         Building a firewall on a dial-up connection with FreeBSD

  Marc Silver

   <marcs@draenor.org>

   $Date: 2004-07-16 12:58:37 $

   This article describes how to set up a firewall using the dial-up
   capabilities of PPP with FreeBSD and IPFW, and in particular how to
   set up a firewall on a dial-up connection with a dynamically assigned
   IP address. This document does not describe the initial setup of the
   PPP connection.

     --------------------------------------------------------------

1. Introduction

   This document is intended to describe the steps required to set up a
   firewall with FreeBSD when your IP address is assigned dynamically by
   your provider. Although every effort has been made to make this
   document as informative and correct as possible, please send comments
   and suggestions to the author.

     --------------------------------------------------------------

2. Kernel options

   First of all you need to rebuild your FreeBSD kernel. If you need
   more detailed information on how to do this, the best place to start
   is the kernel configuration chapter of the Handbook. You need to
   include the following options in the kernel:

   options IPFIREWALL

           Enables the firewall in the kernel. Note that the kernel's
           built-in final rule (65535) then denies every packet, so
           until your own rules are loaded the machine has no network
           access at all; this is why you should not reboot before the
           rule file from section 5 is in place.

   options IPFIREWALL_VERBOSE

           Sends messages about logged packets to the system log.

   options IPFIREWALL_VERBOSE_LIMIT=100

           Limits the number of times a matching rule is logged. This
           keeps the log files from being filled with a flood of
           repeated entries. 100 is a reasonable value, but you can
           change it to suit your needs.

   options IPDIVERT

           Enables divert sockets, which natd(8) uses as shown below.

   There are also a few OPTIONAL options you can build into the kernel
   for additional security. They are not required for the firewall to
   work, but more paranoid users may still want them. Both date from
   the FreeBSD 3.x/4.x kernels this article was written for:
   TCP_RESTRICT_RST was later removed in favour of the sysctl
   net.inet.tcp.blackhole, and TCP_DROP_SYNFIN is switched on at run
   time with the sysctl net.inet.tcp.drop_synfin (older releases also
   need the kernel option).

   options TCP_RESTRICT_RST

           This option stops the kernel from sending TCP RST segments,
           for example in reply to a SYN for a closed port. It is most
           useful on systems that may be subjected to SYN floods (IRC
           servers are a good example) or that do not want to be easily
           port scanned, since a scanner no longer receives the RST
           that tells it a port is closed.

   options TCP_DROP_SYNFIN

           With this option TCP segments with both the SYN and FIN
           flags set are ignored. This prevents tools such as nmap from
           identifying the TCP/IP stack in use, but it also breaks the
           RFC1644 (T/TCP) extensions. It is NOT recommended if the
           machine will run a web server.

   Do not reboot the machine right after rebuilding the kernel. Luckily,
   to finish setting up the firewall we only need to reboot once, and
   that can wait until the rules are written.

     --------------------------------------------------------------

3. Editing /etc/rc.conf to load the firewall

   Now we need to make some changes to /etc/rc.conf to tell it to
   enable the firewall. Simply add the following lines:

 firewall_enable="YES"
 firewall_script="/etc/firewall/fwrules"
 natd_enable="YES"
 natd_interface="tun0"
 natd_flags="-dynamic"
    

   For more information on what these lines do, look at the contents of
   /etc/defaults/rc.conf and read rc.conf(5). Two of them matter for a
   dynamic address: natd_interface must name the interface the dial-up
   link actually uses (tun0 for user-ppp, ppp0 for pppd, see question
   6.3), and -dynamic makes natd(8) watch that interface and switch its
   alias address whenever the provider assigns a new one.

     --------------------------------------------------------------

4. Disabling network address translation in PPP

   You may already be using the network address translation (NAT)
   built into PPP. If so, you need to disable it, since these examples
   use natd(8) for the same purpose.

   If you already have a block of directives that starts PPP
   automatically, it probably looks something like this:

 ppp_enable="YES"
 ppp_mode="auto"
 ppp_nat="YES"
 ppp_profile="profile"
    

   If so, remove the line ppp_nat="YES". You will also need to remove
   any nat enable yes and alias enable yes lines from
   /etc/ppp/ppp.conf.
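   The checks that sections 2 to 4 ask you to make by hand can be
   scripted. The script below is an added example and not part of the
   article: it lists required kernel options missing from a kernel
   configuration file and reports NAT being enabled twice (ppp_nat in
   rc.conf, or nat/alias enable in ppp.conf, while natd_enable is set).
   The sample files it writes are constructed for the demonstration, and
   the names fwcheck.sh and KERNEL are placeholders.

```shell
#!/bin/sh
# Pre-reboot check for the configuration described in sections 2 to 4.
# Added example, not part of the article: it only reads the files it is
# given and reports problems. Sample files are constructed below so the
# checks can be tried offline; the real paths are the kernel config under
# /sys/<arch>/conf, /etc/rc.conf and /etc/ppp/ppp.conf.

required_options="IPFIREWALL IPFIREWALL_VERBOSE IPFIREWALL_VERBOSE_LIMIT IPDIVERT"

# Print each required option that the kernel configuration file lacks.
# A commented-out "#options IPDIVERT" counts as missing. Exit 1 if any
# option is missing.
missing_kernel_options() {
    kconf=$1; rc=0
    for opt in $required_options; do
        # "options NAME" or "options NAME=value" and nothing else on the
        # line, so that IPFIREWALL does not match IPFIREWALL_VERBOSE
        if ! grep -Eq "^[[:space:]]*options[[:space:]]+$opt([=[:space:]]|\$)" "$kconf"; then
            echo "$opt"; rc=1
        fi
    done
    return $rc
}

# Print the value of a variable from an rc.conf-style file: the last
# assignment wins, surrounding quotes and trailing comments are removed.
rc_value() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]*#.*$//' -e 's/^["'"'"']//' -e 's/["'"'"']$//'
}

# True for the spellings that rc.subr's checkyesno accepts.
is_yes() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" in
        YES|TRUE|ON|1) return 0 ;;
    esac
    return 1
}

# Report NAT being done twice: ppp's built-in NAT (ppp_nat in rc.conf,
# "nat enable yes" or "alias enable yes" in ppp.conf) while natd is
# enabled. Exit 1 if a conflict is found.
nat_conflicts() {
    rcconf=$1; pppconf=$2; rc=0
    if is_yes "$(rc_value "$rcconf" natd_enable)"; then
        if is_yes "$(rc_value "$rcconf" ppp_nat)"; then
            echo "$rcconf: ppp_nat is enabled together with natd_enable"; rc=1
        fi
        if grep -Eiq '^[[:space:]]*(nat|alias)[[:space:]]+enable[[:space:]]+yes' "$pppconf"; then
            echo "$pppconf: 'nat enable yes' / 'alias enable yes' still present"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample inputs: a kernel config missing two options and a
# double-NAT configuration. Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    cat >"$d/KERNEL" <<'EOF'
options IPFIREWALL
options IPFIREWALL_VERBOSE
#options IPDIVERT
EOF
    cat >"$d/rc.conf" <<'EOF'
firewall_enable="YES"
firewall_script="/etc/firewall/fwrules"
natd_enable="YES"        # natd does the translation
natd_interface="tun0"
ppp_enable="YES"
ppp_nat="YES"
EOF
    cat >"$d/ppp.conf" <<'EOF'
default:
 set device /dev/cuaa1
 nat enable yes
EOF
    echo "$d"
}

# Usage: sh fwcheck.sh KERNEL-CONFIG RC.CONF PPP.CONF, or "demo" to run
# the checks on the constructed samples. Exit status 1 if anything needs
# fixing before the reboot.
if [ "${1:-}" = "demo" ]; then
    dir=$(make_samples)
    set -- "$dir/KERNEL" "$dir/rc.conf" "$dir/ppp.conf"
fi
if [ $# -eq 3 ]; then
    status=0
    missing=$(missing_kernel_options "$1") || status=1
    for opt in $missing; do echo "missing kernel option: $opt"; done
    nat_conflicts "$2" "$3" || status=1
    exit $status
fi
```

   Running it with demo prints the two missing options and both NAT
   conflicts from the samples; on a real system pass the three file
   names and fix anything it reports before rebooting, since a kernel
   without IPDIVERT silently breaks the divert rule in section 5.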

     --------------------------------------------------------------

5. The firewall ruleset

   Now we have done almost everything. The only thing left is to define
   the rules for the firewall, after which we can reboot and the
   firewall should be up and running. I realise that each situation
   will need a ruleset quite different from the one proposed. I have
   only tried to write a set of rules that should suit most dial-up
   users; you can easily adapt them to your requirements, taking the
   rules below as a starting point. But first let us look at the basics
   of a closed firewall. You want to deny everything by default and
   then open up only what you need. ipfw evaluates rules in order of
   their rule number and the first matching rule decides the fate of
   the packet, so the allowing rules come first and the denying rules
   come last. The idea is that you add your allow rules and then
   everything else is denied. :)

   Now create the directory /etc/firewall. Change into that directory
   and edit the file fwrules that we named in rc.conf. Please note that
   you can change this name to anything you like; in this guide the
   file name is only an example.

   Let us look at an example firewall file and go through its contents
   in detail.

 # Firewall rules
 # Written by Marc Silver (marcs@draenor.org)
 # http://draenor.org/ipfw
 # Freely distributable


 # Define the firewall command (as in /etc/rc.firewall) for easy
 # reference.  Helps to make it easier to read.
 fwcmd="/sbin/ipfw"

 # Force a flushing of the current rules before we reload.
 $fwcmd -f flush

 # Divert all packets through the tunnel interface.  natd rewrites the
 # packet and processing resumes at the rule after this one, so any rule
 # that must see untranslated addresses has to come before it.
 $fwcmd add divert natd all from any to any via tun0

 # Allow all data from my network card and localhost.  Make sure you
 # change your network card (mine was fxp0) before you reboot.  :)
 # "via fxp0" matches packets received on fxp0 as well as packets sent
 # on it, so this rule also passes LAN-originated traffic that leaves
 # through tun0 after NAT.
 $fwcmd add allow ip from any to any via lo0
 $fwcmd add allow ip from any to any via fxp0

 # Allow all connections that I initiate.
 $fwcmd add allow tcp from any to any out xmit tun0 setup

 # Once connections are made, allow them to stay open.
 $fwcmd add allow tcp from any to any via tun0 established

 # Everyone on the internet is allowed to connect to the following
 # services on the machine.  This example shows that people may connect
 # to ssh and apache.
 $fwcmd add allow tcp from any to any 80 setup
 $fwcmd add allow tcp from any to any 22 setup

 # This sends a RESET to all ident packets.
 $fwcmd add reset log tcp from any to any 113 in recv tun0

 # Allow outgoing DNS queries ONLY to the specified servers.
 $fwcmd add allow udp from any to x.x.x.x 53 out xmit tun0

 # Allow them back in with the answers...  :)
 $fwcmd add allow udp from x.x.x.x 53 to any in recv tun0

 # Allow ICMP (for ping and traceroute to work).  You may wish to
 # disallow this, but I feel it suits my needs to keep them in.
 # Numbered just below the final deny so that it is always evaluated
 # first (giving both rules the same number only works because ipfw
 # keeps same-numbered rules in the order they were added).
 $fwcmd add 65434 allow icmp from any to any

 # Deny all the rest.
 $fwcmd add 65435 deny log ip from any to any
    

   You now have a fully functional firewall that allows connections to
   ports 80 and 22 and logs all other connection attempts. You should
   now be able to reboot successfully and your firewall should work
   normally. If you find that this is not the case, that you run into
   problems, or that you have suggestions, please send me an e-mail.

     --------------------------------------------------------------

6. Questions

   6.1. Why do you use natd and ipfw when you could use the built-in
   ppp filters?

   6.2. If I use addresses such as 192.168.0.0 on the internal network,
   can I add a command like $fwcmd add deny all from any to
   192.168.0.0:255.255.0.0 via tun0 to the firewall rules to prevent
   attempts from outside to connect to machines on the internal
   network?

   6.3. Something is wrong here. I followed your instructions to the
   letter, and now I am locked out.

   6.1. Why do you use natd and ipfw when you could use the built-in
   ppp filters?

   To be honest, there is no particular reason why I use ipfw and natd
   rather than the filters built into ppp. From discussions of this
   question with other people I have come to the view that, although
   ipfw is a far more powerful and flexible tool than the ppp filters,
   what it gains in breadth of features it loses in ease of
   configuration. One of the reasons I use it is that I prefer firewall
   functions implemented in the kernel rather than in a user-level
   program.

   6.2. If I use addresses such as 192.168.0.0 on the internal network,
   can I add a command like $fwcmd add deny all from any to
   192.168.0.0:255.255.0.0 via tun0 to the firewall rules to prevent
   attempts from outside to connect to machines on the internal
   network?

   The simple answer is no. The reason is that natd translates all
   traffic diverted through the tun0 device. As long as that is the
   case, incoming packets are addressed only to the dynamically
   assigned IP address, NOT to the internal network. Such a rule does
   no harm, however: packets arriving from the Internet with a private
   destination address should never be seen, and denying them before
   the divert rule is a cheap anti-spoofing check. Note that you can
   add a rule such as $fwcmd add deny all from 192.168.0.4 to any via
   tun0, which will stop one host on your internal network from
   communicating with the outside world through the firewall. Two
   details matter here. First, ipfw applies the mask to the address, so
   the form 192.168.0.4:255.255.0.0 would match the whole
   192.168.0.0/16 network rather than that single host. Second, the
   rule must be numbered before the divert rule: once natd has
   processed an outgoing packet its source address is already the
   dynamic address, and a rule on 192.168.0.4 can no longer match it.

   6.3. Something is wrong here. I followed your instructions to the
   letter, and now I am locked out.

   This document assumes you are using user-level ppp, so the proposed
   ruleset works with the interface tun0, which corresponds to the
   first connection made by ppp(8) (also known as user-ppp). Additional
   connections use the devices tun1, tun2 and so on.

   You should also note that pppd(8) uses a different interface, ppp0,
   so if you make the connection with pppd(8) you must replace tun0
   with ppp0. A quick way to change the firewall rules is shown below;
   the original ruleset is kept in the file fwrules_tun0. Remember to
   make the same change to natd_interface in /etc/rc.conf, otherwise
   natd will watch the wrong interface for address changes.

             % cd /etc/firewall
             /etc/firewall% su
             Password:
             /etc/firewall# mv fwrules fwrules_tun0
             /etc/firewall# sed s/tun0/ppp0/g fwrules_tun0 > fwrules
          

   To find out whether you are using ppp(8) or pppd(8), look at the
   output of ifconfig(8) once the connection is up. For example, for a
   connection made with pppd(8) you will see something like the
   following (only the relevant lines are shown):

             % ifconfig
             (skipped...)
             ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
                     inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx netmask 0xff000000
             (skipped...)
          

   For connections made with ppp(8) (user-ppp), on the other hand, you
   should see something like this:

             % ifconfig
             (skipped...)
             ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
             (skipped...)
             tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
                     (IPv6 stuff skipped...)
                     inet xxx.xxx.xxx.xxx --> xxx.xxx.xxx.xxx netmask 0xffffff00
                     Opened by PID xxxxx
             (skipped...)
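   The check and the change described in this answer can be automated.
   The script below is an added example and not from the article: it
   parses ifconfig(8) output to find the point-to-point interface that
   is actually UP and RUNNING with an address, and rewrites both the
   rule file and natd_interface in rc.conf, keeping copies of the
   originals. The two ifconfig samples are constructed from the listings
   above with 192.0.2.x placeholder addresses, and the script name
   switchif.sh is an assumption.

```shell
#!/bin/sh
# Find the interface the dial-up link actually uses (tun0 for ppp(8),
# ppp0 for pppd(8)) from ifconfig output and switch the configuration to
# it. Added example, not from the article; the sample ifconfig output and
# the file names used below are constructed for illustration.

# Print the name of the first point-to-point interface that is UP and
# RUNNING and has an IPv4 address. Reads ifconfig(8) output on stdin.
# The idle ppp0 that user-ppp systems show (no UP flag, no address) is
# skipped, so the result is the interface the rules must name.
dialup_interface() {
    awk '
        /^[a-z]+[0-9]+: flags=/ {
            name = $1; sub(/:$/, "", name)
            live = ($2 ~ /[<,]UP[,>]/ && $2 ~ /POINTOPOINT/ && $2 ~ /[<,]RUNNING[,>]/)
            next
        }
        live && $1 == "inet" && $3 == "-->" { print name; exit }
    '
}

# Rewrite every reference to the old interface in the rule file and set
# natd_interface in rc.conf to the new one. The originals are kept with
# a ".<old>" suffix, as the article does with fwrules_tun0.
switch_interface() {
    old=$1; new=$2; rulefile=$3; rcconf=$4
    cp "$rulefile" "$rulefile.$old" || return 1
    sed "s/$old/$new/g" "$rulefile.$old" > "$rulefile" || return 1
    cp "$rcconf" "$rcconf.$old" || return 1
    sed "s/^\\([[:space:]]*natd_interface=\\).*/\\1\"$new\"/" "$rcconf.$old" > "$rcconf"
}

# Constructed ifconfig output for a user-ppp system (addresses from the
# 192.0.2.0/24 documentation range).
sample_ifconfig_userppp() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xffffff00
        Opened by PID 123
EOF
}

# Constructed ifconfig output for a pppd system.
sample_ifconfig_pppd() {
    cat <<'EOF'
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ppp0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1524
        inet 192.0.2.10 --> 192.0.2.1 netmask 0xff000000
EOF
}

# Usage: sh switchif.sh detect
#        sh switchif.sh switch tun0 ppp0 /etc/firewall/fwrules /etc/rc.conf
case "${1:-}" in
    detect) ifconfig -a | dialup_interface ;;
    switch) switch_interface "$2" "$3" "$4" "$5" ;;
esac
```

   Run detect while the link is up; if it prints something other than
   the interface your rules and natd_interface name, run switch with
   the old and new names and reload the rules.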
          

     --------------------------------------------------------------

            This and other documents can be downloaded from
                ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.

   For questions about FreeBSD, read the documentation before writing
                      to <questions@FreeBSD.org>.
          For questions about this documentation, write to
                           <doc@FreeBSD.org>.
    For questions about the Russian translation of the documentation,
             write to the <frdp@FreeBSD.org.ua> mailing list.
   Information on subscribing to this list is available on the site of
                         the translation project.
