Ver.1.4.38: Modified english document.

[opengate/opengate.git] / opengate / doc / en / install.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
        <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
        <TITLE>Opengate Install</TITLE>

</HEAD>
<BODY LANG="en-US" BGCOLOR="#fafff0" DIR="ltr">
<H2><A href="#top" name=top><FONT SIZE=4>Opengate Installation
Procedure</FONT></A></H2>

<!-- Start:content table -->
<UL>
        <LI><A href="#outline0">Outline</A>
                
        <UL>
                <LI><A href="#outline1">System Configuration</A>  </LI>
                <LI><A href="#outline2">Installation Procedure</A>  </LI>
                <LI><A href="#outline3">Support Page</A></LI>
        </UL>
        <LI><A href="#freebsd0">FreeBSD Installation</A>  </LI>
        <UL>
                <LI><A href="#freebsd1">Basic Installation</A>  </LI>
                <LI><A href="#freebsd2">Adding NAT and Firewall</A>  </LI>
                <LI><A href="#freebsd3">Setting up IPv6</A></LI>
        </UL>
        <LI><A href="#bind0">BIND9 Installation (Optional)</A>  </LI>
        <UL>
                <LI><A href="#bind1">Ports Installation</A> </LI>
                <LI><A href="#bind2">Making RNDC Key</A> </LI>
                <LI><A href="#bind3">Setting up named.conf</A>  </LI>
                <LI><A href="#bind4">Creating a Zone file</A>  </LI>
                <LI><A href="#bind5">Checking Behavior</A></LI>
        </UL>
        <LI><A href="#dhcp0">isc-dhcp3 Installation (Optional)</A> 
        <UL>
                <LI><A href="#dhcp1">Ports Installation</A> </LI>
                <LI><A href="#dhcp2">Setting up DHCP</A></LI>
        </UL>
        <LI><A href="#apache0">Apache2 Installation</A> </LI>
        <UL>
                <LI><A href="#apache1">Ports Installation</A> </LI>
                <LI><A href="#apache2">Making Certificates</A>  </LI>
                <LI><A href="#apache3">Setting up VirtualHost</A>  </LI>
                <LI><A href="#apache4">Other Settings and Checking the Installation</A></LI>
        </UL>
        <LI><A href="#opengate0">Opengate Installation</A> </LI>
        <UL>
                <LI><A href="#opengate1">Opengate Package</A>  </LI>
                <LI><A href="#opengate2">Installation</A> </LI>
                <LI><A href="#opengate3">Setting up Config File</A>  </LI>
                <LI><A href="#opengate4">Setting up IPFW</A>  </LI>
                <LI><A href="#opengate5">Setting up Syslog</A>  </LI>
                <LI><A href="#opengate6">Checking Behavior</A>  </LI>
                <LI><A href="#opengate7">Modifying Pages</A>  </LI>
                        </UL>
        <LI><A href="#mrtg0">MRTG Install(Optional)</A>  </LI>
        <UL>
                <LI><A href="#mrtg1">Ports Installation</A> </LI>
                <LI><A href="#mrtg2">Setting up MRTG</A> </LI>
                <LI><A href="#mrtg3">Confirming MRTG Startup Operation</A> </LI>
                <LI><A href="#mrtg4">Registering to Crontab</A> </LI>
        </UL>
        <LI><A href="#rulechk">rulechk Installation (Optional)</A> </LI>
</UL>

<BR><BR>
<P></P><!-- End:content table --><!-- Start:Outline -->


<H3><A href="#outline0" name=outline0>A&nbsp;Outline</A></H3>
<UL>
        <LI><A href="#outline1">System Configuration</A>  </LI>

        <LI><A href="#outline2">Installation Procedure</A> </LI>
</UL>

<H4><!-- ************1************* -->
<A href="#outline1" name=outline1>A.1&nbsp;System
Configuration</A></H4>
<UL>
        <LI>Gateway Machine </LI>
        <UL>
                <LI>FreeBSD Ver 4.x, 5.x, 6.x or 7.x </LI>
                <LI>Having two or more NICs </LI>
        </UL></LI>
</UL>
<P>In this document, we use the system configuration as follows. The
network connecting terminals is called "lower-side network" and
the network having servers is called "upper-side network".</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>upper-side network:192.168.0.0/24, 2001:1:2:3/64
Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4
Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1
lower-side network:192.168.1.0/24, 2001:5:6:7/64</PRE>
                </TD>
        </TR>
</TABLE>
<P>Opengate recognizes both IPv4 and IPv6 addresses, and controls
both firewalls. It can be used for IPv4 control only if the FreeBSD
environment is not set up for IPv6.</P>


