10.2-RELEASE Gateway/Firewall/DNS configuration

[hanzer]

FreeBSD 10.2-RELEASE #0 r286666: Wed Aug 12 19:31:38 UTC 2015

I would like to use this FreeBSD machine as an Internet gateway (with a firewall) but I haven't been able to get it configured correctly using only the handbook.

I copied /etc/defaults/rc.conf to /etc/rc.conf - Actually, I did a cat /etc/defaults/rc.conf >> /etc/rc.conf then cleaned things up a bit. This way I can see all of the options and syntax. The relevant parts are probably:

hostname="insomnia.bohemia.net"
pf_enable="YES"                 # Set to YES to enable packet filter (pf)
pflog_enable="YES"              # Set to YES to enable packet filter logging
ifconfig_lo0="inet 127.0.0.1"   # default loopback device configuration.
ifconfig_re0="inet 192.168.0.1 netmask 255.255.255.0"
wlans_ath0="wlan0"              # wlan(4) interfaces for ath0 device
ifconfig_wlan0="WPA DHCP"
local_unbound_enable="YES"      # local caching resolver
sshd_enable="YES"               # Enable sshd
ntpd_enable="YES"               # Run ntpd Network Time Protocol (or NO).
gateway_enable="YES"            # Set to YES if this host will be a gateway.

From the Handbook 29.3.3.1. A Simple Gateway with NAT
/etc/pf.conf

set block-policy return
set loginterface wlan0
set skip on lo

nat on wlan0 from re0:network to any -> (wlan0)
block all
pass from { lo0, re0:network } to any keep state

/etc/sysctl.conf

net.inet.ip.forwarding=1
net.inet.ip.random_id=1

Everything else is pretty much whatever the installation defaults were (except /etc/wpa_supplicant.conf but its contents aren't important (rather, they're private) other than to say that the wireless NIC connects).

On the FreeBSD machine:
ping -c1 www.google.com

ping: cannot resolve www.google.com: Host name lookup failure

ping -c1 8.8.8.8

PING 8.8.8.8 (8.8.8.8): 56 data bytes
ping: sendto: Operation not permitted
^C
--- 8.8.8.8 ping statistics ---
1 packets transmitted, 0 packets received, 100.0% packet loss

sudo pfctl -d

No ALTQ support in kernel
ALTQ related functions disabled
pf disabled

ping -c1 8.8.8.8

PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=55 time=172.983 ms

--- 8.8.8.8 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 172.983/172.983/172.983/0.000 ms

ping -c1 www.google.com

PING www.google.com (74.125.21.103): 56 data bytes
64 bytes from 74.125.21.103: icmp_seq=0 ttl=42 time=102.675 ms

--- www.google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 102.675/102.675/102.675/0.000 ms

So there is a problem with PF.

NAT doesn't seem to be working at all. The LAN machine can ssh into the FreeBSD Gateway machine but can't access the Internet.

 

[wblock@]

Actually, I did a cat /etc/defaults/rc.conf >> /etc/rc.conf then cleaned things up a bit.

Please do not do that. Set only the entries in rc.conf that actually need to be changed.

PF NAT does work, or this message would not be posted.

 

[hanzer]

Please do not do that. Set only the entries in rc.conf that actually need to be changed.

Okay, is there a good reason why not? I find it to be a convenient reference.

PF NAT does work

Good to know, thanks, but do you see anything in my configuration that would explain why it's not working? I guess /etc/pf.conf needs some attention but NAT isn't working with PF disabled so I am assuming that something else is also misconfigured.

 

[hanzer]

I've made a little progress on the firewall/NAT issue. With this /etc/pf.conf:

set block-policy return
set loginterface wlan0
set skip on lo
nat on wlan0 from re0:network to any -> (wlan0)
block in all
pass out all keep state
pass from re0:network to any keep state
pass from lo0 to any keep state

Basic Internet connectivity is working for both the FreeBSD machine and the LAN machines. If I can get dhcpd and unbound nicely configured to serve the LAN then this thread will be solved.

 

[wblock@]

Okay, is there a good reason why not? I find it to be a convenient reference.

Mainly, do not set defaults to their default value. It serves no purpose except to break when the real default values change.

 

[hanzer]

Mainly, do not set defaults to their default value.

Ah, so that's like a commandment kind of a deal

It serves no purpose except to break when the real default values change.

Well, it kind of does serve a purpose - a convenient reference of what's available and its syntax. Maybe after each update something like diff /etc/rc.conf /etc/defaults/rc.conf might be a useful way to keep an eye on things.

