Chapter 12. Building a FreeBSD Gateway

The previous chapter examined building a Linux based gateway. Building a FreeBSD gateway for a wireless network is very similar. This chapter will examine the steps to set up a FreeBSD gateway comparable in function and behavior to the Linux gateway already described. The example network architecture we will be using in this chapter is the same as in the previous chapter.

Unlike Linux, FreeBSD names network interfaces after the driver for the card's hardware rather than numbering them generically. Throughout this chapter, we will use dc0, dc1, and dc2 as the network interfaces. These correspond to the common Netgear and Linksys cards sold in most stores. Replace these with the names of the three interfaces on your own gateway.

Building the Gateway

The first step is to install the operating system and configure it to provide the necessary services. The installation should be as minimal as possible. Every unnecessary service or program that is installed only increases the risk that one of the programs on the gateway turns out to be vulnerable. Do not install the X Window System or any of the optional applications.

It is important to install the development tools and the system source code. After installation, you will need to recompile the kernel and the new versions of several services might need to be downloaded and compiled, so the development tools will be necessary. The ports collection along with the cvsup utility will be helpful in installing and updating services too, so it might be a good idea to install those. Information on ports and cvsup can be found at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports-using.html.

Make the /var partition of decent size during the drive setup. A couple hundred megabytes should be more than sufficient. A gateway can generate many logs and this is where they will be stored.

FreeBSD Kernel Configuration

The kernel configuration should be reviewed to remove unneeded support. Take out support for anything that won’t be needed for the hardware configuration of the gateway. The general process for doing this and the details of options are described in Chapter 4 (see Section 4.1.1 and especially Section 4.1.2). Enable the following options to add support for the firewall, NAT translation, randomizing IP identifiers, and dropping TCP SYN/FIN packets:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
options RANDOM_IP_ID
options TCP_DROP_SYNFIN
pseudo-device bpf

The only option here that we have not discussed yet is IPDIVERT, which enables support for divert rules in the firewall. Divert rules will be used to funnel packets to natd, the daemon which performs NAT translation on FreeBSD.
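The following script is an added example, not part of the book: it checks a kernel configuration file for the options listed above before you go through a kernel build, so a forgotten IPDIVERT (which would leave natd with nothing to divert to) or a commented-out TCP_DROP_SYNFIN shows up immediately. The option list is the chapter's; the sample configuration file and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): check a FreeBSD kernel configuration file
# for the options this chapter requires. The option list is the chapter's;
# the sample config file below is constructed for the demonstration.

REQUIRED_KERNEL_OPTIONS="IPFIREWALL IPFIREWALL_VERBOSE IPFIREWALL_VERBOSE_LIMIT IPDIVERT RANDOM_IP_ID TCP_DROP_SYNFIN"

# has_kernel_option FILE OPTION: succeeds if an uncommented "options OPTION"
# line is present (with or without an =value suffix, e.g. _VERBOSE_LIMIT=10).
has_kernel_option() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq "^[[:space:]]*options[[:space:]]+$2([[:space:]]*=|[[:space:]]|\$)"
}

# has_pseudo_device FILE NAME: succeeds if an uncommented "pseudo-device NAME"
# line is present (the chapter lists pseudo-device bpf).
has_pseudo_device() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq "^[[:space:]]*pseudo-device[[:space:]]+$2([[:space:]]|\$)"
}

# missing_kernel_options FILE: print each required option FILE lacks, one per
# line; succeed only when nothing is missing.
missing_kernel_options() {
    _missing=""
    for opt in $REQUIRED_KERNEL_OPTIONS; do
        if ! has_kernel_option "$1" "$opt"; then
            _missing="$_missing $opt"
            echo "$opt"
        fi
    done
    [ -z "$_missing" ]
}

# count_missing_kernel_options FILE: number of missing required options.
count_missing_kernel_options() {
    missing_kernel_options "$1" | wc -l | tr -d ' '
}

# Constructed sample: IPDIVERT was never added and TCP_DROP_SYNFIN is commented out.
SAMPLE_KERNCONF=$(mktemp)
cat > "$SAMPLE_KERNCONF" <<'EOF'
ident           GATEWAY
options         IPFIREWALL
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=10
#options        TCP_DROP_SYNFIN
options         RANDOM_IP_ID
pseudo-device   bpf
EOF

if missing=$(missing_kernel_options "$SAMPLE_KERNCONF"); then
    echo "kernel config has every required option"
else
    echo "kernel config is missing required options:"
    echo "$missing"
fi
```

Run it against your real configuration by pointing `missing_kernel_options` at the file under /usr/src/sys/i386/conf (or the architecture you build for) instead of the constructed sample; the check only reads the file, so it is safe to run on a securelevel 3 system.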

If the gateway is going to connect to the wireless network using HostAP or a wireless network card instead of an Ethernet connection to the AP, make sure the kernel has support for the wireless drivers selected and has the proper options set. The options are described in Section 4.1.1 and the HostAP instructions of Chapter 9.

Disabling Unneeded Services

Just as with the clients, the unneeded services on the gateway should be disabled. The basic approach to doing this is described in Chapter 4. This machine should only have a minimal set of services running. An example /etc/rc.conf appropriate for the gateway we are building should contain the following settings.

Set the upstream router this gateway will communicate with to 192.0.2.1.

defaultrouter="192.0.2.1"

Enable gateway behavior. This will cause packets to be forwarded between the interfaces. Then, set the hostname to "gateway".

gateway_enable="YES"
hostname="gateway"

This sets up the IP addresses and netmasks for the three network interfaces. There are no separate configuration files as there are under Linux. Change these to suit your network layout:

ifconfig_dc0="inet 192.0.2.230 netmask 255.255.255.0"
ifconfig_dc1="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_dc2="inet 192.168.1.1 netmask 255.255.255.0"

Setting the kernel security level to 3 prevents certain settings from being changed without a reboot. One important effect is that nobody can change the firewall rules while the system is running. You might want to set kern_securelevel_enable to NO while you are getting things set up; it will save you a few reboots while you fine-tune the firewall rules and other settings. Remember to come back and re-enable this when you are done building the gateway.

kern_securelevel="3"
kern_securelevel_enable="YES"

Disable NFS, sendmail, and inetd. We won’t need these or any of the services that are started from inetd.

nfs_server_enable="NO"
sendmail_enable="NONE"
inetd_enable="NO"

To allow remote administration of the gateway, sshd will need to be running. This provides encrypted shell sessions for the ssh client program.

sshd_enable="YES"

Enable the firewall, and tell it to log results. The firewall type is set to "unknown" here, as we will be using a separate script to load the rules. Entering "unknown" will cause rc.firewall to set up basic firewall settings but not load rules.

firewall_enable="YES"
firewall_type="unknown"
firewall_logging="YES"

This enables the NAT daemon and tells it the outside interface is dc0. It will translate the addresses in packets only when they traverse this interface. Replace this with your external interface name.

natd_enable="YES"
natd_interface="dc0"

The last three settings drop and log ICMP redirect packets and drop TCP SYN/FIN packets. These types of packets should not be seen as part of normal traffic.

icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_drop_synfin="YES"
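Because the settings above are spread over a dozen separate lines, and the chapter itself suggests temporarily turning off kern_securelevel_enable during setup, it is easy to put the gateway into service with one of them still wrong. The script below is an added example, not from the book: it parses an rc.conf (without sourcing it, so nothing in the file is executed) and reports every setting that is missing or differs from the values listed in this section. The expected values are the chapter's; the sample rc.conf, the function names and the two deliberate slips in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the book): audit an rc.conf against the gateway settings
# this chapter lists. Expected values are the chapter's; the sample is constructed.

# Settings that have exactly one correct value, as key=value lines.
EXPECTED_RC_SETTINGS="gateway_enable=YES
kern_securelevel=3
kern_securelevel_enable=YES
nfs_server_enable=NO
sendmail_enable=NONE
inetd_enable=NO
sshd_enable=YES
firewall_enable=YES
firewall_type=unknown
firewall_logging=YES
natd_enable=YES
icmp_drop_redirect=YES
icmp_log_redirect=YES
tcp_drop_synfin=YES"

# rc_value FILE KEY: print KEY's value the way rc.conf yields it when sourced:
# comment lines ignored, the last assignment wins, double quotes removed.
# The file is parsed, not sourced, so nothing in it gets executed.
rc_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (index(line, key "=") != 1) next
            val = substr(line, length(key) + 2)
            if (match(val, /^"[^"]*"/)) {
                val = substr(val, 2, RLENGTH - 2)   # double-quoted value
            } else {
                sub(/[[:space:]]*#.*$/, "", val)    # bare value: drop trailing comment
                sub(/[[:space:]]+$/, "", val)
            }
            found = 1; last = val
        }
        END { if (found) print last }
    ' "$1"
}

# audit_rc_conf FILE: print one line per problem; succeed only if there are none.
audit_rc_conf() {
    _file=$1; _problems=0
    while IFS='=' read -r key expected; do        # fixed-value settings
        [ -n "$key" ] || continue
        actual=$(rc_value "$_file" "$key")
        if [ "$actual" != "$expected" ]; then
            echo "$key: expected \"$expected\", found \"${actual:-<unset>}\""
            _problems=$((_problems + 1))
        fi
    done <<EOF
$EXPECTED_RC_SETTINGS
EOF
    for key in defaultrouter hostname natd_interface; do   # site-specific, must exist
        if [ -z "$(rc_value "$_file" "$key")" ]; then
            echo "$key: not set"; _problems=$((_problems + 1))
        fi
    done
    ext=$(rc_value "$_file" natd_interface)      # natd's outside interface needs an address
    if [ -n "$ext" ] && [ -z "$(rc_value "$_file" "ifconfig_$ext")" ]; then
        echo "natd_interface=$ext but ifconfig_$ext is not set"; _problems=$((_problems + 1))
    fi
    [ "$_problems" -eq 0 ]
}

count_rc_problems() { audit_rc_conf "$1" | wc -l | tr -d ' '; }

# Constructed sample: securelevel left disabled from the setup phase, inetd left on.
SAMPLE_RC_CONF=$(mktemp)
cat > "$SAMPLE_RC_CONF" <<'EOF'
defaultrouter="192.0.2.1"
gateway_enable="YES"
hostname="gateway"
ifconfig_dc0="inet 192.0.2.230 netmask 255.255.255.0"
ifconfig_dc1="inet 192.168.0.1 netmask 255.255.255.0"
ifconfig_dc2="inet 192.168.1.1 netmask 255.255.255.0"
kern_securelevel="3"
kern_securelevel_enable="NO"   # turned off while tuning rules, never re-enabled
nfs_server_enable="NO"
sendmail_enable="NONE"
inetd_enable="YES"
sshd_enable="YES"
firewall_enable="YES"
firewall_type="unknown"
firewall_logging="YES"
natd_enable="YES"
natd_interface="dc0"
icmp_drop_redirect="YES"
icmp_log_redirect="YES"
tcp_drop_synfin="YES"
EOF

if report=$(audit_rc_conf "$SAMPLE_RC_CONF"); then
    echo "rc.conf matches the chapter's gateway settings"
else
    echo "rc.conf needs attention:"; echo "$report"
fi
```

On a real gateway, call `audit_rc_conf /etc/rc.conf` as the last step before re-enabling the security level; the two slips in the constructed sample are exactly the kind this catches, since a gateway with kern_securelevel_enable="NO" accepts firewall rule changes at run time and one with inetd running exposes whatever inetd.conf still lists.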