Ver.1.4.11: Add ldap authentication. Fix malfunction in exceptional terminals.

[opengate/opengate.git] / opengate / doc / en / install.html

<html>\r
<head>\r
<title>Opegnate Install</title>\r
<meta http-equiv="content-type" content="text/html">\r
<link rel="stylesheet" type="text/css" media="screen" href="style.css">\r
</head>\r
\r
\r
<body bgcolor="#fafff0">\r
\r
<h2>Opengate Install Procedure<A class=anchor href="#top" name=top>\81õ</A></h2>\r
<!-- Start:content table -->\r
<ul>\r
        <li class="list_alpha"><A href="#outline0">Outline</A>\r
        <ul>\r
                <li class="list_num"><A href="#outline1">System Configuration</A></li>\r
                <li class="list_num"><A href="#outline2">Install Procedure</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#freebsd0">FreeBSD Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#freebsd1">Bssic Install</A></li>\r
                <li class="list_num"><A href="#freebsd2">Addition of NAT and Firewal</A></li>\r
                <li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#bind0">BIND9 Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#bind1">Ports Install</A></li>\r
                <li class="list_num"><A href="#bind2">Making RNDC Key</A></li>\r
                <li class="list_num"><A href="#bind3">Setup of named.conf</A></li>\r
                <li class="list_num"><A href="#bind4">Setup of Zone</A></li>\r
                <li class="list_num"><A href="#bind5">Checking Behavior</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#dhcp0">isc-dhcp3 Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#dhcp1">Ports Install</A></li>\r
                <li class="list_num"><A href="#dhcp2">Setup of DHCP</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#apache0">Apache2 Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#apache1">Ports Install</A></li>\r
                <li class="list_num"><A href="#apache2">Making Certificate</A></li>\r
                <li class="list_num"><A href="#apache3">Setup of VertualHost</A></li>\r
                <li class="list_num"><A href="#apache4">Other Setup and check</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#opengate0">Opengate Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#opengate1">Opengate Package</A></li>\r
                <li class="list_num"><A href="#opengate2">Install</A></li>\r
                <li class="list_num"><A href="#opengate3">Setup of Config File</A></li>\r
                <li class="list_num"><A href="#opengate4">Setup of ipfw</A></li>\r
                <li class="list_num"><A href="#opengate5">Setup of ip6fw</A></li>\r
                <li class="list_num"><A href="#opengate6">Setup of syslog</A></li>\r
                <li class="list_num"><A href="#opengate6">Checking Behavior</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#mrtg0">MRTG Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#mrtg1">Ports Install</A></li>\r
                <li class="list_num"><A href="#mrtg2">Setup</A></li>\r
                <li class="list_num"><A href="#mrtg3">Check Behavior</A></li>\r
                <li class="list_num"><A href="#mrtg4">Regist to Crontab</A></li>\r
        </ul></li>\r
    <li class="list_alpha"><A href="#rulechk">rulechk Install</A>\r
        </li>\r
</ul>\r
\r
<!-- End:content table  -->\r
<hr>\r
<!-- Start:Outline -->\r
<h3>A&nbsp;Outline<A class=anchor href="#outline0" name=outline0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#outline1">System Configuration</A></li>\r
                <li class="list_num"><A href="#outline2">Install Procedure</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>A.1&nbsp;System Configuration<A class=anchor href="#outline1" name=outline1>\81õ</A></h4>\r
\r
<ul>\r
        <li>Gateway Machine \r
  \r
        <ul>\r
                <li>FreeBSD Ver 4.x, 5.x, or 6.x </li>\r
    \r
                <li>Having Two or more NICs</li>\r
        </ul> </li>\r
</ul>\r
\r
<p>In this document, we use the system configuration as follows. The network connecting terminals is called as lower-side network and the network having servers is called upper-side network.</p>\r
\r
\r
<table><tr><td><pre>\r
upper-side network:192.168.0.0/24, 2001:1:2:3/64\r
Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4\r
Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1\r
lower-side network:192.168.1.0/24, 2001:5:6:7/64\r
</pre></td></tr></table>\r
\r
<p>Opengate recognizes the both addresses of IPv4 and IPv6, and controles the both firewalls. It can be used for IPv4 control only under the FreeBSD system that does not set up IPv6 environments.</p>\r
\r
\r
<!-- ***********2************** -->\r
<h4>A.2&nbsp;Install Procedure<A class=anchor href="#outline2" name=outline2>\81õ</A></h4>\r
\r
<p>Following is the proceddure of Opengate. The '*'mark means the mandatory items.</p>\r
\r
<ul>  \r
        <li class="list_num">FreeBSD Install&nbsp;*</li>\r
