| 
 A NAT Router Firewall IPSec Gateway with FreeBSD 5.1-RELEASEA typical setup for home users and small businesses is to have a single
machine connected to the internet as a router that serves as gateway for
the private network behind it. Obviously, this router has to "hide" the whole
net behind its own external address, which can even be dynamically assigned via
an ISP's DHCP service. This article describes the steps necessary for setting this up on a machine 
with two network cards running FreeBSD 5.1-RELEASE. It is largely equivalent 
to the setup described for the same machine running Linux in another article here. Additionally, the FreeBSD Router
serves as IPSec gateway, encrypting traffic to networks behind other routers
on the internet. Warning! 
 This article contains just the steps that it took me to set up the router. Neither 
does it cover the whole underlying concepts of networking, security, IPSec, and
the state of the world as such, nor does it necessarily protect your machines
from security risks (even though it is designed to do so). I might have overlooked
something, might have opened a security hole in my configuration. I might be
an absolute nincompoop. So do not simply read the text and follow the steps. 
Follow the links in it, try Google and freebsd.org to understand for yourself 
what it is you're doing. If you find any flaw in my configuration, please let 
me know (address at bottom).
 
 You've been warned.
 
 
 
Preparing the system
 1.1. Install FreeBSD 5.1-RELEASE. I used the ISO image here.
Do read the Handbook!. Make sure to install the kernel sources and the ports collection.
 
 1.2. Recompile the kernel. How to do this is described in detail in the Handbook!. Because
stock 5.1-RELEASE comes without firewall and IPSec support in the kernel, we have to compile that in. Those are the necessary options:
 
 
    # Firewall support added 
    options         IPFIREWALL
    # Divert support added (necessary for natd)
    options         IPDIVERT
    # IPSec support added
    options         IPSEC
    options         IPSEC_ESP
    options         IPSEC_DEBUG
Compile, install and reboot.
 
Set up the firewall(This setup uses
 ipfw, a dynamically assigned external address and a local net of 192.168.1.0/24.)
 2.1. Enable all necessary services and functions in
 /etc/rc.conf(adopt addresses and interface names for your setup):
    # use DHCP for external interface
    ifconfig_ep0="DHCP"
    # static address for internal interface
    ifconfig_ep1="inet 192.168.1.1 netmask 255.255.255.0 \
	broadcast 192.168.1.255
    # enable IP forwarding
    gateway_enable="YES"
    # enable firewall
    firewall_enable="YES"
    # set path to custom firewall config
    firewall_type="/etc/fw/rc.firewall.rules"
    # be non-verbose? set to YES after testing
    firewall_quiet="NO"
    # enable natd, the NAT daemon
    natd_enable="YES"
    # which is the interface to the internet that we hide behind?
    natd_interface="ep0"
    # flags for natd
    natd_flags="-f /etc/fw/natd.conf"
2.2 Edit/etc/fw/rc.firewall.rules(or whatever you set firewall_type to)
 
    # be quiet and flush all rules on start
    -q flush
    
    # allow local traffic, deny RFC 1918 addresses on the outside
    add 00100 allow ip from any to any via lo0
    add 00110 deny ip from any to 127.0.0.0/8
    add 00120 deny ip from any to any not verrevpath in
    add 00301 deny ip from 10.0.0.0/8 to any in via ep0
    add 00302 deny ip from 172.16.0.0/12 to any in via ep0
    add 00303 deny ip from 192.168.0.0/16 to any in via ep0
                                                                                    
    # check if incoming packets belong to a natted session, allow through if yes
    add 01000 divert natd ip from any to me in via ep0
    add 01001 check-state
    
    # allow some traffic from the local net to the router 
    # SSH
    add 04000 allow tcp from 192.168.1.0/24 to me dst-port 22 in via ep1 setup keep-state
    # ICMP
    add 04001 allow icmp from 192.168.1.0/24 to me in via ep1
    # NTP
    add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via ep1 setup keep-state
    add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via ep1 keep-state
    # DNS
    add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via ep1
    
