[opengate/opengate.git] / opengate / doc / en / install.html

<html>\r
<head>\r
<title>Opegnate Install</title>\r
<meta http-equiv="content-type" content="text/html">\r
<link rel="stylesheet" type="text/css" media="screen" href="style.css">\r
</head>\r
\r
\r
<body bgcolor="#fafff0">\r
\r
<h2>Opengate Install Procedure<A class=anchor href="#top" name=top>\81õ</A></h2>\r
<!-- Start:content table -->\r
<ul>\r
        <li class="list_alpha"><A href="#outline0">Outline</A>\r
        <ul>\r
                <li class="list_num"><A href="#outline1">System Configuration</A></li>\r
                <li class="list_num"><A href="#outline2">Install Procedure</A></li>\r
                <li class="list_num"><A href="#outline3">Support Page</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#freebsd0">FreeBSD Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#freebsd1">Bssic Install</A></li>\r
                <li class="list_num"><A href="#freebsd2">Addition of NAT and Firewal</A></li>\r
                <li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#bind0">BIND9 Install(Optional)</A>\r
        <ul>\r
                <li class="list_num"><A href="#bind1">Ports Install</A></li>\r
                <li class="list_num"><A href="#bind2">Making RNDC Key</A></li>\r
                <li class="list_num"><A href="#bind3">Setup of named.conf</A></li>\r
                <li class="list_num"><A href="#bind4">Setup of Zone</A></li>\r
                <li class="list_num"><A href="#bind5">Checking Behavior</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#dhcp0">isc-dhcp3 Install(Optional)</A>\r
        <ul>\r
                <li class="list_num"><A href="#dhcp1">Ports Install</A></li>\r
                <li class="list_num"><A href="#dhcp2">Setup of DHCP</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#apache0">Apache2 Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#apache1">Ports Install</A></li>\r
                <li class="list_num"><A href="#apache2">Making Certificate</A></li>\r
                <li class="list_num"><A href="#apache3">Setup of VertualHost</A></li>\r
                <li class="list_num"><A href="#apache4">Other Setup and check</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#opengate0">Opengate Install</A>\r
        <ul>\r
                <li class="list_num"><A href="#opengate1">Opengate Package</A></li>\r
                <li class="list_num"><A href="#opengate2">Install</A></li>\r
                <li class="list_num"><A href="#opengate3">Setup of Config File</A></li>\r
                <li class="list_num"><A href="#opengate4">Setup of ipfw</A></li>\r
                <li class="list_num"><A href="#opengate5">Setup of ip6fw</A></li>\r
                <li class="list_num"><A href="#opengate6">Setup of syslog</A></li>\r
                <li class="list_num"><A href="#opengate6">Checking Behavior</A></li>\r
        </ul></li>\r
        <li class="list_alpha"><A href="#mrtg0">MRTG Install(Optional)</A>\r
        <ul>\r
                <li class="list_num"><A href="#mrtg1">Ports Install</A></li>\r
                <li class="list_num"><A href="#mrtg2">Setup</A></li>\r
                <li class="list_num"><A href="#mrtg3">Check Behavior</A></li>\r
                <li class="list_num"><A href="#mrtg4">Regist to Crontab</A></li>\r
        </ul></li>\r
    <li class="list_alpha"><A href="#rulechk">rulechk Install(Optional)</A>\r
        </li>\r
</ul>\r
\r
<!-- End:content table  -->\r
<hr>\r
<!-- Start:Outline -->\r
<h3>A&nbsp;Outline<A class=anchor href="#outline0" name=outline0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#outline1">System Configuration</A></li>\r
                <li class="list_num"><A href="#outline2">Install Procedure</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>A.1&nbsp;System Configuration<A class=anchor href="#outline1" name=outline1>\81õ</A></h4>\r
