188 |
# Written by Marc Silver (marcs@draenor.org) |
187 |
# Written by Marc Silver (marcs@draenor.org) |