        <li class="list_num">Addition of Firewall&nbsp;*</li>\r
        <li class="list_num">BIND9 Install and Setup</li>\r
        <li class="list_num">DHCP Install and Setup</li>\r
        <li class="list_num">Apache2 Install and Setup&nbsp;*</li>\r
        <li class="list_num">Opengate Install and Setup&nbsp;*</li></ul>\r
\r
<div align="right"><A href="#outline0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
<!-- Start:FreeBSD Install-->\r
<h3>B&nbsp;FreeBSD Install<A class=anchor href="#freebsd0" name=freebsd0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#freebsd1">Basic Install</A></li>\r
                <li class="list_num"><A href="#freebsd2">Addition of NAT and Firewall</A></li>\r
                <li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>B.1&nbsp;Basic Install<A class=anchor href="#freebsd1" name=freebsd1>\81õ</A></h4>\r
\r
<p>Choose distribution Developer(Full sources, binaries and doc), because we have to prepare a kernel.</p>\r
<p>Add next line to "/etc/rc.conf", because you enable the gateway function.</p>\r
\r
<table>\r
  <TR>\r
<td><code>gateway_enable="YES"</code></td></TR>\r
</table>\r
\r
<div align="right"><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
\r
<!-- ************ 2 ************** -->\r
<h4>B.2&nbsp;Addition of NAT and Firewall<A class=anchor href="#freebsd2" name=freebsd2>\81õ</A></h4>\r
\r
<p>Prepare kernel having ipfw and ip6fw functions.</p>\r
\r
<p>Copy kernel options file.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/src/sys/i386/conf\r
# cp GENERIC MYKERNEL\r
</pre></td></tr></table>\r
\r
<p>Add next lines to the kernel.</p>\r
\r
<table><tr><td><pre>\r
options IPDIVERT\r
\r
options IPFIREWALL\r
options IPFIREWALL_FORWARD\r
options IPFIREWALL_VERBOSE\r
options IPFIREWALL_VERBOSE_LIMIT=100\r
\r
options IPV6FIREWALL\r
options IPV6FIREWALL_VERBOSE\r
options IPV6FIREWALL_VERBOSE_LIMIT=100\r
\r
options IPSEC\r
options IPSEC_ESP\r
options TCP_DROP_SYNFIN\r
</pre></td></tr></table>\r
\r
<UL>\r
<li>When use NAT, IPDIVERT is necessary. </li>\r
<li>When need firewal log, *VERBOSE is necessary. </li>\r
<li>When use IPSEC, IPSEC* is necessary. </li>\r
<li>When use IPv6, IPV6* is necessary. </li>\r
</UL>\r
\r
<p>compile and install kernel having ipfw and ip6fw supports.</p>\r
\r
\r
<table><tr><td><pre>\r
# config MYKERNEL\r
# cd ../compile/MYKERNEL\r
# make depend\r
# make\r
# make install\r
</pre></td></tr></table>\r
\r
<p>In FreeBSD 6.x, "make clean" might be requested before "make depend".</p>\r
\r
<p>Add next lines to "/etc/rc.conf". It you need not IPv6 function, do not add ipv6XXX.</p>\r
\r
<table><tr><td><pre>\r
firewall_enable="YES"\r
firewall_script="/etc/rc.firewall"\r
firewall_type="open"\r
\r
ipv6_firewall_enable="YES"\r
ipv6_firewall_script="/etc/rc.firewall6"\r
ipv6_firewall_type="open"\r
\r
natd_enable="YES"\r
natd_interface="fxp1"\r
</pre></td></tr></table>\r
\r
<p>Enable the ipfw and ip6fw. Be care to set the type 'OPEN' as to prevent mysteryous system behavior in installing procedure. For NAT, Enable natd and setup natd interface(Upper-side interface).</p>\r
\r
<p>Connect PC to the lower-side network and check the IPv4 behavior.</p>\r
\r
<p>As the DHCP does not setup yet, The PC must be setup manually.</p>\r
\r
\r
\r
<div align="right"><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 3 ************** -->\r
<h4>B.3&nbsp;Setup of IPv6<A class=anchor href="#freebsd3" name=freebsd3>\81õ</A></h4>\r
\r
<p>If you need IPv4 only, this section can be skipped. Though explanation is omitted, many pareameters like the following sample might be set in /etc/rc.conf. You must study about IPv6 and setup carefully. </p>\r
\r
<table><tr><td><pre>\r
##ENABLE IPv6\r
ipv6_enable="YES"\r
ipv6_network_interfaces="gif0 fxp0"\r
\r
##TUNNELLING INTERFACE\r
gif_interfaces="gif0"\r
gifconfig_gif0="192.168.0.124 192.168.0.126"\r
\r
##IPv6 ADDRESS \r
ipv6_prefix_fxp0="2001:5:6:7"\r
ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"\r
\r
##ADVERTISE\r
rtadvd_enable="YES"\r
rtadvd_interfaces="fxp0"\r
\r
##DEFAULT GATEWAY\r
ipv6_default_interface="gif0"\r
ipv6_defaultrouter="fe80::a:b:c:d%gif0"\r
\r
##ROUTING(RIPv6)\r
ipv6_gateway_enable="YES"\r
ipv6_router_enable="YES"\r
ipv6_router="/usr/sbin/route6d"\r
ipv6_router_flags="-O 2001:5:6:7::/64,gif0"\r
</pre></td></tr></table>\r
\r
<p>Connect a PC to the lower-side network and check the behavior of IPv6</p>\r
<p>In WindowsPC, a command "ipv6 install" might be needed to activate IPv6.</p>\r
\r
\r
<div align="right"><A href="#ipfw0">back</A>&freebsd0;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
\r
<!-- Start:BIND9 Install -->\r
<h3>C&nbsp;BIND9 Install<A class=anchor href="#bind0" name=bind0>\81õ</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#bind1">Ports Install</A></li>\r
        <li class="list_num"><A href="#bind2">Making RNDC Key</A></li>\r
        <li class="list_num"><A href="#bind3">Setup of named.conf</A></li>\r