\r
<ul>\r
        <li>Gateway Machine \r
  \r
        <ul>\r
                <li>FreeBSD Ver 4.x, 5.x, or 6.x </li>\r
    \r
                <li>Having Two or more NICs</li>\r
        </ul> </li>\r
</ul>\r
\r
<p>In this document, we use the system configuration as follows. The network connecting terminals is called as lower-side network and the network having servers is called upper-side network.</p>\r
\r
\r
<table><tr><td><pre>\r
upper-side network:192.168.0.0/24, 2001:1:2:3/64\r
Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4\r
Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1\r
lower-side network:192.168.1.0/24, 2001:5:6:7/64\r
</pre></td></tr></table>\r
\r
<p>Opengate recognizes the both addresses of IPv4 and IPv6, and controles the both firewalls. It can be used for IPv4 control only under the FreeBSD system that does not set up IPv6 environments.</p>\r
\r
\r
<!-- ***********2************** -->\r
<h4>A.2&nbsp;Install Procedure<A class=anchor href="#outline2" name=outline2>\81õ</A></h4>\r
\r
<p>Following is the proceddure of Opengate. The '*'mark means the mandatory items.</p>\r
\r
<ul>  \r
        <li class="list_num">FreeBSD Install&nbsp;*</li>\r
        <li class="list_num">Addition of Firewall&nbsp;*</li>\r
        <li class="list_num">BIND9 Install and Setup</li>\r
        <li class="list_num">DHCP Install and Setup</li>\r
        <li class="list_num">Apache2 Install and Setup&nbsp;*</li>\r
        <li class="list_num">Opengate Install and Setup&nbsp;*</li></ul>\r
\r
\r
<!-- ***********3************** -->\r
<h4>A.2&nbsp;Support Page<A class=anchor href="#outline3" name=outline3>\81õ</A></h4>\r
\r
We prepare the Opengate support page as follows.\r
\r
<table><tr><td><pre>\r
  http://www.cc.saga-u.ac.jp/opengate/index-e.html\r
</pre></td></tr></table>\r
\r
\r
\r
<div align="right"><A href="#outline0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
<!-- Start:FreeBSD Install-->\r
<h3>B&nbsp;FreeBSD Install<A class=anchor href="#freebsd0" name=freebsd0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#freebsd1">Basic Install</A></li>\r
                <li class="list_num"><A href="#freebsd2">Addition of NAT and Firewall</A></li>\r
                <li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>B.1&nbsp;Basic Install<A class=anchor href="#freebsd1" name=freebsd1>\81õ</A></h4>\r
\r
<p>Use FreeBSD4.x or later. FreeBSD6.1 or later is desirable.  \r
Choose distribution Developer(Full sources, binaries and doc) or all, because we have to prepare a kernel.</p>\r
<p>Add next line to "/etc/rc.conf", because you enable the gateway function.</p>\r
\r
<table>\r
  <TR>\r
<td><code>gateway_enable="YES"</code></td></TR>\r
</table>\r
\r
<div align="right"><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
\r
<!-- ************ 2 ************** -->\r
<h4>B.2&nbsp;Addition of NAT and Firewall<A class=anchor href="#freebsd2" name=freebsd2>\81õ</A></h4>\r
\r
<p>Prepare kernel having ipfw and ip6fw functions.</p>\r
\r
<p>Copy kernel options file.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/src/sys/i386/conf\r
# cp GENERIC MYKERNEL\r
</pre></td></tr></table>\r
\r
<p>Add next lines to the kernel.</p>\r
\r
<p>(For FreeBSD6.0 or earlier)</p>\r
\r
<table><tr><td><pre>\r
options IPDIVERT\r
\r
options IPFIREWALL\r
options IPFIREWALL_FORWARD\r
options IPFIREWALL_VERBOSE\r
options IPFIREWALL_VERBOSE_LIMIT=100\r
\r
options IPV6FIREWALL\r
options IPV6FIREWALL_VERBOSE\r
options IPV6FIREWALL_VERBOSE_LIMIT=100\r
\r
options IPSEC\r
options IPSEC_ESP\r
options TCP_DROP_SYNFIN\r
</pre></td></tr></table>\r
\r
<p>(For FreeBSD6.1 or later)</p>\r
\r
<table><tr><td><pre>\r
options IPDIVERT\r
\r
options IPFIREWALL\r
options IPFIREWALL_FORWARD\r
options IPFIREWALL_VERBOSE\r
options IPFIREWALL_VERBOSE_LIMIT=100\r
\r
options IPSEC\r
device crypto\r
