1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
4 <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
5 <TITLE>Opengate Install</TITLE>
8 <BODY LANG="en-US" BGCOLOR="#fafff0" DIR="ltr">
9 <H2><A href="#top" name=top><FONT SIZE=4>Opengate Installation
10 Procedure</FONT></A></H2>
12 <!-- Start:content table -->
<UL>
<LI><A href="#outline0">Outline</A>
<UL>
<LI><A href="#outline1">System Configuration</A></LI>
<LI><A href="#outline2">Installation Procedure</A></LI>
<LI><A href="#outline3">Support Page</A></LI>
</UL></LI>
<LI><A href="#freebsd0">FreeBSD Installation</A>
<UL>
<LI><A href="#freebsd1">Basic Installation</A></LI>
<LI><A href="#freebsd2">Adding NAT and Firewall</A></LI>
<LI><A href="#freebsd3">Setting up IPv6</A></LI>
</UL></LI>
<LI><A href="#bind0">BIND9 Installation (Optional)</A>
<UL>
<LI><A href="#bind1">Ports Installation</A></LI>
<LI><A href="#bind2">Making RNDC Key</A></LI>
<LI><A href="#bind3">Setting up named.conf</A></LI>
<LI><A href="#bind4">Creating a Zone file</A></LI>
<LI><A href="#bind5">Checking Behavior</A></LI>
</UL></LI>
<LI><A href="#dhcp0">isc-dhcp3 Installation (Optional)</A>
<UL>
<LI><A href="#dhcp1">Ports Installation</A></LI>
<LI><A href="#dhcp2">Setting up DHCP</A></LI>
</UL></LI>
<LI><A href="#apache0">Apache2 Installation</A>
<UL>
<LI><A href="#apache1">Ports Installation</A></LI>
<LI><A href="#apache2">Making Certificates</A></LI>
<LI><A href="#apache3">Setting up SSL</A></LI>
<LI><A href="#apache4">Other Settings and Checking the Installation</A></LI>
</UL></LI>
<LI><A href="#opengate0">Opengate Installation</A>
<UL>
<LI><A href="#opengate1">Opengate Package</A></LI>
<LI><A href="#opengate2">Installation</A></LI>
<LI><A href="#opengate3">Setting up Config File</A></LI>
<LI><A href="#opengate4">Setting up IPFW</A></LI>
<LI><A href="#opengate5">Setting up Syslog</A></LI>
<LI><A href="#opengate6">Checking Behavior</A></LI>
<LI><A href="#opengate7">Modifying Pages</A></LI>
</UL></LI>
<LI><A href="#mrtg0">MRTG Installation (Optional)</A>
<UL>
<LI><A href="#mrtg1">Ports Installation</A></LI>
<LI><A href="#mrtg2">Setting up MRTG</A></LI>
<LI><A href="#mrtg3">Confirming MRTG Startup Operation</A></LI>
<LI><A href="#mrtg4">Registering to Crontab</A></LI>
</UL></LI>
<LI><A href="#rulechk">rulechk Installation (Optional)</A></LI>
</UL>
68 <P></P><!-- End:content table --><!-- Start:Outline -->
71 <H3><A href="#outline0" name=outline0>A Outline</A></H3>
73 <LI><A href="#outline1">System Configuration</A> </LI>
75 <LI><A href="#outline2">Installation Procedure</A> </LI>
78 <H4><!-- ************1************* -->
79 <A href="#outline1" name=outline1>A.1 System
80 Configuration</A></H4>
82 <LI>Gateway Machine </LI>
84 <LI>FreeBSD Ver 4.x, 5.x, 6.x or 7.x </LI>
85 <LI>Having two or more NICs </LI>
88 <P>In this document, we use the system configuration as follows. The
89 network connecting terminals is called "lower-side network" and
90 the network having servers is called "upper-side network".</P>
91 <TABLE CELLPADDING=2 CELLSPACING=2>
94 <PRE>upper-side network:192.168.0.0/24, 2001:1:2:3/64
95 Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4
96 Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1
97 lower-side network:192.168.1.0/24, 2001:5:6:7/64</PRE>
101 <P>Opengate recognizes both IPv4 and IPv6 addresses, and controls
102 both firewalls. It can be used for IPv4 control only if the FreeBSD
103 environment is not set up for IPv6.</P>
106 <H4><!-- ***********2************** -->
<A href="#outline2" name=outline2>A.2 Installation Procedure</A></H4>
109 <P>The following steps are necessary to complete the installation of
110 Opengate. <BR>Items marked with '*' are mandatory.</P>
112 <LI>FreeBSD Installation * </LI>
114 <LI>Adding the Firewall * </LI>
116 <LI>BIND9 Installation and Setup </LI>
118 <LI>DHCP Installation and Setup </LI>
120 <LI>Apache2 Installation and Setup *</LI>
122 <LI>Opengate Installation and Setup *</LI>
126 <H4><!-- ***********3************** -->
<A href="#outline3" name=outline3>A.3 Support Page</A></H4>
128 <P STYLE="MARGIN-BOTTOM: 0in">The Opengate support page can be
131 <TABLE CELLPADDING=2 CELLSPACING=2>
134 <PRE> http://www.cc.saga-u.ac.jp/opengate/index-e.html</PRE>
138 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#outline0">back</A> <A href="#top">top</A></P>
142 <!-- Start:FreeBSD Install-->
143 <H3><A href="#freebsd0" name=freebsd0>B FreeBSD Installation</A></H3>
145 <LI><A href="#freebsd1">Basic Installation</A> </LI>
146 <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>
147 <LI><A href="#freebsd3">Setting up IPv6</A> </LI>
151 <H4><!-- ************1************* -->
152 <A href="#freebsd1" name=freebsd1>B.1 Basic Installation</A></H4>
154 <P>Use FreeBSD4.x or later. FreeBSD6.1 or later is preferred. <BR>Choose
155 distribution "Developer (Full sources, binaries and doc)" or
156 "all" because we have to compile a custom kernel.</P>
157 <P>Add the following line to "/etc/rc.conf", to enable the
158 gateway function:</P>
159 <TABLE CELLPADDING=2 CELLSPACING=2>
162 <P><CODE>gateway_enable="YES"</CODE></P>
166 <P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>
169 <H4><!-- ************ 2 ************** --><A href="#freebsd2" name=freebsd2>B.2 Adding
170 NAT and Firewall</A></H4>
<P>Prepare the kernel to include IPFW and IP6FW functionality.</P>
172 <P>Copy the kernel configuration file:</P>
173 <TABLE CELLPADDING=2 CELLSPACING=2>
176 <PRE># cd /usr/src/sys/i386/conf
177 # cp GENERIC MYKERNEL</PRE>
181 <P>Add the following lines to the kernel configuration file:</P>
182 <P>A. FreeBSD6.0 or earlier</P>
183 <TABLE CELLPADDING=2 CELLSPACING=2>
186 <PRE>options IPDIVERT
189 options IPFIREWALL_FORWARD
190 options IPFIREWALL_VERBOSE
191 options IPFIREWALL_VERBOSE_LIMIT=100
194 options IPV6FIREWALL_VERBOSE
195 options IPV6FIREWALL_VERBOSE_LIMIT=100
199 options TCP_DROP_SYNFIN</PRE>
203 <P>B. FreeBSD6.1 or later</P>
204 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>options IPDIVERT
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100</PRE>
219 <P>compile and install the new kernel (incl. added support for IPFW
221 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE># make buildkernel KERNCONF=MYKERNEL
# make installkernel KERNCONF=MYKERNEL</PRE>
<P>This may fail on older FreeBSD releases. In that case, execute the following:</P>
230 <TABLE CELLPADDING=2 CELLSPACING=2>
232 <PRE># config MYKERNEL
233 # cd ../compile/MYKERNEL
239 <P>"make clean" might be requested before "make
242 <P>Add the following lines to "/etc/rc.conf":</P>
243 <P>a. FreeBSD6.0 or earlier</P>
244 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_type="open"
natd_enable="YES"
natd_interface="fxp1"</PRE>
260 <P>b. FreeBSD6.1 or later</P>
261 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"
natd_enable="YES"
natd_interface="fxp1"</PRE>
273 <P>When enabling IPFW (and IP6FW), make sure
274 to also set the firewall_type to 'OPEN', to prevent unpredictable
275 system behavior during installation. <BR>To enable NAT, set
276 natd_enable to 'YES' and define the natd interface (Upper-side
278 <P>Connect a client pc to the lower-side
279 network and check the IPv4 behavior.<BR>Since DHCP is not yet set up,
280 the client's network settings must be configured manually.</P>
281 <P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>
284 <H4><!-- ************ 3 ************** -->
285 <A href="#freebsd3" name=freebsd3>B.3 Setting up IPv6</A></H4>
286 <P>If you need IPv4 only, this section can
287 be skipped. <BR>Though explanation is omitted, many parameters, like
288 the ones used in the following sample, can be set in /etc/rc.conf.
289 <BR>It is advised to read up on IPv6 and carefully set up its
292 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>ipv6_network_interfaces="gif0 fxp0"
299 ##TUNNELLING INTERFACE
300 gif_interfaces="gif0"
301 gifconfig_gif0="192.168.0.124 192.168.0.126"
304 ipv6_prefix_fxp0="2001:5:6:7"
305 ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"
309 rtadvd_interfaces="fxp0"
312 ipv6_default_interface="gif0"
313 ipv6_defaultrouter="fe80::a:b:c:d%gif0"
316 ipv6_gateway_enable="YES"
317 ipv6_router_enable="YES"
318 ipv6_router="/usr/sbin/route6d"
319 ipv6_router_flags="-O 2001:5:6:7::/64,gif0"</PRE>
323 <P>Connect a client pc to the lower-side
324 network and check the behavior of IPv6.<BR>On a Windows pc, the
325 command "ipv6 install" might be needed to activate IPv6.</P>
<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#freebsd0">back</A> <A href="#top">top</A></P>
330 <H3><!-- Start:BIND9 Install --><A href="#bind0" name=bind0>C BIND9
331 Install(Optional)</A></H3>
333 <LI><A href="#bind1">Ports Install</A></LI>
334 <LI><A href="#bind2">Making RNDC Key</A></LI>
335 <LI><A href="#bind3">Setting up named.conf</A></LI>
<LI><A href="#bind4">Creating a Zone file</A> </LI>
337 <LI><A href="#bind5">Checking Behavior</A> </LI>
341 <H4><!-- ********** 1 *********** -->
342 <A href="#bind1" name=bind1>C.1 Ports Install</A></H4>
<P>You can skip the DNS settings if you control access by IP address
or use existing DNS servers.</P>
347 <P> Installing BIND9 from
349 Note: The "sysinstall" command can also be used.</P>
350 <TABLE CELLPADDING=2 CELLSPACING=2>
353 <PRE># cd /usr/ports/dns/bind9/
355 # make install clean ; rehash</PRE>
359 <P>During installation the directory "/etc/namedb
360 (/var/named/etc/namedb)" is created.</P>
361 <P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
364 <H4><!-- ********** 2 ********** -->
365 <A href="#bind2" name=bind2>C.2 Making RNDC key</A></H4>
<P>Use the "rndc" command to control BIND9 securely; it authenticates with the key created here.</P>
367 <P>Create the rndc key as follows:</P>
368 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE># cd /etc/namedb/
# rndc-confgen -b 512 > rndc.conf</PRE>
376 <P>This will generate the "rndc.conf" file.</P>
377 <TABLE CELLPADDING=2 CELLSPACING=2>
380 <PRE># Start of rndc.conf
383 secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
387 default-key "rndc-key";
388 default-server 127.0.0.1;
393 # Use with the following in named.conf, adjusting the allow list as needed:
395 # algorithm hmac-md5;
396 # secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
400 # inet 127.0.0.1 port 953
401 # allow { 127.0.0.1; } keys { "rndc-key"; };
403 # End of named.conf</PRE>
407 <P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
410 <H4><!-- ********* 3 ********* -->
411 <A href="#bind3" name=bind3>C.3 Setting up named.conf</A></H4>
<P>After installation, look for the
"/etc/namedb/named.conf" file and copy the second half of the
"rndc.conf" file (the commented named.conf part) into it, removing
the leading comment marks, and add the IPv6 configuration where required.</P>
416 <TABLE CELLPADDING=2 CELLSPACING=2>
419 <PRE># Use with the following in named.conf, adjusting the allow list as needed:
422 secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
426 inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
427 inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
429 # End of named.conf</PRE>
<P>For security reasons, it is better to put the "key"
directive in a separate file and include it from "named.conf".</P>
435 <P>Edit the "options" directive in "named.conf":</P>
436 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    listen-on-v6 { any; };
};</PRE>
<P>Create the "pid" directory ("/var/run/named") referenced above.</P>
449 <P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
452 <H4><!-- ******** 4 ********* -->
453 <A href="#bind4" name=bind4>C.4 Creating a Zone file</A></H4>
454 <P>Edit the "view" and "zone" directives in "named.conf".</P>
<P>The "view" directive is a BIND9 feature. For queries
from clients matching a view's match-clients list, BIND9 answers with
the information described in that "view".</P>
458 <TABLE CELLPADDING=2 CELLSPACING=2>
474 zone "og.saga-u.ac.jp" {
476 file "og.saga-u.ac.jp";
479 zone "0.0.127.IN-ADDR.ARPA" {
481 file "master/localhost.rev";
485 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
486 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
488 file "master/localhost-v6.rev";
491 // RFC 1886 -- deprecated
492 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
493 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
495 file "master/localhost-v6.rev";
<P><BR>Make a "zone" file for the domain "og.saga-u.ac.jp".
<BR>The domain name and IPv4/IPv6 addresses should be adjusted accordingly.
If you don't need IPv6, remove the line containing "AAAA ....".</P>
504 <TABLE CELLPADDING=2 CELLSPACING=2>
508 $ORIGIN og.saga-u.ac.jp.
510 @ IN SOA ns.og.saga-u.ac.jp. postmaster (
516 IN NS ns.og.saga-u.ac.jp.
518 IN MX 10 opengate.og.saga-u.ac.jp.
522 opengate IN A 192.168.1.1
523 AAAA 2001:5:6:7::1</PRE>
527 <P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
530 <H4><!-- ********* 5 ********* -->
531 <A href="#bind5" name=bind5>C.5 Checking Behavior</A></H4>
<P>Confirm that "named" starts after completing its
534 <TABLE CELLPADDING=2 CELLSPACING=2>
537 <PRE># /usr/local/sbin/named -u bind -c /etc/namedb/named.conf</PRE>
541 <P>If "named" starts without problems, add the following
542 lines to "/etc/rc.conf" to allow it to automatically start
544 <TABLE CELLPADDING=2 CELLSPACING=2>
547 <PRE>named_enable="YES"
548 named_program="/usr/local/sbin/named"
549 named_flags="-u bind -c /etc/namedb/named.conf"</PRE>
553 <P>Because the management of a DNS server
554 can be complicated, it is strongly advised to carefully read the
555 BIND9 manual, and/or consult other documentation.</P>
556 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#bind0">back</A> <A href="#top">top</A></P>
560 <H3><!-- Start:isc-dhcp3 Install -->
561 <A href="#dhcp0" name=dhcp0>D isc-dhcp3 Installation (Optional)</A></H3>
563 <LI><A href="#dhcp1">Ports Installation</A>
564 <LI><A href="#dhcp2">Setting up DHCP</A> </LI>
568 <H4><!-- *********** 1 ************* -->
569 <A href="#dhcp1" name=dhcp1>D.1 Ports Install</A></H4>
570 <P>If many client PCs are going to be
571 connected, using the DHCP service might be a desirable solution for
572 assigning IP addresses to these clients.</P>
573 <P>Installing isc-dhcp3 from ports:<BR>Note:
574 the "sysinstall" command can also be used.</P>
575 <TABLE CELLPADDING=2 CELLSPACING=2>
578 <PRE># cd /usr/ports/net/isc-dhcp3-server
580 # make install clean ; rehash</PRE>
584 <P ALIGN=right><A href="#dhcp0">back</A> <A href="#top">top</A></P>
587 <H4><!-- ************ 2 ************** -->
588 <A href="#dhcp2" name=dhcp2>D.2 Setting up DHCP</A></H4>
<P>The "/usr/local/etc/dhcpd.conf.sample"
configuration file is created during installation. <BR>Copy
"dhcpd.conf.sample" to "dhcpd.conf" and edit the
file. <BR><BR>The following is an example setup: <BR>The lease time
must be greater than the maximum usage duration (Duration/Max in
opengatesrv.conf).<BR>The domain name and IP addresses should be
597 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>option domain-name "og.saga-u.ac.jp";
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;

default-lease-time 86400;
max-lease-time 604800;
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
  range 192.168.1.10 192.168.1.250;
}</PRE>
617 <P>Add the following lines to "/etc/rc.conf" to allow it to
618 automatically start on boot up.</P>
619 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>dhcpd_enable="YES"
dhcpd_ifaces="fxp0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"</PRE>
628 <P>In this example, the value of
629 "dhcpd_ifaces" is the interface providing the DHCP service
630 <BR>(to the lower-side network).</P>
631 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#dhcp0">back</A> <A href="#top">top</A></P>
635 <H3><!-- Start:Apache2 Install--><A href="#apache0" name=apache0>E Apache2
636 Installation</A></H3>
638 <LI><A href="#apache1">Ports Installation</A> </LI>
639 <LI><A href="#apache2">Making Certificates</A> </LI>
640 <LI><A href="#apache3">Setting up SSL</A></LI>
641 <LI><A href="#apache4">Other Settings and Checking the installation</A> </LI>
<H4><!-- ************ 1 ************** --><A href="#apache1" name=apache1>E.1 Ports Installation</A></H4>
647 <P>When using IPv6, Opengate needs Apache2
648 to support IPv6. <BR>By default, Apache2 supports SSL which is
649 preferred for secure authentication.</P>
650 <P>Installing Apache2 from ports:<BR>Note:
651 The "sysinstall" command can also be used.</P>
652 <TABLE CELLPADDING=2 CELLSPACING=2>
655 <PRE># cd /usr/ports/www/apache22
657 # make install clean ; rehash</PRE>
661 <P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
664 <H4><!-- ************ 2 ************** --><A href="#apache2" name=apache2>E.2 Making
665 Certificates</A></H4>
666 <P>It is better to obtain a formal key from
667 some CA. But we will show you how to create a self-signed private key
670 <P>Creating a private key:</P>
671 <TABLE CELLPADDING=2 CELLSPACING=2>
674 <PRE># cd /usr/local/etc/apache22
675 # mkdir ssl.key ssl.crt
676 # chmod 700 ssl.key ssl.crt
678 # /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024</PRE>
682 <P><BR>Making a certificate from the created key:</P>
683 <TABLE CELLPADDING=2 CELLSPACING=2>
686 <PRE># /usr/bin/openssl req -new -x509 -days 365 \
687 -key /usr/local/etc/apache22/server.key \
688 -out /usr/local/etc/apache22/server.crt
690 You are about to be asked to enter information that will be incorporated
691 into your certificate request.
692 What you are about to enter is what is called a Distinguished Name or a DN.
693 There are quite a few fields but you can leave some blank
694 For some fields there will be a default value,
695 If you enter '.', the field will be left blank.
697 Country Name (2 letter code) [AU]:JP
698 State or Province Name (full name) [Some-State]:Saga
699 Locality Name (eg, city) []:Saga-city
700 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university
701 Organizational Unit Name (eg, subsection) []:Opengate Management
702 Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp
703 Email Address []:administrator@opengate.og.saga-u.ac.jp
705 Please enter the following 'extra' attributes
706 to be sent with your certificate request
707 A challenge password []:
708 An optional company name []:</PRE>
712 <P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
715 <H4><!-- ************ 3 ************** --><A href="#apache3" name=apache3>E.3
716 Setting up SSL</A></H4>
717 <P>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" as
718 shown in the following example:</P>
719 <TABLE CELLPADDING=2 CELLSPACING=2>
728 <PRE><VirtualHost _default_:443>
729 DocumentRoot "/usr/local/www/apache22/data"
730 ServerName opengate.og.saga-u.ac.jp:443
731 ServerAdmin administrator@opengate.og.saga-u.ac.jp
732 ErrorLog "|/usr/bin/logger -p local6.info"
733 CustomLog "|/usr/bin/logger -p local5.info" combined
736 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
737 SSLCertificateFile /usr/local/etc/apache22/server.crt
738 SSLCertificateKeyFile /usr/local/etc/apache22/server.key
739 </VirtualHost></PRE>
743 <P>Since Apache2 has many settings,
744 familiarize yourself with the Apache2 configuration options for
745 adequate control.</P>
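<P>The SSLCipherSuite line in the example above is the stock Apache default of its time, and its "+LOW:+SSLv2:+EXP:+eNULL" tail re-enables cipher classes an authentication gateway should not negotiate (eNULL is no encryption at all; EXP and LOW are export-grade and 40/56-bit suites). The following audit is an added example, not part of the Opengate or Apache documentation: it tokenises a cipher string, reports every weak class that is included rather than excluded with "!", and carries a hardened replacement. PAGE_LINE is the document's directive; HARDENED_LINE is a constructed replacement. Both should be validated with <CODE>openssl ciphers -v '&lt;string&gt;'</CODE> on the target machine, because the audit works on tokens and does not expand aliases such as ALL or HIGH.</P>

```sh
#!/bin/sh
# Added example, not from the Opengate or Apache documentation: a token-level
# audit of an Apache SSLCipherSuite directive. It does not expand aliases such
# as ALL or HIGH; confirm the final list with "openssl ciphers -v".

# cipher classes that must not be negotiable on an authentication gateway
WEAK_TOKENS="eNULL aNULL EXP EXPORT56 LOW SSLv2 RC4 DES MD5"

# cipher_tokens DIRECTIVE -> the ":"-separated tokens, one per line
cipher_tokens() {
    echo "$1" | sed 's/^[[:space:]]*SSLCipherSuite[[:space:]]*//' | tr ':' '\n'
}

# weak_tokens DIRECTIVE -> every weak class that the directive includes.
# "!X" removes X permanently and is fine; "+X" moves X back into the list;
# "A+B" (no leading "+") means suites in both A and B, so each part counts.
weak_tokens() {
    cipher_tokens "$1" | while read -r tok; do
        case $tok in
            !*) continue ;;
            +*) tok=${tok#+} ;;
        esac
        for part in $(echo "$tok" | tr '+' ' '); do
            for w in $WEAK_TOKENS; do
                [ "$part" = "$w" ] && echo "$part"
            done
        done
    done
}

# weak_count DIRECTIVE -> number of weak classes included
weak_count() { weak_tokens "$1" | wc -l | tr -d ' '; }

# Constructed inputs: the directive from the document's httpd-ssl.conf and a
# replacement that keeps only HIGH-strength suites and excludes the rest.
PAGE_LINE='SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL'
HARDENED_LINE='SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP:!LOW:!MD5:!RC4'
```

<P>Running <CODE>weak_tokens "$PAGE_LINE"</CODE> lists RC4, LOW, SSLv2, EXP and eNULL; the hardened line yields nothing. To audit a live file, feed it the matching line with <CODE>weak_tokens "$(grep '^[[:space:]]*SSLCipherSuite' /usr/local/etc/apache22/extra/httpd-ssl.conf)"</CODE>.</P>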
746 <P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
749 <H4><!-- ************ 4 ************** --><A href="#apache4" name=apache4>E.4 Other
750 Settings and Checking the Installation</A></H4>
751 <P>Edit "/usr/local/etc/apache22/httpd.conf" as follows:</P>
<P>Opengate should send back the
authentication page in response to any kind of HTTP request. <BR>To
do so, add the following line to httpd.conf: <BR> (the top page will
be sent back on an HTTP 404 [file not found] error).</P>
756 <TABLE CELLPADDING=2 CELLSPACING=2>
759 <PRE>ErrorDocument 404 /</PRE>
763 <P><BR>Add "ExecCGI" to allow executing CGI programs in the
764 cgi-bin directory.</P>
765 <TABLE CELLPADDING=2 CELLSPACING=2>
768 <PRE><Directory "/usr/local/www/cgi-bin">
772 </Directory></PRE>
<P>Remove the comment mark ("#") to
enable the following settings:</P>
779 <TABLE CELLPADDING=2 CELLSPACING=2>
782 <PRE>AddHandler cgi-script .cgi
783 AddHandler type-map .var</PRE>
787 <P>Add "index.html.var" to
790 <TABLE CELLPADDING=2 CELLSPACING=2>
793 <PRE>DirectoryIndex index.html.var index.html</PRE>
<P>Include the SSL configuration file:</P>
798 <TABLE CELLPADDING=2 CELLSPACING=2>
801 <PRE>Include etc/apache22/extra/httpd-ssl.conf</PRE>
807 <TABLE CELLPADDING=2 CELLSPACING=2>
810 <PRE>ServerName opengate.og.saga-u.ac.jp</PRE>
814 <P>Start Apache2 with "apachectl start"
815 and check for errors. <BR>If no errors are displayed, add the
816 following lines to "/etc/rc.conf" to allow Apache to start
818 <TABLE CELLPADDING=2 CELLSPACING=2>
821 <PRE>apache22_enable="YES"
822 apache22ssl_enable="YES"</PRE>
826 <P>If the system shows "Failed to
827 enable the 'httpready' Accept Filter", add the following to
828 /boot/loader.conf :</P>
829 <TABLE CELLPADDING=2 CELLSPACING=2>
832 <PRE>accf_http_load="YES"</PRE>
<P>Should the certificate require a PASSPHRASE, Apache will ask for it during
boot up.<BR> If you do not enter the passphrase (reboot due to
power outage, remote reboot, ...), this will prevent <BR> the server from starting Apache normally,
i.e. leaving you with a possible "crippled" server.</P>
<P>1. create a simple script containing the following:<BR>
<CODE>echo "&lt;passphrase goes here&gt;"</CODE><BR>
<BR>2. add the following to httpd.conf:<BR>
<CODE>SSLPassPhraseDialog exec:/path/to/above/script</CODE></P>
850 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#apache0">back</A> <A href="#top">top</A></P>
854 <H3><!-- Start:Opengate Install -->
855 <A href="#opengate0" name=opengate0>F Opengate Installation</A></H3>
857 <LI><A href="#opengate1">Opengate Package</A>
858 <LI><A href="#opengate2">Installation</A> </LI>
859 <LI><A href="#opengate3">Setting up Config File</A> </LI>
860 <LI><A href="#opengate4">Setting up IPFW</A> </LI>
861 <LI><A href="#opengate5">Setting up syslog</A> </LI>
862 <LI><A href="#opengate6">Checking Behavior</A> </LI>
863 <LI><A href="#opengate7">Modifying Pages</A> </LI>
867 <H4><!-- ************1************* -->
<A href="#opengate1" name=opengate1>F.1 Opengate Package</A></H4>
<P>Unpack the Opengate compressed file:</P>
872 <TABLE CELLPADDING=2 CELLSPACING=2>
875 <PRE># tar xzvf opengatexxxx.tar.gz</PRE>
879 <P>It contains the following directories:</P>
880 <TABLE CELLPADDING=2 CELLSPACING=2>
883 <PRE>doc: Documentation
884 conf: Configuration files and firewall control Perl script sample
885 javahtml: Client Java Programs and HTML files
886 opengatesrv: Server CGI programs
887 tools: Some related tools
888 ezxml: XML parser (Copyright Aaron Voisine)</PRE>
892 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
895 <H4><!-- ************2************* -->
896 <A href="#opengate2" name=opengate2>F.2 Installation</A></H4>
897 <P>Check the settings in "opengatesrv/Makefile" and modify
899 <TABLE CELLPADDING=2 CELLSPACING=2>
902 <PRE>HTMLTOP = /usr/local/www/apache22
905 OPENGATEDIR = /opengate
906 CONFIGPATH = /etc/opengate</PRE>
910 <P>Compile and Install:</P>
911 <TABLE CELLPADDING=2 CELLSPACING=2>
919 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
922 <H4><!-- ************ 3 ************** -->
923 <A href="#opengate3" name=opengate3>F.3 Setting up Config File</A></H4>
925 <P>Copy the sample configuration file
926 "/etc/opengate/opengatesrv.conf.sample" to
927 "/etc/opengate/opengatesrv.conf" and modify. <BR>The
928 following settings must be changed:</P>
929 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE> &lt;OpengateServerName&gt;opengate.og.saga-u.ac.jp&lt;/OpengateServerName&gt;
 &lt;AuthServer&gt;
   &lt;Protocol&gt;pop3s&lt;/Protocol&gt;
   &lt;Address&gt;192.168.0.2&lt;/Address&gt;
 &lt;/AuthServer&gt;</PRE>
<P>In &lt;OpengateServerName&gt;, set the
hostname (FQDN) or IP address of the Opengate gateway server. If you
want to use IPv6, you need to set an FQDN that resolves to both the IPv4
and the IPv6 address.</P>
<P>In &lt;AuthServer&gt;, set the
information for the authentication server. Opengate supports various
authentication protocols; see the config file for details. <BR>To
tell errors caused by the authentication server from those
caused by the Opengate server, try the following setting first. It
accepts any userid and password combination.</P>
951 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE> ****Do not use this setting in real service****
 &lt;AuthServer&gt;
   &lt;Protocol&gt;accept&lt;/Protocol&gt;
 &lt;/AuthServer&gt;</PRE>
<P>The config file is XML. "#" marks in
the file do not represent the start of a comment. <BR>Use
XML-formatted comments like &lt;!-- Comment String --&gt; to disable
<P>Opengate can select authentication settings by a user ID
given in the form "userid@extid". <BR>See the config file for
more details. <BR>With this function you can use different
authentication servers for different sections or for guests.</P>
969 <P>When the primary authentication server
970 does not reply, Opengate can resend the request to other
971 authentication servers. See the config file for more details.</P>
<P>Caution: Do not delete the IPv6 related
settings in the config file! <BR> IPv6 access becomes active once
an FQDN resolving to the IPv6 address has been prepared.</P>
976 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
979 <H4><!-- ************ 4 ************** -->
980 <A href="#opengate4" name=opengate4>F.4 Setting up IPFW</A></H4>
<P>Write IPFW rules for Opengate.</P>
983 <P>a. For FreeBSD6.0 or earlier</P>
<P>IPv4 and IPv6 rules are controlled by IPFW and IP6FW respectively.</P>
<P>Sample rule sets for both firewall
types are prepared as "/etc/opengate/rc.firewall4.sample"
and "/etc/opengate/rc.firewall6.sample".</P>
<P>Copy these scripts and modify them according to your needs.</P>
990 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE># cd /etc/opengate
# cp rc.firewall4.sample rc.firewall4
# cp rc.firewall6.sample rc.firewall6
# vi rc.firewall4
# vi rc.firewall6</PRE>
1001 <P>Modify the firewall settings in /etc/rc.conf as follows: <BR> Be
1002 careful not to lock yourself out of the system after reloading the
1004 <TABLE CELLPADDING=2 CELLSPACING=2>
1007 <PRE>firewall_enable="YES"
1008 firewall_script="/etc/opengate/rc.firewall4"
1010 ipv6_firewall_enable="YES"
1011 ipv6_firewall_script="/etc/opengate/rc.firewall6"</PRE>
<P>For IPv6 support, change the path in "/etc/opengate/opengatesrv.conf"
from &lt;Ip6fwPath&gt;/sbin/ipfw&lt;/Ip6fwPath&gt; to
&lt;Ip6fwPath&gt;/sbin/ip6fw&lt;/Ip6fwPath&gt;.</P>
1019 <P>b. For FreeBSD6.1 or later</P>
1020 <P>Both IPv4 and IPv6 packets are controlled by IPFW.</P>
1021 <P>A sample rule set for IPFW can be found in
1022 "/etc/opengate/rc.firewall.sample"</P>
<P>Copy the script and modify it to fit your needs. <BR> If you are
not familiar with IPv6, set the IPv6 addresses to localhost (*net6="0",
1026 <TABLE CELLPADDING=2 CELLSPACING=2>
1029 <PRE># cd /etc/opengate
1030 # cp rc.firewall.sample rc.firewall
1031 # vi rc.firewall</PRE>
1035 <P>Modify the firewall settings in /etc/rc.conf as follows:<BR> Be
1036 careful not to lock yourself out of the system after reloading the
1038 <TABLE CELLPADDING=2 CELLSPACING=2>
1041 <PRE>firewall_enable="YES"
1042 firewall_script="/etc/opengate/rc.firewall"</PRE>
1046 <P>Familiarise yourself with the "ipfw" command. <BR> The
1047 Opengate software sends out ipfw add/delete commands.</P>
1048 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
1051 <H4><!-- ************ 5 ************** -->
<A href="#opengate5" name=opengate5>F.5 Setting up Syslog</A></H4>
1054 <P>Edit /etc/syslog.conf to save log entries for Opengate.</P>
1055 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE># the selector and the action are separated by a TAB character
local1.*	/var/log/opengate.log</PRE>
1064 <P>Make the log file as follows: <BR> Consider using log rotation to
1065 control the size of this log file.</P>
1066 <TABLE CELLPADDING=2 CELLSPACING=2>
1069 <PRE># touch /var/log/opengate.log</PRE>
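<P>The tab between selector and action is the usual mistake in hand-edited syslog.conf files, and a line separated by spaces is silently ignored on older syslogd. The following script is an added example, not part of the Opengate documentation: it prints the entry above with a real tab and scans an existing syslog.conf for rule lines separated by spaces only. The local5 and local6 lines are an assumption: they catch what the "logger -p local5.info" and "logger -p local6.info" pipes in the httpd-ssl.conf of section E.3 send to syslog, and their file names are placeholders.</P>

```sh
#!/bin/sh
# Added example, not from the Opengate documentation. Emits the syslog.conf
# entries for Opengate with a real TAB between selector and action, and finds
# entries in an existing syslog.conf that use spaces instead.

# syslog_line SELECTOR ACTION -> "SELECTOR<TAB>ACTION"
syslog_line() { printf '%s\t%s\n' "$1" "$2"; }

# opengate_syslog_entries -> the lines to append to /etc/syslog.conf.
# local1 is the facility this section names; local5/local6 are what the
# E.3 httpd-ssl.conf passes to logger(1); the file names are placeholders.
opengate_syslog_entries() {
    syslog_line 'local1.*' /var/log/opengate.log
    syslog_line 'local5.*' /var/log/httpd-access.log
    syslog_line 'local6.*' /var/log/httpd-error.log
}

# space_separated_entries FILE -> prints rule lines without a TAB; true if none.
# Comment lines, blank lines and program/host selectors (!prog, +host, -host)
# are skipped because they legitimately contain no tab.
space_separated_entries() {
    tab=$(printf '\t')
    found=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
            grep -v '^[!+-]' | grep -v "$tab" || true)
    if [ -n "$found" ]; then
        echo "$found"
        return 1
    fi
    return 0
}
```

<P>Append the entries with <CODE>opengate_syslog_entries &gt;&gt; /etc/syslog.conf</CODE>, create the target files as shown above, and send syslogd a HUP so it reopens them; <CODE>space_separated_entries /etc/syslog.conf</CODE> then reports any rule that a tab-only syslogd would skip.</P>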
1073 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
1076 <H4><!-- ************ 6 ************** -->
<A href="#opengate6" name=opengate6>F.6 Checking Behavior</A></H4>
<P>Connect a PC to the lower-side network
and try to access a site in the upper-side network. <BR>If it does
not work properly, consult doc/progflow.html and doc/protocol.txt to
better understand the procedure. Also check the log files of
Opengate, httpd, the system and others. To get more information from
Opengate, set the &lt;Debug&gt; switch to "2" in
opengatesrv.conf. Also check that the related software is working. The
error checking document (errcheck.html) and the Q&amp;A documents
(qa.html, and recentqa.html on the web) can be used for problem solving.</P>
1088 <P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
1091 <H4><!-- ************ 7 ************** -->
<A href="#opengate7" name=opengate7>F.7 Modifying Pages</A></H4>
<P>If you want to modify the contents of the
web pages, edit the HTML files in the Opengate directories. Relative
paths cannot be used in httpkeep.html; use full URLs there. Strings
such as %%XXX%% are variables replaced by their proper values while
the CGI runs.</P>
1100 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#opengate0">back</A> <A href="#top">top</A></P>
1106 <H3><!-- Start:Install MRTG -->
<A href="#mrtg0" name=mrtg0>G MRTG Installation (Optional)</A></H3>
1109 <LI><A href="#mrtg1">Ports Installation</A> </LI>
1110 <LI><A href="#mrtg2">Setting up MRTG</A> </LI>
1111 <LI><A href="#mrtg3">Confirming proper startup</A> </LI>
1112 <LI><A href="#mrtg4">Setting up crontab</A> </LI>
1115 <H4><!-- ************ 1 ************** -->
1116 <A href="#mrtg1" name=mrtg1>G.1 Ports Installation</A></H4>
1118 <P>This section is optional. <BR> If you want to graphically
1119 monitor the state of Opengate, MRTG can be used but is not required.</P>
<P><A HREF="http://people.ee.ethz.ch/%7Eoetiker/webtools/mrtg/" TARGET="_blank">MRTG</A>
(Multi Router Traffic Grapher) is a system to monitor
network traffic. MRTG produces graphic images and HTML files.</P>
1124 <P>You can install MRTG on the gateway
1125 server or another server. If you need to monitor multiple Opengate
1126 systems, it is advised to install MRTG on a separate server.</P>
1127 <TABLE CELLPADDING=2 CELLSPACING=2>
1130 <PRE># cd /usr/ports/net-mgmt/mrtg/
1132 # make install clean ; rehash</PRE>
1136 <P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
1139 <H4><!-- ************ 2 ************** -->
1140 <A href="#mrtg2" name=mrtg2>G.2 Setting up MRTG</A></H4>
1142 "/usr/local/etc/mrtg/mrtg.cfg.sample" as the sample
1143 configuration file during installation. Copy mrtg.cfg.sample to
1144 opengate.cfg and edit the file:</P>
1145 <TABLE CELLPADDING=2 CELLSPACING=2>
1148 <PRE>##################################################
1149 # opengate user counter
1151 WorkDir: /usr/home/user/public_html/mrtg/opengate/
1154 Options[^]: growright,gauge,nopercent,integer
1156 Target[opengate]:`/usr/home/user/bin/input.sh`
1157 Title[opengate]: Opengate user counter
1159 PageTop[opengate]: <h1>Opengate user counter</h1>
1160 <p>Show the number of people using Opengate</p>
1163 MaxBytes[opengate]: 200
1166 YLegend[opengate]: Opengate User
1168 ShortLegend[opengate]: s
1169 # Title of graph LegendI: first line LegendO: second line
1170 LegendI[opengate]: IPv6 Users
1171 LegendO[opengate]: Total Users</PRE>
<P>Be sure to actually create the directory
you specified in "WorkDir": MRTG writes its graph
images and HTML files there.</P>
<P>"Target[opengate]" contains the
path to the program that hands its data to MRTG. <BR>(The scripts are
explained below.)</P>
1182 <H5>G.2.1 Scenario 1: Running MRTG on the gateway server</H5>
1183 <P>Create the shell script "/usr/home/user/bin/input.sh"
1184 with the following contents:</P>
1185 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>#!/bin/sh
#######################################
## show opengate status for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################
### IPv6 prefix assigned to Opengate clients
prefix="2001:2f8:22:801:"
### opengate process name
process="opengatesrv.cgi"
### temporary files
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"
######################################################
# list the Opengate server processes; "grep -v grep" drops the grep
# command itself, which would otherwise be counted as a user
ps ax | grep $process | grep -v grep > $tmp_all
COUNT=`wc -l $tmp_all | awk '{print $1}'`
grep $prefix $tmp_all > $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
# output in the order MRTG expects: in-value, out-value, uptime, name
echo $COUNT6
echo $COUNT
echo $UPTIME
echo "Opengate User Counter"</PRE>
1233 <P>Run this shell script as standalone and confirm that you can
1234 acquire the following data:</P>
1235 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>(number of IPv6 users)
(total number of users)
(uptime)
Opengate User Counter</PRE>
1245 <H5>G.2.2 Scenario 2: Running MRTG on a separate server</H5>
1246 <P>Create the shell script "/usr/home/user/bin/input.sh" on
1247 a separate server.</P>
1248 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>#!/bin/sh
#######################################
## input data for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################
### local copy of the data fetched from the gateway
file="/tmp/opengate.tmp"
# URL of output.sh at opengate
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"
# "&>" is a bash extension; in /bin/sh it would background the fetch,
# so redirect both streams the POSIX way and wait for fetch to finish
fetch -o $file $url > /dev/null 2>&1
# hand the four lines produced by output.sh to MRTG
cat $file</PRE>
<P STYLE="TEXT-INDENT: 0in">Create the shell script
"/usr/local/apache2/cgi-bin/output.sh" on the Opengate
(gateway) server; its URL is the value assigned to $url in the input.sh shown above.</P>
1279 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>#!/bin/sh
#######################################
## show opengate status for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################
### IPv6 prefix assigned to Opengate clients
prefix="2001:2f8:22:801:"
### opengate process name
process="opengatesrv.cgi"
### temporary files
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"
######################################################
# list the Opengate server processes; "grep -v grep" drops the grep
# command itself, which would otherwise be counted as a user
ps ax | grep $process | grep -v grep > $tmp_all
COUNT=`wc -l $tmp_all | awk '{print $1}'`
grep $prefix $tmp_all > $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
# CGI header, followed by the blank line that terminates the header block
echo "Content-type: text/plain; charset=iso-8859-1"
echo ""
echo $COUNT6
echo $COUNT
echo $UPTIME
echo "Opengate User Counter"</PRE>
<P>Run "input.sh" on the separate server and confirm that you
can acquire the following data:</P>
1331 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>(number of IPv6 users)
(total number of users)
(uptime)
Opengate User Counter</PRE>
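<P>The following is an added example, not a script from the Opengate distribution or from this page. It covers both scenarios above: it derives the four lines MRTG expects from a Target[opengate]:`...` script without writing fixed-name files under /tmp, and it checks the data that scenario 2 fetches from the gateway before that data is handed to MRTG. The process name and IPv6 prefix are taken from this page; the ps listing is constructed sample input and the function names are the example's own.</P>

```shell
#!/bin/sh
# Added example (not from the Opengate distribution or this page's scripts).
# Produces MRTG's four-line "external script" output from a ps listing,
# and validates a fetched copy of that output before MRTG graphs it.
# Assumed from the page: the process name and the clients' IPv6 prefix.

PROCESS="opengatesrv.cgi"
PREFIX="2001:2f8:22:801:"

# Constructed sample of "ps ax" output. The last line is the grep that
# "ps ax | grep" shows for itself; it must not be counted as a user.
SAMPLE_PS='  101  -  Ss   0:00.01 /usr/local/apache2/bin/httpd
  202  -  S    0:00.00 opengatesrv.cgi 2001:2f8:22:801:abcd::1
  203  -  S    0:00.00 opengatesrv.cgi 192.0.2.10
  204  -  S    0:00.00 opengatesrv.cgi 2001:2f8:22:801:ef01::2
  300  -  R+   0:00.00 grep opengatesrv.cgi'

# count_users: reads a ps listing on stdin, prints "<ipv6 users> <total users>".
# Everything stays in one pipeline, so no temp file is written.
count_users() {
    grep "$PROCESS" | grep -v grep | awk -v p="$PREFIX" '
        { total++ }
        index($0, p) > 0 { v6++ }
        END { printf "%d %d\n", v6 + 0, total + 0 }'
}

# uptime_string: same field extraction as the page's scripts, with a
# fallback so the output still has four lines if uptime is unavailable.
uptime_string() {
    u=$(uptime 2>/dev/null | awk '{print $3$4}' | sed -e 's/,//g')
    if [ -n "$u" ]; then printf '%s\n' "$u"; else printf 'unknown\n'; fi
}

# mrtg_lines V6 TOTAL UPTIME: emits in-value, out-value, uptime, name,
# which is the order MRTG's external-script interface requires.
mrtg_lines() {
    printf '%s\n%s\n%s\n%s\n' "$1" "$2" "$3" "Opengate User Counter"
}

# validate_mrtg_input FILE: succeed only if FILE has exactly four lines and
# the first two are non-negative integers. Scenario 2 fetches this data over
# HTTP; calling this before "cat $file" drops a truncated, error-page or
# otherwise malformed response instead of logging it as a data point.
validate_mrtg_input() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 4 ] || return 1
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        if [ "$n" -le 2 ]; then
            case $line in
                ''|*[!0-9]*) return 1 ;;
            esac
        fi
    done < "$1"
    return 0
}

# Demo: scenario 1 style run over the constructed listing (prints four lines).
set -- $(printf '%s\n' "$SAMPLE_PS" | count_users)
mrtg_lines "$1" "$2" "$(uptime_string)"
```

<P>On the gateway, piping the real "ps ax" into count_users replaces the two temp files of input.sh; on the separate server, running validate_mrtg_input on $file between the fetch and the cat means only well-formed counter data from the gateway's output.sh reaches MRTG's log.</P>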
1341 <P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
1343 <H4><!-- ************ 3 ************** -->
1344 <A href="#mrtg3" name=mrtg3>G.3 Confirming MRTG Startup Operation:</A></H4>
1346 <P>Use the following command to confirm MRTG is working with your
1348 <TABLE CELLPADDING=2 CELLSPACING=2>
1351 <PRE># /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
<P STYLE="TEXT-INDENT: 0in">Various WARNING messages are output on the
first and second run; this is normal behavior <BR>(as explained in
the MRTG documentation).<BR>Some files are created in "WorkDir":</P>
1358 <TABLE CELLPADDING=2 CELLSPACING=2>
<PRE>-rw-r--r-- 1 root wheel 538 12 14 04:40 mrtg-l.png
-rw-r--r-- 1 root wheel 414 12 14 04:40 mrtg-m.png
-rw-r--r-- 1 root wheel 1759 12 14 04:40 mrtg-r.png
-rw-r--r-- 1 root wheel 2941 12 20 15:15 opengate-day.png
-rw-r--r-- 1 root wheel 2146 12 20 14:35 opengate-month.png
-rw-r--r-- 1 root wheel 2867 12 20 14:55 opengate-week.png
-rw-r--r-- 1 root wheel 1897 12 20 05:00 opengate-year.png
-rw-r--r-- 1 root wheel 5961 12 20 15:15 opengate.html
-rw-r--r-- 1 root wheel 48786 12 20 15:15 opengate.log
-rw-r--r-- 1 root wheel 48784 12 20 15:10 opengate.old</PRE>
1375 <P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
1377 <H4><!-- ************ 4 ************** -->
1378 <A href="#mrtg4" name=mrtg4>G.4 Registering to Crontab</A></H4>
1380 <P>Add the following line to "/etc/crontab":</P>
1381 <TABLE CELLPADDING=2 CELLSPACING=2>
1384 <PRE>*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
1388 <P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
1391 <H3><!-- Start:Install rulechk -->
1392 <A href="#rulechk" name=rulechk>H rulechk Installation (Optional)</A></H3>
<P>This section is optional. <BR>When an
Opengate process does not exit normally, superfluous firewall rules may be
left behind. <BR>Though this is
very rare, the tools/rulechk script is provided to handle such situations. This
script compares the Opengate process list with the firewall rule list and
deletes the obsolete rules.<BR>This script works with Opengate Ver1.3.1 or above.</P>
1401 <P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#rulechk">back</A> <A href="#top">top</A></P>