        <li class="list_num"><A href="#bind4">Setup of Zone</A></li>\r
        <li class="list_num"><A href="#bind5">Checking Behavior</A></li>\r
</ul>\r
\r
<!-- ********** 1 *********** -->\r
<h4>C.1&nbsp;Ports Install<A class=anchor href="#bind1" name=bind1>\81õ</A></h4>\r
\r
<p>If the IPv6 function is used, Opengate needs a FQDN attached to both IPv4 and IPv6 addresses. It can be settled in existing DNS. If the IPv6 function is not used, you can ignore DNS setting and control with IP address base. </p>\r
\r
\r
<p>Installing BIND9 from ports is as follows.</p> \r
\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/dns/bind9/\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<p>The directory "/etc/namedb(/var/named/etc/namedb)" is made in the installation.</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********** 2 ********** -->\r
<h4>C.2&nbsp;Making RNDC key<A class=anchor href="#bind2" name=bind2>\81õ</A></h4>\r
\r
<p>For security, BIND9 is controlled by rndc command.</p>\r
\r
<p></p>\r
\r
<p>Create the rndc key as follows.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/sbin/dnssec-keygen -a hmac-md5 -b 512 -n user rndc\r
</pre></td></tr></table>\r
\r
<p>When error "out of entropy", try with next method.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/sbin/dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc\r
</pre></td></tr></table>\r
\r
<p>By the command, following files are generated.</p>\r
\r
<ul>\r
        <li><pre>Krndc.+157+60849.key</pre></li>\r
        <li><pre>Krndc.+157+60849.private</pre></li>\r
</ul>\r
\r
<p>There is "/usr/local/etc/rndc.conf.sample" after BIND9 installation. \r
Copy it to "rndc.conf".</p>\r
\r
<p>Insert "key" directive in "Krndc.+xxxxxxxx.private into "key" directive in rndc.key.</p>\r
\r
\r
\r
<table><tr><td><pre>options {\r
        default-server  localhost;\r
        default-key     "rndc_key";\r
};\r
\r
server localhost {\r
        key     "rndc_key";\r
};\r
\r
key "rndc_key" {\r
        algorithm       hmac-md5;\r
        secret "......................";\r
};\r
</pre></td></tr></table>\r
\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********* 3 ********* -->\r
<h4>C.3&nbsp;Setup of named.conf<A class=anchor href="#bind3" name=bind3>\81õ</A></h4>\r
\r
<p>There is "/etc/namedb/named.conf" after installation.</p>\r
\r
<p>Edit "key" directive as like "key" directive of "rndc.conf"</p>\r
\r
\r
<table><tr><td><pre>\r
key "rndc_key" {\r
        algorithm       hmac-md5;\r
        secret ".......................";\r
};\r
\r
controls {\r
        inet ::1 allow {\r
                ::1;\r
        }\r
        keys {\r
                "rndc_key";\r
        };\r
        inet 127.0.0.1 allow {\r
                127.0.0.1;\r
        }\r
        keys {\r
                "rndc_key";\r
        };\r
};\r
</pre></td></tr></table>\r
\r
<p>For security, it is better to write the "key" directive in the other file,  include it in "named.conf", and modify file permission.</p>\r
\r
<p>Edit "options" directive.</p>\r
\r
<table><tr><td><pre>\r
options {\r
        directory "/etc/namedb";\r
        pid-file "/var/run/named/named.pid";\r
        auth-nxdomain yes;\r
        listen-on-v6 { any; };\r
};\r
</pre></td></tr></table>\r
\r
<p>Make the corresponding directory to put "named.pid".</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ******** 4 ********* -->\r
<h4>C.4&nbsp;Setup of Zone<A class=anchor href="#bind4" name=bind4>\81õ</A></h4>\r
\r
<p>Edit "view" and "zone" directive.</p>\r
\r
<p>The "view" directive is implemented in BIND9.  Replying to the inquiry from matched-clients, BIND9 sends the information described in the corresponding view.</p>\r
\r
\r
\r
<table><tr><td><pre>\r
view "og" {\r
        match-clients\r
        {\r
        192.168.1.0/24;\r
        };\r
\r
        recursion yes;\r
\r
        zone "." {\r
                type hint;\r
                file "named.root";\r
        };\r
\r
        zone "og.saga-u.ac.jp" {\r
                type master;\r
                file "og.saga-u.ac.jp";\r
        };\r
\r
        zone "0.0.127.IN-ADDR.ARPA" {\r
                type master;\r
                file "master/localhost.rev";\r
        };\r
\r
        // RFC 3152\r
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {\r
                type master;\r
                file "master/localhost-v6.rev";\r
        };\r
\r
        // RFC 1886 -- deprecated\r
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {\r
                type master;\r
                file "master/localhost-v6.rev";\r
        };\r
};\r
</pre></td></tr></table>\r
\r
<p>Make a "zone" file for the domain as "og.saga-u.ac.jp".</p>\r
\r
<table><tr><td><pre>\r
$TTL    3600\r
$ORIGIN og.saga-u.ac.jp.\r
\r
@       IN      SOA     ns.og.saga-u.ac.jp. postmaster (\r
                        2005051702 ;\r
                        3600\r
                        1200\r
                        2419200\r