</pre></td></tr></table>\r
\r
\r
<p>compile and install kernel having ipfw (and ip6fw) supports.</p>\r
\r
\r
<table><tr><td><pre>\r
# config MYKERNEL\r
# cd ../compile/MYKERNEL\r
# make depend\r
# make\r
# make install\r
</pre></td></tr></table>\r
\r
<p>"make clean" might be requested before "make depend".</p>\r
\r
<p>Add next lines to "/etc/rc.conf".</p>\r
\r
<p>(For FreeBSD6.0 or earlier)</p>\r
\r
<table><tr><td><pre>\r
firewall_enable="YES"\r
firewall_script="/etc/rc.firewall"\r
firewall_type="open"\r
\r
ipv6_firewall_enable="YES"\r
ipv6_firewall_script="/etc/rc.firewall6"\r
ipv6_firewall_type="open"\r
\r
natd_enable="YES"\r
natd_interface="fxp1"\r
</pre></td></tr></table>\r
\r
<p>(For FreeBSD6.1 or later)</p>\r
<table><tr><td><pre>\r
firewall_enable="YES"\r
firewall_script="/etc/rc.firewall"\r
firewall_type="open"\r
\r
natd_enable="YES"\r
natd_interface="fxp1"\r
</pre></td></tr></table>\r
\r
<p>When setting the ipfw(and ip6fw) enable, be care to set the type 'OPEN' as to prevent mysteryous system behavior in installing procedure. For NAT, Enable natd and setup natd interface(Upper-side interface).</p>\r
\r
<p>Connect PC to the lower-side network and check the IPv4 behavior.</p>\r
\r
<p>As the DHCP does not setup yet, The PC network must be setup manually.</p>\r
\r
\r
\r
<div align="right"><A href="#freebsd0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 3 ************** -->\r
<h4>B.3&nbsp;Setup of IPv6<A class=anchor href="#freebsd3" name=freebsd3>\81õ</A></h4>\r
\r
<p>If you need IPv4 only, this section can be skipped. Though explanation is omitted, many pareameters like the following sample might be set in /etc/rc.conf. You must study about IPv6 and setup carefully. </p>\r
\r
<table><tr><td><pre>\r
##ENABLE IPv6\r
ipv6_enable="YES"\r
ipv6_network_interfaces="gif0 fxp0"\r
\r
##TUNNELLING INTERFACE\r
gif_interfaces="gif0"\r
gifconfig_gif0="192.168.0.124 192.168.0.126"\r
\r
##IPv6 ADDRESS \r
ipv6_prefix_fxp0="2001:5:6:7"\r
ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"\r
\r
##ADVERTISE\r
rtadvd_enable="YES"\r
rtadvd_interfaces="fxp0"\r
\r
##DEFAULT GATEWAY\r
ipv6_default_interface="gif0"\r
ipv6_defaultrouter="fe80::a:b:c:d%gif0"\r
\r
##ROUTING(RIPv6)\r
ipv6_gateway_enable="YES"\r
ipv6_router_enable="YES"\r
ipv6_router="/usr/sbin/route6d"\r
ipv6_router_flags="-O 2001:5:6:7::/64,gif0"\r
</pre></td></tr></table>\r
\r
<p>Connect a PC to the lower-side network and check the behavior of IPv6</p>\r
<p>In WindowsPC, a command "ipv6 install" might be needed to activate IPv6.</p>\r
\r
\r
<div align="right"><A href="#ipfw0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
\r
<!-- Start:BIND9 Install -->\r
<h3>C&nbsp;BIND9 Install(Optional)<A class=anchor href="#bind0" name=bind0>\81õ</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#bind1">Ports Install</A></li>\r
        <li class="list_num"><A href="#bind2">Making RNDC Key</A></li>\r
        <li class="list_num"><A href="#bind3">Setup of named.conf</A></li>\r
        <li class="list_num"><A href="#bind4">Setup of Zone</A></li>\r
        <li class="list_num"><A href="#bind5">Checking Behavior</A></li>\r
</ul>\r
\r
<!-- ********** 1 *********** -->\r
<h4>C.1&nbsp;Ports Install<A class=anchor href="#bind1" name=bind1>\81õ</A></h4>\r
\r
<p>You can ignore the DNS setting, if you control with IP address base or use existing DNS servers.</p>\r
\r
<p>Installing BIND9 from ports is as follows. The "sysinstall" command can also be used for installation.</p> \r
\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/dns/bind9/\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<p>The directory "/etc/namedb(/var/named/etc/namedb)" is made in the installation.</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********** 2 ********** -->\r
<h4>C.2&nbsp;Making RNDC key<A class=anchor href="#bind2" name=bind2>\81õ</A></h4>\r