 

[wblock@]

But rc.conf is already a diff from the defaults. Unless you enter all the defaults again...

Just in case it's not clear, /etc/defaults/rc.conf is sourced, then /etc/rc.conf is sourced to override them.

 

[hanzer]

But rc.conf is already a diff from the defaults. Unless you enter all the defaults again...

Just in case it's not clear, /etc/defaults/rc.conf is sourced, then /etc/rc.conf is sourced to override them.

I prefer the convenience of having all of the options in /etc/rc.conf and I don't see any significant downside (so far, that might change with experience). If you would like to explore the issue further then maybe you could start a thread and expound on the pros and cons of the various methods (I would read that thread). I would like to focus this thread on the Gateway, Firewall, DNS, DHCP setup for a small home network.

 

[hanzer]

Update: first pass seems to be working but will need some tweaking. This is what I've done so far:
pkg install isc-dhcp43-server-4.3.2
pkg install unbound
The non-default lines in /etc/rc.conf are: diff /etc/rc.conf /etc/defaults/rc.conf | grep "^<"

< dumpdev="AUTO"
< powerd_enable="YES"  # Run powerd to lower our power usage.
< hostname="insomnia.bohemia.net"
< dhcpd_enable="YES"  # dhcpd enabled?
< dhcpd_flags="-q"  # command option(s)
< dhcpd_conf="/usr/local/etc/dhcpd.conf"  # configuration file
< dhcpd_ifaces="re0"  # ethernet interface(s)
< dhcpd_withumask="022"  # file creation mask
< dhcpd_chuser_enable="YES"  # runs w/o privileges?
< dhcpd_withuser="dhcpd"  # user name to run as
< dhcpd_withgroup="dhcpd"  # group name to run as
< dhcpd_chroot_enable="YES"  # runs chrooted?
< dhcpd_devfs_enable="YES"  # use devfs if available?
< dhcpd_rootdir="/var/db/dhcpd"  # directory to run in
< #dhcpd_includedir="<some_dir>"  # directory with config files to include
< pf_enable="YES"  # Set to YES to enable packet filter (pf)
< pflog_enable="YES"  # Set to YES to enable packet filter logging
< ifconfig_lo0="inet 127.0.0.1" # default loopback device configuration.
< ifconfig_re0="inet 192.168.0.1 netmask 255.255.255.0"
< wlans_ath0="wlan0"  # wlan(4) interfaces for ath0 device
< ifconfig_wlan0="WPA DHCP"
< unbound_enable="YES"
< tor_enable="YES"
< polipo_enable="YES"
< privoxy_enable="YES"
< sshd_enable="YES"  # Enable sshd
< ntpd_enable="YES"  # Run ntpd Network Time Protocol (or NO).
< gateway_enable="YES"  # Set to YES if this host will be a gateway.
< keyrate="fast"  # keyboard rate to: slow, normal, fast (or NO).
< keybell="off"  # See kbdcontrol(1) for options.  Use "off" to disable.
< saver="green"  # screen saver: Uses /boot/kernel/${saver}_saver.ko
< allscreens_flags="VESA_800x600"  # Set this vidcontrol mode for all virtual screens

/usr/local/etc/dhcpd.conf

option domain-name "bohemia.net";
option domain-name-servers insomnia.bohemia.net;
option subnet-mask 255.255.255.0;

default-lease-time 600;
max-lease-time 7200;
ddns-update-style none;

authoritative;

subnet 192.168.0.0 netmask 255.255.255.224 {
  range 192.168.0.3 192.168.0.5;
  option routers 192.168.0.1;
}

host helix {
  hardware ethernet 00:e0:4c:78:1a:48;
  fixed-address 192.168.0.2;
  option routers 192.168.0.1;
}

wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /usr/local/etc/unbound/root.hints
/usr/local/etc/unbound/root.key

. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5

/usr/local/etc/unbound/unbound.conf

server:
  verbosity: 1
  interface: 127.0.0.1
  interface: 192.168.0.1
  port: 53
  do-ip4: yes
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.0.0/16 allow
  root-hints: "/usr/local/etc/unbound/root.hints"
  do-daemonize: yes
  hide-identity: yes
  hide-version: yes
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: yes
  cache-min-ttl: 3600
  cache-max-ttl: 86400
  prefetch: yes
  num-threads: 1
  msg-cache-slabs: 2
  rrset-cache-slabs: 2
  infra-cache-slabs: 2
  key-cache-slabs: 2
  username: "unbound"
  directory: "/usr/local/etc/unbound"
  use-syslog: yes
  pidfile: "/usr/local/etc/unbound/unbound.pid"
  private-address: 10.0.0.0/8
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-domain: "bohemia.net"
  unwanted-reply-threshold: 10000
  do-not-query-localhost: no
  auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
  val-clean-additional: yes

