Configuring a firewall based on ADSL

Source: Internet
Author: User
Tags: firewall

My goal is to build an ADSL dial-up gateway that also serves as a VPN gateway, using MPD as the VPN daemon and PPTP as the transport protocol. Because the same machine runs a Samba server I cannot leave every port open towards the ADSL side; everything that is not wanted has to be blocked. That is why I spent a long time working out which ports and protocols PPTP needs to have let through the firewall. That is the purpose of the configuration; what follows is the configuration process itself.

First, dialling ADSL with ppp. If you are already familiar with using ppp for a PPPoE connection (the connection method ADSL uses), skip this section and continue with the part that follows.

Using ppp to connect over PPPoE is very simple. After installing FreeBSD you will find a file called ppp.conf in the /etc/ppp/ directory; edit it to look like the following and you will be able to connect over PPPoE. The file contents are:

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)

 # The serial-port comment below is left over from ppp.conf.sample
 # (cuaa0 = COM1, cuaa1 = COM2); for PPPoE "device" names the Ethernet card.
 #
 set device PPPoE:rl0
 set speed sync
 set mru 1492
 set mtu 1492
 set ctsrts off
 set timeout 180                        # 3 minute idle timer (the default)
 enable dns                             # request DNS info (for resolv.conf)

papchap:
 #
 # Edit the next two lines and replace the items in caps with
 # the values which have been assigned by your ISP.
 #
 set authname USERNAME
 set authkey PASSWORD
 set timeout 0                          # value lost in the posted copy; 0 (no idle timeout) assumed for an always-on link
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR                    # Add a (sticky) default route

The first part sets up logging and some defaults. After set device PPPoE: you put the name of your network card's driver; mine is a Realtek 8139, hence rl0. set mru and set mtu set the maximum receive and transmit units; the PPPoE default is 1492 (the 1500-byte Ethernet payload minus the 8 bytes of PPPoE and PPP headers). set timeout is the idle timer that matters in auto mode: the link is dropped once it has been idle for that many seconds. enable dns asks the ISP's server for DNS addresses and writes them into resolv.conf. The papchap section holds your PPPoE account details, and the last two lines set the address negotiation and the default route; be sure to include them.

Note that the lines after each label must be indented by at least one space. The indentation may not be visible in this post, so watch out for it.

After editing the configuration file, test it with ppp -ddial papchap. If the link comes up and the network works, add the following lines to rc.conf so that ppp dials at boot:

ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="YES"
ppp_profile="papchap"

ppp_mode selects ppp's operating mode: auto, ddial, background and so on; man ppp describes them. ppp_nat="YES" switches on ppp's built-in NAT (libalias) so that the machines behind the gateway can share the link. That is all there is to the PPPoE dial-up configuration; as you can see it is very simple.
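As an added example (not from the article), the script below checks a ppp.conf for the indentation pitfall just mentioned and for a profile that forgets the default route; ppp only treats indented lines as commands belonging to the label above them, so an unindented command silently drops out of its section. It assumes the file and the profile name are passed on the command line (the profile defaulting to papchap); the sample configuration embedded in it is constructed for the stand-alone run and deliberately repeats the mistake.

```shell
#!/bin/sh
# Added example, not from the original article: check a ppp.conf for the
# pitfalls the text describes. A command that is not indented after its
# label is not read by ppp(8) as part of that section, and a profile
# without "add default HISADDR" comes up with no default route.
# Assumptions: the file and profile name are given as $1 and $2;
# "set device" may live in the default section or in the profile.

check_ppp_conf() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                     # comments and blank lines
        /^[^ \t]/ {                                  # column 1: a label, or a mistake
            if ($0 ~ /^[A-Za-z0-9_.-]+:[ \t]*$/) {
                label = $0; sub(/:.*$/, "", label); seen[label] = 1; next
            }
            printf("line %d: \"%s\" is not indented, ppp will not read it as part of the section\n", NR, $0)
            bad++; next
        }
        tolower($0) ~ /^[ \t]*set[ \t]+device[ \t]/ { device = 1 }
        tolower($0) ~ /^[ \t]*add[ \t]+default[ \t]+hisaddr/ && (label == want || label == "default") { route = 1 }
        END {
            if (!(want in seen)) { printf("profile \"%s\" not found\n", want); bad++ }
            else if (!route)     { printf("profile \"%s\" never adds the default route (add default HISADDR)\n", want); bad++ }
            if (!device)         { printf("no \"set device\" line, ppp has nothing to dial on\n"); bad++ }
            exit bad ? 1 : 0
        }' "$1"
}

# Constructed sample input for a stand-alone run: the same PPPoE profile as
# the article, with the two commands after "papchap:" left unindented.
sample_conf() {
    cat <<'EOF'
default:
 set log Phase Chat LCP IPCP CCP tun command
 set device PPPoE:rl0
 set mru 1492
 set mtu 1492
 enable dns
papchap:
set authname USERNAME
set authkey PASSWORD
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
EOF
}

if [ $# -gt 0 ]; then
    check_ppp_conf "$1" "${2:-papchap}"
else
    tmp=$(mktemp) && sample_conf > "$tmp"
    check_ppp_conf "$tmp" papchap || echo "sample ppp.conf rejected (expected)"
    rm -f "$tmp"
fi
```

Run it as sh check_ppp.sh /etc/ppp/ppp.conf papchap before the first ppp -ddial; a non-zero exit means the file would not dial the way the text expects.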

The next part is the IPFW firewall, which needs changes to the default kernel configuration; MPD needs kernel changes as well, so both are made here. I use the upgraded version of IPFW, known as IPFW2. On FreeBSD 4.x you have to rebuild ipfw for it, which means having the source of FreeBSD 4.6 or later on the hard disk, and then upgrading ipfw with the following steps:

cd /usr/src/sbin/ipfw
make -DIPFW2
make install
cd /usr/src/lib/libalias
make -DIPFW2
make install

or add the following line to /etc/make.conf:

IPFW2=true

and run make world to upgrade the firewall.

With IPFW upgraded, the next step is the kernel. Rebuilding the kernel goes as follows. First change to /sys/i386/conf/, which contains two files, GENERIC and LINT; I will not repeat what they are here and only describe the process of modifying the kernel.

First, cp GENERIC MYKERN, then edit MYKERN and add the following lines:

options NETGRAPH
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
options NETGRAPH_ETHER
options IPFIREWALL              # missing from the list as posted; the IPFW options below have no effect without it
options IPFW2
options IPDIVERT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPSTEALTH
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP

Save and exit the editor. Note that a kernel built with IPFIREWALL denies all traffic by default (its final rule is a deny) unless IPFIREWALL_DEFAULT_TO_ACCEPT is also set; for a gateway that is the right default, but after the reboot nothing will pass until a ruleset has been loaded, so do the first reboot from the console rather than over a remote login. Then run:

config MYKERN
cd ../../compile/MYKERN
make depend
make
make install

Then reboot the machine, and the kernel update is done.

With IPFW2 installed we do not turn the firewall on yet; first we configure MPD to set up the PPTP server. Installing MPD is simple: you can compile it by hand, but I recommend installing it from ports, because I really cannot think of a reason not to. If the ports tree is on your hard disk, MPD is installed with:

cd /usr/ports/net/mpd
make install
make clean

After installation, ports creates the /usr/local/etc/mpd directory and puts sample configuration files in it; you can complete the MPD configuration by editing these samples. Taking mpd.conf.sample as the example: first cp mpd.conf.sample mpd.conf, then modify the pptp section as follows. Two things to watch in this fragment: the link authenticates clients with CHAP (Windows clients use MS-CHAP), with the credentials kept in mpd.secret in the same directory, so that file must be readable by root only; and the ccp lines accept 40-bit as well as 128-bit MPPE. MPPE keys are derived from the MS-CHAP password exchange, which has well-known weaknesses, so at the very least drop the mpp-e40 line so that only 128-bit keys are accepted, and treat PPTP as a legacy protocol rather than a strong VPN.

pptp:
    new -i ng0 pptp pptp
    set iface disable on-demand
    set iface enable proxy-arp
    set iface idle 1800
    set bundle enable multilink
    set link yes acfcomp protocomp
    set link no pap chap
    set link enable chap
    set link keep-alive 10 60
    set link mtu 1460
    set ipcp yes vjcomp
    set ipcp ranges 192.168.1.1/32 192.168.1.50/32
    set ipcp dns 192.168.1.3
    set ipcp nbns 192.168.1.4
    #
    # The five lines below enable Microsoft Point-to-Point encryption
    # (MPPE) using the ng_mppc(8) netgraph node type.
    #
    set bundle enable compression
    set ccp yes mppc
    # The next line also accepts 40-bit keys; remove it to allow 128-bit MPPE only
    set ccp yes mpp-e40
    set ccp yes mpp-e128
    set ccp yes mpp-stateless

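The article's own firewall ruleset is not in this copy, so here, as an added example that is not the author's, is an ipfw ruleset that does what the introduction asks for: let through what mpd's PPTP server needs from the Internet (the TCP 1723 control connection and GRE, IP protocol 47, per RFC 2637) and keep Samba's ports off the ADSL side. It assumes the PPPoE link is tun0 (ppp's default interface), the LAN card is rl1 on 192.168.1.0/24 (the network mpd.conf hands to VPN clients), that NAT is done inside ppp by ppp_nat so no divert rule is needed, and that mpd's tunnel interfaces are named ng0, ng1 and so on; none of these names come from the original. The generator and the check are shell functions so the output can be written to a file that rc.firewall loads.

```shell
#!/bin/sh
# Added example, not from the original article: an ipfw(8) ruleset for the
# gateway described above, emitted by a function so it can be written to a
# rules file. Assumed names (not from the page): tun0 = PPPoE link,
# rl1 = LAN card, 192.168.1.0/24 = LAN and VPN client network, ng* = mpd
# tunnel interfaces. NAT happens inside ppp (ppp_nat), so there is no
# divert/natd rule here.

ipfw_rules() {
    ext=${1:-tun0}; lan=${2:-rl1}; lannet=${3:-192.168.1.0/24}
    cat <<EOF
# loopback, and nothing pretending to be loopback
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# anti-spoofing: LAN or private sources never arrive over the ADSL link
add 200 deny log ip from $lannet to any in via $ext
add 210 deny log ip from 10.0.0.0/8 to any in via $ext
add 220 deny log ip from 172.16.0.0/12 to any in via $ext
add 230 deny log ip from 192.168.0.0/16 to any in via $ext
# Samba (NetBIOS/CIFS) is for the LAN and the VPN only: refuse and log from outside
add 300 deny log tcp from any to any 137-139,445 in via $ext
add 310 deny log udp from any to any 137-139,445 in via $ext
# what mpd's PPTP server needs: the TCP 1723 control connection and GRE
# (IP protocol 47) in both directions
add 400 allow tcp from any to me 1723 in via $ext setup
add 410 allow gre from any to me in via $ext
add 420 allow gre from me to any out via $ext
# LAN and VPN tunnel interfaces are trusted
add 500 allow ip from any to any via $lan
add 510 allow ip from any to any via ng*
# traffic the gateway (or, after ppp's NAT, the LAN) initiated
add 600 allow tcp from any to any established
add 610 allow tcp from any to any out via $ext setup
add 620 allow udp from any to any out via $ext keep-state
add 630 allow icmp from any to any icmptypes 0,3,4,11,12 in via $ext
add 640 allow icmp from any to any out via $ext
# everything else, including any other port Samba or ppp might open, is dropped and logged
add 65000 deny log ip from any to any
EOF
}

# Self-check on the generated text: the two things the gateway must let
# through for PPTP are present, Samba is refused from outside, and no allow
# rule mentions the CIFS port.
rules_ok() {
    rules=$(ipfw_rules "$@")
    printf '%s\n' "$rules" | grep -q '^add [0-9]* allow tcp from any to me 1723 in via' &&
    printf '%s\n' "$rules" | grep -q '^add [0-9]* allow gre from any to me in via' &&
    printf '%s\n' "$rules" | grep -q '^add [0-9]* deny log tcp from any to any 137-139,445 in via' &&
    ! printf '%s\n' "$rules" | grep -q 'allow .* 445'
}

# Stand-alone run: print the ruleset for the given (or default) interfaces.
ipfw_rules "$@"
```

Write the output to a file with ipfw_rules tun0 rl1 192.168.1.0/24 > /etc/ipfw.rules, then set firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in rc.conf. Any service you deliberately expose on the ADSL side (sshd, say) needs its own allow rule before rule 65000, and since the kernel denies by default, load the rules from the console the first time. Rule 620 relies on ipfw's dynamic rules: the keep-state rule is where inbound UDP replies are matched, so it must stay before the final deny.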