\r
<p>For security, BIND9 is controlled by rndc command.</p>\r
\r
<p>Create the rndc key as follows.</p>\r
\r
<table><tr><td><pre>\r
# cd /etc/namebd/\r
# rndc-confgen -b 512 > rndc.conf\r
</pre></td></tr></table>\r
\r
<p>By the command, following "rndc.conf" file is generated.</p>\r
\r
<table><tr><td><pre>\r
# Start of rndc.conf\r
key "rndc-key" {\r
        algorithm hmac-md5;\r
        secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
};\r
\r
options {\r
        default-key "rndc-key";\r
        default-server 127.0.0.1;\r
        default-port 953;\r
};\r
# End of rndc.conf\r
\r
# Use with the following in named.conf, adjusting the allow list as needed:\r
# key "rndc-key" {\r
#       algorithm hmac-md5;\r
#       secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
# };\r
# \r
# controls {\r
#       inet 127.0.0.1 port 953\r
#               allow { 127.0.0.1; } keys { "rndc-key"; };\r
# };\r
# End of named.conf\r
</pre></td></tr></table>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********* 3 ********* -->\r
<h4>C.3&nbsp;Setup of named.conf<A class=anchor href="#bind3" name=bind3>\81õ</A></h4>\r
\r
<p>There is "/etc/namedb/named.conf" after installation.</p>\r
\r
<p>Copy later half of "rndc.conf" file, remove comment, and add IPv6 configuration(if required).</p>\r
\r
<table><tr><td><pre>\r
# Use with the following in named.conf, adjusting the allow list as needed:\r
key "rndc-key" {\r
        algorithm hmac-md5;\r
        secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
};\r
\r
controls {\r
        inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };\r
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };\r
};\r
# End of named.conf\r
</pre></td></tr></table>\r
\r
<p>For security, it is better to write the "key" directive in the other file.</p>\r
\r
<p>Edit "options" directive in "named.conf".</p>\r
\r
<table><tr><td><pre>\r
options {\r
        directory "/etc/namedb";\r
        pid-file "/var/run/named/pid";\r
        auth-nxdomain yes;\r
        listen-on-v6 { any; };\r
};\r
</pre></td></tr></table>\r
\r
<p>Make the corresponding directory to put "pid".</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ******** 4 ********* -->\r
<h4>C.4&nbsp;Setup of Zone<A class=anchor href="#bind4" name=bind4>\81õ</A></h4>\r
\r
<p>Edit "view" and "zone" directive in "named.conf".</p>\r
\r
<p>The "view" directive is implemented in BIND9.  Replying to the inquiry from matched-clients, BIND9 sends the information described in the corresponding view.</p>\r
\r
\r
\r
<table><tr><td><pre>\r
view "og" {\r
        match-clients\r
        {\r
        192.168.1.0/24;\r
        };\r
\r
        recursion yes;\r
\r
        zone "." {\r
                type hint;\r
                file "named.root";\r
        };\r
\r
        zone "og.saga-u.ac.jp" {\r
                type master;\r
                file "og.saga-u.ac.jp";\r
        };\r
\r
        zone "0.0.127.IN-ADDR.ARPA" {\r
                type master;\r
                file "master/localhost.rev";\r
        };\r
\r
        // RFC 3152\r
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {\r
                type master;\r
                file "master/localhost-v6.rev";\r
        };\r
\r
        // RFC 1886 -- deprecated\r
        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
              0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {\r
                type master;\r
                file "master/localhost-v6.rev";\r
        };\r
};\r
</pre></td></tr></table>\r
\r
<p>Make a "zone" file for the domain as "og.saga-u.ac.jp".  \r
The domain name and IPv4/6 addresses should be modified properly. \r
If you don't need IPv6, the line "AAAA ...." should be removed.</p>\r
\r
<table><tr><td><pre>\r
$TTL    3600\r
$ORIGIN og.saga-u.ac.jp.\r
\r
@       IN      SOA     ns.og.saga-u.ac.jp. postmaster (\r