  local-zone: "doubleclick.net" redirect
  local-data: "doubleclick.net A 127.0.0.1"
  local-zone: "googlesyndication.com" redirect
  local-data: "googlesyndication.com A 127.0.0.1"
  local-zone: "googleadservices.com" redirect
  local-data: "googleadservices.com A 127.0.0.1"
  local-zone: "google-analytics.com" redirect
  local-data: "google-analytics.com A 127.0.0.1"
  local-zone: "ads.youtube.com" redirect
  local-data: "ads.youtube.com A 127.0.0.1"
  local-zone: "adserver.yahoo.com" redirect
  local-data: "adserver.yahoo.com A 127.0.0.1"
  local-zone: "ask.com" redirect
  local-data: "ask.com A 127.0.0.1"

  local-zone: "bohemia.net." static
  local-data: "insomnia.bohemia.net.  IN A 192.168.0.1"
  local-data: "helix.bohemia.net.  IN A 192.168.0.2"
  local-data: "guest1.bohemia.net.  IN A 192.168.0.3"
  local-data: "guest2.bohemia.net.  IN A 192.168.0.4"
  local-data: "guest3.bohemia.net.  IN A 192.168.0.5"

  local-data-ptr: "192.168.0.1  insomnia.bohemia.net"
  local-data-ptr: "192.168.0.2  helix.bohemia.net"
  local-data-ptr: "192.168.0.3  guest1.bohemia.net"
  local-data-ptr: "192.168.0.4  guest2.bohemia.net"
  local-data-ptr: "192.168.0.5  guest3.bohemia.net"

  forward-zone:
  name: "."
  forward-addr: 8.8.8.8  # Google Public DNS
  forward-addr: 74.82.42.42  # Hurricane Electric
  forward-addr: 4.2.2.4  # Level3 Verizon

chown -R unbound:unbound /usr/local/etc/unbound
/etc/rc.d/local_unbound stop
/usr/local/etc/rc.d/isc-dhcpd start
/usr/local/etc/rc.d/unbound start

If anyone spots any mistakes, redundancies, contradictions, insecurities , inefficiencies, or any opportunities for improvement, please let it be known! I'll keep tinkering, tuning and posting.

 

[tobik@]

The non-default lines in /etc/rc.conf are:

You could run sysrc -a for this instead, but that won't work in your case because you copied all of /etc/defaults/rc.conf to your /etc/rc.conf. That's one more reason not to do it.

If you need the reference maybe comment out everything you copied from /etc/defaults/rc.conf.

 

[hanzer]

You could run sysrc -a for this instead, but that won't work in your case because you copied all of /etc/defaults/rc.conf to your /etc/rc.conf. That's one more reason not to do it.

I wasn't aware of sysrc(8), thanks! FYI, -a (dump a list of all non-default configuration variables) does seem to work in my case, e.g., sysrc -a yields:

allscreens_flags: VESA_800x600
dhcpd_chroot_enable: YES
dhcpd_chuser_enable: YES
dhcpd_conf: /usr/local/etc/dhcpd.conf
dhcpd_devfs_enable: YES
dhcpd_enable: YES
dhcpd_flags: -q
dhcpd_ifaces: re0
dhcpd_rootdir: /var/db/dhcpd
dhcpd_withgroup: dhcpd
dhcpd_withumask: 022
dhcpd_withuser: dhcpd
dumpdev: AUTO
gateway_enable: YES
hostname: insomnia.bohemia.net
ifconfig_lo0: inet 127.0.0.1
ifconfig_re0: inet 192.168.0.1 netmask 255.255.255.0
ifconfig_wlan0: WPA DHCP
keybell: off
keyrate: fast
ntpd_enable: YES
pf_enable: YES
pflog_enable: YES
polipo_enable: YES
powerd_enable: YES
privoxy_enable: YES
saver: green
sshd_enable: YES
tor_enable: YES
unbound_enable: YES
wlans_ath0: wlan0

If you need the reference maybe comment out everything you copied from /etc/defaults/rc.conf.