<H4><!-- ***********2************** -->
<A href="#outline2" name=outline2>A.2&nbsp;Installation
Procedure</A></H4>
<P>The following steps are necessary to complete the installation of
Opengate. <BR>Items marked with '*' are mandatory.</P>
<UL>
        <LI>FreeBSD Installation&nbsp;* </LI>

        <LI>Adding the Firewall&nbsp;* </LI>

        <LI>BIND9 Installation and Setup </LI>

        <LI>DHCP Installation and Setup </LI>

        <LI>Apache2 Installation and Setup&nbsp;*</LI>

        <LI>Opengate Installation and Setup&nbsp;*</LI>
</UL>


<H4><!-- ***********3************** -->
<A href="#outline3" name=outline3>A.2&nbsp;Support Page</A></H4>
<P STYLE="MARGIN-BOTTOM: 0in">The Opengate support page can be
consulted at: 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>  http://www.cc.saga-u.ac.jp/opengate/index-e.html</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#outline0">back</A>&nbsp;<A href="#top">top</A></P>
<HR>


<!-- Start:FreeBSD Install-->
<H3><A href="#freebsd0" name=freebsd0>B&nbsp;FreeBSD Installation</A></H3>
<UL>
        <LI><A href="#freebsd1">Basic Installation</A> </LI>
        <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>
        <LI><A href="#freebsd3">Setting up IPv6</A> </LI>
</UL>


<H4><!-- ************1************* -->
<A href="#freebsd1" name=freebsd1>B.1&nbsp;Basic Installation</A></H4>

<P>Use FreeBSD4.x or later. FreeBSD6.1 or later is preferred. <BR>Choose
distribution "Developer (Full sources, binaries and doc)" or
"all" because we have to compile a custom kernel.</P>
<P>Add the following line to "/etc/rc.conf", to enable the
gateway function:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <P><CODE>gateway_enable="YES"</CODE></P>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 2 ************** --><A href="#freebsd2" name=freebsd2>B.2&nbsp;Adding
NAT and Firewall</A></H4>
<P>Preparing the kernel to include IPFW and IP6FW functionality.</P>
<P>Copy the kernel configuration file:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/src/sys/i386/conf
# cp GENERIC MYKERNEL</PRE>
                </TD>
        </TR>
</TABLE>
<P>Add the following lines to the kernel configuration file:</P>
<P>A. FreeBSD6.0 or earlier</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>options IPDIVERT

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100

options IPSEC
options IPSEC_ESP
options TCP_DROP_SYNFIN</PRE>
                </TD>
        </TR>
</TABLE>
<P>B. FreeBSD6.1 or later</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>options IPDIVERT

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

options IPSEC
device crypto</PRE>
                </TD>
        </TR>
</TABLE>
<P>compile and install the new kernel (incl. added support for IPFW
and IP6FW).</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
<TR><TD>
<PRE>#cd /usr/src
#make buildkernel KERNCONF=MYKERNEL
#make installkernel KERNCONF=MYKERNEL
</PRE>
</TD></TR>
</TABLE>
<P>It might be failed in old FreeBSD.&nbsp;&nbsp;In the case, execute the following.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
<TR><TD>
<PRE># config MYKERNEL
# cd ../compile/MYKERNEL
# make depend
# make
# make install</PRE>
</TD></TR>
</TABLE>
<P>"make clean" might be requested before "make
depend". 
</P>
<P>Add the following lines to "/etc/rc.conf":</P>
<P>a. FreeBSD6.0 or earlier</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"</PRE>
                </TD>
        </TR>
</TABLE>
<P>b. FreeBSD6.1 or later</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"</PRE>
                </TD>
        </TR>
</TABLE>
<P>When enabling IPFW (and IP6FW), make sure
to also set the firewall_type to 'OPEN', to prevent  unpredictable
system behavior during installation. <BR>To enable NAT, set
natd_enable to 'YES' and define the natd interface (Upper-side
interface).</P>
<P>Connect a client pc to the lower-side
network and check the IPv4 behavior.<BR>Since DHCP is not yet set up,
the client's network settings must be configured manually.</P>
<P ALIGN=right><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 3 ************** -->
<A href="#freebsd3" name=freebsd3>B.3&nbsp;Setting up IPv6</A></H4>
<P>If you need IPv4 only, this section can
be skipped. <BR>Though explanation is omitted, many parameters, like
the ones used in the following sample, can be set in /etc/rc.conf.
<BR>It is advised to read up on IPv6 and carefully set up its
parameters. 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>##ENABLE IPv6
ipv6_enable="YES"
ipv6_network_interfaces="gif0 fxp0"

##TUNNELLING INTERFACE
gif_interfaces="gif0"
gifconfig_gif0="192.168.0.124 192.168.0.126"