                        2005051702 ;\r
                        3600\r
                        1200\r
                        2419200\r
                        86400 )\r
                IN      NS      ns.og.saga-u.ac.jp.\r
                IN      A       192.168.1.1\r
                IN      MX      10 opengate.og.saga-u.ac.jp.\r
\r
ns              IN      A       192.168.1.1\r
\r
opengate        IN      A       192.168.1.1\r
                        AAAA    2001:5:6:7::1\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ********* 5 ********* -->\r
<h4>C.5&nbsp;Checking Behavior<A class=anchor href="#bind5" name=bind5>\81õ</A></h4>\r
\r
<p>Confirm starting of "named" after setting was completed.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/sbin/named -u bind -c /etc/namedb/named.conf\r
</pre></td></tr></table>\r
\r
<p>If "named" starts without problems, Add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
<table><tr><td><pre>named_enable="YES"\r
named_program="/usr/local/sbin/named"\r
named_flags="-u bind -c /etc/namedb/named.conf"\r
</pre></td></tr></table>\r
\r
<p>Because the management of a DNS server is complicated, You need to read manual of BIND9 carefully, and refer other document.</p>\r
\r
\r
<div align="right"><A href="#bind0">back</A>&nbsp;<A href="#top">top</A></div>\r
<hr>\r
\r
<!-- Start:isc-dhcp3 Install -->\r
<h3>D&nbsp;isc-dhcp3 Install(Optional)<A class=anchor href="#dhcp0" name=dhcp0>\81õ</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#dhcp1">Ports Install</A></li>\r
        <li class="list_num"><A href="#dhcp2">Setting of DHCP</A></li>\r
</ul>\r
\r
<!-- *********** 1 ************* -->\r
<h4>D.1&nbsp;Ports Install<A class=anchor href="#dhcp1" name=dhcp1>\81õ</A></h4>\r
\r
<p>Many client PCs are connected.  Thus the DHCP might be a desireble solution for assginment of IP addresses to these clients.</p>\r
\r
<p>Installing isc-dhcp3 from ports is as follows. The "sysinstall" command can also be used for intallation.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/net/isc-dhcp3-server\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 2 ************** -->\r
<h4>D.2&nbsp;Setup of DHCP<A class=anchor href="#dhcp2" name=dhcp2>\81õ</A></h4>\r
\r
<p>There is a configuration file "/usr/local/etc/dhcpd.conf.sample" after instalation. Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit the file. Following is an example setup. The lease time must be greater than the maximum usage duration (Duration/Max in opengatesrv.conf).</p>\r
<p>The domain name and IP addresses should be modified. </p>\r
\r
<table><tr><td><pre>\r
option domain-name "og.saga-u.ac.jp";\r
option domain-name-servers 192.168.1.1;\r
option subnet-mask 255.255.255.0;\r
option broadcast-address 192.168.1.255;\r
option routers 192.168.1.1;\r
\r
default-lease-time 86400;\r
max-lease-time 604800;\r
ddns-update-style none;\r
log-facility local7;\r
\r
subnet 192.168.55.0 netmask 255.255.255.0 {\r
  range 192.168.1.10 192.168.1.250;\r
}\r
</pre></td></tr></table>\r
\r
<p>Add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
<table><tr><td><pre>\r
dhcpd_enable="YES"\r
dhcpd_ifaces="fxp0"\r
dhcpd_conf="/usr/local/etc/dhcpd.conf"\r
</pre></td></tr></table>\r
\r
<p>In this description, the value of "dhcpd_ifaces" is the interface for DHCP service(the lower-side network).</p>\r
\r
<div align="right"><A href="#dhcp0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
<!-- Start:Apache2 Install-->\r
<h3>E&nbsp;Apache2 Install<A class=anchor href="#apache0" name=apache0>\81õ</A></h3>\r
<ul>\r
        <li class="list_num"><A href="#apache1">Ports Install</A></li>\r
        <li class="list_num"><A href="#apache2">Making Certificate</A></li>\r
        <li class="list_num"><A href="#apache3">Setup SSL</A></li>\r
        <li class="list_num"><A href="#apache4">Other Setting and Checking</A></li>\r
