Friday, August 8, 2008

Building Router On FreeBSD With IPFW


1. Install FreeBSD (if you need help installing, consult the FreeBSD Handbook).
2. Compile the kernel with additional options for an ipfw router:

3. Execute at the prompt:
# cd /usr/src/sys/i386/conf
# cp GENERIC ROUTER
# edit ROUTER

4. ---- add in file ROUTER, at the end, the following lines ----
options IPDIVERT
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options DUMMYNET
options HZ=1000
---- end of file ROUTER ----

5. Execute at the prompt:
# config ROUTER
# cd ../compile/ROUTER
# make depend
# make
# make install

6. ---- edit /etc/rc.conf ----
defaultrouter="86.124.80.1"
gateway_enable="YES"
hostname="router"
ifconfig_fxp0="inet 83.123.213.23 netmask 255.255.255.252"
ifconfig_fxp1="inet 10.0.0.1 netmask 255.255.255.0"
sshd_enable="YES"
natd_enable="YES"
natd_flags=""
named_enable="YES"
natd_interface="fxp0"
firewall_enable="YES"
firewall_quiet="NO"
firewall_script="/etc/router.firewall"
firewall_logging="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
---- end of rc.conf ----

7. ---- edit /etc/resolv.conf ----
nameserver ip_of_your_dns
---- end of resolv.conf ----

8. ---- edit /etc/router.firewall ----
fwcmd=/sbin/ipfw
$fwcmd add 00010 divert 8668 ip from any to any via fxp0
$fwcmd add 00020 allow ip from any to any via lo0
$fwcmd add 00030 deny ip from any to 127.0.0.0/8
$fwcmd add 00040 deny ip from 127.0.0.0/8 to any

$fwcmd add 50 allow ip from 10.0.0.2 to any
$fwcmd add 60 allow ip from any to 10.0.0.2

$fwcmd add 70 allow ip from 10.0.0.3 to any
$fwcmd add 80 allow ip from any to 10.0.0.3

$fwcmd add 90 allow ip from 10.0.0.4 to any
$fwcmd add 100 allow ip from any to 10.0.0.4

$fwcmd add 110 allow ip from 10.0.0.5 to any
$fwcmd add 120 allow ip from any to 10.0.0.5

$fwcmd add 35000 allow ip from me to any
$fwcmd add 35001 allow ip from any to me
---- end of router.firewall ----

Comments:
fxp0 is the external interface; you should assign your public IP here.
fxp1 is the internal interface.

fxp0 and fxp1 are Intel network cards; use your own devices here. If you have other types of cards, your NIC device will not be fxp.
To check the names of your devices, type ifconfig or dmesg | more.

The file /etc/router.firewall is the firewall rule file; in this example I've allowed only the IPs 10.0.0.2-10.0.0.5 to use the router.

In the file /etc/resolv.conf you must put your DNS servers, so instead of ip_of_your_dns in the example you should have the IP of your DNS server.

After compiling the kernel, don't forget to reboot.

Setting Dial-up Internet Gateway on FreeBSD

In order to meet the need for NAT (Network Address Translation) and a firewall, FreeBSD provides two different default packet-filtering tools: IPFW for firewalling and NATD for NAT. For further information you can visit http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html ; it may help you better understand IPFW and NATD. However, we are not here to discuss using NATD or IPFW; rather, we are going to discuss using IPFilter to replace IPFW and NATD.

Go to the IPFILTER official site, http://coombs.anu.edu.au/ipfilter/ , download the source, and rebuild the kernel to install IPFILTER. It is recommended to read the README file before installing IPFilter, since different versions exist and each version has its own way of installing. As an example I used IPFilter v3.4.20 and did the following steps:

#tar -xzvf ipfilter-xxx.tar.gz

#cd ipfilter-xxx/

#make freebsd4

#make install-bsd

#FreeBSD-4/kinstall

And now it’s time to rebuild your kernel :

#cd /usr/src/sys/i386/conf/

Edit the kernel configuration file (e.g. GENERIC). It is advisable to make a backup: copy GENERIC to a file called KERNIPF. Open the KERNIPF file with your editor and add this:

options IPFILTER
options IPFILTER_LOG

Change the ident line:

ident KERNIPF

Save the file and exit. Afterwards:

#config KERNIPF

#cd ../../compile/KERNIPF

#make depend

#make

#make install

#reboot

After rebooting, make sure that IPFilter has been installed. To check whether IPFilter is installed,
type #dmesg | grep IP . If the program responds with "IP Filter: v3.4.x initialized. Default = pass all Logging =enabled", your IPFilter has been successfully installed. All we need now is to create the rules for ipf and ipnat. Visit the IPFilter howto at http://www.obfuscation.org/ipf/ for details. Here are some samples:

# ipf.rules sample
block in log all
pass out all
pass in on rl0 all
pass in on lo0 all
block in log quick on tun0 from 0.0.0.0/32 to any
block in log quick on tun0 from 255.255.255.255/32 to any
block in log quick on tun0 from 127.0.0.0/8 to any
block in log quick on tun0 from any to 0.0.0.0/32
block in log quick on tun0 from any to 255.255.255.255/32
block in log quick on tun0 from any to 127.0.0.0/8
block in log quick on tun0 from 192.168.0.0/16 to any
block in log quick on tun0 from 172.16.0.0/12 to any
block in log quick on tun0 from 10.0.0.0/8 to any
pass in quick on tun0 proto icmp all icmp-type 0
pass in quick on tun0 proto icmp all icmp-type 3
pass in quick on tun0 proto icmp all icmp-type 11
pass in quick proto tcp from any to any port = 113
pass in quick proto udp from any to any port = 113
pass out on tun0 proto tcp all keep state
pass in on tun0 proto udp from any port = 53 to any
block in quick on tun0 proto tcp all flags S/SA
block out quick on tun0 proto tcp all flags SA/SA
#END

----------

#ipnat.rules sample
map tun0 192.168.0.0/24 -> 0.0.0.0/32
#end

Note: rl0 = Ethernet interface, tun0 = external interface / PPP tunnel (the interface connected to the Internet), lo0 = loopback.

Put the ipf.rules and ipnat.rules files in /etc/. To make the rules load each time the system reboots, open your rc.local file and put in these commands:

/sbin/ipf -f /etc/ipf.rules
/sbin/ipnat -f /etc/ipnat.rules

Reboot your computer. To check and make sure the rules are loaded, type:

#ipfstat -hio

#ipnat -l

IPFILTER should work well now. To act as a gateway for your clients, we have to enable net.inet.ip.forwarding by putting gateway_enable="YES" in your rc.conf file.

Setting Up Squid on FreeBSD

Introduction

This article will explain how to configure Squid and tweak a FreeBSD box for web caching and conserving bandwidth. Usually, Squid will reduce traffic by 30% or more compared with normal usage (without Squid), and improve response time.

This configuration and setup has been tested, and the Squid FreeBSD boxes are running at several colleges in Sydney, Australia. Each Squid FreeBSD box serves about 100+ nodes.

Requirements

Squid needs a lot of memory. More is better, but 128 MB of memory is good to start with. Squid also needs fast disk storage. Use SCSI drives if you can, though IDE drives will do the job. Also have a FreeBSD 4.5 box set up and running! You will need to recompile the kernel with additional options and components.


1. Installing Squid

You can install Squid using Ports but you can’t play with configure options, so I’ll cover the steps to install from a tarball.

You can download the Squid source from http://www.squid-cache.org. The latest version is squid-2.4.STABLE6-src.tar.gz. Run the following commands as root.

# cd /path/to/tarball
# tar zxvf squid-2.4.STABLE6-src.tar.gz
# cd squid-2.4.STABLE6
# ./configure --enable-delay-pools --enable-ipf-transparent \
    --enable-storeio=diskd,ufs \
    --disable-ident-lookups --enable-snmp --enable-removal-policies
# make all
# make install

The explanation of the configure script options is below:

--enable-delay-pools - Enable delay pools to limit bandwidth usage.
You need to enable this option in order to use Squid to limit bandwidth usage. It gives fair bandwidth usage for everybody. In my case, I don't want one person sucking all of the available bandwidth by downloading a big movie, causing others to suffer.
--enable-ipf-transparent - Enable transparent proxy support for systems using IP Filter network address redirection.
With this option, you don't have to configure the client's browser proxy setting. It is also a good way to force the client to use the proxy every time.
--enable-storeio=diskd,ufs - Enable diskd.
Improves disk I/O performance. According to the Squid FAQ, if you enable diskd you can gain a 400% increase in performance. However, you will need to recompile the kernel because your operating system must support message queues and shared memory.
--enable-removal-policies - Build support for the list of removal policies.
By default, Squid uses LRU, but there are two better policies: GDSF and LFUDA. See the Squid config for a more detailed explanation.
--disable-ident-lookups - This allows you to remove the code that performs Ident (RFC 931) lookups.
Not really important. By the way, if you do transparent proxying, ident lookups won't work.
--enable-snmp
Optional: enable this and you can monitor Squid with mrtg or rrdtool. How to do this is outside of this article's scope. Perhaps in my next one.

2. Edit Squid Configuration File /usr/local/squid/etc/squid.conf

# Need for transparent proxy
# You need to --enable-ipf-transparent
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Physical memory / 3
cache_mem 128 MB
# Max out Squid I/O performance: 15 GB cache using Squid's special diskd, but you need to recompile the kernel
# To use diskd you need to --enable-storeio=diskd,ufs
# Reasonable values for Q1 and Q2 are 72 and 64, respectively.
# The Q1 value must be bigger than Q2
cache_dir diskd /usr/local/squid/cache 15360 16 256 Q1=72 Q2=64

# You can use normal ufs instead
#cache_dir ufs /usr/local/squid/cache 15360 16 256

# I don't want to log anything
# The reason is to save some expensive I/O operation.
cache_access_log /dev/null
cache_store_log none
cache_log /dev/null

# Cache replacement policy
# The heap GDSF policy optimizes object-hit rate by keeping smaller popular
# objects in cache, so it has a better chance of getting a hit. It achieves a
# lower byte hit rate than LFUDA, though, since it evicts larger (possibly popular)
# objects.
# The heap LFUDA ( Least Frequently Used with Dynamic Aging ) policy keeps
# popular objects in cache regardless of their size and thus optimizes byte hit
# rate at the expense of hit rate since one large, popular object will prevent
# many smaller, slightly less popular objects from being cached.
# You need to --enable-removal-policies
cache_replacement_policy GDSF

# Standard Access List
# I have two subnets, one for student and another one for admin
# Modify this according to your network
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl outgoing src 192.168.10.2/255.255.255.255
acl student src 192.168.0.0/255.255.255.0
acl admin src 192.168.1.0/255.255.255.0
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access allow manager
http_access allow localhost
http_access allow outgoing
http_access allow student
http_access allow admin
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all

icp_access allow localhost
icp_access allow student
icp_access allow admin
icp_access deny all

# Avoid caching cgi scripts
acl QUERY urlpath_regex cgi-bin
no_cache deny QUERY

acl magic_words1 url_regex -i 192.168
acl magic_words2 url_regex -i ftp .exe .mp3 .vqf .tar.gz .gz .rpm .zip .rar .avi .mpeg .mpe .mpg .qt .ram .rm .iso .raw .wav .mov

# Delay Pool
# For delay pool, you need to --enable-delay-pools
delay_pools 2

# I have ADSL 2Mbits line
# 2 mbits == 256 kbytes per second
# 256 KB/s, 5 KB/s
# It means 256 KB/s bandwidth for the whole network, but 5 KB/s for each node, which is fair for everybody
delay_class 1 2
delay_parameters 1 256000/256000 5000/256000
delay_access 1 allow magic_words2
delay_access 1 allow student
delay_access 1 allow admin

# -1/-1 means that there are no limits for local traffic.
delay_class 2 2
delay_parameters 2 -1/-1 -1/-1
delay_access 2 allow magic_words1

# Cancel download if file is bigger than 1MB
reply_body_max_size 1024 KB

# snmp stuff
acl snmppublic snmp_community public
snmp_access allow snmppublic localhost
snmp_access deny all

# Change to your domain
# visible_hostname yourdomain.domain.com
# cache_mgr yourname@youremail.com
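Squid evaluates http_access lines top to bottom and the first line whose ACLs all match decides. In the squid.conf above the student and admin allow lines come before deny !Safe_ports and deny CONNECT !SSL_ports, so those port checks never apply to internal clients, which is why Squid's default config puts the two deny lines first. The following Python model is an added example, not part of this article or of Squid; the ACL table is transcribed from the config above and the request values are constructed.

```python
from ipaddress import ip_address, ip_network

# ACL definitions transcribed from the squid.conf above (port lists kept as ranges).
ACLS = {
    "manager":    ("proto",  ["cache_object"]),
    "localhost":  ("src",    ["127.0.0.1/32"]),
    "outgoing":   ("src",    ["192.168.10.2/32"]),
    "student":    ("src",    ["192.168.0.0/24"]),
    "admin":      ("src",    ["192.168.1.0/24"]),
    "all":        ("src",    ["0.0.0.0/0"]),
    "SSL_ports":  ("port",   [(443, 443), (563, 563)]),
    "Safe_ports": ("port",   [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70), (210, 210),
                              (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
    "CONNECT":    ("method", ["CONNECT"]),
}

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        return any(ip_address(req["src"]) in ip_network(n) for n in values)
    if kind == "port":
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req[kind] in values          # "method" and "proto" are plain string matches

def http_access(rules, req):
    """First http_access line whose ACLs all match decides; a leading '!' negates an ACL."""
    for action, names in rules:
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action
    return "deny"                        # the list above ends in "deny all" anyway

# The order used in the squid.conf above: network allows come before the port checks.
PAGE_ORDER = [("allow", ["manager"]), ("allow", ["localhost"]), ("allow", ["outgoing"]),
              ("allow", ["student"]), ("allow", ["admin"]),
              ("deny", ["!Safe_ports"]), ("deny", ["CONNECT", "!SSL_ports"]), ("deny", ["all"])]
# Squid's recommended order: the two port-sanity denies first, then the per-network allows.
SAFER_ORDER = PAGE_ORDER[5:7] + PAGE_ORDER[:5] + PAGE_ORDER[7:]

# Constructed requests: a student browsing, and a student asking the proxy to tunnel to port 25.
WEB_REQ  = {"src": "192.168.0.25", "method": "GET",     "port": 80, "proto": "http"}
SMTP_REQ = {"src": "192.168.0.25", "method": "CONNECT", "port": 25, "proto": "http"}

if __name__ == "__main__":
    for label, req in (("GET :80", WEB_REQ), ("CONNECT :25", SMTP_REQ)):
        print(f"{label:12} page order: {http_access(PAGE_ORDER, req):5}  "
              f"safer order: {http_access(SAFER_ORDER, req)}")
```

Only the order of the existing lines changes; with the deny lines first, a tunnel request to a non-SSL port from an internal client is refused instead of being allowed by the student line.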

3. Create cache dir and create swap

# mkdir /usr/local/squid/cache
# chown nobody:nogroup /usr/local/squid/cache
# /usr/local/squid/bin/squid -k parse
# /usr/local/squid/bin/squid -z

4. Configure transparent proxy with ipfilter

4.1 Edit /etc/rc.conf

# add these lines to enable ipfilter
ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"

4.2 Edit /etc/ipnat.rules

# add this line
# I assume rl0 is your internal nic
# Redirect everything else to squid on port 3128
rdr rl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

5. Reconfigure kernel for squid diskd support

Consult the Freebsd Handbook for recompiling the kernel and add the following lines. Your kernel must have:

options SYSVMSG

You can set the parameters in the kernel as follows. This is just an example. Make sure the values are appropriate for your system:

options MSGMNB=8192 # max # of bytes in a queue
options MSGMNI=40 # number of message queue identifiers
options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment
options MSGTQL=2048 # max messages in system

The following is the explanation of the kernel options from the Squid FAQ:

The messages between Squid and diskd are 32 bytes for 32-bit CPUs and 40 bytes for 64-bit CPUs. Thus, MSGSSZ should be 32 or greater. You may want to set it to a larger value, just to be safe.

We’ll have two queues for each cache_dir, one in each direction. So, MSGMNI needs to be at least two times the number of cache_dir’s.

I’ve found that 75 messages per queue is about the limit of decent performance. If each diskd message consists of just one segment (depending on your value of MSGSSZ), then MSGSEG should be greater than 75.

MSGMNB and MSGTQL affect how many messages can be in the queues at one time. Diskd messages shouldn’t be more than 40 bytes, but let’s use 64 bytes to be safe. MSGMNB should be at least 64*75. I recommend rounding up to the nearest power of two, or 8192.

MSGTQL should be at least 75 times the number of cache_dir’s that you’ll have.
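Carrying the FAQ rules above through for a given number of cache_dir's, as an added example that is not from the article or the Squid FAQ: it parses the options block shown above (used here as constructed input), computes the minimum each rule implies, and reports which values fall short. The 32/40-byte message size, the 75-messages-per-queue figure and the 64-byte safety margin are the page's own numbers.

```python
import re

# Kernel options block from this article, used as constructed sample input.
PAGE_KERNEL_OPTIONS = """\
options MSGMNB=8192 # max # of bytes in a queue
options MSGMNI=40 # number of message queue identifiers
options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment
options MSGTQL=2048 # max messages in system
"""

def parse_kernel_options(text):
    """Pick NAME=value pairs out of 'options NAME=value' lines; trailing comments are ignored."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s*options\s+(\w+)=(\d+)", line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts

def next_pow2(n):
    p = 1
    while p < n:
        p <<= 1
    return p

def diskd_minimums(n_cache_dirs, cpu_bits=32, msgs_per_queue=75, msg_bytes=64):
    """Minimum values implied by the Squid FAQ sizing rules quoted above."""
    return {
        "MSGSSZ": 32 if cpu_bits == 32 else 40,          # a segment must hold one diskd message
        "MSGMNI": 2 * n_cache_dirs,                       # two queues per cache_dir
        "MSGSEG": msgs_per_queue + 1,                     # "greater than 75" at one segment/message
        "MSGMNB": next_pow2(msg_bytes * msgs_per_queue),  # 64*75 = 4800, rounded up to 8192
        "MSGTQL": msgs_per_queue * n_cache_dirs,          # 75 messages per cache_dir system-wide
    }

def undersized_options(opts, n_cache_dirs, **kw):
    """Names of options that fall below the minimum for this many cache_dirs (empty == OK)."""
    return [k for k, v in diskd_minimums(n_cache_dirs, **kw).items() if opts.get(k, 0) < v]

if __name__ == "__main__":
    opts = parse_kernel_options(PAGE_KERNEL_OPTIONS)
    print("1 cache_dir, undersized:", undersized_options(opts, 1))    # []
    print("30 cache_dirs, undersized:", undersized_options(opts, 30))  # ['MSGMNI', 'MSGTQL']
```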

Also you can tweak the kernel by commenting out unnecessary lines in the kernel config to gain extra performance. Then recompile the kernel.

6. Create start-up script /usr/local/etc/rc.d/squid.sh

#!/bin/sh

echo -n ' Squid '

case "$1" in
start)
    /usr/local/squid/bin/squid -D
    ;;
stop)
    /usr/local/squid/bin/squid -k shutdown
    ;;
restart)
    /usr/local/squid/bin/squid -k reconfigure
    ;;
*)
    echo "Usage: `basename $0` {start|stop|restart}"
    ;;
esac

7. All Done!