                        86400 )\r
                IN      NS      ns.og.saga-u.ac.jp.\r
                IN      A       192.168.1.1\r
                IN      MX      10 opengate.og.saga-u.ac.jp.\r
\r
ns              IN      A       192.168.1.1\r
\r
opengate        IN      A       192.168.1.1\r
                        AAAA    2001:5:6:7::1\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********* 5 ********* -->\r
<h4>C.5&nbsp;Checking Behavior<A class=anchor href="#bind5" name=bind5>\81õ</A></h4>\r
\r
<p>Confirm starting of "named" after setting was completed.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/sbin/named/ -u bind -c /etc/namedb/named.conf\r
</pre></td></tr></table>\r
\r
<p>If "named" starts without problems, Add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
<table><tr><td><pre>named_enable="YES"\r
named_program="/usr/local/sbin/named"\r
named_flags="-u bind -c /etc/namedb/named.conf"\r
</pre></td></tr></table>\r
\r
<p>Because management of a DNS server is too complicatedly, You need to read manual of BIND9 carefully, and refer other document.</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
<hr>\r
\r
<!-- Start:isc-dhcp3 Install -->\r
<h3>D&nbsp;isc-dhcp3 Install<A class=anchor href="#dhcp0" name=dhcp0>\81õ</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#dhcp1">Ports Install</A></li>\r
        <li class="list_num"><A href="#dhcp2">Setting of DHCP</A></li>\r
</ul>\r
\r
<!-- *********** 1 ************* -->\r
<h4>D.1&nbsp;Ports Install<A class=anchor href="#dhcp1" name=dhcp1>\81õ</A></h4>\r
\r
<p>Many client PCs are connected one after another.  The DHCP might be a desireble solution for assginment of IP addresses to these clients.</p>\r
\r
<p>Installing isc-dhcp3  from ports is as follows.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/net/isc-dhcp3-server\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 2 ************** -->\r
<h4>D.2&nbsp;Setup of DHCP<A class=anchor href="#dhcp2" name=dhcp2>\81õ</A></h4>\r
\r
<p>There is a configuration file "/usr/local/etc/dhcpd.conf.sample" after instalation. Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit the file. Following is a setting example. The lease time must be greater than the maximum usage duration (Duration/Max in opengatesrv.conf) used at sellecting time watching mode.</p>\r
\r
\r
<table><tr><td><pre>\r
option domain-name "og.saga-u.ac.jp";\r
option domain-name-servers 192.168.1.1;\r
option subnet-mask 255.255.255.0;\r
option broadcast-address 192.168.1.255;\r
option routers 192.168.1.1;\r
\r
default-lease-time 86400;\r
max-lease-time 604800;\r
ddns-update-style none;\r
log-facility local7;\r
\r
subnet 192.168.55.0 netmask 255.255.255.0 {\r
  range 192.168.1.10 192.168.1.250;\r
}\r
</pre></td></tr></table>\r
\r
<p>Add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
<table><tr><td><pre>\r
dhcpd_enable="YES"\r
dhcpd_ifaces="fxp0"\r
dhcpd_conf="/usr/local/etc/dhcpd.conf"\r
</pre></td></tr></table>\r
\r
<p>In this description, the value of "dhcpd_ifaces" is the interface for DHCP service(the lower-side network).</p>\r
\r
<div align="right"><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
<!-- Start:Apache2 Install-->\r
<h3>E&nbsp;Apache2 Install<A class=anchor href="#apache0" name=apache0>\81õ</A></h3>\r
<ul>\r
        <li class="list_num"><A href="#apache1">Ports Install</A></li>\r
        <li class="list_num"><A href="#apache2">Making Certificate</A></li>\r
        <li class="list_num"><A href="#apache3">Setup SSL</A></li>\r
        <li class="list_num"><A href="#apache4">Other Setting and Checking</A></li>\r
</ul>\r
\r
<!-- ************ 1 ************** -->\r
<h4>E.1&nbsp;Ports Install<A class=anchor href="#apache1" name=apache1>\81õ</A></h4>\r
\r
<p>When using IPv6 function, Opengate needs Apache2 supporting IPv6. In default, Apache2 supports SSL which is desirable for secure authentication.</p>\r
\r
\r
<p>Installing Apache2 from ports is as follows.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/www/apache2\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<p>Add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
\r
<table><tr><td><pre>\r
apache2_enable="YES"\r
apache2ssl_enable="YES"\r
</pre></td></tr></table>\r
\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 2 ************** -->\r
<h4>E.2&nbsp;Making Certificate<A class=anchor href="#apache2" name=apache2>\81õ</A></h4>\r
\r
<p>It is better to obtain a formal key from some CA. But we shows the proceddure to make a self-signed private key and certificate. </p>\r
\r
\r
<p>Make a private key as follows.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/local/etc/apache2\r
# mkdir ssl.key ssl.crt\r
# chmod 700 ssl.key ssl.crt\r
\r
# /usr/bin/openssl genrsa -out /usr/local/etc/apache2/ssl.key/server.key 1024\r
</pre></td></tr></table>\r
\r
<p>Make a certificate from the key as follows.</p>\r
\r
<table><tr><td><pre>\r