    # drop everything else
    add 04009 deny ip from 192.168.1.0/24 to me
         
    # pass outgoing packets (to be natted) on to a special NAT rule
    add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via ep1 keep-state
                                                                                    
    # allow all outgoing traffic from the router (maybe you should be more restrictive)
    add 05010 allow ip from me to any out keep-state
    
    # drop everything that has come so far. This means it doesn't belong to an 
    established connection, don't log the most noisy scans.
    add 59998 deny icmp from any to me
    add 59999 deny ip from any to me dst-port 135,137-139,445,4665
    add 60000 deny log tcp from any to any established
    add 60000 deny log ip from any to any
    
    # this is the NAT rule. Only outgoing packets from the local net will come here.
    # First, nat them, then pass them on (again, you may choose to be more restrictive)
    add 61000 divert natd ip from 192.168.1.0/24 to any out via ep0
    add 61001 allow ip from any to any
2.3 Edit/etc/fw/natd.conf(or whatever you set natd_flags -f to)
 
    unregistered_only
    interface ep0
    use_sockets
    dynamic
    # dyamically open fw for ftp, irc
    punch_fw 2000:50
2.4. Start the firewall
 Run
 /etc/rc.d/ipfw start. If you have the DHCP client running,
you should have an external address and your firewall router will be functional. Else start it with /etc/rc.d/dhclient startor reboot. 
Rebooting would be a good idea at this point anyway.Time to get yourself a nice cold beer. You've deserved it!
 
 2.5. Tuning
 
 It may be useful to set some connection related parameters in the kernel.
I did this in
 /etc/sysctl.conf(you can of course call sysctl directly).
  
    security.bsd.see_other_uids=0
    net.inet.ip.fw.dyn_ack_lifetime=3600
    net.inet.ip.fw.dyn_udp_lifetime=10
    net.inet.ip.fw.dyn_buckets=1024
This sets the session lifetime for TCP sessions without any traffic to 1 hour, 
for UDP to 10 seconds.
 
Set up IPSec
 3.1. Get and install
 racoon
 (Also take a look at http://www.x-itec.de/projects/tuts/ipsec-howto.txt)
 
 Go to
 /usr/ports/security/racoon.Enter
 make all install clean. This will install racoon and clean
up afterwards. Racoon is 
used for managing the key exchange needed for IPSec. The encryption itself 
is done in the kernel.
 3.2. Enable
 racoon
 Add the following line to
 /etc/rc.conf
 
    racoon_enable="YES"
This will startracoonat boot time by running /usr/local/etc/rc.d/racoon.sh. I simply edited this file and set my options there: it now calls /usr/local/sbin/racoon -f /etc/ipsec/racoon.conf -l /var/log/racoon. This means that config is in /etc/ipsec, logs go to /var/log.
 3.3. Configure
 racoon
 Now we have to edit racoon's config file. In my case this is
 /etc/ipsec/racoon.conf, per default it is/usr/local/etc/racoon/racoon.conf.
 Very good documentation has been written on how to configure racoon. Google
knows it, and you might also take a look at http://www.kame.net/newsletter/20001119/. Below is just
what I changed in
 /etc/ipsec/racoon.conf.
 
    [....]
    path certificate "/etc/ipsec/cert" ;
    [....]
    log info;
    [....]
    # this is the other gateway's address
    remote aaa.bbb.ccc.ddd 
{
	# it's freeswan, so it doesn't support aggressive mode
        exchange_mode main,aggressive; 
        doi ipsec_doi;
        situation identity_only;
                                                                                
        my_identifier asn1dn ;
	# Subject of other gateway's certificate
        peers_identifier asn1dn "C=XY/O=XY Org/CN=xy.org.org";
	# my own X.509 certificate and key
        certificate_type x509 "mycert.crt" "mykey.key";
 
        nonce_size 16;
        lifetime time 1 min;    # sec,min,hour
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
 
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig ;
                dh_group 2 ;
        }
}
3.4. Install the certificates
 
 Also take a look at http://www.kame.net/newsletter/20001119b/
 
 Copy the following files to
 /etc/ipsec/cert/(or whatever you setpath certificateto above):
 
Your certificate (named "mycert.crt"above)
Your private key (mykey.key; make this-rw------- root)
The other gateway's CA's public certificate.
 Then make a link to the other gateway's CA's certificate (I assume in the following example that the certificate file is named
 ca.pem). This link must be
named after the hash value of the file itself. You can create it with
 
    # ln -s ca.pem `openssl x509 -noout -hash -in ca.pem`.0
3.5. Tell the kernel to use IPSec
 
 You should have read the above links before you proceed.
 