##IPv6 ADDRESS 
ipv6_prefix_fxp0="2001:5:6:7"
ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"

##ADVERTISE
rtadvd_enable="YES"
rtadvd_interfaces="fxp0"

##DEFAULT GATEWAY
ipv6_default_interface="gif0"
ipv6_defaultrouter="fe80::a:b:c:d%gif0"

##ROUTING(RIPv6)
ipv6_gateway_enable="YES"
ipv6_router_enable="YES"
ipv6_router="/usr/sbin/route6d"
ipv6_router_flags="-O 2001:5:6:7::/64,gif0"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Connect a client pc to the lower-side
network and check the behavior of IPv6.<BR>On a Windows pc, the
command "ipv6 install" might be needed to activate IPv6.</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#ipfw0">back</A>&nbsp;<A href="#top">top</A></P>
<HR>


<H3><!-- Start:BIND9 Install --><A href="#bind0" name=bind0>C&nbsp;BIND9
Install(Optional)</A></H3>
<UL>
        <LI><A href="#bind1">Ports Install</A></LI>
        <LI><A href="#bind2">Making RNDC Key</A></LI>
        <LI><A href="#bind3">Setting up named.conf</A></LI>
        <LI><A href="#bind4">Creating up a Zone file</A> </LI>
        <LI><A href="#bind5">Checking Behavior</A> </LI>
</UL>


<H4><!-- ********** 1 *********** -->
<A href="#bind1" name=bind1>C.1&nbsp;Ports Install</A></H4>

<P>     You can ignore DNS
settings, if you control with IP address base
or use existing DNS servers.</P>
<P>     Installing BIND9 from
ports:<BR>      
Note: The "sysinstall" command can also be used.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/ports/dns/bind9/
# make clean
# make install clean ; rehash</PRE>
                </TD>
        </TR>
</TABLE>
<P>During installation  the directory "/etc/namedb
(/var/named/etc/namedb)" is created.</P>
<P ALIGN=right><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ********** 2 ********** -->
<A href="#bind2" name=bind2>C.2&nbsp;Making RNDC key</A></H4>
<P>Use the "rndc" command to further secure BIND9.</P>
<P>Create the rndc key as follows:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /etc/namebd/
# rndc-confgen -b 512 &gt; rndc.conf</PRE>
                </TD>
        </TR>
</TABLE>
<P>This will generate the "rndc.conf" file.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
# };
# 
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ********* 3 ********* -->
<A href="#bind3" name=bind3>C.3&nbsp;Setting up named.conf</A></H4>
<P>After installation,  look for the
"/etc/namedb/named.conf" file and copy the last half of the
"rndc.conf" file to it, making sure to remove comments, and
add IPv6 configuration where/if required.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
        algorithm hmac-md5;
        secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

controls {
        inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf</PRE>
                </TD>
        </TR>
</TABLE>
<P>For security reasons, it is better to write the "key"
directive in the other file.</P>
<P>Edit the "options" directive in "named.conf":</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        auth-nxdomain yes;
        listen-on-v6 { any; };
};</PRE>
                </TD>
        </TR>
</TABLE>
<P>Create the corresponding "pid" directory.</P>
<P ALIGN=right><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ******** 4 ********* -->
<A href="#bind4" name=bind4>C.4&nbsp;Creating a  Zone file</A></H4>
<P>Edit the "view" and "zone" directives in "named.conf".</P>
<P>The "view" directive is implemented in BIND9. Replying
to the inquiries from matched-clients, BIND9 sends the information as
described in the corresponding "view"</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>view "og" {
        match-clients
        {
        192.168.1.0/24;
        };

        recursion yes;

        zone "." {
                type hint;
                file "named.root";
        };

        zone "og.saga-u.ac.jp" {
                type master;
                file "og.saga-u.ac.jp";
        };

        zone "0.0.127.IN-ADDR.ARPA" {
                type master;
                file "master/localhost.rev";
        };

        // RFC 3152
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
                type master;
                file "master/localhost-v6.rev";
        };

        // RFC 1886 -- deprecated
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
                type master;
                file "master/localhost-v6.rev";
        };
};</PRE>
                </TD>
        </TR>
</TABLE>
<P><BR>Make a "zone" file for the domain "og.saga-u.ac.jp".
<BR>The domain name and IPv4/6 addresses should be modified properly.
If you don't need IPv6, remove the line containing "AAAA ....".</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>$TTL    3600
$ORIGIN og.saga-u.ac.jp.