# /usr/bin/openssl req -new -x509 -days 365 \\r
    -key /usr/local/etc/apache2/ssl.key/server.key \\r
    -out /usr/local/etc/apache2/ssl.crt/server.crt\r
\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) [AU]:JP\r
State or Province Name (full name) [Some-State]:Saga\r
Locality Name (eg, city) []:Saga-city\r
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university\r
Organizational Unit Name (eg, subsection) []:Opengate Management\r
Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp\r
Email Address []:administrator@opengate.og.saga-u.ac.jp\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password []:\r
An optional company name []:\r
\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 4 ************** -->\r
<h4>E.4&nbsp Setup of SSL<A class=anchor href="#apache3" name=apache3>\81õ</A></h4>\r
\r
\r
<p>Edit "ssl.conf" like the following example.</p>\r
\r
<table><tr><td>ssl.conf\r
</td></tr><tr><td><pre>\r
&lt;VirtualHost _default_:443&gt;\r
    DocumentRoot "/usr/local/www/data"\r
    ServerName opengate.og.saga-u.ac.jp:443\r
    ServerAdmin administrator@opengate.og.saga-u.ac.jp\r
    ErrorLog "|/usr/bin/logger -p local6.info"\r
    CustomLog "|/usr/bin/logger -p local5.info" combined\r
\r
    SSLEngine on\r
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\r
    SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt\r
    SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key\r
&lt;/VirtualHost&gt;\r
</pre></td></tr></table>\r
\r
<p>As Apache2 has many settings, be familiar with Apache2 configuration for adequate control.</p>\r
\r
\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 5 ************** -->\r
<h4>E.5&nbsp;Other Setting and Checking<A class=anchor href="#apache4" name=apache4>\81õ</A></h4>\r
\r
<p>Edit "/usr/local/etc/httpd.conf" as follows.</p>\r
\r
<p>Opengate send back the authentication page for any kind of HTTP request. To do so, add next line to httpd.conf. This means the sending back top page at HTTP_ERROR 404(file not found) error.</p>\r
\r
\r
\r
<table><tr><td><pre>\r
ErrorDocument 404 /\r
</pre></td></tr></table>\r
\r
<p>Add ExecCGI to execute CGI program in cgi-bin directory.</p>\r
<table><tr><td><pre>\r
&lt;Directory "/usr/local/www/cgi-bin"&gt;\r
    ...\r
    Options ExecCGI\r
    ...\r
&lt;/Directory&gt;\r
</pre></td></tr></table>\r
\r
\r
<p>Check the behavior of Apache2 by various access.</p>\r
\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
<!-- Start:Opengate Install -->\r
<h3>F&nbsp;Opengate Install<A class=anchor href="#opengate0" name=opengate0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#opengate1">Opengate Package</A></li>\r
                <li class="list_num"><A href="#opengate2">Install</A></li>\r
                <li class="list_num"><A href="#opengate3">Setup of Config File</A></li>\r
                <li class="list_num"><A href="#opengate4">Setup of ipfw</A></li>\r
                <li class="list_num"><A href="#opengate5">Setup of ip6fw</A></li>\r
                <li class="list_num"><A href="#opengate6">Setup of syslog</A></li>\r
                <li class="list_num"><A href="#opengate7">Checking Behavior</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>F.1&nbsp;Opengate Package<A class=anchor href="#opengate1" name=opengate1>\81õ</A></h4>\r
\r
<p>Unfold the package of Opengate. It have following directorys.</p>\r
\r
<table>\r
<tr><td><pre>\r
doc: Documentations\r
conf: Configuration file and firewall control perl script sample\r
javahtml: Client Java Programs and  HTML files\r
opengatesrv: Server CGI programs\r
tools: Some related tools\r
ezxml: XML parser (Copyright Aaron Voisine)\r
</pre>\r
</td></tr>\r
</table>\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************2************* -->\r
\r
<h4>F.2&nbsp;Install<A class=anchor href="#opengate2" name=opengate2>\81õ</A></h4>\r
\r
<p>Check setting in opengatesrv/Makefile as follows. If web directory is changed, modify it. If you modify the setting, modify the same setting in config file described below.</p>\r
\r
<table>\r
<tr><td><pre>\r
HTMLTOP = /usr/local/www/data\r
DOCPATH = /usr/local/www/data/opengate\r
CGIPATH = /usr/local/www/cgi-bin/opengate\r
CONFIGPATH = /etc/opengate\r
</pre>\r
</td></tr>\r
</table>\r
\r
<p>Compile and Install as follows.</p>\r
\r
<table><tr><td><pre>\r
# make clean\r
# make install\r
</pre></td></tr></table>\r
\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 3 ************** -->\r
<h4>F.3&nbsp;Setup of Config File<A class=anchor href="#opengate3" name=opengate3>\81õ</A></h4>\r
\r
\r
<p>Copy sample config file '/etc/opengate/opengatesrv.conf.sample' to '/etc/opengate/opengatesrv.conf' and modify. Following settings must be changed.</p>\r
\r
<table><tr><td><pre>\r
        &lt;OpengateServerName&gt;opengate.og.saga-u.ac.jp&lt;/OpengateServerName&gt;\r
\r
        &lt;AuthServer&gt;\r
                &lt;Address&gt;192.168.0.2&lt;/Address&gt;\r
                &lt;Protocol&gt;pop3s&lt;/Protocol&gt;\r
