cd /usr/src/sys/i386/conf
cp GENERIC MYKERNEL
edit MYKERNEL
    maxusers 32                <========== See Below
    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPDIVERT
config MYKERNEL
cd ../../compile/MYKERNEL
make depend
make
make install
[Warning] One resident process per client. Be careful about the maximum number of processes:
    NPROC = 20 + 16 * MAXUSERS        (MAXUSERS = 32 in the example above)
MAXUSERS can be set automatically if maxusers is defined as 0. The maximum number of clients is also limited by the number of permitted rules.
Modification of the following two values is recommended.
kern.ipc.somaxconn: Maximum number of TCP connections (default = 128). As the Opengate server keeps a TCP connection with each terminal, this must be set larger than the number of terminals.
kern.ipc.nmbclusters: Maximum number of mbuf clusters (1 cluster = 2KB). It needs "send/recv buffer size (default = 32KB)" x "number of connections". Usage statistics are shown by "netstat -m".
For example, set these values as follows. Be careful about the memory size needed for mbuf (the following setting needs 128MB). Add two lines to the file "/etc/sysctl.conf":
    kern.ipc.somaxconn=4096
    kern.ipc.nmbclusters=65536
Essential: Apache, ipfw
Optional: NATD, DHCP, SSL, Perl, etc.
doc:         documentation
conf:        configuration file sample, firewall control Perl script sample
javahtml:    client Java programs and HTML files
opengatesrv: server CGI programs
javac Opengate.java
jar cvf Opengate.jar *.class
topindex.html            : first HTML page, which describes the jump to the authentication page.
index.html               : authentication page.
deny.html                : page sent when authentication is denied.
accept.html, accept2.html: pages sent when authentication is accepted.
Don't remove the mark "**OpengateAppletHere**", where the Java applet description is inserted. %%HOSTADDR%% is replaced with the address at installation. %%OPENGATEDIR%% is replaced with the install directory.
cd opengatesrv     : move to the opengatesrv directory
edit Makefile      : modify the Makefile (HOSTADDR must be changed to the IP address of your machine's client-side interface)
edit opengatesrv.h : modify the header file
make               : compile
su                 : change to root
make install       : installation
Setup of Related Software
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"        <== if NATD is used
natd_interface="sis0"    <== if NATD is used
Example description in /etc/firewall:

[Ss][Ii][Mm][Pp][Ll][Ee])
    # set these to your outside interface network and netmask and ip
    oif="fxp0"
    onet="133.49.20.0"
    omask="255.255.252.0"
    oip="133.49.22.5"

    # set these to your inside interface network and netmask and ip
    iif="fxp1"
    inet="192.168.0.0"
    imask="255.255.255.0"
    iip="192.168.0.1"

    # divert packet to NATD ################################
    $fwcmd add 1 divert natd ip from any to any via ${oif}

    # Stop spoofing
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # Allow from / to myself
    $fwcmd add pass all from ${iip} to any via ${iif}
    $fwcmd add pass all from ${oip} to any via ${oif}
    $fwcmd add pass all from any to ${iip} via ${iif}
    $fwcmd add pass all from any to ${oip} via ${oif}

    # Allow DNS queries out in the world
    # (if DNS is on localhost, delete passDNS)
    $fwcmd add pass udp from any 53 to any
    $fwcmd add pass udp from any to any 53

    # Forwarding http connection from unauth client ###############
    $fwcmd add 60000 fwd localhost tcp from ${inet}:${imask} to any http

    # Allow TCP through if setup succeeded ########################
    $fwcmd add 60100 pass tcp from any to any established

Caution
Web access control
order deny,allow
deny from all
allow from 133.49.0.0/255.255.0.0      (example)
allow from 192.168.0.0/255.255.0.0

CGI enable
#ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"
    |
    V
ScriptAlias /cgi-bin/ "/usr/local/www/cgi-bin/"

Jump to top at page not found

#ErrorDocument 404 /missing.html
    |
    V
ErrorDocument 404 /index.html
local1.*    /var/log/opengate.log        (separated by a TAB)
Make the corresponding file:
    touch /var/log/opengate.log
ID:address=hostname|hostaddr:[port=portno:]protocol=ftp|pop3|pop3s:
ID:protocol=radius:[conffile=filepath:]
ID:protocol=pam:[servicename=name:]
where each term indicates the following.
ID:          identification keyword for the authentication server.
address:     IP address (or hostname) of the authentication server.
protocol:    protocol for authentication. At present, ftp, pop3, pop3s, radius and pam are available.
port:        port number for authentication. If omitted, the value in /etc/services is used.
conffile:    path to the config file for RADIUS. Default is "/etc/radius.conf".
servicename: service name for PAM. Default is "opengate".
The following example sets four authentication servers. If the user enters [userID], authentication is directed to the [default(=cs)] server. If the user enters [userID@cc], authentication is directed to the [cc] server.
default:tc=cs
cs:address=noah.cs.is.saga-u.ac.jp:protocol=pop3:
cc:address=himiko.cc.saga-u.ac.jp:protocol=ftp:port=21:
pam:protocol=pam:
rad:protocol=radius:

The following is an example of pam.conf. Opengate checks auth and account. Please read [man pam.conf] for details.

opengate auth    required pam_radius.so
opengate account required pam_permit.so

The following is an example of radius.conf. Please read [man radius.conf] for details.

auth radius1.foo.bar "password1" 5 6
auth radius2.foo.bar "password2" 5 6
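The lookup described above (plain userID goes to the server named by default:tc=, userID@ID goes to server ID, and a missing port= falls back to /etc/services) as an added example in C; this is not Opengate's own code, and the config lines embedded in it are the page's example entries used as constructed input. The function names find_entry, get_field and resolve_auth are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed input: the page's example authentication-server entries */
static const char *cfg[] = {
    "default:tc=cs",
    "cs:address=noah.cs.is.saga-u.ac.jp:protocol=pop3:",
    "cc:address=himiko.cc.saga-u.ac.jp:protocol=ftp:port=21:",
    "pam:protocol=pam:",
    "rad:protocol=radius:",
};

/* Return the config line whose leading "ID:" matches id, or NULL. */
static const char *find_entry(const char *id) {
    size_t n = strlen(id);
    for (size_t i = 0; i < sizeof cfg / sizeof cfg[0]; i++)
        if (strncmp(cfg[i], id, n) == 0 && cfg[i][n] == ':')
            return cfg[i];
    return NULL;
}

/* Copy the value of ":key=" from line into out; 0 if the key is absent
   (e.g. no port= given, so the caller must consult /etc/services). */
static int get_field(const char *line, const char *key, char *out, size_t outsz) {
    char needle[64];
    snprintf(needle, sizeof needle, ":%s=", key);   /* fields are ':'-delimited */
    const char *p = strstr(line, needle);
    if (!p) return 0;
    p += strlen(needle);
    size_t vlen = strcspn(p, ":");                  /* value runs to next ':' */
    if (vlen >= outsz) vlen = outsz - 1;
    memcpy(out, p, vlen);
    out[vlen] = '\0';
    return 1;
}

/* Resolve a login of the form "userID" or "userID@ID" to the selected server
   entry and fetch one of its keys (address, protocol, port, ...).
   A plain userID is routed via "default:tc=ID".  Returns 1 on success. */
int resolve_auth(const char *login, const char *key, char *out, size_t outsz) {
    char id[64];
    const char *at = strchr(login, '@');
    if (at) {
        snprintf(id, sizeof id, "%s", at + 1);       /* explicit server ID */
    } else {
        const char *def = find_entry("default");
        if (!def || !get_field(def, "tc", id, sizeof id)) return 0;
    }
    const char *entry = find_entry(id);
    return entry ? get_field(entry, key, out, outsz) : 0;
}
```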
If you want to control the firewall state based on some user property in a database, edit the skeleton routine comm-userdb.c, though the function can also be implemented in the firewall control Perl script.
Parameters in Makefile
HOSTADDR     = IP address of the gateway interface on the client network
HTMLTOP1     = Web top directory
HTMLTOP2     = Web top directory (for SSL)
OPENGATEDIR  = Opengate install directory (from Web top)
CGIPATH      = CGI directory
CGIPROG      = CGI program name
CONFIGFILE   = Configuration file name
USEFWSCRIPT  = Enable (1) or disable (0) the Perl script that controls firewall opening
FWSCRIPT     = Firewall control Perl script name
FWSCRIPTPATH = Perl script path
LOCKFILE     = Lock file for exclusive execution
HTMLDOCS     = HTML files
DENYDOC      = HTML file sent at denial
ACCEPTDOC    = HTML file sent at acceptance
HTMLLANGS    = Languages of the HTML files
ARPPATH      = Path to the arp command
IPFWPATH     = Path to the ipfw command
Parameters in opengatesrv.h
DEBUG               : If set to 1, the program trace log is written to syslog.
DURATIONDEFAULT     : Time (seconds) the server waits, after sending the Java applet, for the TCP connection. If no connection is made, the network is closed. This is the default; the waiting time can be changed on the auth page.
DURATIONMAX         : In no-Java mode, the network is opened for the duration entered by the user on the auth page. DURATIONMAX is the maximum value (seconds) that may be entered. If not needed, set it to the same value as DURATIONDEFAULT and remove the field from the auth page.
ACTIVECHECKINTERVAL : Time interval (seconds) for checking the terminal. In no-Java mode, the check uses the MAC address and packet count for the terminal's IP address. In Java mode, it uses the HELLO exchange and packet count.
COMMWAITTIMEOUT     : Time (seconds) the server waits for a communication reply.
NOREPLYMAX          : Permitted count of missing replies to HELLO. If the client fails to answer HELLO more than NOREPLYMAX times, the network is closed.
NOPACKETINTERVAL    : If no packet passes for this time interval (seconds), the network is closed.
LOCKTIMEOUT         : Maximum locking time (seconds) for an exclusive ipfw action.
IPFWMIN             : Minimum ipfw rule number used by Opengate.
IPFWMAX             : Maximum ipfw rule number used by Opengate.
IPFWINTERVAL        : Rule number interval used by Opengate. The maximum number of terminals/processes can be controlled by these values.
PORTMIN             : Minimum port number used by Opengate.
PORTMAX             : Maximum port number used by Opengate. Set an unused port range.
FACILITY            : syslog facility.
PAMSERVICENAME      : Default service name for PAM.
RADIUSCONF          : Default path to radius.conf.