@       IN      SOA     ns.og.saga-u.ac.jp. postmaster (
                        2005051702 ;
                        3600
                        1200
                        2419200
                        86400 )
                IN      NS      ns.og.saga-u.ac.jp.
                IN      A       192.168.1.1
                IN      MX      10 opengate.og.saga-u.ac.jp.

ns              IN      A       192.168.1.1

opengate        IN      A       192.168.1.1
                        AAAA    2001:5:6:7::1</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ********* 5 ********* -->
<A href="#bind5" name=bind5>C.5&nbsp;Checking Behavior</A></H4>
<P>Confirm starting of "named" after completings its
configuration.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># /usr/local/sbin/named -u bind -c /etc/namedb/named.conf</PRE>
                </TD>
        </TR>
</TABLE>
<P>If "named" starts without problems, add the following
lines to "/etc/rc.conf" to allow it to automatically start
on boot up.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Because the management of a DNS server
can be complicated,  it is strongly advised to carefully read the
BIND9 manual, and/or consult other documentation.</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></P>


<HR>
<H3><!-- Start:isc-dhcp3 Install -->
<A href="#dhcp0" name=dhcp0>D&nbsp;isc-dhcp3 Installation (Optional)</A></H3>
<UL>
        <LI><A href="#dhcp1">Ports Installation</A> 
        <LI><A href="#dhcp2">Setting up DHCP</A> </LI>
</UL>


<H4><!-- *********** 1 ************* -->
<A href="#dhcp1" name=dhcp1>D.1&nbsp;Ports Install</A></H4>
<P>If many client PCs are going to be
connected, using the DHCP service might be a desirable solution for
assigning IP addresses to these clients.</P>
<P>Installing isc-dhcp3 from ports:<BR>Note:
the "sysinstall" command can also be used.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/ports/net/isc-dhcp3-server
# make clean
# make install clean ; rehash</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 2 ************** -->
<A href="#dhcp2" name=dhcp2>D.2&nbsp;Setting up DHCP</A></H4>
<P>The"/usr/local/etc/dhcpd.conf.sample"
 configuration file is created during installation. <BR>Copy
"dhcpd.conf.sample" to "dhcpd.conf" and edit the
file. <BR><BR>The following is an example setup: <BR>The lease time
must be greater than the maximum usage duration (Duration/Max in
opengatesrv.conf).<BR>The domain name and IP addresses should be
modified. 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>option domain-name "og.saga-u.ac.jp";
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;

default-lease-time 86400;
max-lease-time 604800;
ddns-update-style none;
log-facility local7;

subnet 192.168.55.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.250;
}</PRE>
                </TD>
        </TR>
</TABLE>
<P>Add the following lines to "/etc/rc.conf" to allow it to
automatically start on boot up.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>dhcpd_enable="YES"
dhcpd_ifaces="fxp0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"</PRE>
                </TD>
        </TR>
</TABLE>
<P>In this example, the value of
"dhcpd_ifaces" is the interface providing the DHCP service
<BR>(to the lower-side network).</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></P>
<HR>


<H3><!-- Start:Apache2 Install--><A href="#apache0" name=apache0>E&nbsp;Apache2
Installation</A></H3>
<UL>
        <LI><A href="#apache1">Ports Installation</A> </LI>
        <LI><A href="#apache2">Making Certificates</A> </LI>
        <LI><A href="#apache3">Setting up SSL</A></LI>
        <LI><A href="#apache4">Other Settings and Checking the installation</A> </LI>
</UL>


<H4><!-- ************ 1 ************** --><A href="#apache1" name=apache1>E.1&nbsp;Ports
Install</A></H4>
<P>When using IPv6, Opengate needs Apache2
to support IPv6. <BR>By default, Apache2 supports SSL which is
preferred for secure authentication.</P>
<P>Installing Apache2 from ports:<BR>Note:
The "sysinstall" command can also be used.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/ports/www/apache22
# make clean
# make install clean ; rehash</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 2 ************** --><A href="#apache2" name=apache2>E.2&nbsp;Making
Certificates</A></H4>
<P>It is better to obtain a formal key from
some CA. But we will show you how to create a self-signed private key
and certificate. 
</P>
<P>Creating a private key:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt

# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024</PRE>
                </TD>
        </TR>
</TABLE>
<P><BR>Making a certificate from the created key:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># /usr/bin/openssl req -new -x509 -days 365 \
    -key /usr/local/etc/apache22/server.key \
    -out /usr/local/etc/apache22/server.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Saga
Locality Name (eg, city) []:Saga-city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university
Organizational Unit Name (eg, subsection) []:Opengate Management
Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp
Email Address []:administrator@opengate.og.saga-u.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 3 ************** --><A href="#apache3" name=apache3>E.3&nbsp;
Setting up SSL</A></H4>
<P>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" as
shown in the following example:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <P>ssl.conf 
                        </P>
                </TD>
        </TR>
        <TR>
                <TD>
                        <PRE>&lt;VirtualHost _default_:443&gt;
    DocumentRoot "/usr/local/www/apache22/data"
    ServerName opengate.og.saga-u.ac.jp:443
    ServerAdmin administrator@opengate.og.saga-u.ac.jp
    ErrorLog "|/usr/bin/logger -p local6.info"
    CustomLog "|/usr/bin/logger -p local5.info" combined