        &lt;/AuthServer&gt;\r
</pre></td></tr></table>\r
\r
<p>In &lt;OpengateServerName&gt;, set HOSTNAME(FQDN) or IP address of opengate gateway server. If you \r
want to use IPv6 function, you need to set FQDN corresponding to IPv4 and IPv6 both addresses.</p>\r
<p>In &lt;AuthServer&gt;, set the information of authentication server. Though Opengate support various protocol, see the config file for details.  To separate the problem between auth server and opengate server, try the following setting firstly.</p>\r
\r
<table><tr><td><pre>\r
 ****Do not use this setting in real service****\r
        &lt;AuthServer&gt;\r
                &lt;Protocol&gt;accept&lt;/Protocol&gt; \r
        &lt;AuthServer&gt;\r
</pre></td></tr></table>\r
\r
<p>Opengate switchs plural auth servers and other settings by ID attached to userid (userid@ID). See the config file for details. By this function, you can divide the authentication servers for many sections or guests.</P>\r
<p>About parameters that can be modified in the config file, see the config file for details.</P>\r
<p>Caution: As the IPv6 function is activated only when IPv6 access is detected, do not delete the IPv6 related setting in config file. The IPv6 access is executed when the FQDN for IPv6 is prepared.</P>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 4 ************** -->\r
<h4>F.4&nbsp;Setup of ipfw<A class=anchor href="#opengate4" name=opengate4>\81õ</A></h4>\r
\r
<p>Write ipfw rules for for Opengate. This is example "rc.firewall".</p>\r
<p>From FreeBSD6.1, IPFW supports IPv6. The IPFW rule used in Opengate is affected by this change. See <a href="http://www.cc.saga-u.ac.jp/opengate/newipfw-e.html>Setting of IPFW on FreeBSD6.1 or Later</a> for detail.</p>\r
\r
<table><tr><td><pre>\r
### set these to your outside interface network and netmask and ip\r
oif="fxp1"\r
onet="192.168.0.0"\r
omask="255.255.255.0"\r
oip="192.168.0.124"\r
\r
### set these to your inside interface network and netmask and ip\r
iif="fxp0"\r
inet="192.168.1.0"\r
imask="255.255.255.0"\r
iip="192.168.1.1"\r
\r
fwcmd="/sbin/ipfw"\r
\r
### divert packet to NATD \r
$fwcmd add 1 divert natd ip from any to any via ${oif}\r
\r
### Stop spoofing\r
$fwcmd add deny all from ${inet}:${imask} to any in via ${oif}\r
$fwcmd add deny all from ${onet}:${omask} to any in via ${iif}\r
\r
### Stop http from softeather\r
$fwcmd add deny tcp from 192.168.0.0:255.255.255.0 to ${oip} 80\r
$fwcmd add deny tcp from 192.168.0.0:255.255.255.0 to ${oip} 443\r
\r
### Allow from / to myself\r
$fwcmd add pass all from ${iip} to any via ${iif}\r
$fwcmd add pass all from ${oip} to any via ${oif}\r
$fwcmd add pass all from any to ${iip} via ${iif}\r
$fwcmd add pass all from any to ${oip} via ${oif}\r
\r
### Allow DNS queries out in the world\r
### (if DNS is on localhost, delete passDNS)\r
$fwcmd add pass udp from any 53 to any\r
$fwcmd add pass udp from any to any 53\r
$fwcmd add pass tcp from any to any 53\r
$fwcmd add pass tcp from any 53 to any\r
\r
### Forwarding http connection from unauth client \r
$fwcmd add 60000 fwd localhost tcp from ${inet}:${imask} to any 80\r
\r
### Allow TCP through if setup succeeded \r
$fwcmd add 60100 pass tcp from any to any established\r
</pre></td></tr></table>\r
\r
<p>\r
Rule number for [forward] Command(60000) must be larger than the rule numbers used by opengate(10000-40000). Rule number for [divert to natd] must be smaller than most rules.</p>\r
\r
<p>The above script is installed as /etc/opengate/rc.firewall.sample. Copy it to /etc/opengate/rc.firewall and modify. To use this script, edit firewall setting in /erc/rc.conf as follows. Be care that accesses after this setting might be denied by the firewall.</p>\r
\r
<table><tr><td><pre>\r
firewall_script="/etc/opengate/rc.firewall"\r
</pre></td></tr></table>\r
\r
\r
<p>Be familiar with the ipfw command. Opengate is a software to send out ipfw add/delete command.</p>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 5 ************** -->\r
<h4>F.5&nbsp;Setup of ip6fw<A class=anchor href="#opengate5" name=opengate5>\81õ</A></h4>\r
\r
<p>Write ipfw rules for for Opengate. This is example "rc.firewall6". </p>\r
<p>From FreeBSD6.1, IPFW supports IPv6. The IPFW rule used in Opengate is affected by this change. See <a href="http://www.cc.saga-u.ac.jp/opengate/newipfw-e.html>Setting of IPFW on FreeBSD6.1 or Later</a> for detail.</p>\r
\r
<table><tr><td><pre>\r
### set these to your outside interface network and prefixlen and ip\r
oif="fxp1"\r
onet="2001:1:2:3::"\r
oprefixlen="64"\r
oip="2001:1:2:3::4"\r
\r
### set these to your inside interface network and prefixlen and ip\r
iif="fxp0"\r
inet="2001:5:6:7::"\r
iprefixlen="64"\r
iip="2001:5:6:7::1"\r
\r
### path to command "ip6fw"\r
fw6cmd="/sbin/ip6fw"\r
\r
${fw6cmd} add pass all from ${iip} to any\r
${fw6cmd} add pass all from any to ${iip}\r
${fw6cmd} add pass all from ${oip} to any\r
