Subject: Guide to Building an OpenBSD PPPoE Gateway
Date: Fri, 16 Mar 2001 02:20:24 -0500
Content-Location: http://real.ath.cx/BSDinstall.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Guide to Building an OpenBSD PPPoE Gateway</TITLE>
<META http-equiv=CONTENT-TYPE content="text/html; charset=iso-8859-1">
<META content="Guide for building a PPP and PPPoE gateway using OpenBSD." name=description>
<META content="openbsd gateway, openbsd firewall, pppoe gateway, pppoe firewall, openbsd pppoe gateway, sympatico pppoe, sympatico hse, sympatico openbsd" name=keywords>
<STYLE>H1 {
	COLOR: #ffffff
}
TD P {
	COLOR: #000000; TEXT-ALIGN: left
}
P {
	COLOR: #000000; TEXT-ALIGN: left
}
A:link {
	COLOR: #0000ef
}
A:visited {
	COLOR: #51188e
}
</STYLE>

<META content="MSHTML 5.50.4611.1300" name=GENERATOR></HEAD>
<BODY text=#000000 vLink=#51188e aLink=#ff0000 link=#0000ef bgColor=#f8f8ff><A name=Top></A>
<H2>A Step-by-Step Guide to Building an OpenBSD PPPoE Gateway</H2>
<P>by Real Ouellet (<A href="mailto:hello@real.ath.cx">hello@real.ath.cx</A>)
<P>
<P>
<HR>

<DL><B>Last changes:</B> <BR><BR>
  <DT><FONT size=-1><B><FONT face=monospace>Version 1.10 [2001-03-14]</FONT></B></FONT>
  <DD><FONT size=-1><A href="http://real.ath.cx/BSDinstall.html#c1_10_1">DON'T call "do_ipcheck" from "ppp.linkup".</A></FONT>
  <DD><FONT size=-1><A href="http://real.ath.cx/BSDinstall.html#c1_10_2">"ppp" source code: replaced the convoluted CVS download method with a simple, direct URL.</A></FONT> <BR></DD></DL><BR><A href="http://real.ath.cx/BSDinstall.html#FullChangelog">Full Changelog</A> <BR>
<HR>

<P>
<P>
<H3>Introduction</H3>
<P>Why would one install his own personal gateway to the Internet? Because one can! And also because it simply is the most reliable, safest way to connect machines to a dedicated xDSL modem. Moreover, we can stash a whole bunch of useful features in such a little box. Here is a list: <BR>
<DL>
  <DT>PPPoE Gateway
  <DD>PPPoE is a curious beast forced down our throats by some DSL providers. On one side, it does not really break anything, has low overhead and allows you to change IP addresses very easily &amp; quickly. On the other side, it sucks big time because it <I>does</I> add overhead to the IP packets, is proprietary, non-standard, forces you to change IP addresses unpredictably, and is unsupported in most operating systems. A good PPPoE gateway simply hides PPPoE from the machines on your internal network. It makes life much easier because you don't have to install any special "access manager" software on your windoze boxen. They will just work (provided you set their IP address and MTU correctly). <BR>
  <DT>Firewall
  <DD>A firewall is quite mandatory for any machine directly connected to the Big Bad Internet. We want an industrial-strength stateful inspection firewall and this is what we'll get. <BR>
  <DT>NAT (Network Address Translation)
  <DD>The name seems complex, but it is really quite simple: this allows the gateway machine to act on the internet on behalf of all the machines located on the intranet (your internal home network). Even though you might have two, three or even ten computers on your local network, a NAT equipped gateway will hide them from outside observers. They will only see a single <I>very busy</I> machine, with a single IP address. <BR>
  <DT>DNS (Domain Name Service) cache
  <DD>Having your own DNS server will lower the latency of getting DNS translations for all the machines on your intranet. This will not really decrease the traffic on your DSL modem by a large percentage, but it will improve the quality of the "internet experience" on your local network. <BR>
  <DT>Dynamic DNS tracker
  <DD>Free dynamic DNS services are extremely useful to xDSL customers. They allow you to have your very own domain name, free of charge, which will follow your IP address changes in real time. The catch is that the top-level part of your domain must be one of their supplied choices. They are not <I>that</I> bad, really... Personally, I use <A target=_top href="http://www.dyndns.org/">DYNDNS</A> but any of the multiple free dynamic DNS providers out there will do just fine. Simply make sure they have a client "updater" which can compile and run under OpenBSD. <BR>
  <DT>WEB server
  <DD>Most ISP's only allow a few megabytes of disk for web service. Moreover, they never give you direct access to the web logs. Having your own web server allows you the luxury of using all the disk space you want, plus the added advantage of complete control over the web service (cgi-bin) and its logs. Moreover, OpenBSD comes with a crypto-enabled version of Apache and all the tools you need to create RSA-keyed certificates. <BR>
  <DT>Mail server
  <DD>Have you ever wanted to create a temporary email address just to receive some password? Or simply wanted addresses tailored for specific domains of interest? These are only a few of the many advantages of having your own mail server. <BR>
  <DT>NTP server
  <DD>The Network Time Protocol allows you to synchronize the gateway's clock to one of the numerous atomic time references available on the internet. Moreover, the same program is also used as a local time server, so that all your intranet machines can themselves synchronize their clocks to the gateway's clock. NTP synchronizations are made in tiers, like this, in order to lower the burden on the public time servers. </DD></DL><BR><BR>
<P>This page is for all those of you who are lucky enough to enjoy a dedicated xDSL connection and would like to have a small firewall installation. In my search for the holy grail, I found the answer to most of my wishes in the OpenBSD package. This step-by-step guide is a collection of notes taken while I was installing the thing. They are intended to help my friends do their own setups very quickly and easily, without having to bug me too much ;) &nbsp;They should help you too.
<P>Constructive comments can be sent <A href="mailto:hello@real.ath.cx">there</A> ... Have fun and GOOD LUCK!
<P>
<HR>

<HR>

<P>
<H3>Getting some hardware</H3>
<P>The first thing to think about when one embarks on the firewalling adventure is to establish on what hardware you are going to install the thing. This seems unimportant at first, but don't forget that this box will be turned on 24/7, so the components you use must be reliable.
<P>What are the minimum requirements? My system uses about 50% of its CPU to support Sympatico's ADSL rate (around 900 kbps). It is built with the following components:
<OL>
  <LI>An ancient 486 motherboard (with an ISA bus) given to me by a friend (thanks Christian!). It runs at 66 MHz.
  <LI>32 MB of brand new RAM I bought for it.
  <LI>A 200 MB hard disk, which was dying after about 1 year of faithful use (it came with the motherboard). This disk was recently replaced with the cheapest brand new drive I could find. I didn't know they still made those slow 3600 RPM drives ;) Anyway, the old drive is kept as a kind of extreme emergency backup.
  <LI>Two ISA-bus ethernet cards. I'll talk more about this later.
  <LI>A CD-ROM drive. <I>Very</I> optional, but can make life easier.
  <LI>A "home" grade hub &amp; cat5 cabling. This is not strictly necessary if you'll have only one machine connected to your firewall: you can make do with a special <A target=_top href="http://www.stg.brown.edu/~sjd/wiring/CAT5-wiring.html">"crossover" cat5</A> cable instead. The cable that comes with xDSL modems is usually (always?) a crossover cable. Anyway, for two or more machines, the hub is mandatory. Small hubs can be bought for a very reasonable price (~40$ cdn).
  <BR><B>or</B><BR>Alternatively, many older ethernet cards come with a BNC female connector. This can be used to connect the machines on your network with coax cables, without any hub. <I>However</I>, be warned that a 10base-2 network must follow certain rules if you want it to work flawlessly. Follow <A target=_top href="http://www.ccmr.cornell.edu/ccmrcf/howto/10base2_network.html">them</A>.
  </LI></OL>
<P>This gives a good approximation of what you need. The MOST important part is the RAM. Make absolutely sure that whatever RAM you use is reliable. Old boxen were usually set up to run Windoze, and it was not a big deal if the machine had flaky RAM because of the way Windoze works...
<P>OpenBSD (like any real OS out there) is much less tolerant of flaky RAM, because it actually uses all of it. It <B>will</B> crash quite quickly if your RAM is marginal, probably within 5-10 minutes. You have been warned.
<P>Finally, the OpenBSD hardware list is <A target=_top href="http://www.openbsd.org/i386.html">there</A>. Try to make sure that whatever hardware you use in your gateway box figures on that list. It's a long list ;)
<P>
<H4>The ethernet cards</H4>
<P>There is a boring thing we must talk about here. You see, there are many kinds of ethernet cards, and you must make sure you have the right ones for your machine. If you have a PCI-based machine, then all is well. Whatever ethernet card you put in there will probably be supported by OpenBSD. However, you must be a bit more careful if you have an ISA-based machine.
<P>It is most likely that your box will not have any ethernet cards to start with since most people did not have networks at home in the pre-historic era of 4 years ago. You need two cards. One will be connected to the DSL modem (the big, bad outer world), while the other is connected to your internal network hub (your intranet). The gateway's job will be to pass (or block) packets between those two network cards. For security, it's very important that packets from the outside world cannot reach any of the intranet machines directly. This is the reason why we use two ethernet cards: complete logical and <I>electrical</I> isolation. Why so much isolation? For example, if someone (or several someones) were launching a full (distributed or not) denial of service attack on your gateway box, its internet-connected ethernet card would be extremely busy, but your intranet would see nothing of this. While any communication with the outside world would probably fail, at least your intranet machines would still be able to talk to each other.
<P>ISA cards use dedicated I/O ports and IRQ's in your machine. Those must be set up either with jumpers directly on the card, or with a special DOS program if the card is of the more recent "Plug &amp; Play" type. This DOS program is always supplied with the card, when purchased brand new.
<P>If your card is Plug&amp;Play, you must <B>disable</B> the Plug&amp;Play, and program specific I/O port and IRQ values with the setup software that comes with the card. Make sure that you program both cards with different sets of I/O ports and IRQs! Otherwise they will battle each other for cycles on the bus and the result will not be pretty. Once you have set the parameters on the card it will remember them and you don't have to reprogram anything later on, even if the computer is turned off.
<P>It is good at this point to know a few magic numbers:
<TABLE cellSpacing=30>
  <TBODY>
  <TR>
    <TH>Card Type</TH>
    <TH>I/O #1</TH>
    <TH>IRQ #1</TH>
    <TH>Mem #1</TH>
    <TH>I/O #2</TH>
    <TH>IRQ #2</TH>
    <TH>Mem #2</TH></TR>
  <TR>
    <TD>NE2000 (ne)</TD>
    <TD>0x240 </TD>
    <TD>9 </TD>
    <TD>-- </TD>
    <TD>0x300 </TD>
    <TD>10 </TD>
    <TD>-- </TD></TR>
  <TR>
    <TD>SMC WD-8003 (we)</TD>
    <TD>0x280 </TD>
    <TD>9 </TD>
    <TD>0xd0000 </TD>
    <TD>0x300 </TD>
    <TD>10 </TD>
    <TD>0xcc000 </TD></TR></TBODY></TABLE>
<P>For example, I use two cards made by AOpen: the model ALN-101. They are Plug&amp;Play and use the NE2000 chip. The first one is set up at I/O port 0x240, IRQ 9. It is known as "ne0" in the GENERIC OpenBSD kernel. The second one is set at I/O port 0x300, IRQ 10. It is known as "ne1". If the cards were programmed differently, the GENERIC kernel would not recognize them "out of the box" and you would have to re-configure the kernel. It can be done, but it's much easier to set up the hardware once than re-configure the kernel every time it gets upgraded.
<P>One more thing: some cards can be used in the so-called "full-duplex" mode. Be aware that if you want to use an ethernet card in full-duplex, your <B>hub</B> must also be full-duplex, as well as the other ethernet cards in the system. A full-duplex hub is much more expensive and not necessary at all. Unless you know what you are doing, program your ethernet cards to use the <B>half-duplex</B> mode, otherwise they won't play nice with the other components in your local network, including the xDSL modem ;)
<P>
<H4>The hard disk</H4>
<P>The most secure storage medium is one which can't be erased. Some firewalls actually use setups like this (with CD-ROMs) but we'll build our firewall with a classic, writeable hard drive because:
<OL>
  <LI>We don't need "Absolute Security", do we? We can't have it anyway ;)
  <LI>We want to use an "out-of-the-box" OpenBSD distro. This will make security maintenance much easier. </LI></OL>
<P>Almost any hard disk out there will work OK, since 200 MB is a safe minimum size. The only thing you must remember is that this disk will run 24/7, so if you use an <I>old</I> drive, it will likely die relatively soon. The venerable drive my friend gave me lasted 6 months before I had to change it, YMMV.
<P>
<H4>No keyboard?</H4>
<P>Of course you'll need a keyboard... and a monitor too, but just for the installation. After the firewall is successfully installed, you will be able to talk to it through encrypted <I>ssh</I> connections over your internal network, so a keyboard &amp; monitor will not be really useful at that point.
<P>
<HR>

<H3>Getting the software</H3>
<P>We will be using <A target=_top href="http://www.openbsd.org/">OpenBSD</A>. Why? Because it is the most secure freely available operating system out there. It could also be the most secure operating system, but I don't want to go into that... All the source code included in the mainstream distribution CD's has been audited for <I>years</I> by the OpenBSD team, which is why sometimes an exploit published on BugTraq is found not to work on OpenBSD simply because the faulty code was already fixed months ago.
<P>I strongly suggest you buy their CD-ROM kit as it comes with a set of very cool stickers... You can also download their stuff for free, of course, but you won't have the stickers then ;)
<P>This FAQ was initially written with OpenBSD version 2.7, but since then I got and installed release <B>2.8</B> on my system and all is well.
<P>The easiest way to install the software is to use a CD-ROM drive on your firewall box. If you don't have that, you can do a network install with the "ftp" protocol, either directly to an outside OpenBSD <A target=_top href="http://www.openbsd.org/ftp.html#ftp">mirror</A>, or to one of your own internal machines equipped with an ftp server. Be aware that if your DSL provider forces you to use PPPoE (boooo!), then of course your link to the outside world will not be functional yet at installation time, which is one more reason to use the CD-ROM. If your machine can boot a CD-ROM, great! It will gladly boot the OpenBSD disc. Otherwise, simply create a boot diskette according to the README and boot that. This diskette is also your rescue disk, so don't lose it.
<P>
<HR>

<H3>Installing OpenBSD</H3>
<P>The installation of OpenBSD is very easy, once you have the right hardware, and the right answers to some of the questions. In the following steps, I'll assume you can follow the instructions of the install program and focus only on the tricky little things you should know to make your life easier.
<P>
<DL>
  <DT>
  <H4>fdisk &amp; disklabel</H4>
  <DD>After you boot the installer, one of the very first things you'll have to do is partition your disk. This is done with the "fdisk" and "disklabel" programs. The installer will ask you if you want to use the entire hard disk for OpenBSD. Answer <B>No</B>, even if it is not entirely true. If you say yes, the whole fdisk step will be bypassed, and you will not be able to change the default cylinder/head/sector configuration in order to boot off the hard disk without resorting to the silly "FDISK /MBR" DOS command which is a stupid solution to a stupid problem.
  <P>The default OpenBSD fdisk partition setup choice is in slot #3... If you want, you can move your OpenBSD partition to slot #0 with no ill effect. No good effect, either. It's just a "feel good" thingie.
  <P>This is more important: &nbsp;to make sure your system boots off the hard disk, you must set the starting CHS (cylinder/head/sector) to C=0, <B>H=0</B>, S=1, because fdisk suggested an incorrect value for H in OpenBSD 2.7, and still does in 2.8 ... If you use "1", as it suggests, your system will not be able to boot from the hard disk.
  <P>After the disk is partitioned with fdisk, you use <FONT face=monospace>disklabel</FONT> to further organize the partition. A label behaves like a traditional partition (as used in Linux, for example), except that you can put as many labels as you want in the single OpenBSD partition. This is useful.
  <P>On my old 2.7 system, the disk labels looked like this:<BR><BR><FONT face=monospace><PRE>  a:  2097648        0    4.2BSD     1024  8192    16   # /               1 GB
  b:   262080  2097648      swap                        # SWAP          128 MB
  c: 20015856        0    unused        0     0         # (whole disk)   10 GB
  d:  2097648  2359728    4.2BSD     1024  8192    16   # /usr            1 GB
  e:  2097648  4457376    4.2BSD     1024  8192    16   # /tmp            1 GB
  f:  2097648  6555024    4.2BSD     1024  8192    16   # /var            1 GB
  g:  4194288  8652672    4.2BSD     1024  8192    16   # /usr/local      2 GB
  h:  7168896 12846960    4.2BSD     1024  8192    16   # /home           3 GB
</PRE></FONT><BR>Now, on my new 2.8 system, they are much simpler and look like this: <BR><BR><FONT face=monospace><PRE>#        size   offset    fstype   [fsize bsize   cpg]
  a: 18874800        0    4.2BSD     1024  8192    16   # (Cyl.    0 - 18724)
  b:  1141056 18874800      swap                        # (Cyl. 18725 - 19856)
  c: 20015856        0    unused        0     0         # (Cyl.    0 - 19856)
</PRE></FONT>
  <P>As you see, the 'c' label is a placeholder for the whole disk, in all cases. Don't delete or otherwise change this, or you'll be in trouble. Or so they say... ;)
  <P>
  <P>The "df" command said this (old system), after the OS is installed, with its complete source trees: <BR><FONT face=monospace><PRE>Filesystem      1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a         1015269    25985   938521     3%    /
/dev/wd0d         1015269   480284   484222    50%    /usr
/dev/wd0e         1015269        1   964505     0%    /tmp
/dev/wd0f         1015269     5141   959365     1%    /var
/dev/wd0g         2030307     8698  1920094     0%    /usr/local
/dev/wd0h         3470505       27  3296953     0%    /home
</PRE></FONT>
  <P>and now says this on my new system:
  <P><FONT face=monospace><PRE>Filesystem                           1K-blocks     Used    Avail Capacity  Mounted on
/dev/wd0a                              9137589   503054  8177656     6%    /
</PRE></FONT>
  <P>
  <P>In this example, the full OpenBSD source tree is installed, which explains why the thing uses up about 500 MB. Without the source tree, you only need about 120 MB in there, but having the source tree allows you to apply security patches as they are published. This is important and I'll talk about it more later.</P>
  <P>
  <P></P>
  <DT>
  <H4>Active FTP</H4>
  <DD>If you do an FTP install to a private FTP server, it might be necessary to use active FTP.
  <P></P>
  <DT>
  <H4>Don't forget SSL!</H4>
  <DD>The cryptographic packages are very important, don't forget to install them as well. In release 2.7, they were installed after the first set of packages, in a second round of ftp downloads. With release 2.8, they are automatically installed, without special efforts.
  <P></P>
  <DT>
  <H4>UTC time zone</H4>
  <DD>Keep your server in the UTC time zone. This way, your firewall logs will be timestamped in UTC time and it will be simpler to have them interpreted by the <FONT face=monospace>abuse@...</FONT> services of ISP's. Also, it is important to make sure the gateway is time-synchronized to one of the numerous public NTP servers out there, because having only an IP address is not enough to pin down internet abusers. In this age of dynamic IP allocations you need <B>both</B> IP address and exact time in order to positively identify the origin of an IP packet. Keep your gateway synchronized.
  <P>Why not GMT instead? Read all about it <A target=_top href="http://www.fai.org/astronautics/time.asp">there</A>.
  <P>How to change the timezone? Simply by making <FONT face=monospace>/etc/localtime</FONT> point to <FONT face=monospace>/usr/share/zoneinfo/UTC</FONT> with a soft link: <BR><BR><FONT face=monospace>ln -s /usr/share/zoneinfo/UTC /etc/localtime</FONT>
  <P></P>
  <DT>
  <H4>First Boot</H4>
  <DD><FONT face=monospace>reboot</FONT> ... did your machine boot correctly? If not, please consult the numerous FAQ's available at <A target=_top href="http://www.openbsd.org/">the OpenBSD site</A>. Are you sure you set <I>H=0</I> in fdisk? By the way, if it doesn't boot from hard disk, you can probably still force it by first booting the install diskette, and entering "<FONT face=monospace>boot wd0a:/bsd</FONT>" at the initial prompt. You have about 5 seconds to make up your mind, when you see this prompt, so act quickly.
  <P>On first boot, you will probably get a message like "ssh-keygen: generating new DSA host key...", followed by an equivalent message for the RSA host key. They might take quite a long time on a 486 (5-10 minutes), so <B>Don't Panic! <FONT size=-1>(tm)</FONT></B>, the machine has not crashed, and the boot process will eventually follow its course, given time. This will happen only on the first boot.
  <P></P>
  <DT>
  <H4>Kernel extra configuration</H4>
  <DD>If, at this point, the kernel sees all your devices (including both ethernet cards), congratulations. If not, you can reconfigure the kernel without having to recompile it by simply using the <FONT face=monospace>config</FONT> utility. Typically, you would copy your current kernel (the "<FONT face=monospace>/bsd</FONT>" file) to an appropriate backup name (e.g. "<FONT face=monospace>/bsd.ORIGINAL</FONT>"), and issue this command: <BR><BR><PRE><FONT face=monospace>config -e -f /bsd</FONT></PRE><BR>and make whatever changes you need. You should know what you're doing in order to use this command without blowing your system up into tiny bits &amp; pieces. Don't forget to save your changes. If this modified kernel doesn't work OK, just boot the "<FONT face=monospace>/bsd.ORIGINAL</FONT>" kernel instead, and you will have another chance.
  <P></P>
  <P></P>
  <DT>
  <H4>Sys control files</H4>
  <DD>The services allowed by OpenBSD are configured by a couple of files in the <FONT face=monospace>/etc</FONT> directory. Actually, this directory contains <I>all</I> the configuration files of OpenBSD, for your convenience, but this is something you'll only appreciate later, when you become an experienced BSD maintainer... We'll come back to that <FONT face=monospace>/etc</FONT> directory quite often.
  <P>For now, just make sure that the following are enabled:
  <DL>
    <DT>In the file <FONT face=monospace>/etc/sysctl.conf</FONT>&nbsp;&nbsp;:
    <FONT face=monospace><PRE>net.inet.ip.forwarding=1
</PRE></FONT></DT></DL><BR>
  <DL>
    <DT>and in <FONT face=monospace>/etc/rc.conf</FONT>&nbsp;&nbsp;: <FONT face=monospace><PRE>sendmail_flags="-bd -q30m"
named_flags=""
httpd_flags="-DSSL"
ipmon_flags=-Ds</PRE></FONT></DT></DL><A name=c1_10_2></A>
  <P></P>
  <DT>
  <H4>PPP &amp; PPPoE</H4>
  <DD>Ahhhh... the Evil Beast. Installing a good, working PPP and PPPoE can be quite a tricky task. In OpenBSD version 2.7, PPPoE was not included, you had to download it. Now, in OpenBSD 2.8, it is included, but I would <B>strongly</B> advise in favor of installing and compiling the latest CVS versions. Most essentially, the updated PPP supports the "mssfixup" instruction which magically allows you to avoid setting MTU's at 1492 or less on all of your intranet's machines. This is very much recommended as it avoids a whole bunch of problems.
  <P>The source files for PPP and PPPoE are <A target=_top href="http://www.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/">there</A>. <!--
 One way which works quite well for me is to get it from one of the CVS servers.  Here is how it's done:

<br>

<ol>
  <li>Login as root  </li>
  <li><font face="monospace">setenv CVSROOT :pserver:anoncvs@cvs.bsdfr.org:/cvs</font>  </li>
  <li><font face="monospace">cvs login</font>  <br><font size="-1">(Here the password is "<font face="monospace">anoncvs</font>")</font></li>
  <li>If you have already installed the OpenBSD source tree, just go to <font face="monospace">/usr/src/usr.sbin/ppp</font> and do "<font face="monospace">cvs -q update -d</font>"
      <br>
      Otherwise, go to <font face="monospace">/usr</font> and do "<font face="monospace">cvs co src/usr.sbin/ppp</font>"  </li>
  <li>Do the same thing for <font face="monospace">pppoe</font>  </li>
  <li>Go into the <font face="monospace">ppp</font> directory and do a "<font face="monospace">make</font>", followed by a "<font face="monospace">make install</font>"  </li>
  <li>Do the same thing for <font face="monospace">pppoe</font> </li>
</ol>

<p>

That's it!  Now you should have brand new versions of our favorite programs.
-->
  <P>The configuration file for ppp is in <FONT face=monospace>/etc/ppp/ppp.conf</FONT>. Mine contains exactly this: <PRE>default:
 set log Phase Chat IPCP CCP tun command
 set redial 15 0
 set reconnect 15 10000

pppoe:
 set device "!/usr/sbin/pppoe -i ne0"
 disable acfcomp protocomp
 deny acfcomp
 set mtu 1488
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 set authname xxxxxxx
 set authkey xxxxxx
 add default HISADDR
 enable dns
 enable mssfixup
</PRE>
  <P>Notice how we specify the real network interface <FONT face=monospace>ne0</FONT> to pppoe (with double quotes), and that I use 1488 for the MTU value. Also, no value is specified for the MRU, the PPP network address translation is not enabled, and the magic "mssfixup" is enabled.
  <P>Also notice that the <FONT face=monospace>authname</FONT> and <FONT face=monospace>authkey</FONT> fields don't contain double-quote characters. You should put in there your own ISP identification and password.
  <P><B>VERY IMPORTANT!</B>
  <P>For some reason, it seems that the routes set up automatically by ppp at linkup time are not quite correctly defined. This does not prevent the machines on your intranet from accessing the Internet through the gateway, however it might cause problems for people accessing a WEB server in your intranet.
  <P>Issuing the command "<FONT face=monospace>netstat -rn</FONT>" should show you something like this: <PRE>Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            64.229.199.1       UGS         3    90847   1500  tun0
64.229.199.1       64.229.199.131     UH          1        0   1500  tun0
127/8              127.0.0.1          UGRS        0        0  32972  lo0
127.0.0.1          127.0.0.1          UH          3     1174  32972  lo0
...
</PRE>
  <P>Notice the spurious route (64.229.199.1) which never gets used, as well as the <B>MTU set to 1500 on the default route</B>! This is definitely not normal, and will cause many weird problems. In order to have a properly set MTU, simply edit the file <FONT face=monospace>/etc/ppp/ppp.linkup</FONT> and put this in there.
  <P><PRE>MYADDR:
 ! sh -c "/sbin/route change default -mtu 1488"

</PRE>
  <P>This will reset the route's MTU to 1488 whenever the ppp link comes up. It has solved a problem I had with some ZoneAlarm users trying to access this web site. Now the problem is fixed. ;)
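  <P>What follows is an added example, not part of the original guide and not code from the ppp program: a small POSIX sh script that cross-checks the <FONT face=monospace>set mtu</FONT> value in <FONT face=monospace>ppp.conf</FONT> against the Mtu column of the default route in <FONT face=monospace>netstat -rn</FONT> output, so the wrong-MTU symptom described above is caught rather than discovered through odd web-server failures. The <FONT face=monospace>ppp.conf</FONT> and <FONT face=monospace>netstat</FONT> texts embedded in it are constructed from the listings on this page, the 1492 ceiling comes from the PPPoE framing overhead the guide mentions, and the MTU-minus-40 MSS figure is ordinary IPv4/TCP header arithmetic rather than a value taken from the guide.</P>

```sh
#!/bin/sh
# Added example, not from the original guide: check that the default route MTU
# really is the PPP link MTU configured in /etc/ppp/ppp.conf.
# No arguments: run against the constructed samples below.  --live: read the
# real /etc/ppp/ppp.conf and 'netstat -rn' on the gateway (needs root).

# Ethernet payload (1500) minus the 6-byte PPPoE header and the 2-byte PPP
# protocol field: the largest MTU a PPPoE link can carry without fragmenting.
PPPOE_MAX_MTU=1492

# Read ppp.conf text on stdin and print the last 'set mtu N' value (0 if none).
ppp_conf_mtu() {
    awk '$1 == "set" && $2 == "mtu" { mtu = $3 } END { print mtu + 0 }'
}

# Read 'netstat -rn' text on stdin and print the Mtu column of the default
# route.  Column order assumed: Destination Gateway Flags Refs Use Mtu Interface
# (the OpenBSD 2.x layout shown in the guide).  Prints nothing without a default.
default_route_mtu() {
    awk '$1 == "default" { print $6; exit }'
}

# TCP MSS that "enable mssfixup" should clamp SYNs to for a given link MTU:
# MTU minus 20 bytes of IPv4 header minus 20 bytes of TCP header.
expected_mss() {
    echo "$(( $1 - 40 ))"
}

# check_link_mtu PPP_CONF_TEXT NETSTAT_TEXT
# Returns 0 when the default route MTU equals the configured MTU and that MTU
# fits in a PPPoE frame; returns 1 and prints a diagnosis otherwise.
check_link_mtu() {
    conf_mtu=$(printf '%s\n' "$1" | ppp_conf_mtu)
    route_mtu=$(printf '%s\n' "$2" | default_route_mtu)

    if [ "$conf_mtu" -eq 0 ]; then
        echo "ppp.conf has no 'set mtu' line"
        return 1
    fi
    if [ "$conf_mtu" -gt "$PPPOE_MAX_MTU" ]; then
        echo "ppp.conf MTU $conf_mtu exceeds the PPPoE maximum of $PPPOE_MAX_MTU"
        return 1
    fi
    if [ -z "$route_mtu" ]; then
        echo "no default route (is the ppp link up?)"
        return 1
    fi
    if [ "$route_mtu" -ne "$conf_mtu" ]; then
        echo "default route MTU is $route_mtu but ppp.conf says $conf_mtu:" \
             "add 'route change default -mtu $conf_mtu' to ppp.linkup"
        return 1
    fi
    echo "OK: default route MTU $route_mtu matches ppp.conf;" \
         "mssfixup will clamp TCP MSS to $(expected_mss "$conf_mtu")"
    return 0
}

# Constructed sample inputs, modelled on the listings in this guide.
SAMPLE_PPP_CONF='pppoe:
 set device "!/usr/sbin/pppoe -i ne0"
 set mtu 1488
 enable mssfixup'

# Default route as ppp left it: MTU 1500, the bad case the guide describes.
SAMPLE_NETSTAT_BAD='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            64.229.199.1       UGS         3    90847   1500  tun0
127/8              127.0.0.1          UGRS        0        0  32972  lo0'

# Same table after ppp.linkup ran "route change default -mtu 1488".
SAMPLE_NETSTAT_GOOD='Routing tables

Internet:
Destination        Gateway            Flags     Refs     Use    Mtu  Interface
default            64.229.199.1       UGS         3    90847   1488  tun0
127/8              127.0.0.1          UGRS        0        0  32972  lo0'

case "${1:-}" in
    --live) check_link_mtu "$(cat /etc/ppp/ppp.conf)" "$(netstat -rn)" ;;
    "")     for sample in "$SAMPLE_NETSTAT_BAD" "$SAMPLE_NETSTAT_GOOD"; do
                if check_link_mtu "$SAMPLE_PPP_CONF" "$sample"; then
                    echo "  -> link MTU is consistent"
                else
                    echo "  -> needs the ppp.linkup fix"
                fi
            done ;;
esac
```

  <P>Run without arguments the script reports the 1500-versus-1488 mismatch for the first sample and OK for the second; with <FONT face=monospace>--live</FONT> it checks the running gateway and exits non-zero when the route MTU disagrees with <FONT face=monospace>ppp.conf</FONT>.</P>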
  <P><B>Note:</B> I consider this PPP/PPPoE setup to be a work in progress. I continually discover new things about it... so, please bear with me and <I>do</I> send me your feedback about your own experience regarding PPP/PPPoE. It really is a pain, but apparently we will be stuck with it for a long long time, so we might as well learn how to tame the thing!
  <P></P>
  <DT>
  <H4>Second Boot</H4>
  <DD><FONT face=monospace>reboot</FONT> ... your machine should boot
  correctly. You won't have internet access yet because the ppp program is not
  activated. If you want to try it out, just issue
  <P><PRE>ppp -ddial pppoe</PRE><BR>
  <P>and ping/telnet away. Be careful, though, because at this point you have
  no firewall rules loaded, so you are <B>very vulnerable</B>: every service
  the machine listens on is reachable from the Internet. Also, make sure your
  xDSL modem is plugged into the correct ethernet card... <BR></P>
  <DT>
  <H4>The afterboot phase</H4>
  <DD>Follow the instructions obtained by issuing the "<FONT =
face=3Dmonospace>man=20
  <A target=3D_top=20
  =
href=3D"http://www.openbsd.org/cgi-bin/man.cgi?query=3Dafterboot&amp;apro=
pos=3D0&amp;sektion=3D8&amp;format=3Dhtml">afterboot</A></FONT>"=20
  command. Actually, quoting FAQ section <A target=3D_top=20
  href=3D"http://www.openbsd.org/faq/faq2.html">2.3</A>, here is a list =
of the=20
  most useful man pages for new users:=20
  <P><PRE>     * afterboot(8) - things to check after the first complete boot
     * boot(8) - system boot strapping procedures
     * passwd.conf(5) - format of the password configuration file
     * adduser_proc(8) - procedure for adding new users
     * adduser(8) - command for adding new users
     * vipw(8) - edit the password file
     * man(1) - display the on-line manual pages
     * sendbug(1) - send a problem report (PR) about OpenBSD to a
       central support site.
     * disklabel(8) - Read and write disk pack label.
     * ifconfig(8) - configure network interface parameters.
     * route(8) - manually manipulate the routing tables.
     * netstat(1) - show network status.
     * reboot, halt(8) - Stopping and restarting the system.
     * shutdown(8) - close down the system at a given time.
     * boot_config(8) - how to change kernel configuration at boot
</PRE><BR>
  <P>One of the first things you should do at this point is to add an
  unprivileged user and make it a member of the wheel group. This is because,
  for security reasons, it is never a good idea to log in directly as root.
  The preferred way to gain root privileges is to log in as a wheel member,
  and then use the "<FONT face=monospace>su -</FONT>" command to become root:
  only members of wheel are allowed to su to root, and every attempt, failed
  or not, is logged.
  <P>OpenBSD will not prevent you from logging in directly as root, but will
  warn you every time against doing it.
  <P>Have fun!=20
  <P></P>
  <DT>
  <H4>Firewall and NAT rule sets</H4>
  <DD>This is a tricky one. Many people earn a good living just by =
knowing how=20
  to write firewall rule sets! Here are my own ipf rules, in all their =
glory. Be=20
  aware that they might be either too restrictive, or not enough, =
depending on=20
  your context. My philosophy about this is to disallow everything by =
default,=20
  and only open whatever is known to be useful.=20
  <P>The original ipf site is <A target=3D_top=20
  href=3D"http://www.ipfilter.org/">there</A>, and an excellent firewall =
HOW-TO is=20
  available <A target=3D_top=20
  href=3D"http://www.obfuscation.org/ipf/ipf-howto.html">there</A>. =
Don't forget=20
  to <A href=3D"mailto:hello@real.ath.cx">send me</A> <I>your</I> tips =
for better=20
  rules... Thanks!=20
  <P>
  <DL>
    <DT><B><FONT face=monospace>/etc/ipnat.rules</FONT></B>
    <DD><PRE># $OpenBSD: ipnat.rules,v 1.2 1999/05/08 16:33:10 jason Exp $
#
# See /usr/share/ipf/nat.1 for examples.
# edit the ipnat= line in /etc/rc.conf to enable Network Address Translation

# Rules are tried in order; the first one that matches is used.
# 1) FTP from the intranet goes through the ftp proxy, which watches the
#    control channel and lets the data connections it announces through
map tun0 192.168.1.0/24 -&gt; tun0/32 proxy port ftp ftp/tcp
# 2) other TCP and UDP gets a rewritten source port ("tun0/32" means
#    whatever address tun0 has right now, so this survives IP changes)
map tun0 192.168.1.0/24 -&gt; tun0/32 portmap tcp/udp auto
# 3) everything else (e.g. ICMP) is translated without port mapping
map tun0 192.168.1.0/24 -&gt; tun0/32

</PRE></DD></DL>
  <P>Note that, for some people, performance was improved by replacing =
the=20
  second line in ipnat.rules by this one: <BR>
  <DL>
    <DD><PRE>map tun0 192.168.1.0/24 -&gt; tun0/32 portmap tcp/udp =
10000:20000
</PRE></DD></DL>
  <P>
  <P>
  <DL>
    <DT><B><FONT face=monospace>/etc/ipf.rules</FONT></B>
    <DD><PRE>#--------------------------------------------------------------------------
# tun0 - external interface
# ne1 - internal interface
#--------------------------------------------------------------------------
# First, nasty packets which we don't want near us at all
# packets which are too short to be real except echo replies on lo0
block in log quick all with short
block in log quick all with opt lsrr
block in log quick all with opt ssrr
block in log quick all with ipopts
block in log quick on tun0 all with frags

block in quick on tun1 all
block out quick on tun1 all

#--------------------------------------------------------------------------
# fuzz any 'nmap' attempt (illegal flag combinations used by stealth scans)
block in log quick on tun0 proto tcp from any to any flags FUP
block in log quick on tun0 proto tcp from any to any flags SF/SFRA
block in log quick on tun0 proto tcp from any to any flags /SFRA
#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# loopback packets left unmolested
pass in  quick on lo0 all
pass out quick on lo0 all
#--------------------------------------------------------------------------


#--------------------------------------------------------------------------
# Group setup:
# 100 incoming tun0
# 150 outgoing tun0
# 200 incoming ne1
# 250 outgoing ne1
#--------------------------------------------------------------------------
block in log body on tun0 all head 100
block out log body on tun0 all head 150
#--------------------------------------------------------------------------
block in log on ne1 all head 200
block out log on ne1 all head 250
#--------------------------------------------------------------------------


#--------------------------------------------------------------------------
# incoming tun0 traffic - group 100
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing: loopback addresses never belong on the wire
block in log quick from 127.0.0.0/8 to any group 100
block in log quick from any to 127.0.0.0/8 group 100
#--------------------------------------------------------------------------
# 2) deny packets which should not be seen on the internet (paranoid)
#    These are the RFC 1918 private ranges. Note that the middle one is a
#    /12 (172.16.0.0 - 172.31.255.255), not a /16.
block in log quick from 10.0.0.0/8 to any group 100
block in log quick from any to 10.0.0.0/8 group 100
block in log quick from 172.16.0.0/12 to any group 100
block in log quick from any to 172.16.0.0/12 group 100
block in log quick from 192.168.0.0/16 to any group 100
block in log quick from any to 192.168.0.0/16 group 100
#--------------------------------------------------------------------------
# 3) Implemented Policy

# Allow WEB
pass in quick proto tcp from any to any port = 80 flags S/SA keep state group 100
pass in quick proto tcp from any to any port = 443 flags S/SA keep state group 100

# allow Mail
pass in quick proto tcp from any to any port = 25 flags S/SA keep state group 100

# allow certain classes of ICMP: echo replies, unreachables (including
# "fragmentation needed", which path MTU discovery depends on) and
# time exceeded (traceroute)
pass in log quick proto icmp all icmp-type 0 group 100
pass in log quick proto icmp all icmp-type 3 group 100
pass in log quick proto icmp all icmp-type 11 group 100
block in log proto icmp all group 100

# if nothing applies, block and return icmp-replies (unreachable and rst)
block return-icmp(net-unr) in log proto udp from any to any group 100
block return-rst in log proto tcp from any to any group 100


#--------------------------------------------------------------------------
# outgoing tun0 traffic - group 150
#--------------------------------------------------------------------------

# ALL !!
#pass out log proto tcp/udp from any to any flags S/SA keep state keep frags group 150

# CVS
pass out quick proto tcp from any to any port = 2401 flags S/SA keep state group 150

# DNS
pass out quick proto tcp/udp from any to any port = 53 keep state group 150

# http-service
pass out quick proto tcp from any to any port = 80 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 443 flags S/SA keep state keep frags group 150

# smtp
pass out quick proto tcp from any to any port = 25 flags S/SA keep state group 150

# identd (that we get)
pass out quick proto tcp from any to any port = 113 flags S/SA keep state group 150

# pop3
pass out quick proto tcp from any to any port = 110 flags S/SA keep state group 150

# ftp
pass out quick proto tcp/udp from any to any port = 21 keep state group 150

# NTP
pass out quick proto udp from any to any port = 123 keep state group 150

# nntp
pass out quick proto tcp from any to any port = 119 flags S/SA keep state keep frags group 150

# XMMS
pass out quick proto tcp from any to any port = 8000 flags S/SA keep state group 150
pass out quick proto tcp from any to any port = 7500 flags S/SA keep state group 150

# Napster
#pass out quick proto tcp from any to any port = 8888 flags S/SA keep state keep frags group 150
#pass out quick proto tcp from any to any port = 8875 flags S/SA keep state keep frags group 150

# IRC chat
pass out quick proto tcp from any to any port = 6667 flags S/SA keep state keep frags group 150

# Pings
pass out quick proto icmp from any to any keep state group 150

# RealAudio
pass out quick proto tcp from any to any port = 7070 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 8080 flags S/SA keep state keep frags group 150
pass out quick proto tcp from any to any port = 554 flags S/SA keep state keep frags group 150

# SHOUTCAST
pass out quick proto tcp from any to any port = 8038 flags S/SA keep state keep frags group 150


#--------------------------------------------------------------------------

#--------------------------------------------------------------------------
# incoming traffic on ne1 - group 200
#--------------------------------------------------------------------------
# 1) prevent localhost spoofing, and refuse packets claiming to come from
#    the gateway's own intranet address
block in log quick from 127.0.0.0/8 to any group 200
#block in log quick from 192.168.0.1/32 to any group 200
block in log quick from 192.168.1.2/32 to any group 200
pass in quick from 192.168.1.0/24 to any group 200
#--------------------------------------------------------------------------
# outgoing traffic on ne1 - group 250
#--------------------------------------------------------------------------
block out log quick from 127.0.0.0/8 to any group 250
block out log quick from any to 127.0.0.0/8 group 250
#block out log quick from any to 192.168.0.1/32 group 250
pass out quick from any to any group 250
#--------------------------------------------------------------------------
</PRE></DD></DL><BR>That's it! Nothing too painful, as you see. Since
  <FONT face=monospace>ipf</FONT> is a stateful inspection firewall, we can
  keep our ingress rules to a strict minimum. Moreover, notice the use of the
  ftp proxy capability of <FONT face=monospace>ipnat</FONT>. It works very
  well.
  <P>One last thing: in order to automagically enable your firewall when the
  link comes up, you can put the following lines in the <FONT
  face=monospace>/etc/ppp/ppp.linkup</FONT> file: <PRE>MYADDR:
 ! sh -c "/sbin/route change default -mtu 1488"
 ! sh -c "/sbin/ipf -Fs -FS -Fa -f  /etc/ipf.rules"
 ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.rules"
</PRE>
  <P>The <FONT face=monospace>-Fs -FS -Fa</FONT> options flush the state table
  and the old rules before the new set is loaded, so every re-connection
  starts from a clean state, and <FONT face=monospace>ipnat -CF</FONT> does
  the same for the NAT rules and the translation table (which must be flushed
  anyway, since its entries refer to the previous address). Keep <FONT
  face=monospace>ipfilter=YES</FONT> and <FONT face=monospace>ipnat=YES</FONT>
  in <FONT face=monospace>/etc/rc.conf</FONT> as well: that loads the same two
  files at boot, before ppp is started from <FONT
  face=monospace>rc.local</FONT>, so the rules are already in place when the
  link first comes up instead of only afterwards.
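  <P>As an added example that is not part of the original guide, the following
  sh script checks a source address against the anti-spoofing prefixes used in
  group 100 and prints the block rules for them. The prefix list is my own
  (the three RFC 1918 ranges plus loopback), as are the function names. The
  point it makes is that the private range beginning at 172.16 is a /12
  (172.16.0.0 to 172.31.255.255): writing it as a /16, an easy slip, would let
  a source such as 172.20.0.1 straight past the anti-spoofing rules.</P>

```shell
#!/bin/sh
# Added example (not from the original guide): a small CIDR matcher that
# shows which source addresses the anti-spoofing rules of group 100 cover,
# and emits the corresponding ipf rules.

# ip2int A.B.C.D -> the address as a 32-bit integer (runs in a subshell so
# the IFS change does not leak out)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr ADDR PREFIX/LEN -> exit 0 if ADDR lies inside the prefix
in_cidr() {
    net=${2%/*}
    len=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Prefixes that must never appear as a source on the external link.
# Assumed list: loopback plus the RFC 1918 ranges, with 172.16 as a /12.
BOGON_PREFIXES="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# matching_prefix ADDR -> prints the first bogon prefix covering ADDR,
# exit 1 if none does (i.e. the address would reach the policy rules)
matching_prefix() {
    for p in $BOGON_PREFIXES; do
        if in_cidr "$1" "$p"; then
            echo "$p"
            return 0
        fi
    done
    return 1
}

# ipf_spoof_rules -> the group-100 block rules for the list above, in the
# same form as the rules in /etc/ipf.rules
ipf_spoof_rules() {
    for p in $BOGON_PREFIXES; do
        echo "block in log quick from $p to any group 100"
        echo "block in log quick from any to $p group 100"
    done
}

# Demonstration: 172.20.0.1 is caught by the /12 but would not be by a /16
for a in 172.20.0.1 192.168.1.7 64.229.199.1; do
    if p=$(matching_prefix "$a"); then
        echo "$a: blocked by $p"
    else
        echo "$a: not in the bogon list"
    fi
done
if in_cidr 172.20.0.1 172.16.0.0/16; then
    echo "172.20.0.1 is inside 172.16.0.0/16"
else
    echo "172.20.0.1 is NOT inside 172.16.0.0/16 (a /16 would let it through)"
fi
echo "Rules for group 100:"
ipf_spoof_rules
```

  <P>The rule emitter is deliberately the same shape as the hand-written
  block in <FONT face=monospace>/etc/ipf.rules</FONT>; generating both
  directions from one list is the easiest way to keep the two halves of each
  pair from drifting apart when you add a prefix.</P>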
  <P><A name=3Dc1_09_3></A></P>
  <DT>
  <H4>Adding stuff to <FONT face=3Dmonospace>/etc/rc.local</FONT></H4>
  <DD>This is where our custom startup instructions go. Those things are
  started while the kernel is in secure level 1. If you need anything started
  in a lower security level, modify <FONT
  face=monospace>/etc/rc.securelevel</FONT> instead. In order to start up
  PPPoE correctly, I added this at the end of my <FONT
  face=monospace>/etc/rc.local</FONT> &nbsp;&nbsp;:
  <P><PRE>ifconfig ne0 up
ppp -ddial pppoe
</PRE>
  <P>
  <P>The first line brings up the ethernet card the modem is plugged into
  without giving it an IP address: it only carries PPPoE frames, and the IP
  address lives on tun0. The second line starts PPP, PPPoE, the firewall and
  the NAT translator (because the firewall and the NAT are started
  automatically in the <FONT face=monospace>ppp.linkup</FONT> file). If you're
  curious, you can reboot at this point, and confirm that you have a fully
  firewalled internet access:
  <P><PRE>pcreal# ifconfig -a
lo0: flags=8009&lt;UP,LOOPBACK,MULTICAST&gt; mtu 32972
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008&lt;LOOPBACK,MULTICAST&gt; mtu 32972
ne0: flags=8863&lt;UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
        media: Ethernet autoselect (10baseT)
        inet6 fe80::260:67ff:fe25:5c86%ne0 prefixlen 64 scopeid 0x1
ne1: flags=8863&lt;UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST&gt; mtu 1500
        media: Ethernet autoselect (10baseT)
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::260:67ff:fe25:283a%ne1 prefixlen 64 scopeid 0x2
sl0: flags=c010&lt;POINTOPOINT,LINK2,MULTICAST&gt; mtu 296
sl1: flags=c010&lt;POINTOPOINT,LINK2,MULTICAST&gt; mtu 296
ppp0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500
ppp1: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1500
tun0: flags=11&lt;UP,POINTOPOINT&gt; mtu 1488
        inet 64.229.199.131 --&gt; 64.229.199.1 netmask 0xff000000
tun1: flags=10&lt;POINTOPOINT&gt; mtu 1500
enc0: flags=0&lt;&gt; mtu 1536
enc1: flags=0&lt;&gt; mtu 1536
enc2: flags=0&lt;&gt; mtu 1536
enc3: flags=0&lt;&gt; mtu 1536
bridge0: flags=0&lt;&gt; mtu 1500
bridge1: flags=0&lt;&gt; mtu 1500
gre0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1450
gif0: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1280
gif1: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1280
gif2: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1280
gif3: flags=8010&lt;POINTOPOINT,MULTICAST&gt; mtu 1280


pcreal# ipfstat -hi
0 block in log quick from any to any with short
0 block in log quick from any to any with opt lsrr
0 block in log quick from any to any with opt ssrr
0 block in log quick from any to any with ipopt
0 block in log quick on tun0 from any to any with frag
0 block in quick on tun1 from any to any
0 block in log quick on tun0 proto tcp from any to any flags FPU/FSRPAU
0 block in log quick on tun0 proto tcp from any to any flags FS/FSRA
0 block in log quick on tun0 proto tcp from any to any flags /FSRA
1 pass in quick on lo0 from any to any
1 block in log body on tun0 from any to any head 100
0 block in log quick from 127.0.0.1/32 to 192.168.1.0/24 group 100
0 block in log quick from any to 127.0.0.0/8 group 100
0 block in log quick from 10.0.0.0/8 to any group 100
0 block in log quick from any to 10.0.0.0/8 group 100
0 block in log quick from 172.16.0.0/16 to any group 100
0 block in log quick from any to 172.16.0.0/16 group 100
0 block in log quick from 192.168.0.0/16 to any group 100
0 block in log quick from any to 192.168.0.0/16 group 100
0 pass in quick proto tcp from any to any port =3D 80 flags S/SA keep =
state group 100
0 pass in quick proto tcp from any to any port =3D 443 flags S/SA keep =
state group 100
1 pass in quick proto tcp from any to any port =3D 25 flags S/SA keep =
state group 100
0 pass in log quick proto icmp from any to any icmp-type echorep group =
100
0 pass in log quick proto icmp from any to any icmp-type unreach group =
100
0 pass in log quick proto icmp from any to any icmp-type timex group 100
0 block in log proto icmp from any to any group 100
0 block return-icmp in log proto udp from any to any group 100
0 block return-rst in log proto tcp from any to any group 100
307 block in log on ne1 from any to any head 200
0 block in log quick from 127.0.0.0/8 to any group 200
0 block in log quick from 192.168.1.2/32 to any group 200
443 pass in quick from 192.168.1.0/24 to any group 200


pcreal# ipfstat -ho
0 block out quick on tun1 from any to any
1 pass out quick on lo0 from any to any
26 block out log body on tun0 from any to any head 150
0 pass out quick proto tcp from any to any port =3D 2401 flags S/SA keep =
state group 150
17 pass out quick proto tcp/udp from any to any port =3D domain keep =
state group 150
3 pass out quick proto tcp from any to any port =3D 80 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 443 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 25 flags S/SA keep =
state group 150
1 pass out quick proto tcp from any to any port =3D 113 flags S/SA keep =
state group 150
0 pass out quick proto tcp from any to any port =3D 110 flags S/SA keep =
state group 150
0 pass out quick proto tcp/udp from any to any port =3D 21 keep state =
group 150
0 pass out quick proto udp from any to any port =3D 123 keep state group =
150
0 pass out quick proto tcp from any to any port =3D 119 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 8000 flags S/SA keep =
state group 150
0 pass out quick proto tcp from any to any port =3D 7500 flags S/SA keep =
state group 150
0 pass out quick proto tcp from any to any port =3D 6667 flags S/SA keep =
state keep frags group 150
0 pass out quick proto icmp from any to any keep state group 150
0 pass out quick proto tcp from any to any port =3D 7070 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 8080 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 554 flags S/SA keep =
state keep frags group 150
0 pass out quick proto tcp from any to any port =3D 8038 flags S/SA keep =
state keep frags group 150
457 block out log on ne1 from any to any head 250
0 block out log quick from 127.0.0.0/8 to any group 250
0 block out log quick from any to 127.0.0.0/8 group 250
557 pass out quick from any to any group 250
</PRE>
  <P></P>
  <DT>
  <H4>The NTP daemon</H4>
  <DD>In version 2.7 of OpenBSD, the ntpd daemon is not included. However, you
  can <A target=_top
  href="http://www.openbsd.org/2.7_packages/i386.html">download</A> it as a
  package, and install it with the <FONT face=monospace><A
  href="http://www.openbsd.org/cgi-bin/man.cgi?query=pkg_add&amp;apropos=0&amp;sektion=0&amp;manpath=OpenBSD+Current&amp;arch=i386&amp;format=html">pkg_add</A></FONT>
  command. Since you have internet connectivity by now, you can download &amp;
  install it in a single command:
  <P><PRE>pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/i386/xntp3-5.93e-export.tgz</PRE>
  <P>
  <P>Once the package is installed, in order to make it work correctly, you
  must change the ntpd line in <FONT face=monospace>/etc/rc.securelevel</FONT>
  so that it starts the package's xntpd binary, and add "<FONT
  face=monospace>-A</FONT>" to it:
  <P><PRE>rc.securelevel:       echo -n ' ntpd';       /usr/local/sbin/xntpd -A </PRE>
  <P>
  <P>Moreover, you will need a valid <FONT face=monospace>/etc/ntp.conf</FONT>
  file:
  <P><PRE>pcreal# cat /etc/ntp.conf
server 128.100.102.201
driftfile /etc/ntp.drift
</PRE>
  <P>
  <P>Feel free to use any other atomic time server if you want. Also, the
  drift file will be created &amp; maintained automagically. Note that nothing
  in this ntp.conf restricts who may talk to the daemon: the ipf rules above
  only let replies to your own queries back in through tun0, so the Internet
  cannot reach xntpd, but every host on the intranet can. <BR></P>
  <DT>
  <H4>The Dynamic DNS</H4>
  <DD>Dynamic DNS is a wonderful thing. Basically, you just go to a dyndns
  provider like <A target=_top href="http://www.dyndns.org/">those nice
  people</A> and 10 minutes later you have your very own domain, for free. In
  order to make that domain dynamically follow your IP address changes, you
  must use a special client program which must be called whenever your IP
  changes.
  <P>Until recently I liked <A target=_top
  href="http://www.ddup.org/">ddup</A>, but now I use <A target=_top
  href="http://ipcheck.sourceforge.net/">ipcheck</A>. The latter is truly
  compliant with all of dyndns's client specification, and maintains its state
  automatically in system files. You will have to install the <A target=_top
  href="http://www.openbsd.org/2.8_packages/">python package</A> if you use
  "ipcheck". Also, you'll need your user ID and password from the dyndns
  provider.
  <P>One more piece of advice: it is perfectly acceptable to have more than
  one domain pointing at the same IP address. Remember this when choosing one
  or more domain names...
  <P></P>
  <DT>
  <H4>Keeping your xDSL link <I>alive</I> 24/7</H4>
  <DD>xDSL connections are very reliable, but ISP's are not ;) &nbsp;&nbsp;
  For many unfathomable reasons, you will sometimes lose your connection.
  There are many methods of re-establishing that connection automatically,
  and I'll describe two of them here.
  <P><A name=3Dc1_09_1></A><A name=3Dc1_10_1></A><A name=3Dc1_09_2></A>
  <H4>Method 1 <FONT size=-1>(The one I use, now)</FONT></H4>
  <P>Make sure you start ppp with the "-ddial" option, and NOT with
  "-background"...
  <P>This is the simpler method. The automatic restart of the ppp link is
  handled by ppp itself (that is what "-ddial" does), which is quite handy.
  This leaves us with the dyndns updates, which are performed intelligently by
  <FONT face=monospace>ipcheck.py</FONT>. An easy way of doing it is to create
  an executable file named "do_ipcheck" which contains this: <PRE>#!/bin/sh
/usr/local/sbin/ipcheck.py -q -d /etc/ipcheck -i tun0 -w Username Password DomainName1,DomainName2
</PRE>
  <P>with your own Username, Password and Domain names, of course. Two
  cautions: the password sits in this file in clear text, and while the script
  runs it also appears in the output of <FONT face=monospace>ps</FONT>, where
  any local user can read the command line. Keep the file owned by root with
  mode 700, and don't reuse that password anywhere else. Then, all you have to
  do is to add the following line to root's crontab: <PRE>*/5     *       *       *       *       /usr/local/sbin/do_ipcheck
</PRE>
  <P>Also, don't forget to create the directory <FONT
  face=monospace>/etc/ipcheck</FONT> and make sure your <FONT
  face=monospace>/etc/ppp/ppp.linkup</FONT> file looks like this: <PRE>MYADDR:
 ! sh -c "/sbin/route change default -mtu 1488"
 ! sh -c "/sbin/ipf -Fs -FS -Fa -f  /etc/ipf.rules"
 ! sh -c "/sbin/ipnat -CF -f /etc/ipnat.rules"
</PRE>
  <P>DON'T call "do_ipcheck" from "ppp.linkup"... For some reason, the python
  script interferes with the ppp link establishment in a rather nasty way.
  Just rely on the cron job firing within 5 minutes instead and all should be
  OK.
  <P>This setup should guarantee the proper restart of the firewall &amp;
  ipnat each time the ppp link is brought up again.
  <P>
  <H4>Method 2 <FONT size=-1>(<B>Deprecated</B>, I'm not doing this anymore
  even if it worked reliably)</FONT></H4>
  <P>This is the "complicated method"... If you use this method, do NOT start
  ppp with "-ddial". Instead, use "-background", so that ppp exits when the
  link drops and the watchdog script below can restart it.
  <P>The trick here is to have a couple of scripts working in the background
  which will try to re-establish your link automatically. I use two scripts
  for this. One monitors the DSL link proper: <FONT
  face=monospace>/usr/local/sbin/test_hse</FONT> &nbsp; while the other is
  used to monitor &amp; maintain the dynamic DNS: <FONT
  face=monospace>/usr/local/sbin/test_ddns</FONT>&nbsp;&nbsp;. Both must be
  included in the root crontab file by issuing the command "<FONT
  face=monospace>crontab -e</FONT>" and adding these two lines:
  <BR><BR><PRE>*/1     *       *       *       *       /usr/local/sbin/test_hse
*/5     *       *       *       *       /usr/local/sbin/test_ddns
</PRE><BR>
  <P>Here are my scripts. Consider them still experimental because they are
  not quite perfect yet. Yes... I know I am no shell guru. If <I>you</I>
  happen to be one, I'll be pleased to use your scripts and put them up here.
  Oh, and don't forget to change them with domain names &amp; parameters that
  apply to your own setup! <BR><BR>
  <DL>
    <DT><B><FONT face=3Dmonospace>/usr/local/sbin/test_hse</FONT></B>=20
    <DD><PRE>#!/bin/sh
# Watchdog for the PPPoE link: if name resolution fails, assume the link is
# down, restart ppp, and reload the firewall and NAT for the new address.

# Change IFACE to your network interface name
IFACE="tun0"

# Address currently assigned to the PPP interface (empty if the link is down)
IFCHECK=$(/sbin/ifconfig $IFACE 2&gt;/dev/null | awk '/inet / { print $2; exit }')

# Use the exit status of host(1) to detect failure: its output is never
# empty (it prints an error message), so grepping the output for any
# character, as the first version of this script did, never detected a loss.
if ! host www.sympatico.ca &gt;/dev/null 2&gt;&amp;1; then
        echo "We seem to have lost HSE connectivity (last IP: ${IFCHECK:-none})..."
        /usr/bin/logger "test_hse: *** Detected loss of HSE, trying to restart PPPoE"
        # kill any ppp still hanging around, then start a fresh one
        ps ax | grep "[p]pp -" | awk '{system("kill " $1)}'
        sleep 30
        # -background returns once the link is up (or gives up), so the
        # address can be read right after it
        /usr/sbin/ppp -background pppoe
        IFCHECK=$(/sbin/ifconfig $IFACE 2&gt;/dev/null | awk '/inet / { print $2; exit }')
        if [ "x$IFCHECK" = "x" ]; then
            echo "Timeout on ppp, aborting without an IP"
        else
            sleep 1
            # reload the rules and flush state and NAT entries that refer
            # to the old address
            /sbin/ipf -FS -Fa -f /etc/ipf.rules
            /usr/bin/logger "test_hse: Firewall restarted with new IP: $IFCHECK"
            echo "Before ipnat:"
            /sbin/ipnat -l
            echo "After new ipnat:"
            /sbin/ipnat -CF -f /etc/ipnat.rules
            /sbin/ifconfig -a
            /sbin/ipnat -l
        fi
fi
</PRE><BR><BR>
    <DT><B><FONT face=3Dmonospace>/usr/local/sbin/test_ddns</FONT></B>=20
    <DD><PRE>#!/bin/sh
# Keep the dynamic DNS record in step with the address on the PPP interface.
# (The #! line must be the first line of the file, or the script will not run.)

# The host name whose DNS record must follow our address
HOST=real.ath.cx

# Change IFACE to your network interface name
IFACE="tun0"

# Address currently assigned to the PPP interface (empty if the link is down)
IFCHECK=$(/sbin/ifconfig $IFACE 2&gt;/dev/null | awk '/inet / { print $2; exit }')
# Address the DNS currently answers with.  Assumes host(1) prints a line of
# the form "name has address A.B.C.D"; the original "cut -f3" split on tabs
# and therefore returned the whole line, so the comparison below never matched.
DNSCHECK=$(host $HOST 2&gt;/dev/null | awk '/address/ { print $NF; exit }')

# We keep the old IP address somewhere safe...
OLDIP=$(cat /var/log/IFCHECK 2&gt;/dev/null)

if [ "x$IFCHECK" = "x" ]; then
        echo "No IP!"
        /usr/bin/logger "test_ddns: No HSE connection!"
        exit 1
fi

if [ "x$OLDIP" = "x$IFCHECK" ]; then
        # The IP did not change; nothing to do.
        exit 0
fi

if [ "x$IFCHECK" != "x$DNSCHECK" ]; then
        echo "NOT OK! DYNDNS UPDATE from $DNSCHECK to $IFCHECK."
        /usr/bin/logger "test_ddns: Updating dyndns to $IFCHECK"
        /usr/local/sbin/ddup --host pcreal.dyndns.org --wildcard
        /usr/local/sbin/ddup --host real.ath.cx --wildcard
fi

# Remember the current address so the next run can skip the DNS check
echo $IFCHECK &gt; /var/log/IFCHECK
</PRE></DD></DL>
  <P></P>
  <P></P>
  <DT>
  <H4>Apache</H4>
  <DD>Now would be a good time to install your <FONT
  face=monospace>htdocs</FONT> directory. The way I like to do this is to
  mount a read-only NFS file system over the current htdocs. This is easily
  accomplished by adding a line like this to your <FONT
  face=monospace>/etc/fstab</FONT> &nbsp;&nbsp;: <PRE>192.168.1.1:/usr/local/Apache/htdocs /var/www/htdocs nfs ro  </PRE>
  <P>Read-only is the right choice for a document root that faces the
  Internet: a hole in the web server then cannot be used to change the pages.
  Moreover, the web logs are kept in <FONT
  face=monospace>/var/www/logs</FONT>&nbsp;. Interesting stuff. <BR></P>
  <DT>
  <H4>Sendmail</H4>
  <DD>If you have followed all the steps of the recipe so far, your sendmail
  should be configured &amp; ready to receive mail from the internet; however,
  you should know a few more things about this. First, if you want your
  gateway to receive mail for more than one domain, you must list the
  <I>other</I> fully qualified domains in the file <FONT
  face=monospace>/etc/mail/local-host-names</FONT> &nbsp;&nbsp;. Finally, if
  you want sendmail to relay mail from your intranet machines to the outside
  internet you must have this file: <PRE>pcreal# cat /etc/mail/relay-domains
192.168.1
</PRE>
  <P>Notice that it allows relaying for the whole 192.168.1.xxx range of IPs
  and for nothing else; since the ipf rules drop 192.168.0.0/16 sources on
  tun0, nobody on the Internet can spoof their way into that range. You should
  adapt this to your own intranet IP scheme, and never put anything broader
  in it, or you become an open relay. <BR></P>
  <DT>
  <H4>The mail popper</H4>
  <DD>All ingress mail is received &amp; kept on the gateway until some POP
  client on the intranet gets it. I use the <A target=_top
  href="http://www.openbsd.org/2.7_packages/i386/popa3d-0.4.tgz-long.html">popa3d</A>
  server package because it is written with security in mind. You can install
  it very easily on your gateway with this single command: <PRE>pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/i386/popa3d-0.4.tgz
</PRE>
  <P>Don't forget to add this line to the file <FONT
  face=monospace>/etc/inetd.conf</FONT> &nbsp;&nbsp;: <BR><PRE>pop3            stream  tcp     nowait  root    /usr/local/libexec/popa3d popa3d
</PRE>
  <P>POP3 sends user names and passwords in the clear, so it matters that this
  service is reachable from the intranet only: the group 100 rules in <FONT
  face=monospace>/etc/ipf.rules</FONT> pass nothing to port 110 on tun0, and
  you should keep it that way.
  <P></P>
  <DT>
  <H4>The installed packages</H4>
  <DD>Just to do a quick check, here are the packages you should have =
installed=20
  on your system:=20
  <P>On the version 2.7 installation: <BR><PRE>pcreal# pkg_info
ssl-2.7-intl       ssl-2.7-intl, libraries that include the RSA =
algorithm.
xntp3-5.93e-export Network Time Protocol implementation
popa3d-0.4         security first POP3 daemon
</PRE>
  <P>and on the version 2.8 installation: <BR><PRE>pcreal# pkg_info
popa3d-0.4         security first POP3 daemon
xntp3-5.93e        Network Time Protocol implementation
</PRE>
  <P></P>
  <DT>
  <H4>The Secure Shell</H4>
  <DD>The secure shell looks &amp; feels exactly like telnet, except that all
  communication between the client and the server is encrypted. It is the only
  way to log in to your gateway over the network, because the telnet daemon is
  disabled by default; and since the ipf rules pass nothing to port 22 on
  tun0, ssh itself is reachable from the intranet only. Usage is very simple:
  just like telnet!
  <P><PRE>[real@pcreal Projects]$ ssh 192.168.1.2
real@192.168.1.2's password:
Warning: Remote host denied X11 forwarding.
Last login: Sun Nov  5 12:58:08 2000 from 192.168.1.1
OpenBSD 2.7 (GENERIC) #1: Thu Nov  2 16:05:11 GMT 2000

pcreal:real {39}
</PRE><BR>
  <P>Once you are logged in as an unprivileged user, member of the wheel =
group,=20
  you can use <FONT face=3Dmonospace>su</FONT> to gain superuser =
privileges: <PRE>pcreal:real {39} su -
Password:
Terminal type? [nxterm]
pcreal#
</PRE>
  <P></P>
  <DT>
  <H4>The log files</H4>
  <DD>There are many log files of high interest maintained automatically by
  your gateway. It is usually convenient to look at them with the "<FONT
  face=monospace>tail -f</FONT>" command. The files I look at often are:
  <P><PRE>/var/log/messages
/var/log/maillog
/var/log/secure
/var/www/logs/access_log
</PRE><BR>
  <P>Moreover, you can grab interesting info about the blocked packets on your
  firewall with the "<FONT face=monospace>ipmon</FONT>" utility: every rule
  above that says <FONT face=monospace>log</FONT> produces one line per
  matching packet, and the <FONT face=monospace>body</FONT> keyword on the
  two tun0 group heads records the start of the packet as well.
  <P>There are many other log files available for all kinds of things. Dig
  around to find more about them.
  <P></P>
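  <P>As an added example that is not part of the original guide, here is a
  sh script that summarises ipmon output: blocked packets per source, per
  destination service, and the sources that were blocked on several different
  ports, which is what a port scan looks like in this log. The sample lines
  are constructed in the usual ipmon layout (date, time, interface,
  @group:rule, <FONT face=monospace>b</FONT> for blocked or <FONT
  face=monospace>p</FONT> for passed, source,port -&gt; destination,port,
  <FONT face=monospace>PR</FONT> protocol, ...) with made-up addresses; the
  group and rule numbers are assumed and the function names are my own.</P>

```shell
#!/bin/sh
# Added example (not from the original guide): summarise what ipf is blocking
# from the lines ipmon writes.  Field layout assumed (classic ipmon format):
#   $1 date  $2 time  $3 iface  $4 @group:rule  $5 action (b/p)
#   $6 src,sport  $7 "->"  $8 dst,dport  $9 "PR"  $10 proto ...

# Constructed sample; addresses are made up, rule numbers are assumed.
SAMPLE_IPMON='16/03/2001 01:02:03.123456 tun0 @100:14 b 203.0.113.5,4021 -> 64.229.199.131,23 PR tcp len 20 60 -S IN
16/03/2001 01:02:04.223456 tun0 @100:14 b 203.0.113.5,4022 -> 64.229.199.131,22 PR tcp len 20 60 -S IN
16/03/2001 01:02:05.323456 tun0 @100:13 b 198.51.100.9,53 -> 64.229.199.131,1025 PR udp len 20 76 IN
16/03/2001 01:02:06.423456 tun0 @100:14 b 203.0.113.5,4023 -> 64.229.199.131,111 PR tcp len 20 60 -S IN
16/03/2001 01:02:07.523456 tun0 @100:10 p 198.51.100.9 -> 64.229.199.131 PR icmp len 20 84 icmp 0/0 IN
16/03/2001 01:02:08.623456 tun0 @100:14 b 198.51.100.9,2048 -> 64.229.199.131,23 PR tcp len 20 60 -S IN'

# blocked_sources LOG -> "count address", most active source first
blocked_sources() {
    printf '%s\n' "$1" | awk '$5 == "b" { split($6, s, ","); n[s[1]]++ }
        END { for (a in n) print n[a], a }' | sort -rn
}

# blocked_ports LOG -> "count proto/port", most-hit destination service first
blocked_ports() {
    printf '%s\n' "$1" | awk '$5 == "b" { split($8, d, ","); n[$10 "/" d[2]]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

# port_scanners LOG MIN -> "distinct-ports address" for every source that was
# blocked on at least MIN different destination ports
port_scanners() {
    printf '%s\n' "$1" | awk -v min="$2" '
        $5 == "b" { split($6, s, ","); split($8, d, ","); seen[s[1] "," d[2]] = 1 }
        END {
            for (k in seen) { split(k, p, ","); c[p[1]]++ }
            for (a in c) if (c[a] >= min) print c[a], a
        }' | sort -rn
}

# On the gateway, feed it whatever file you have ipmon writing to, e.g.
#   blocked_sources "$(cat /var/log/ipflog)"      (path assumed)
echo "Blocked packets by source:";    blocked_sources "$SAMPLE_IPMON"
echo "Blocked packets by service:";   blocked_ports   "$SAMPLE_IPMON"
echo "Sources blocked on 3+ ports:";  port_scanners   "$SAMPLE_IPMON" 3
```

  <P>Passed packets (<FONT face=monospace>p</FONT>) are ignored on purpose,
  so the logged ICMP the group 100 rules let through does not inflate the
  counts; the last report is the one worth a cron job, since one address
  hitting telnet, ssh and portmap within seconds is a scan, not a mistake.</P>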
  <DT>
  <H4>Apply the security patches!</H4>
  <DD>Security patches are published <A target=_top
  href="http://www.openbsd.org/errata.html">there</A>. APPLY THEM RELIGIOUSLY!
  <P>It is not really difficult, but you will need a copy of the complete,
  original source tree of the distribution. The compressed source archives are
  to be found with the distribution files. These are the <A
  href="ftp://ftp.openbsd.org/pub/OpenBSD/2.8">2.8 source files</A>: <PRE>-r--r--r--   1 service  service  64901523 Nov 27 13:04 src.tar.gz
-r--r--r--   1 service  service  14941534 Nov 27 13:04 srcsys.tar.gz
</PRE>
  <P>They total about 80 MB. Once you have them, simply unpack them to '<FONT
  face=monospace>/usr/src</FONT>' and '<FONT face=monospace>/usr/src/sys</FONT>'.
  The latter is the kernel proper. The source tree must be the one for the
  release you actually run: patches are made against that exact tree and will
  not apply cleanly to another.
  <P>Once you have your source tree, you can start downloading the patches and
  applying them. Usually, all the currently published patches are available in a
  single file. For 2.7, it is <A
  href="ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.7.tar.gz">there</A>; take
  the bundle that matches your release. After that, simply watch the patch page
  from time to time to keep updated. Each patch starts with a comment block that
  says how to apply it (typically "<FONT face=monospace>cd /usr/src; patch -p0
  &lt; NNN_name.patch</FONT>") and what to rebuild afterwards; follow it rather
  than guessing.
  <P>Patches are either applied to an application (in '<FONT
  face=monospace>/usr/src</FONT>'), or to the kernel (in '<FONT
  face=monospace>/usr/src/sys</FONT>'). Since <B>all</B> kernel patches should
  be installed, the thing I do is to apply all the kernel patches in one
  session, then recompile my kernel once.
  <P>The applications you don't use (e.g. 'X11') don't have to be patched and
  recompiled. "Don't use" should mean "not installed or not reachable", though:
  a setuid binary or a daemon that is present on the disk can still be exercised
  by a local user, or by an attacker who has obtained a shell, whether or not you
  ever run it yourself.
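  <P>As an added example that is not from the original page or from OpenBSD,
  here is a small shell tool for the sorting step described above. Given a
  directory of patches in the errata layout (each a unified diff with
  <FONT face=monospace>Index:</FONT> headers), it lists which files each patch
  touches, classifies every patch as kernel (paths under
  <FONT face=monospace>sys/</FONT>) or userland, and says whether a kernel
  rebuild is due, so all the kernel patches can be applied in one session and
  the userland ones judged one by one. The patch bundle it works on is
  constructed for the demonstration (names and contents are made up), and the
  apply helper uses the <FONT face=monospace>-C</FONT> check flag of OpenBSD's
  patch(1).</P>

```sh
#!/bin/sh
# Added example (not from the original page or from OpenBSD): sort a bundle of
# errata-style patches into kernel and userland work. The bundle created here
# is constructed for the demonstration; its names and contents are made up.

BUNDLE=${TMPDIR:-/tmp}/patches.demo.$$
trap 'rm -rf "$BUNDLE"' EXIT
mkdir -p "$BUNDLE"

cat > "$BUNDLE/001_kern.patch" <<'EOF'
Apply by doing:
        cd /usr/src
        patch -p0 < 001_kern.patch
And then rebuild your kernel.

Index: sys/kern/example.c
===================================================================
--- sys/kern/example.c  1 Nov 2000 00:00:00 -0000
+++ sys/kern/example.c  5 Nov 2000 00:00:00 -0000
@@ -1,3 +1,3 @@
-       if (len > sizeof(buf))
+       if (len >= sizeof(buf))
                return (EINVAL);
        bcopy(src, buf, len);
EOF

cat > "$BUNDLE/002_user.patch" <<'EOF'
Apply by doing:
        cd /usr/src
        patch -p0 < 002_user.patch
And then rebuild and install the program.

Index: usr.bin/example/main.c
===================================================================
--- usr.bin/example/main.c      1 Nov 2000 00:00:00 -0000
+++ usr.bin/example/main.c      5 Nov 2000 00:00:00 -0000
@@ -10 +10 @@
-       strcpy(dst, src);
+       strlcpy(dst, src, sizeof(dst));
EOF

# patch_files PATCHFILE: the source paths a patch touches, relative to /usr/src.
patch_files() {
    awk '/^Index: / { print $2 }
         /^\+\+\+ / && $2 != "/dev/null" { print $2 }' "$1" | sort -u
}

# patch_kind PATCHFILE: kernel (only sys/ paths), userland, mixed or empty.
patch_kind() {
    patch_files "$1" | awk '
        /^sys\// { k++ } !/^sys\// { u++ }
        END { if (k && u) print "mixed"; else if (k) print "kernel";
              else if (u) print "userland"; else print "empty" }'
}

# bundle_plan DIR: one "NNN_name.patch kind" line per patch, in apply order
# (the numeric prefix makes the lexical glob order the intended order).
bundle_plan() {
    for p in "$1"/*.patch; do
        printf '%s %s\n' "$(basename "$p")" "$(patch_kind "$p")"
    done
}

# needs_kernel_rebuild DIR: yes if any patch in the bundle touches sys/.
needs_kernel_rebuild() {
    if bundle_plan "$1" | grep -Eq ' (kernel|mixed)$'; then echo yes; else echo no; fi
}

# apply_patch SRCROOT PATCHFILE: dry-run first (-C is OpenBSD patch(1)'s check
# flag), then apply for real; a non-zero status means stop, since a half
# applied bundle is worse than an unpatched one. Not run in this demo.
apply_patch() {
    ( cd "$1" && patch -p0 -C < "$2" >/dev/null && patch -p0 < "$2" )
}

bundle_plan "$BUNDLE"
echo "kernel rebuild needed: $(needs_kernel_rebuild "$BUNDLE")"
```

  <P>On the gateway, unpack the release's patch bundle into a scratch directory,
  run <FONT face=monospace>bundle_plan</FONT> on it, apply the kernel patches
  with <FONT face=monospace>apply_patch /usr/src</FONT> one after the other, and
  rebuild the kernel once only if <FONT face=monospace>needs_kernel_rebuild</FONT>
  says yes.</P>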
  <P>
  <P></P>
  <DT>
  <H4>Reboot and enjoy!</H4>
  <DD>You should be able to ssh into your new gateway from any machine =
on the=20
  intranet. </DD></DL>
<P>
<P>
<P>
<HR>

<HR>

<H2>Stuff that is not essential, but useful to know about</H2>
<P>
<P>
<DL>
  <DT>
  <H4>Using <FONT face=3Dmonospace>"mtree"</FONT> to check on files</H4>
  <DD><FONT size=-1>As suggested by Camiel Dobbelaar &lt;CD@SENTIA.NL&gt; on the
  openbsd list.</FONT>
  <P>The idea here is to create a unique fingerprint of each of your files at a
  point in time. Later on, when you suspect someone might have modified one of
  your files in a malicious way, you re-compute the fingerprints and compare
  with your previously stored set. Two precautions make this worth anything:
  keep the original fingerprint file somewhere the gateway cannot be used to
  alter it (removable media, or another machine), and run the comparison with an
  mtree binary you trust, since an intruder able to replace <FONT
  face=monospace>/bin/ls</FONT> can replace <FONT
  face=monospace>/usr/sbin/mtree</FONT> just as easily.
  <P>The way to create the fingerprints is like this:
  <P><FONT face=monospace>mtree -c -Ksha1digest -p / &gt; fingerprint</FONT>
  <P>Later on, to check your files against the fingerprint file, you simply do:
  <P><FONT face=3Dmonospace>mtree -f fingerprint -p /</FONT>=20
  <P>Of course, many files <B>will</B> be different (e.g. the log files,
  etc...). You will have to use your judgement in how to interpret the results;
  it helps to leave the volatile places (<FONT face=monospace>/var/log</FONT>,
  <FONT face=monospace>/tmp</FONT>, <FONT face=monospace>/dev</FONT>) out of the
  fingerprint so that real changes stand out. One thing is for sure: none of the
  basic operating system binaries and libraries should have changed, unless you
  did it yourself, for instance by rebuilding after a patch; re-create the
  fingerprint file after every patch session.
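  <P>To make the cycle concrete, here is an added example that is not from the
  original page and does not use mtree itself: a portable stand-in built from
  find(1) and a SHA-1 tool, so the baseline-then-compare workflow can be
  exercised on a machine without mtree(8). It records only the content digest
  (mtree also keeps owner, mode, size and times), skips the volatile directories
  through a small exclude pattern, and reports which files were added, removed or
  modified since the baseline was taken. The directory tree, the file names and
  the "intrusion" it detects are all constructed for the demonstration.</P>

```sh
#!/bin/sh
# Added example (not from the original page): a portable stand-in for the
# mtree fingerprint/compare cycle, using find(1) plus a SHA-1 tool. It records
# only the content digest; mtree(8) also keeps owner, mode, size and times.
# The tree, file names and exclude pattern are constructed for the demo.

# digest FILE: print the SHA-1 of FILE, via GNU sha1sum or BSD sha1(1).
digest() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        sha1 -q "$1"
    fi
}

# Paths matching this ERE are volatile (logs, temp files) and are not baselined.
EXCLUDE_RE='/(log|tmp)/'

# baseline ROOT OUTFILE: write "sha1 path" for every regular file under ROOT,
# with paths relative to ROOT, sorted so two runs are directly comparable.
baseline() {
    ( cd "$1" && find . -type f -print ) | grep -Ev "$EXCLUDE_RE" | sort |
    while IFS= read -r f; do
        printf '%s %s\n' "$(cd "$1" && digest "$f")" "$f"
    done > "$2"
}

# verify ROOT BASELINE: re-fingerprint ROOT and print ADDED / MODIFIED /
# REMOVED lines against the stored baseline, sorted; nothing if all is well.
verify() {
    _now=${TMPDIR:-/tmp}/fp.now.$$
    baseline "$1" "$_now"
    awk 'NR == FNR { old[substr($0, length($1) + 2)] = $1; next }
         {
             p = substr($0, length($1) + 2)
             if (!(p in old))       print "ADDED " p
             else if (old[p] != $1) print "MODIFIED " p
             seen[p] = 1
         }
         END { for (p in old) if (!(p in seen)) print "REMOVED " p }' \
        "$2" "$_now" | sort
    rm -f "$_now"
}

# Demonstration on a constructed tree.
ROOT=${TMPDIR:-/tmp}/fp.demo.$$
FP=${TMPDIR:-/tmp}/fp.base.$$        # in real use: keep this off the gateway
trap 'rm -rf "$ROOT" "$FP"' EXIT
mkdir -p "$ROOT/bin" "$ROOT/etc" "$ROOT/var/log"
printf 'fake ls binary\n'                  > "$ROOT/bin/ls"
printf 'Welcome to pcreal\n'               > "$ROOT/etc/motd"
printf 'root:*:0:0::/root:/bin/ksh\n'      > "$ROOT/etc/passwd"
printf 'boot ok\n'                         > "$ROOT/var/log/messages"
baseline "$ROOT" "$FP"

# Later: an intruder trojans ls and drops a new binary, while the log grows
# as it normally does and motd is removed.
printf 'trojaned ls binary\n'  > "$ROOT/bin/ls"
printf 'backdoor\n'            > "$ROOT/bin/evil"
printf 'link up\n'            >> "$ROOT/var/log/messages"
rm "$ROOT/etc/motd"

verify "$ROOT" "$FP"
```

  <P>The report lists the trojaned <FONT face=monospace>bin/ls</FONT>, the new
  <FONT face=monospace>bin/evil</FONT> and the missing
  <FONT face=monospace>etc/motd</FONT>, and says nothing about the log file that
  grew, which is exactly the signal-to-noise you want from the real mtree run.</P>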
  <P></P>
  <DT>
  <H4>Using application proxies to help guard against trojans</H4>
  <DD>If you want to increase the security of your firewall even more, you might
  want to install application proxies: a proxy terminates each connection on the
  gateway itself and relays only protocol-conformant traffic, so the machines on
  the intranet are never directly reachable from outside. This subject is rather
  complicated, but if you want to know more about it, just go <A target=_top
  href="http://www.fwtk.org/">there</A>. Source code included... ;)
  <P></P>
  <DT>
  <H4>Setting up the MTU in Windows</H4>
  <DD><B>This is not needed anymore with the new version of ppp!</B>
  <P>PPPoE adds 8 bytes of its own header to each Ethernet frame, so the link
  carries at most 1492 bytes of IP payload instead of the 1500 a Windows machine
  assumes. In order to use your shiny new PPPoE gateway with Windows machines on
  your intranet, you must therefore specify the maximum MTU in each Windows
  machine. This is very well explained <A target=_top
  href="http://www.sympaticousers.org/faq/sharing-howto.htm">there</A>.
  <P></P>
  <DT>
  <H4>Another "Firewall Building" page</H4>
  <DD>Matthew Patton, a nice guy who works for netsec.net, has put together a
  good presentation on firewall building, available <A target=_top
  href="http://members.theglobe.com/pattonme/">there</A>. You will also find
  there info about how to build a firewall on a floppy. Very cool stuff.

</DD></DL>
<P>
<P>
<HR>

<HR>

<P>
<P>
<P><A name=3DFullChangelog></A>
<HR>

<DL><B>Full Changelog:</B> <BR><BR><BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.10=20
  [2001-03-14]</FONT></B></FONT>=20
  <DD><FONT size=3D-1><A =
href=3D"http://real.ath.cx/BSDinstall.html#c1_10_1">DONT=20
  call "do_ipcheck" from "ppp.linkup".</A>=20
  <DD><FONT size=3D-1><A =
href=3D"http://real.ath.cx/BSDinstall.html#c1_10_2">"ppp"=20
  source code: replaced the convoluted CVS download method with a =
simple, direct=20
  URL.</A> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.09=20
  [2001-03-12]</FONT></B></FONT>=20
  <DD><FONT size=3D-1><A =
href=3D"http://real.ath.cx/BSDinstall.html#c1_09_1">New=20
  method for automatic dyndns updates</A>=20
  <DD><FONT size=3D-1><A =
href=3D"http://real.ath.cx/BSDinstall.html#c1_09_2">Better=20
  usage of the "ppp.linkup" facility</A>=20
  <DD><FONT size=3D-1><A =
href=3D"http://real.ath.cx/BSDinstall.html#c1_09_3">Usage=20
  of "-ddial" instead of "-background" with ppp</A> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.08=20
  [2001-02-22]</FONT></B></FONT>=20
  <DD><FONT size=-1>Added an "ipnat" rule to allow mapping of ICMP requests from
  the intranet <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.07=20
  [2001-02-21]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Updated PPP/PPPoE procedure=20
  <DD><FONT size=3D-1>Improved firewall (ipf) rules (again...) <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.06=20
  [2001-02-04]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Slightly improved firewall (ipf) rules <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.05=20
  [2001-01-31]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Time zone recommendation changed from GMT to UTC =
(thanks=20
  Thierry!) <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.04=20
  [2001-01-24]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Added info about how to specify the physical =
ethernet=20
  interface to <FONT face=3Dmonospace>pppoe</FONT>=20
  <DD><FONT size=3D-1>Added info about how to set the MTU in Windoze =
<BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.03=20
  [2001-01-15]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Added info about how to use "<FONT=20
  face=3Dmonospace>mtree</FONT>" as an alternative to the tripwire =
utility</FONT>=20
  <DD><FONT size=3D-1>Added info about "<FONT=20
  face=3Dmonospace>fwtk.org</FONT>"</FONT> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.02=20
  [2001-01-04]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Modified the "<FONT =
face=3Dmonospace>test_ddns</FONT>"=20
  script</FONT>=20
  <DD><FONT size=3D-1>Minor changes for release 2.8</FONT> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.01=20
  [2000-11-11]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Modified the "<FONT =
face=3Dmonospace>test_hse</FONT>"=20
  script</FONT>=20
  <DD><FONT size=3D-1>Added improvements suggested by outside =
readers</FONT> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Version 1.0=20
  [2000-11-07]</FONT></B></FONT>=20
  <DD><FONT size=3D-1>Modified the "<FONT =
face=3Dmonospace>test_hse</FONT>"=20
  script</FONT> <BR>
  <DT><FONT size=3D-1><B><FONT face=3Dmonospace>Draft =
[2000-11-05]</FONT></B></FONT>=20

  <DD><FONT size=3D-1>Draft</FONT> </DD></DL></FONT><BR>
<P>
<HR>

<DIV align=3Dcenter><A =
href=3D"http://real.ath.cx/BSDinstall.html#Top">Back to=20
TOP</A></DIV>
<HR>

<P>
<P>
<DIV align=3Dcenter>Copyright (c) 2001 &nbsp;&nbsp;&nbsp;Real Ouellet =
</DIV>
</FONT></FONT></FONT></FONT></FONT></FONT></FONT></FONT></FONT></FONT></F=
ONT></FONT></BODY></HTML>