    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile /usr/local/etc/apache22/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache22/server.key
&lt;/VirtualHost&gt;</PRE>
                </TD>
        </TR>
</TABLE>
<P>Since Apache2 has many settings,
familiarize yourself with the Apache2 configuration options for
adequate control.</P>
<P ALIGN=right><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 4 ************** --><A href="#apache4" name=apache4>E.4&nbsp;Other
Settings and Checking the Installation</A></H4>
<P>Edit "/usr/local/etc/apache22/httpd.conf" as follows:</P>
<P>Opengate should send back the
authentication page in response to any kind of HTTP request. <BR>To
do so, add the following line to httpd.conf: <BR> (the top page will
be sent back on an HTTP_ERROR 404 [file not found] error).</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>ErrorDocument 404 /</PRE>
                </TD>
        </TR>
</TABLE>
<P><BR>Add "ExecCGI" to allow executing CGI programs in the
cgi-bin directory.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>&lt;Directory "/usr/local/www/cgi-bin"&gt;
    ...
    Options ExecCGI
    ...
&lt;/Directory&gt;</PRE>
                </TD>
        </TR>
</TABLE>
<P>Remove the comment mark ("#") to
enable the following setting: 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>AddHandler cgi-script .cgi
AddHandler type-map .var</PRE>
                </TD>
        </TR>
</TABLE>
<P>Add "index.html.var" to
DirectoryIndex: 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>DirectoryIndex index.html.var index.html</PRE>
                </TD>
        </TR>
</TABLE>
<P>Include ssl conf file:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>Include etc/apache22/extra/httpd-ssl.conf</PRE>
                </TD>
        </TR>
</TABLE>
<P>Set ServerName: 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>ServerName opengate.og.saga-u.ac.jp</PRE>
                </TD>
        </TR>
</TABLE>
<P>Start Apache2 with "apachectl start"
and check for errors. <BR>If no errors are displayed, add the
following lines to "/etc/rc.conf" to allow Apache to start
on boot up:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>apache22_enable="YES"
apache22ssl_enable="YES"</PRE>
                </TD>
        </TR>
</TABLE>
<P>If the system shows "Failed to
enable the 'httpready' Accept Filter", add the following to
/boot/loader.conf :</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>accf_http_load="YES"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Should the certificate require a PASSPHRASE, Apache will ask for it during
boot up.<BR> If you do not enter the passphrase (reboot due to
power outage, remote reboot, ,...), this will prevent <BR> the server from starting Apache normally, 
i.e. leaving you with a possible "crippled" server.</P>
<BLOCKQUOTE>
<P>
Easy fix:<BR>
1. create a simple script containing the following:<BR>
#!/bin/sh<BR>
echo "&lt;passphrase goes here&gt;"<BR>
<BR>2. add the following to     httpd.conf:<BR>
SSLPassPhraseDialog exec:/path/to/above/script
</P></BLOCKQUOTE>

<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></P>


<HR>
<H3><!-- Start:Opengate Install -->
<A href="#opengate0" name=opengate0>F&nbsp;Opengate Installation</A></H3>
<UL>
        <LI><A href="#opengate1">Opengate Package</A> 
        <LI><A href="#opengate2">Installation</A> </LI>
        <LI><A href="#opengate3">Setting up Config File</A> </LI>
        <LI><A href="#opengate4">Setting up IPFW</A> </LI>
        <LI><A href="#opengate5">Setting up syslog</A> </LI>
        <LI><A href="#opengate6">Checking Behavior</A> </LI>
        <LI><A href="#opengate7">Modifying Pages</A> </LI>
</UL>


<H4><!-- ************1************* -->
<A href="#opengate1" name=opengate1>F.1&nbsp;Opengate
Package</A></H4>
<P>Unpack the Opengate compressed file: 
</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># tar xzvf opengatexxxx.tar.gz</PRE>
                </TD>
        </TR>
</TABLE>
<P>It contains the following directories:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>doc: Documentation
conf: Configuration files and firewall control Perl script sample
javahtml: Client Java Programs and  HTML files
opengatesrv: Server CGI programs
tools: Some related tools
ezxml: XML parser (Copyright Aaron Voisine)</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************2************* -->
<A href="#opengate2" name=opengate2>F.2&nbsp;Installation</A></H4>
<P>Check the settings in "opengatesrv/Makefile" and modify
if needed:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>HTMLTOP = /usr/local/www/apache22
DOCDIR = /data
CGIDIR = /cgi-bin
OPENGATEDIR = /opengate
CONFIGPATH = /etc/opengate</PRE>
                </TD>
        </TR>
</TABLE>
<P>Compile and Install:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># make clean
# make install</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 3 ************** -->
<A href="#opengate3" name=opengate3>F.3&nbsp;Setting up Config File</A></H4>