${fw6cmd} add pass all from any to ${oip}\r
\r
### Allow RA RS NS NA Redirect...\r
${fw6cmd} add pass ipv6-icmp from any to any\r
\r
# Allow IP fragments to pass through\r
${fw6cmd} add pass all from any to any frag\r
\r
# Allow RIPng\r
${fw6cmd} add pass udp from fe80::/10 521 to ff02::9 521\r
${fw6cmd} add pass udp from fe80::/10 521 to fe80::/10 521\r
\r
### Allow TCP through if setup succeeded\r
${fw6cmd} add 60100 pass tcp from any to any established\r
\r
# TCP reset notice message\r
${fw6cmd} add 60200 reset tcp from any to any 80\r
${fw6cmd} add 60300 reset tcp from any to any 443\r
</pre></td></tr></table>\r
\r
<p>ip6fw dose not have [forward] function. Therefore IPv6 HTTP request is denied. And retried access with IPv4 is catched by ipfw [forward] fuction.</p>\r
\r
<p>When use FreeBSD 5.2 or later, ip6fw has TCP reset function. Because of the reset response, client needs no waiting time until timeout.</p>\r
\r
<p>The above script is installed as /etc/opengate/rc.firewall6.sample. Copy it to /etc/opengate/rc.firewall6 and modify. To use this script, edit firewall setting in /erc/rc.conf as follows. Be care that accesses after this setting might be denied by the firewall.</p>\r
\r
<table><tr><td><pre>\r
ipv6_firewall_script="/etc/opengate/rc.firewall6"\r
</pre></td></tr></table>\r
\r
<p>Be familiar with ip6fw command too.</p>\r
\r
\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 6 ************** -->\r
<h4>F.6&nbsp;Setup of syslog<A class=anchor href="#opengate6" name=opengate6>\81õ</A></h4>\r
\r
<p>Edit /etc/syslog.conf to save log file for Opengate.</p>\r
\r
<table><tr><td><pre>\r
local1.*   /var/log/opengate.log\r
         | Separeted by TAB code\r
</pre></td></tr></table>\r
\r
<p>Make the corresponding file as follows. Be care to control the size of this log file.</p>\r
\r
<table><tr><td><pre>\r
# touch /var/log/opengate.log\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 7 ************** -->\r
<h4>F.7&nbsp;Checking Behavior<A class=anchor href="#opengate7" name=opengate7>\81õ</A></h4>\r
\r
<p>Connect a PC to the lower-side network and access to a site in the upper-side network. If it does not work properly, refer doc/progflow.html and doc/protocol.txt to understand the procedure. And see the log file for Opengate, httpd, system and others at first. To dump more information from Opengate, set the &lt;Debug&gt; switch 1 in opengatesrv.conf. Check also the functions of related software. The error checking document(errcheck.html) and Q and A document (qa.html) might be used for problem solving.</p>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
\r
\r
<hr>\r
<!-- Start:Install MRTG -->\r
<h3>G&nbsp;MRTG Install<A class=anchor href="#mrtg0" name=mrtg0>&dagger;</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#mrtg1">Install (ports)</A></li>\r
        <li class="list_num"><A href="#mrtg2">Setup MRTG</A></li>\r
        <li class="list_num"><A href="#mrtg3">Start confirmation</A></li>\r
        <li class="list_num"><A href="#mrtg4">Setup crontab</A></li>\r
</ul>\r
\r
<!-- ************ 1 ************** -->\r
<h4>G.1&nbsp;Ports Install<A class=anchor href="#mrtg1" name=mrtg1>&dagger;</A></h4>\r
\r
<p>This is optional. You can use MRTG to watch a state of Opengate. If you do not want to watch the state of Opengate, you do not need to install MRTG.</p>\r
\r
<p><a href="http://people.ee.ethz.ch/~oetiker/webtools/mrtg/" target="_blank">MRTG</a>(Multi Router Traffic Grapher) is system to watch network traffic. \r
MRTG makes graphic images and HTML files. </p>\r
\r
<p>You can install MRTG to gateway server or another server. If you must watch plural Opengate, you \r
had better install MRTG to another server.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/net-mgmt/mrtg/\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div><!-- ************ 2 ************** -->\r
<h4>G.2&nbsp;Setup of MRTG<A class=anchor href="#mrtg2" name=mrtg2>&dagger;</A></h4>\r
\r
<p>There is "/usr/local/etc/mrtg/mrtg.cfg.sample" as configuration file after instalation. \r
Copy mrtg.cfg.sample to opengate.cfg and edit configuration file.</p>\r
\r
<table><tr><td><pre>\r
##################################################\r
#  opengate user counter\r
\r
WorkDir: /usr/home/user/public_html/mrtg/opengate/\r
\r
##### Options\r
Options[^]: growright,gauge,nopercent,integer\r
\r
Target[opengate]:`/usr/home/user/bin/input.sh`\r
Title[opengate]: Opengate user counter\r
\r
PageTop[opengate]: &lt;h1&gt;Opengate user counter&lt;/h1&gt;\r
 &lt;p&gt;Show the number of people using Opengate&lt;/p&gt;\r
\r
# Max Number\r
MaxBytes[opengate]: 200\r
\r
# Title of Y axis\r
YLegend[opengate]: Opengate User\r
# unit\r
ShortLegend[opengate]: s\r
# Title of graph LegendI: first line LegendO: second line\r
LegendI[opengate]: IPv6 Users\r
LegendO[opengate]: Total Users\r
</pre></td></tr></table>\r
\r
<p>make a directory which you appointed in "WorkDir". MRTG makes graphic images and HTML files in WorkDir.</p>\r