 Now you must tell the kernel to use IPSec when communicating with the other 
gateway. You do this by creating a file which is then used by
 /etc/rc.d/ipsecon startup. I put the file in/etc/ipsec/ipsec.confand entered the following in/etc/rc.conf
 
    ipsec_enable="YES"
    ipsec_file="/etc/ipsec/ipsec.conf"
/etc/ipsec/ipsec.confcontains the parameters for thesetkey (8)command that adds, updates, dumps, or flushes Security Association
Database (SAD) entries as well as Security Policy Database (SPD) entries
in the kernel.
 
    # First, flush all SAD and SPD
                                                                                
    flush;
    spdflush;
                                                                                
    # Then, set up SPD for the local net and the net behind the other gateway
    # www.xxx.yyy.zzz is my own external address
    # aaa.bbb.ccc.ddd is the other gateway's address as given in
    # /etc/ipsec/racoon.conf
    spdadd 192.168.1.0/24 192.168.100.0/24 any -P out ipsec \
        esp/tunnel/www.xxx.yyy.zzz-aaa.bbb.ccc.ddd/require ;
    spdadd 192.168.100.0/24 192.168.1.0/24 any -P in ipsec \
        esp/tunnel/aaa.bbb.ccc.ddd-www.xxx.yyy.zzz/require ;
This tells the kernel to use the ESP tunnel between www.xxx.yyy.zzz (the router) and aaa.bbb.ccc.ddd (the other gateway) when routing between the subnets 192.168.1.0/24 (local) and 192.168.100.0/24 (remote).
 This is the only place in the whole configuration where my own external IP address
is used. Since this is a dynamically assigned address which can change, I had to provide some mechanism to restart IPSec when the address changes. I did this 
by configuring dhclient to run a script which rewrites
 /etc/ipsec/ipsec.confand restarts/etc/rc.d/ipsec. I found it to be the easiest
way to name the script/etc/dhclient-exit-hooks, as the ISC
dhclient will look for this file everytime it has to update anything (see dhclient-script(8)). 
Somebody is likely to come up with a better solution.
 3.6. Amend the firewall rules for IPSec
 
 Add the following lines to your firewall config (
 /etc/fw/rc.firewall.rulesin this example)
 
    add 05020 allow udp from any 500 to me dst-port 500 in via ep0 keep-state
    add 05021 allow esp from any to me in via ep0 keep-state
    add 05022 allow ah from any to me in via ep0 keep-state
This will allow racoon to exchange keys on UDP port 500 and the kernel to
talk via ESP and AH with the outside world (AH is actually not needed in my setup, but I keep it there for completeness and portability).
 3.7. Start all required services and enjoy
 
 You may want to add a DHCP, NTP, and DNS server to your router (I did, as the above firewall rules imply). I will not cover
this here, though. The configuration files are about the same as in the Linux setup article.
 
 Now start all services manually with their respective scripts in
 /etc/rc.d/or simply reboot. This should do.
 In case you're also in charge of the other IPSec gateway, here are its
 /etc/ipsec.confand/etc/ipsec.secrets. In my case it was RedHat Linux, Kernel 2.4.18-3, and the super-freeswan-1.99.8 patch from http://www.freeswan.ca/.
 
 Markus Wernig (public at wernig dot net) 
 
 Webmaster at lugbe.chDie Artikel dieser Seite stehen unter Copyleft ihrer jeweiligen Autor*innen.
Ihre Nutzung, Wiedergabe etc. untersteht den Bedingungen der GNU Free Documentation License (http://www.gnu.org/copyleft/fdl.html), wo nicht explizit anders vermerkt. |