<P>Copy the sample configuration file
"/etc/opengate/opengatesrv.conf.sample" to
"/etc/opengate/opengatesrv.conf" and modify. <BR>The
following settings must be changed:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>        &lt;OpengateServerName&gt;opengate.og.saga-u.ac.jp&lt;/OpengateServerName&gt;

        &lt;AuthServer&gt;
                &lt;Protocol&gt;pop3s&lt;/Protocol&gt;
                &lt;Address&gt;192.168.0.2&lt;/Address&gt;
        &lt;/AuthServer&gt;</PRE>
                </TD>
        </TR>
</TABLE>
<P>In &lt;OpengateServerName&gt;, set the
HOSTNAME(FQDN) or IP address of the opengate gateway server. If you
want to use IPv6, you need to set the FQDN corresponding to both IPv4
and IPv6 addresses.</P>
<P>In &lt;AuthServer&gt;, set the
information for the authentication server. Opengate supports various
authentication protocols. See the config file for details. <BR>To
differentiate between erorrs caused by authentication server or those
caused by the opengate server, try the following setting first. This
means that any userid and password combination is accepted.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE> ****Do not use this setting in real service****
        &lt;AuthServer&gt;
                &lt;Protocol&gt;accept&lt;/Protocol&gt; 
        &lt;AuthServer&gt;</PRE>
                </TD>
        </TR>
</TABLE>
<P>The config file is XML. "#" marks in
the file do not represent the start of a comment. <BR>Use
XML-formatted comments like &lt;!-- Comment String --&gt; to disable
a description.</P>
<P>Opengate can pass authentication settings
in the form of "userid@extid". <BR>See the config file for
more details. <BR>By using this function, you can use different
authentication servers for many sections or guests.</P>
<P>When the primary authentication server
does not reply, Opengate can resend the request to other
authentication servers. See the config file for more details.</P>
<P>Caution: Do not delete the IPv6 related
settings in the config file! <BR>          The IPv6 access is executed when
the FQDN for IPv6 is prepared.</P>

<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 4 ************** -->
<A href="#opengate4" name=opengate4>F.4&nbsp;Setting up IPFW</A></H4>
<P>Write IPFW rules for Opengate. 
</P>
<P>a. For FreeBSD6.0 or earlier</P>
<P>IPv4 and Ipv6 rules are controlled by IPFW and IP6FW respectively
.</P>
<P>  Sample rule sets for both firewall
types are prepared as "/etc/opengate/rc.firewall4.sample"
and "/etc/opengate/rc.firewall6.sample"</P>
<P>Copy these scripts and modify according to your needs.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /etc/opengate
# cp rc.firewall4.sample rc.firewall4
# cp rc.firewall6.sample rc.firewall6
# vi rc.firewall4
# vi rc.firewall6</PRE>
                </TD>
        </TR>
</TABLE>
<P>Modify the firewall settings in /etc/rc.conf as follows: <BR>  Be
careful not to lock yourself out of the system after reloading the
firewall.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall4"

ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/opengate/rc.firewall6"</PRE>
                </TD>
        </TR>
</TABLE>
<P>For Ipv6 support, change the path in "/etc/opengatesrv.conf"
from &lt;Ip6fwPath&gt;/sbin/ipfw&lt;/Ip6fwPath&gt; to
&lt;Ip6fwPath&gt;/sbin/ip6fw&lt;/Ip6fwPath&gt; 
</P>
<P>b. For FreeBSD6.1 or later</P>
<P>Both IPv4 and IPv6 packets are controlled by IPFW.</P>
<P>A sample rule set for IPFW can be found in
"/etc/opengate/rc.firewall.sample"</P>
<P>Copy the script and modify to fit your needs. <BR>   If you are
not familiar with Ipv6, set IPv6 addresses as localhost (*net6="0",
*ip6="::1").</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /etc/opengate
# cp rc.firewall.sample rc.firewall
# vi rc.firewall</PRE>
                </TD>
        </TR>
</TABLE>
<P>Modify the firewall settings in /etc/rc.conf as follows:<BR>  Be
careful not to lock yourself out of the system after reloading the
firewall.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Familiarise yourself with the "ipfw" command. <BR>  The
Opengate software sends out ipfw add/delete commands.</P>
<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 5 ************** -->
<A href="#opengate5" name=opengate5>F.5&nbsp;Setting
up syslog</A></H4>
<P>Edit /etc/syslog.conf to save log entries for Opengate.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>         | Separated by TAB code
         V
local1.*   /var/log/opengate.log</PRE>
                </TD>
        </TR>
</TABLE>
<P>Make the log file as follows: <BR>  Consider using log rotation to
control the size of this log file.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># touch /var/log/opengate.log</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 6 ************** -->
<A href="#opengate6" name=opengate6>F.6&nbsp;Checking
Behavior</A></H4>
<P>Connect a PC to the lower-side network
and try to access a site in the upper-side network. <BR>If it does
not work properly, consult doc/progflow.html and doc/protocol.txt to
better understand the procedure. Also check the log files for
Opengate, httpd, system and others. To dump more information from
Opengate, set the &lt;Debug&gt; switch to "2" in
opengatesrv.conf.  Also check the functions of related software. The
error checking document (errcheck.html) and Q&amp;A documents
(qa.html, recentqa.html on the web) can be used for problem solving.</P>
<P ALIGN=right><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 7 ************** -->
<A href="#opengate7" name=opengate7>F.7&nbsp;Modifying
Pages</A></H4>
<P>If you want to modify the contents of the
web pages, edit the html files in the Opengate directories. The
relative path cannot be used in httpkeep.html. Use the full URL
description. The descriptions such as %%XXX%% are variables replaced
by their proper values during CGI runtime. 
</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></P>
<HR>



<HR>
<H3><!-- Start:Install MRTG -->
<A href="#mrtg0" name=mrtg0>G&nbsp;MRTG Installion (Optional)</A></H3>
<UL>
        <LI><A href="#mrtg1">Ports Installation</A> </LI>
        <LI><A href="#mrtg2">Setting up MRTG</A> </LI>
        <LI><A href="#mrtg3">Confirming proper startup</A>  </LI>
        <LI><A href="#mrtg4">Setting up crontab</A> </LI>
</UL>

<H4><!-- ************ 1 ************** -->
<A href="#mrtg1" name=mrtg1>G.1&nbsp;Ports Installation</A></H4>

<P>This section is optional. <BR>   If you want to graphically
monitor the state of Opengate, MRTG can be used but is not required.</P>
<P><A HREF="http://people.ee.ethz.ch/%7Eoetiker/webtools/mrtg/" TARGET="_blank">MRTG<SPAN STYLE="TEXT-DECORATION: none">
</SPAN></A>(Multi Router Traffic Grapher) is a system to monitor
network traffic. MRTG produces graphic images and HTML files. 
</P>
<P>You can install MRTG on the gateway
server or another server. If you need to monitor multiple Opengate
systems, it is advised to install MRTG on a separate server.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># cd /usr/ports/net-mgmt/mrtg/
# make clean
# make install clean ; rehash</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></P>


<H4><!-- ************ 2 ************** -->
<A href="#mrtg2" name=mrtg2>G.2&nbsp;Setting up MRTG</A></H4>
<P>MRTG creates
"/usr/local/etc/mrtg/mrtg.cfg.sample" as the sample
configuration file during installation. Copy mrtg.cfg.sample to
opengate.cfg and edit the file:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>##################################################
#  opengate user counter

WorkDir: /usr/home/user/public_html/mrtg/opengate/

##### Options
Options[^]: growright,gauge,nopercent,integer

Target[opengate]:`/usr/home/user/bin/input.sh`
Title[opengate]: Opengate user counter

PageTop[opengate]: &lt;h1&gt;Opengate user counter&lt;/h1&gt;
 &lt;p&gt;Show the number of people using Opengate&lt;/p&gt;

# Max Number
MaxBytes[opengate]: 200

# Title of Y axis
YLegend[opengate]: Opengate User
# unit
ShortLegend[opengate]: s
# Title of graph LegendI: first line LegendO: second line
LegendI[opengate]: IPv6 Users
LegendO[opengate]: Total Users</PRE>
                </TD>
        </TR>
</TABLE>
<P>Be sure to actually create the directory
which you appointed in "WorkDir". MRTG creates its graphic
images and HTML files in "WorkDir"</P>
<P>"Target[opengate]" contains the
path to the program that hands its data to MRTG. <BR>(details
explained below)</P>

<H5>G.2.1&nbsp;Scenario 1: Running MRTG on the gateway server</H5>
<P>Create the shell script "/usr/home/user/bin/input.sh"
with the following contents:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>#!/bin/sh

#######################################
##
## show opengate status for MRTG
##
##   1 line : IPv6 Users
##   2 line : Total Users
##   3 line : uptime
##   4 line : comment for data
##
#######################################