Yeah, maybe. I haven't really used FreeBSD for much during the last five or six years so there's plenty of exploring and experimenting to do before developing and settling into a set of practices and conventions that fit my style and use case. At the moment, there is probably a lot of stuff that is like [the software equivalent of] a workshop or construction zone. For the most part, this is just a suitability-test/technology-evaluation to see how well FreeBSD might function in the role of a Gateway/Firewall network appliance on a little Sempron machine with a Atheros 9227 wireless NIC.

Last night was the first extended period of runtime for the system. This morning there was no connectivity and plenty of dmesg output like:

ath0: ath_rate_tx_complete: ts_rate=27 ts_finaltsi=0
ath0: bad series0 hwrate 0x1b, tries 1 ts_status 0x0
ath0: ath_rate_tx_complete: ts_rate=27 ts_finaltsi=0
ath0: bad series0 hwrate 0x1b, tries 1 ts_status 0x0
ath0: ath_rate_tx_complete: ts_rate=27 ts_finaltsi=0
ath0: bad series0 hwrate 0x1b, tries 4 ts_status 0x0
ath0: bad series0 hwrate 0x81, tries 2 ts_status 0x0
ath0: bad series0 hwrate 0x82, tries 4 ts_status 0x0
ath0: bad series0 hwrate 0x80, tries 2 ts_status 0x0
ath0: bad series0 hwrate 0x82, tries 3 ts_status 0x0
ath0: bad series0 hwrate 0x80, tries 4 ts_status 0x0
ath0: bad series0 hwrate 0x80, tries 2 ts_status 0x0
ath0: bad series0 hwrate 0x81, tries 2 ts_status 0x0
ath0: bad series0 hwrate 0x81, tries 2 ts_status 0x0
ath0: ath_rate_tx_complete: ts_rate=27 ts_finaltsi=0
ath0: bad series0 hwrate 0x1b, tries 1 ts_status 0x0
ath0: bad series0 hwrate 0x81, tries 2 ts_status 0x0

Connectivity was restored after reboot (but this all probably belongs in another thread).

 

[SirDice]

/etc/sysctl.conf

net.inet.ip.forwarding=1

Don't set this, use gateway_enable in rc.conf.

 

[hanzer]

Don't set this, use gateway_enable in rc.conf.

Both, gateway_enable in /etc/rc.conf and net.inet.ip.forwarding /etc/sysctl.conf are currently set on my system. The section of the handbook that led to this is somewhat vague (see section 29.3.3.1. A Simple Gateway with NAT).

Is it the case that the two are simply redundant and setting both introduces additional administrative work and possible maintenance difficulties? Or, are the two contradictory in some way? In the case of the former, the use of a command: "Don't set this", seems to be a misleading & malformed way to express a personal preference and/or advice. In the case of the latter, maybe a bug report or a request for clarification could be sent to the handbook maintainers?

 

[junovitch@]

The sentence to hone in on is this one in particular.

To enable these settings at system boot, add the following to /etc/rc.conf:

gateway_enable="YES" #for ipv4
ipv6_gateway_enable="YES" #for ipv6

# sysctl net.inet.ip.forwarding=1 only sets it right now. Upon the next reboot it's gone as well as upon certain devd(8) events where it may get changed back to off without the setting that makes it persistent.

EDIT: To expand on this, net.inet.ip.forwarding=1 in /etc/sysctl.conf is not correct. A devd(8) event could end up turning it off when the gateway_enable="YES" line isn't set.

 

[hanzer]

EDIT: To expand on this, net.inet.ip.forwarding=1 in /etc/sysctl.conf is not correct. A devd(8) event could end up turning it off when the gateway_enable="YES" line isn't set.

I'm not sure if I see the significance of the issue yet but just for fun:

1. Is there any value in ever having net.inet.ip.forwarding=1 in /etc/sysctl.conf?
2. Is there any conflict in having both net.inet.ip.forwarding=1 in /etc/sysctl.conf and gateway_enable="YES" in /etc/rc.conf?

 

[junovitch@]

No for both questions. Here's an example to help clarify.

- Set non-persistent forwarding.

# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1

- Check it

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1

- Trigger a new device event by plugging in a spare USB WiFi adapter

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 0

With gateway_enable="YES" it stays on.

 

[hanzer]

No for both questions.
With gateway_enable="YES" it stays on.

Interesting example, thanks! The devd(8) reference was also interesting; it seems like that might be a potentially useful component in monitoring and restarting a fragile wireless connection.

Just to be sure that we're all on the same page (so to say), gateway_enable="YES" is (from the beginning) set in my /etc/rc.conf file. I'm still a little puzzled by the activity on that topic. I would have thought that unbound isn't running in a chroot jail yet would have been more interesting.