FreeBSD Router
From MMAE
This will not be completed anytime soon, but I will leave it up because it has some good reference info. If you feel like contributing, please feel free. -Brian K.
This is a generic guide for building a router/firewall using FreeBSD as the platform. This is more of a checklist and notes for myself. Feel free to add or change something if you think it could be done better.
Goal
Firewall/NAT (pf)
DHCP Server
Internal DNS
Tunneling (OpenVPN)
Routing (Quagga)
IDS (Snort/Acid)
SNMP Monitoring (Cacti)
Setup
(basic install instructions for FreeBSD)
Firewall/NAT (pf)
Installation
Enabling PF
PF comes pre-installed on FreeBSD. To enable it, add the following to /etc/rc.conf:
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
Also make sure you have the following in /etc/rc.conf; it allows the system to forward packets between interfaces, which is required for routing to an internal LAN or doing NAT:
gateway_enable="YES"
Enabling ALTQ
ALTQ is not supported by all of the available network card drivers. Please see the altq(4) manual page from the FreeBSD website.
ALTQ support must be compiled into your kernel by adding the following options to the kernel configuration:
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
Configuration
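As an added example (not part of the original page), here is a minimal /etc/pf.conf for a two-interface router that ties the pieces above together: NAT on the external interface, a default-deny filter with anti-spoofing and logging to pflog, pass rules for the DNS and DHCP services the later sections set up, and an ALTQ priority queue on the uplink. The interface names fxp0 (external) and fxp1 (internal, matching the fxp1 used in the DHCP section), the LAN network 192.168.4.0/24 (matching the dhcpd.conf sample) and the 1 Mbit/s uplink figure are assumptions.

```pf
# Added example: /etc/pf.conf for a two-interface FreeBSD router.
# Assumed interface names and addresses (not from the page):
#   fxp0 = external interface facing the ISP (address assigned by the ISP)
#   fxp1 = internal LAN interface, 192.168.4.1 on 192.168.4.0/24
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.4.0/24"

# Options: do not filter loopback; silently drop what we block
set skip on lo0
set block-policy drop

# Normalization: reassemble fragments so the filter sees whole packets
scrub in all

# Queueing (needs the ALTQ kernel options above). Assumed 1 Mbit/s uplink.
# Two priority queues: small interactive packets and TCP ACKs go to q_pri
# so bulk uploads do not stall downloads.
altq on $ext_if priq bandwidth 1Mb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

# Translation: hide the LAN behind whatever address $ext_if currently has
nat on $ext_if from $lan_net to any -> ($ext_if)

# Filtering. Default deny in both directions, logged to pflog0; every
# pass rule below is an explicit exception.
block log all

# Drop packets whose source address could not legitimately arrive on that
# interface (e.g. LAN addresses arriving from the ISP side)
antispoof quick for { $int_if, $ext_if }

# Traffic the router itself originates (DNS forwarding, package fetches, ...)
pass out quick on $ext_if from ($ext_if) to any keep state queue(q_def, q_pri)
pass out quick on $int_if from ($int_if) to $lan_net keep state

# Services on the router that the LAN may use: DNS (named), SSH, ping
pass in quick on $int_if proto { tcp, udp } from $lan_net to ($int_if) port domain keep state
pass in quick on $int_if proto tcp from $lan_net to ($int_if) port ssh keep state
pass in quick on $int_if inet proto icmp from $lan_net to ($int_if) icmp-type echoreq keep state

# DHCP: clients have no address yet, so the source is 0.0.0.0 and the
# destination is the broadcast address; match on the ports instead
pass in  quick on $int_if proto udp from any port bootpc to any port bootps
pass out quick on $int_if proto udp from any port bootps to any port bootpc

# Anything else aimed at the router itself from the LAN stays blocked
# (and logged), so the catch-all below cannot expose other local daemons
block in log quick on $int_if from any to ($int_if)

# LAN hosts out to the Internet. The state created here carries the queue
# assignment, so the packets leave $ext_if through the ALTQ queues.
pass in quick on $int_if from $lan_net to any keep state queue(q_def, q_pri)
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf. Because the default-deny rule is logged, every dropped packet ends up in the pflog file configured in rc.conf above; tcpdump -n -e -ttt -r /var/log/pflog reads that file, which is the quickest way to see what the ruleset is rejecting while you tune it.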
Starting
Internal DNS
DNS is used to resolve host names to IP addresses and vice versa. The purpose of an internal DNS server is to keep track of all the hostnames within your internal network and provide an easily accessible resolver for all internal machines. For our DNS purposes we will be using BIND 9. BIND's daemon is called named.
Installation
Bind comes pre-installed on FreeBSD and to get it working you need to add the following to /etc/rc.conf:
named_enable="YES"
Configuration
Configuration for BIND is located in /etc/namedb/. The main configuration file, named.conf, contains options for named as well as zone declarations. It is customary to have a subfolder master in this directory that contains the individual configuration files for each master zone (as declared in named.conf). There is also a subfolder called slave that holds the zone files for all slave zones.
The first step is to run make-localhost, which creates the default localhost.rev zone file in the master directory:
cd /etc/namedb
sh make-localhost
Next, edit named.conf and create a zone file for each zone it declares. For information on how to do this, visit the FreeBSD Handbook.
Sample named.conf configuration:
// $FreeBSD$
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; };
// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;
// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// query-source address * port 53;
};
// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
file "master/localhost-v6.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// primary.
//
// Never forget to include the reverse lookup (IN-ADDR.ARPA) zone!
// (This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended.)
//
// Before starting to set up a primary zone, make sure you fully
// understand how DNS and BIND works. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.
/* An example master zone
zone "example.net" {
type master;
file "master/example.net";
};
*/
/* An example dynamic zone
key "exampleorgkey" {
algorithm hmac-md5;
secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
allow-update {
key "exampleorgkey";
};
file "dynamic/example.org";
};
*/
/* Examples of forward and reverse slave zones
zone "example.com" {
type slave;
file "slave/example.com";
masters {
192.168.1.1;
};
};
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
masters {
192.168.1.1;
};
};
*/
Sample zone configuration file:
$TTL 3600 ; 1 hour
example.org. IN SOA ns1.example.org. admin.example.org. (
2006051501 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; DNS Servers
IN NS ns1.example.org.
IN NS ns2.example.org.
; MX Records
IN MX 10 mx.example.org.
IN MX 20 mail.example.org.
IN A 192.168.1.1
; Machine Names
localhost IN A 127.0.0.1
ns1 IN A 192.168.1.2
ns2 IN A 192.168.1.3
mx IN A 192.168.1.4
mail IN A 192.168.1.5
; Aliases
www IN CNAME @
Starting
To start Bind run:
/etc/rc.d/named start
DHCP
DHCP (Dynamic Host Configuration Protocol) is the protocol a server daemon (dhcpd) uses to lease out network configuration to computers on a network. This way each computer is configured automatically at boot without address conflicts.
Install
FreeBSD uses the ISC (Internet Software Consortium) implementation of the DHCP server. To install this we will be using the net/isc-dhcp-server package. You can either install this package from ports (source) or as a binary package. For either option you must have root access.
Install from Ports
cd /usr/ports/net/isc-dhcp3-server
make install clean
You can accept the default options or change them to your liking.
Install binary package
pkg_add -r isc-dhcp-server
After installing the package, you must add the following to /etc/rc.conf:
dhcpd_enable="YES"
dhcpd_ifaces="fxp1"
Here fxp1 is the interface on which the DHCP daemon will listen.
Configuration
The configuration file for the DHCP server is /usr/local/etc/dhcpd.conf, which the net/isc-dhcp-server port installs. For information on how to configure it, visit the FreeBSD Handbook.
Sample dhcpd.conf:
option domain-name "example.com";
option domain-name-servers 192.168.4.100;
option subnet-mask 255.255.255.0;
default-lease-time 3600;
max-lease-time 86400;
ddns-update-style none;
subnet 192.168.4.0 netmask 255.255.255.0 {
range 192.168.4.129 192.168.4.254;
option routers 192.168.4.1;
}
host mailhost {
hardware ethernet 02:03:04:05:06:07;
fixed-address mailhost.example.com;
}
Starting
To start the DHCP server run:
/usr/local/etc/rc.d/isc-dhcpd start
Source: "http://www2.mmae.ucf.edu/wiki/FreeBSD_Router"
Thursday, 12 February 2009