If you are using RedHat Linux 5.x or SUSE Linux 6.x you can use the
firewall-masq-diald-rh5x-0.10-1.i386.rpm or
firewall-masq-diald-suse6x-0.10-1.i386.rpm respectively to
automatically install both the firewall-scripts and the HOWTO.
To install the scripts on other distributions you need to untar
firewall-masq-diald-0.11-1.tgz to a temporary directory, preferably
/tmp, and follow the installation instructions (see the file INSTALL)
to do it by hand.
After successful installation you have to configure the scripts to reflect exactly what your environment needs. This is described in the following paragraphs.
To adapt the main script to your environment various variables have to be set. Here's a description of them with example values:
IFINTERN holds all the internal interfaces used on the Linux firewall box. A very common example is
IFINTERN="eth0"
although more than one interface can be used, separated by spaces.
NETINTERN contains the internally used network range which is allowed to pass through the firewall. You can only make use of one network range, so if you are using more than one network address you should make sure these addresses can be described with one address/subnet pair, e.g. if you use the two address ranges 192.168.1.0 and 192.168.2.0 the correct setting would be
NETINTERN="192.168.0.0/16"
allowing all private addresses of the 192.168.x.x pool. This should be no problem unless you wish to be restrictive at the IP level, which cannot be handled via the script.
DNSEXTERN holds all nameserver addresses of your ISP, separated by spaces. If the nameservers you are allowed to use are 195.2.34.123 and 195.2.34.124 the variable will look like
DNSEXTERN="195.2.34.123 195.2.34.124"
You must set at least one address.
UNPRIVPORTS defines the range of the so-called unprivileged udp/tcp ports in the form lownum:highnum. Normally there's no need to change it. So the line
UNPRIVPORTS="1024:65535"
should remain unchanged.
Be warned: Don't set lownum to anything below 1024, because the ports up to 1023 are privileged, which means they have a special meaning in TCP/IP and could open a back door on your firewall if used here!
With IN_ALLOW_TCP you are able to open your firewall for special services
coming from the internet. These services are the tcp port numbers or, for
better readability, the names of the ports as they are found in
/etc/services. E.g. if you want to have a web and ftp server behind
your firewall accessible from the internet you would allow the www
and ftp service:
IN_ALLOW_TCP="www ftp"
But remember: In this case you can't use private IP addresses, because the address of the web and the ftp server must be an official one to be routable on the internet!
IRC_RANGE holds the range of ports which may be used for IRC. Be sure
you only use the minimum number of these unprivileged ports because of
security issues!
A very common range is 6666:6669 for load balancing on the IRC
servers. You can define only one port too, normally 6667 or the name
in /etc/services, normally irc. To disable IRC just leave the
variable empty.
Examples:
This setting will also be used for setting the parameters for the IP
Masquerading module to the corresponding values, e.g.
/sbin/modprobe ip_masq_irc $IRC_RANGE
OUT_ALLOW_TCP is used to configure explicitly which services - either by
port number or by name derived from /etc/services - your users
are allowed to use on the internet. Normally you would allow nearly
everything, but I included this variable for certain configurations.
A working setting for this is:
OUT_ALLOW_TCP="ftp http https imap pop smtp telnet nntp $IRC_RANGE"
This allows internal users access to ftp, web servers including ssl (http, https), email (imap, pop, smtp), telnet, news (nntp) and irc (if a range is given in IRC_RANGE).
Remember that all names set up here or in IN_ALLOW_TCP have to be
defined in /etc/services, otherwise you have to use the tcp port number.
As shown in this example you can also use ranges of tcp ports, but this is not the recommended way, with some exceptions like irc.
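The two rules above (lownum of UNPRIVPORTS never below 1024, every name in IN_ALLOW_TCP/OUT_ALLOW_TCP resolvable in /etc/services) are easy to get wrong by hand. The following POSIX sh checks are an added example, not part of the shipped firewall scripts; the services table is a constructed excerpt in /etc/services format, so in practice you would read the real file instead.

```shell
# Added example: sanity checks for rc.firewall.var settings before the
# firewall script sources them. Sample values below are constructed.
UNPRIVPORTS="1024:65535"
OUT_ALLOW_TCP="ftp http https imap pop smtp telnet nntp 6666:6669"

# Constructed excerpt in /etc/services format (use the real file instead)
SERVICES_DB='ftp     21/tcp
telnet  23/tcp
smtp    25/tcp
http    80/tcp      www
pop3    110/tcp     pop-3 pop
nntp    119/tcp
imap    143/tcp
https   443/tcp
irc     6667/tcp'

# check_unprivports LOW:HIGH -> 0 only if 1024 <= LOW <= HIGH <= 65535
# (anything below 1024 is a privileged port, see the warning above)
check_unprivports() {
    case "$1" in *:*) ;; *) return 1 ;; esac
    low=${1%%:*}; high=${1##*:}
    case "$low$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]
}

# service_known NAME -> 0 if NAME is a port number, a LOW:HIGH range, or a
# tcp service name/alias listed in $SERVICES_DB
service_known() {
    case "$1" in
        '') return 1 ;;
        *[!0-9:]*) ;;          # contains letters: look it up below
        *) return 0 ;;         # plain number or numeric range
    esac
    printf '%s\n' "$SERVICES_DB" | awk -v n="$1" \
        '$2 ~ /\/tcp$/ { for (i = 1; i <= NF; i++) if ($i == n) ok = 1 }
         END { exit !ok }'
}

# unknown_services "NAME ..." -> prints the entries that cannot be resolved
# (the firewall script would fail on them); returns 1 if there are any
unknown_services() {
    bad=""
    for s in $1; do service_known "$s" || bad="$bad $s"; done
    printf '%s\n' "${bad# }"
    [ -z "$bad" ]
}

check_unprivports "$UNPRIVPORTS" || echo "UNPRIVPORTS is unsafe: $UNPRIVPORTS"
unknown_services "$OUT_ALLOW_TCP htttp" || echo "fix the names listed above"
```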
PING can be set to yes or no respectively. Setting it to yes allows all internal PCs to ping any host on the internet, and allows any internet host to ping the firewall.
But remember: No internal host can be pinged from the internet!
With TRACEROUTE="yes" you allow all internal PCs to use the command traceroute on Linux/Unix based machines or tracert on Windows machines.
Under certain circumstances traceroute won't work directly on the firewall
host, e.g. if you have 2 ethernet cards of which one is used for the local
network and one is defined as the external interface on which firewalling
occurs. In that case you'll have to add the -i option to the
traceroute command like in
traceroute -i eth1 www.anywhere.com
where eth1 is the external interface connected to the internet.
This won't be necessary if using diald!
Setting TRACEROUTE="no" disables the ability to use this function.
But remember: No internal host can be traceroute'd from the internet!
With ACCEPTLOG you can define what the logging should look like for all rules which accept requests. Possible values for ipfwadm are:
For ipchains use instead:
These options will automatically be appended to any ipfwadm/ipchains command for accept rules.
For debugging purposes the setting ACCEPTLOG="-v -o" (ipfwadm) or ACCEPTLOG="-v -l" (ipchains) may be useful. Under normal operation setting it to "" should be ok, unless you wish to have a lot of ugly accept entries in your syslog ;)
With DENYLOG you can define what the logging should look like for all ipfwadm rules which deny requests. Possible values for ipfwadm are:
For ipchains use instead:
These options will automatically be appended to any ipfwadm/ipchains command for deny rules.
I recommend using the setting DENYLOG="-o" or DENYLOG="-l", or DENYLOG="-v -o" or DENYLOG="-v -l".
There's no need to configure either /etc/rc.d/rc.firewall.diald.add,
/etc/rc.d/rc.firewall.ipchains.diald.add or
/etc/rc.d/rc.firewall.diald.del,
/etc/rc.d/rc.firewall.ipchains.diald.del.
Only a few lines have to be added to /etc/rc.d/rc.local. These are:
if [ -f /etc/rc.d/rc.firewall ] ; then
# set the firewall rules to the default
# these are the same as diald uses when the connection is terminated
# (use rc.firewall.ipchains.diald.del instead when using ipchains)
. /etc/rc.d/rc.firewall.diald.del
fi
/sbin/irqtune 3
where 3 is the number of the interrupt used for the second and fourth serial
port. If your modem or ISDN terminal adapter is connected to the first or third
serial port the number will be 4. The first serial port is also known as
COM1, the second as COM2 and so on.
You can also add a second number for the slave interrupt controller, e.g. 11 which is used for a SCSI card on my system. For more information see irqtune or the irqtune homepage.
If you are using diald the following 2 lines must be added to
/etc/diald.conf and diald must be restarted:
addroute /etc/rc.d/rc.firewall.diald.add
delroute /etc/rc.d/rc.firewall.diald.del
All other configuration options will not be touched, that's up to you! As said before, you should already have a working system with diald set up correctly prior to installing the scripts!
When using diald you should carefully consider which services you will use automatically. E.g. if you configured your email program to check for new email every 15 minutes, regardless of platform, then diald calls your ISP every 15 minutes.
In the USA this is a minor problem since you lucky US guys do not have to pay for each call to your ISP, but in Germany and many other European countries each call counts.
Users of Netscape Communicator 4.5x and higher (on any platform) should add the
following line to their prefs.js file (Windows 95/98/NT) found in e.g.
C:\Program Files\Netscape\Users\Defaultuser\ or to
preferences.js (Linux) found in ~/.netscape:
user_pref("mailnews.start_page.enabled",false);
This line tells Netscape Messenger not to automatically connect to Netscape Netcenter when opening Netscape Messenger.
Remember to exit all Netscape windows BEFORE changing the file!
There may be some other services which regularly check for new information (maybe ICQ, any news ticker, ...) which I didn't figure out yet, and make diald open the connection. As soon as I get information on that issue I will publish it and update the HOWTO. If someone knows about such services I would appreciate her/his hints!
If you use a static IP address assigned to your dial-up firewall box from your
ISP you only have to adapt /etc/diald.conf with the appropriate
settings which you normally should have done before.
You have to omit the option
dynamic
and change the line
local 192.168.1.1
with the IP address assigned to your firewall box by your ISP.
When you are a lucky guy and you own a leased line you are for sure using a
statically assigned IP address. Since there's no need to use diald you will not
install the scripts /etc/rc.d/rc.firewall.diald.add and
/etc/rc.d/rc.firewall.diald.del or
/etc/rc.d/rc.firewall.ipchains.diald.add and
/etc/rc.d/rc.firewall.ipchains.diald.del. Therefore in
/etc/rc.d/rc.local the line
. /etc/rc.d/rc.firewall.diald.del
must be replaced with the lines
. /etc/rc.d/rc.firewall.var
. /etc/rc.d/rc.firewall ppp0 "$NETINTERN"
or
. /etc/rc.d/rc.firewall.ipchains.diald.del
must be replaced with the lines
. /etc/rc.d/rc.firewall.var.ipchains
. /etc/rc.d/rc.firewall.ipchains ppp0 "$NETINTERN"
Additionally you'll have to change the ppp0 part of the last added
line to reflect your external interface used for the leased line.
Of course no changes to /etc/diald.conf can be made because this file
should be absent in leased line configurations.
In order to make ftp work you'll have to include the line
/sbin/modprobe ip_masq_ftp in /etc/rc.d/rc.firewall or
/etc/rc.d/rc.firewall.ipchains which is already done in the shipped
rc.firewall or rc.firewall.ipchains script.
Here is a list of all additional modules which are shipped with kernel 2.0.36
which can be found in /lib/modules/2.0.36/ipv4:
needed for the program CU-SeeMe
needed for ftp PASV transfers
needed for the IRC server's DCC feature
needed for playing quake on the internet behind the firewall
needed for the Real Audio Player
needed for the program VDOLive
Additional modules are shipped with kernel 2.2.x. These are:
needed for protocols which are not yet supported by their own ip_masq modules
similar to port forwarding (see below) but makes use of "firewall marks" (see ipchains(8), option -m)
needed for forwarding packets from outside to inside a firewall on given ports, e.g. for internal web servers accessible on the internet
If there is need of using one or more of them simply put in a line like
/sbin/modprobe ip_masq_cuseeme
at the beginning of /etc/rc.firewall.
If you encounter performance problems it is likely a problem with the serial line, if you are using a modem or ISDN terminal adapter via the serial line.
Some beta testers encountered performance problems with 56k modems
with a diald connection. After using the following ppp-options in
/etc/diald.conf the performance was back to normal:
ppp-options noccp noipx noproxyarp
Please note: The options should be added to your already existing
ppp-options line in /etc/diald.conf!
Thank you Flo for this hint!
People who find their connection is still pretty slow compared with e.g. Windows should try irqtune from http://www.best.com/~cae/irqtune/. For RedHat users an rpm package is also available there.
irqtune changes the priority of interrupts, which on a standard installation often causes the serial interfaces to be of very low priority. With irqtune you can change this behaviour and get a speed up of up to 3x for modem connections. But you can't expand the bandwidth of your modem with irqtune! You only tell the kernel to use the interrupt of the serial interface before any other interrupt.
I use /sbin/irqtune 3 11 in /etc/rc.local to set the serial
interface's irq on the master controller (3) and the irq of my SCSI card on the
secondary controller (11) to the highest priority.
More information about this tool can be found on the irqtune homepage (see above).