Home Networking With HALNet ADSL
FreeBSD - Router / Firewall

     Are you sick and tired of those unreliable, plastic, so-called routers? Why not use a real firewall/router? This section covers configuring a FreeBSD machine to provide firewall, NAT, and DHCP services on your local network in order to replace your "network in a box". There are some products, such as Sygate Home Network, that are designed to do the same thing and run on top of Windows, but they don't work nearly as well (they forget your settings each time you restart and they are expensive), which is why I'm not going to discuss them.
     You will need 2 ethernet cards and a computer (at least a Pentium 90 with 32MB RAM and an 850MB-1GB disk drive), have FreeBSD already installed, and make a note of the cards' names when you boot up. If you miss it on boot then you can see the kernel messages again with "dmesg | more". Your LAN adapter (ethernet card facing your local network) and your WAN adapter (card facing the DSL modem) will hereby be referred to as LAN and WAN respectively.


Section 1 KERNEL:

The first thing we need to do is compile the kernel so that it supports firewall and routing features.
As root:
cd /usr/src/sys/i386/conf
cp GENERIC KERNELNAME

Edit KERNELNAME with your favorite text editor and ADD the following lines:
options IPFIREWALL
options IPDIVERT

If you plan to add wireless capabilities to your router, then go ahead and add the following as well:
options BRIDGE

Now to compile it:
config ./KERNELNAME
cd ../../compile/KERNELNAME      (In 5.x this would be cd ../compile/KERNELNAME instead)
make depend && make && make install && make clean

Section 2 STARTUP:

Now we need to enable our new toy. As root:
cd /etc

ADD the following to "rc.conf" then save (Totally unrelated to ADSL, but for dialup look here as well.):

gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="WAN"
natd_flags="-m -f /etc/natd.conf"
ifconfig_LAN="inet 10.0.0.1 netmask 0xffffff00"      # See: RFC1918 for more information on private addresses.
ifconfig_WAN="DHCP"


Section 3 DHCP:

Now that we have configured the NAT and firewall features you will need to install a DHCP server. This step is not required, however it is HIGHLY recommended. It will allow for "plug & play" operation with all of your client machines. If you are going to set STATIC IPs on each of your workstations instead, then skip to section 4.
As root and while connected to the internet:
Run /stand/sysinstall
Select Configure
Select Packages
Select FTP
Select Primary Site
Answer YES to any questions that may pop up here
Select net
Select isc-dhcpx-x.x.x...
Press TAB to select OK and press RETURN
Press TAB 2 more times to select INSTALL and press RETURN
Once complete then exit the "sysinstall" program

This example configuration file should be copied to /usr/local/etc/dhcpd.conf. Replace the server-name with the name of your computer and the domain-name with the name of your network.

server-name "gateway" ;
ddns-update-style none;
server-identifier 10.0.0.1 ;
option domain-name "mydomain" ;
option routers 10.0.0.1 ;

subnet 10.0.0.0 netmask 255.255.255.0 {
option domain-name-servers 204.52.135.21, 204.52.135.2, 204.52.135.1 ;
option broadcast-address 10.0.0.255 ;
range 10.0.0.100 10.0.0.254 ;
use-host-decl-names true ;
}

Now to create the dhcpd.leases file:
touch /var/db/dhcpd.leases

Now to enable the startup script:
cd /usr/local/etc/rc.d
cp isc-dhcpd.sh.sample isc-dhcpd.sh
chmod ugo+x isc-dhcpd.sh      (Make sure it's executable)

Section 4 Firewall:

Now we need to set our firewall rules. As root:
cd /etc

Edit "rc.conf" and look for the OPEN|CLIENT section (around line 120 or so). Add the rules listed under #services, #local net, and #deny ALL so that it will look like the following:

case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 2000 divert natd all from any to any via ${natd_interface}

            #services - change the port numbers to match the services your machine is providing (if any)
            ${fwcmd} add 62000 allow icmp from any to any
            ${fwcmd} add 63000 allow tcp from any to any 21,22,80,515
            ${fwcmd} add 64000 allow tcp from any to any established

            #local net - change the subnet to match the one you selected in the DHCP configuration
            ${fwcmd} add 63001 allow all from 10.0.0.0/24 to any
            ${fwcmd} add 63002 allow all from any to 10.0.0.0/24

            #deny ALL - change WAN to match your WAN interface as described earlier
            ${fwcmd} add 65200 deny tcp from any to any via WAN in setup

            #ASIA BLOCKS - optional, but highly recommended
            ${fwcmd} add 50001 deny tcp from 58.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 59.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 60.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 61.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 124.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 125.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 126.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 202.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 203.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 210.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 211.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 218.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 219.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 220.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 221.0.0.0/8 to me setup
            ${fwcmd} add 50001 deny tcp from 222.0.0.0/8 to me setup

            #RIPE BLOCKS - optional, but highly recommended
            ${fwcmd} add 50002 deny tcp from 62.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 80.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 81.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 82.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 83.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 84.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 85.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 86.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 87.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 88.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 193.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 194.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 195.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 212.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 213.0.0.0/8 to me setup
            ${fwcmd} add 50002 deny tcp from 217.0.0.0/8 to me setup

        fi
        ;;
    esac
esac

Let me explain these rules a little better:
     The first rule (#2000) makes NAT work.
     The #services section defines the services running on this machine. In this example rule 63000 allows connections to an FTP server (21), SSH login (22), Web server (80), and Printer services (515). See /etc/services for more information on what services use what port numbers. If you do not want any of these services running, then omit that rule. Rule 62000 specifically allows ICMP packets in and out. This allows PINGs and other such things. LEAVE THIS!! You can't be hurt with a ping, unless you're running Windows NT :) . The last rule is required for outbound connections to work. You wouldn't be able to browse the net without rule 64000.
     The #local net section allows traffic between the local computers and the router, but more importantly it allows protocols that use reverse connections, like active FTP and chat program file transfers.
     The last section, #deny ALL, will block ALL incoming connection attempts on the WAN interface that were not previously approved by a lower number rule. The #ASIA and #RIPE blocks cover most of the eastern hemisphere and should take care of the majority of hack attempts against your machine.
      With these rules in place you're just about as protected as you're going to get from just about any attack from the outside world. Just remember... If they want to get in bad enough, then they'll find a way. No network is 100% secure. PLEASE install additional firewall software on your Windows machines.
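As an added check (not part of the original page), the script below reads "ipfw list" output and confirms the ordering the rules above depend on: ipfw takes the first matching rule, so the divert must precede the allows, rule 64000 (established) must precede the #deny ALL rule, and no blanket pass-all rule may sit below that deny. The last point is worth verifying because the stock OPEN prototype in rc.firewall installs "65000 pass all from any to any", which would shadow rule 65200; the second constructed ruleset shows what the check reports in that case. The interface name xl0 and both rule listings are constructed sample data.

```shell
#!/bin/sh
# Added sanity check for the ipfw ruleset above (not the page's own code).
# Reads "ipfw list" output from stdin (rule number, action, match spec) and,
# because ipfw uses the first matching rule, verifies that:
#   1. a "divert natd" rule exists and precedes every allow rule;
#   2. the "allow tcp ... established" rule precedes the "deny ... in ... setup" rule;
#   3. no blanket "allow ip/all from any to any" precedes that deny (the OPEN
#      prototype's rule 65000 would otherwise make the deny unreachable).
# Usage: ipfw list | check_ruleset      (prints OK or FAIL lines; exit 0 only if all pass)
check_ruleset() {
    awk '
    { num = $1 + 0; act = $2; rest = " "
      for (i = 3; i <= NF; i++) rest = rest $i " " }
    act == "divert" && rest ~ / natd /        { if (!divert  || num < divert)  divert  = num }
    act == "allow"  && rest ~ / established / { if (!estab   || num > estab)   estab   = num }
    act == "allow"  && rest ~ /^ (ip|all) from any to any $/ { if (!passall || num < passall) passall = num }
    act == "deny"   && rest ~ / in / && rest ~ / setup / { if (!denyall || num > denyall) denyall = num }
    act == "allow"  { if (!firstallow || num < firstallow) firstallow = num }
    END {
        rc = 0
        if (!divert) { print "FAIL: no divert natd rule"; rc = 1 }
        else if (firstallow && divert > firstallow) { print "FAIL: divert " divert " comes after allow " firstallow; rc = 1 }
        if (!denyall) { print "FAIL: no deny ... in ... setup rule for the WAN side"; rc = 1 }
        if (estab && denyall && estab > denyall) { print "FAIL: established rule " estab " sits after deny " denyall; rc = 1 }
        if (passall && denyall && passall < denyall) { print "FAIL: pass-all rule " passall " shadows deny " denyall; rc = 1 }
        if (rc == 0) print "OK"
        exit rc
    }'
}

# Constructed "ipfw list" output for the ruleset on this page (WAN assumed to be xl0).
good_rules() {
cat <<'EOF'
02000 divert natd ip from any to any via xl0
50001 deny tcp from 58.0.0.0/8 to me setup
62000 allow icmp from any to any
63000 allow tcp from any to any dst-port 21,22,80,515
63001 allow ip from 10.0.0.0/24 to any
63002 allow ip from any to 10.0.0.0/24
64000 allow tcp from any to any established
65200 deny tcp from any to any in via xl0 setup
65535 deny ip from any to any
EOF
}

# Same ruleset with the OPEN prototype's pass-all rule still present (constructed).
open_rules() { good_rules | awk '/^65200/ { print "65000 allow ip from any to any" } { print }'; }

good_rules | check_ruleset           # OK
open_rules | check_ruleset || true   # FAIL: pass-all rule 65000 shadows deny 65200
```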

     All set! All you need to do now is connect your WAN card to your ADSL modem and connect your LAN card to a switch or hub. Connect the rest of your computers to the switch or hub as well. Reboot your new router then the other computers and you're done!
     There is a ton of additional information on this topic found in the FreeBSD Handbook.


Join HAL-PC
http://www.hal-pc.org
4543 Post Oak Place Dr. Suite 200
Houston, Tx 77027-3103
713/993-3300



This site is designed to be of some assistance, however is not meant to be your sole source of information. By following the suggestions given on this page you understand that you do these things at your own risk. The steps mentioned here may or may not work for your purposes. There is no warranty or support of any kind provided by HAL-PC for the topics discussed in this site. The only support for your home network that is given is by me personally, at my choosing, on my own time, and via email only.
I know... I hate disclaimers too.