\r
<p>"Target[opengate]" is path to program to hand data to MRTG. explain below th details.</p>\r
\r
\r
\r
<h5>G.2.1&nbsp;Case of gateway server<A class=anchor href="#mrtg21" name=mrtg21>&dagger;</A></h5>\r
\r
<p>Put this shellscript as "/usr/home/user/bin/input.sh".</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## shwo opengate status for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
LANG=C\r
COLUMNS=256\r
\r
export LANG\r
export COLUMNS\r
\r
### IPv6 prefix\r
prefix="2001:2f8:22:801:"\r
###opengateprocessname\r
process="opengatesrv.cgi" \r
\r
###tmp file  name\r
tmp_all="/tmp/og_count_all.tmp"\r
tmp_6="/tmp/og_count_6.tmp"\r
\r
######################################################\r
psax | grep $process &gt; $tmp_all\r
COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
grep $prefix $tmp_all &gt;  $tmp_6\r
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
\r
rm $tmp_all\r
rm $tmp_6\r
\r
echo "$COUNT6"\r
echo "$COUNT"\r
echo "$UPTIME"\r
echo "Opengate User Counter"\r
</pre></td></tr></table>\r
\r
<p>carry out this shell script alone and confirm that you can acquire the following data.</p>\r
\r
<table><tr><td><pre>5\r
48\r
10days\r
Opengate User Counter\r
</pre></td></tr></table>\r
\r
\r
<h5>G.2.2&nbsp;Case of another server<A class=anchor href="#mrtg22" name=mrtg22>&dagger;</A></h5>\r
\r
<p>Put this shellscript as "/usr/home/user/bin/input.sh" on another server.</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## input data for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
# tmp file name\r
file="/tmp/opengate.tmp"\r
\r
# URL of output.sh at opengate\r
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"\r
\r
fetch -o $file $url &amp;&gt; /dev/null\r
\r
more $file\r
</pre></td></tr></table>\r
\r
<p>Put this shell script as "/usr/local/apache2/cgi-bin/output.sh" on Opengate server. \r
And set this URL to $url in script explained by the above.</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## shwo opengate status for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
LANG=C\r
COLUMNS=256\r
\r
export LANG\r
export COLUMNS\r
\r
### IPv6 prefix\r
prefix="2001:2f8:22:801:"\r
###opengateprocessname\r
process="opengatesrv.cgi" \r
\r
###tmp file name\r
tmp_all="/tmp/og_count_all.tmp"\r
tmp_6="/tmp/og_count_6.tmp"\r
\r
######################################################\r
psax | grep $process &gt; $tmp_all \r
COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
grep $prefix $tmp_all &gt;  $tmp_6\r
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
rm $tmp_all\r
rm $tmp_6\r
\r
echo "Content-type: text/plain; charset=iso-8859-1"\r
echo\r
\r
echo "$COUNT6"\r
echo "$COUNT"\r
echo "$UPTIME"\r
echo "Opengate User Counter"\r
</pre></td></tr></table>\r
\r
<p>carry out "input.sh" shell script on another server and confirm that you can acquire the following data.</p>\r
\r
<table><tr><td><pre>5\r
48\r
10days\r
Opengate User Counter\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div><!-- ************ 3 ************** -->\r
<h4>G.3&nbsp;Start confirmation<A class=anchor href="#mrtg3" name=mrtg3>&dagger;</A></h4>\r
\r
<p>Confirm after setting was completed.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg\r
</pre></td></tr></table>\r
\r
<p>Various WARNING is output the first and second time.</p>\r
\r
<p>There is some files in "WorkDir".</p>\r
\r
<table><tr><td><pre>&gt; ls -l\r
-rw-r--r--  1 root  wheel    538 12 14 04:40 mrtg-l.png\r
-rw-r--r--  1 root  wheel    414 12 14 04:40 mrtg-m.png\r
-rw-r--r--  1 root  wheel   1759 12 14 04:40 mrtg-r.png\r
-rw-r--r--  1 root  wheel   2941 12 20 15:15 opengate-day.png\r
-rw-r--r--  1 root  wheel   2146 12 20 14:35 opengate-month.png\r
-rw-r--r--  1 root  wheel   2867 12 20 14:55 opengate-week.png\r
-rw-r--r--  1 root  wheel   1897 12 20 05:00 opengate-year.png\r
-rw-r--r--  1 root  wheel   5961 12 20 15:15 opengate.html\r
-rw-r--r--  1 root  wheel  48786 12 20 15:15 opengate.log\r
-rw-r--r--  1 root  wheel  48784 12 20 15:10 opengate.old\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 4 ************** -->\r
<h4>G.4&nbsp;Setup crontab<A class=anchor href="#mrtg4" name=mrtg4>&dagger;</A></h4>\r
\r
<p>Add next line to "/etc/crontab".</p>\r
\r
<table><tr><td><pre>\r
*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 1 ************** -->\r
<h3>H&nbsp;rulechk Install<A class=anchor href="#rulechk" name=rulechk>&dagger;</A></h3>\r
\r
<p>This is optional. At the abnormal termination of Opengate process, superfluous rule might be left bihind. \r
Though it is very rare, a script dealing with the case is prepared in tools/rulechk. This script is compatible with Opengate Ver1.3.1 or later.\r
This script compares the Opengate process list and the firewall rule list, and deletes the superfluous rules.\r
</p>\r
<div align="right"><A href="#rulechk">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
</body>\r
</html>