LANG=C
COLUMNS=256

export LANG
export COLUMNS

### IPv6 prefix
prefix="2001:2f8:22:801:"
###opengateprocessname
process="opengatesrv.cgi" 

###tmp file  name
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
psax | grep $process &gt; $tmp_all
COUNT = `wc-l $tmp_all | awk '{print $1}'` 
grep $prefix $tmp_all &gt;  $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`

rm $tmp_all
rm $tmp_6

echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Run this shell script as standalone and confirm that you can
acquire the following data:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>5
48
10days
Opengate User Counter</PRE>
                </TD>
        </TR>
</TABLE>
<H5>G.2.2&nbsp;Scenario 2: Running MRTG on a separate server</H5>
<P>Create the shell script "/usr/home/user/bin/input.sh" on
a separate server.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>#!/bin/sh

#######################################
##
## input data for MRTG
##
##   1 line : IPv6 Users
##   2 line : Total Users
##   3 line : uptime
##   4 line : comment for data
##
#######################################

# tmp file name
file="/tmp/opengate.tmp"

# URL of output.sh at opengate
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"

fetch -o $file $url &amp;&gt; /dev/null

more $file</PRE>
                </TD>
        </TR>
</TABLE>
<P STYLE="TEXT-INDENT: 0in">Create the shell script
"/usr/local/apache2/cgi-bin/output.sh" on the Opengate
(gateway) server, and set the URL to $url, as explained above.</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>#!/bin/sh

#######################################
##
## show opengate status for MRTG
##
##   1 line : IPv6 Users
##   2 line : Total Users
##   3 line : uptime
##   4 line : comment for data
##
#######################################

LANG=C
COLUMNS=256

export LANG
export COLUMNS

### IPv6 prefix
prefix="2001:2f8:22:801:"
###opengateprocessname
process="opengatesrv.cgi" 

###tmp file name
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
psax | grep $process &gt; $tmp_all 
COUNT = `wc-l $tmp_all | awk '{print $1}'` 
grep $prefix $tmp_all &gt;  $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
rm $tmp_all
rm $tmp_6

echo "Content-type: text/plain; charset=iso-8859-1"
echo

echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"</PRE>
                </TD>
        </TR>
</TABLE>
<P>Run "input.sh" on another server and confirm that you
can acquire the following data:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>5
48
10days
Opengate User Counter</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></P>

<H4><!-- ************ 3 ************** -->
<A href="#mrtg3" name=mrtg3>G.3&nbsp;Confirming MRTG Startup Operation:</A></H4>

<P>Use the following command to confirm MRTG is working with your
config:</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE># /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
                </TD>
        </TR>
</TABLE>
<P STYLE="TEXT-INDENT: 0in">Various WARNING messages are output the
first and second time, this is normal behavior <BR>(as explained in
the MRTG documentation)!<BR>Some files are created in "WorkDir".</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>&gt; ls -l
-rw-r--r--  1 root  wheel    538 12 14 04:40 mrtg-l.png
-rw-r--r--  1 root  wheel    414 12 14 04:40 mrtg-m.png
-rw-r--r--  1 root  wheel   1759 12 14 04:40 mrtg-r.png
-rw-r--r--  1 root  wheel   2941 12 20 15:15 opengate-day.png
-rw-r--r--  1 root  wheel   2146 12 20 14:35 opengate-month.png
-rw-r--r--  1 root  wheel   2867 12 20 14:55 opengate-week.png
-rw-r--r--  1 root  wheel   1897 12 20 05:00 opengate-year.png
-rw-r--r--  1 root  wheel   5961 12 20 15:15 opengate.html
-rw-r--r--  1 root  wheel  48786 12 20 15:15 opengate.log
-rw-r--r--  1 root  wheel  48784 12 20 15:10 opengate.old</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></P>

<H4><!-- ************ 4 ************** -->
<A href="#mrtg4" name=mrtg4>G.4&nbsp;Registering to Crontab</A></H4>

<P>Add the following line to "/etc/crontab":</P>
<TABLE CELLPADDING=2 CELLSPACING=2>
        <TR>
                <TD>
                        <PRE>*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
                </TD>
        </TR>
</TABLE>
<P ALIGN=right><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></P>


<H3><!-- Start:Install rulechk -->
<A href="#rulechk" name=rulechk>H&nbsp;rulechk Installation (Optional)</A></H3>

<P>This section is optional. <BR>When the
Opengate process is not exited normally, superfluous rules might be
left behind. <BR>Though it is 
very rare, the tools/rulechk script is made to handle such situations. This 
script compares the Opengate process list and the firewall rule list, and 
deletes the obsolete rules.<BR>This script is compatible with Opengate Ver1.3.1 or above. 
</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#rulechk">back</A>&nbsp;<A href="#top">top</A></P>
</BODY>
</HTML>