</ul>\r
\r
<!-- ************ 1 ************** -->\r
<h4>E.1&nbsp;Ports Install<A class=anchor href="#apache1" name=apache1>\81õ</A></h4>\r
\r
<p>When using IPv6 function, Opengate needs Apache2 supporting IPv6. In default, Apache2 supports SSL which is desirable for secure authentication.</p>\r
\r
\r
<p>Installing Apache2 from ports is as follows. The "sysinstall" command can also be used for installation.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/www/apache22\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 2 ************** -->\r
<h4>E.2&nbsp;Making Certificate<A class=anchor href="#apache2" name=apache2>\81õ</A></h4>\r
\r
<p>It is better to obtain a formal key from some CA. But we shows the procedure to make a self-signed private key and certificate. </p>\r
\r
\r
<p>Make a private key as follows.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/local/etc/apache22\r
# mkdir ssl.key ssl.crt\r
# chmod 700 ssl.key ssl.crt\r
\r
# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024\r
</pre></td></tr></table>\r
\r
<p>Make a certificate from the key as follows.</p>\r
\r
<table><tr><td><pre>\r
# /usr/bin/openssl req -new -x509 -days 365 \\r
    -key /usr/local/etc/apache22/server.key \\r
    -out /usr/local/etc/apache22/server.crt\r
\r
You are about to be asked to enter information that will be incorporated\r
into your certificate request.\r
What you are about to enter is what is called a Distinguished Name or a DN.\r
There are quite a few fields but you can leave some blank\r
For some fields there will be a default value,\r
If you enter '.', the field will be left blank.\r
-----\r
Country Name (2 letter code) [AU]:JP\r
State or Province Name (full name) [Some-State]:Saga\r
Locality Name (eg, city) []:Saga-city\r
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university\r
Organizational Unit Name (eg, subsection) []:Opengate Management\r
Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp\r
Email Address []:administrator@opengate.og.saga-u.ac.jp\r
\r
Please enter the following 'extra' attributes\r
to be sent with your certificate request\r
A challenge password []:\r
An optional company name []:\r
\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 4 ************** -->\r
<h4>E.4&nbsp Setup of SSL<A class=anchor href="#apache3" name=apache3>\81õ</A></h4>\r
\r
\r
<p>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" like the following example.</p>\r
\r
<table><tr><td>ssl.conf\r
</td></tr><tr><td><pre>\r
&lt;VirtualHost _default_:443&gt;\r
    DocumentRoot "/usr/local/www/apache22/data"\r
    ServerName opengate.og.saga-u.ac.jp:443\r
    ServerAdmin administrator@opengate.og.saga-u.ac.jp\r
    ErrorLog "|/usr/bin/logger -p local6.info"\r
    CustomLog "|/usr/bin/logger -p local5.info" combined\r
\r
    SSLEngine on\r
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\r
    SSLCertificateFile /usr/local/etc/apache22/server.crt\r
    SSLCertificateKeyFile /usr/local/etc/apache22/server.key\r
&lt;/VirtualHost&gt;\r
</pre></td></tr></table>\r
\r
<p>As Apache2 has many settings, be familiar with Apache2 configuration for adequate control.</p>\r
\r
\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 5 ************** -->\r
<h4>E.5&nbsp;Other Setting and Checking<A class=anchor href="#apache4" name=apache4>\81õ</A></h4>\r
\r
<p>Edit "/usr/local/etc/apache22/httpd.conf" as follows.</p>\r
\r
<p>Opengate send back the authentication page for any kind of HTTP request. To do so, add next line to httpd.conf. This means that the top page is sent back at HTTP_ERROR 404(file not found) error.</p>\r
\r
\r
\r
<table><tr><td><pre>\r
ErrorDocument 404 /\r
</pre></td></tr></table>\r
\r
<p>Add ExecCGI to execute CGI program in cgi-bin directory.</p>\r
<table><tr><td><pre>\r
&lt;Directory "/usr/local/www/cgi-bin"&gt;\r
    ...\r
    Options ExecCGI\r
    ...\r
&lt;/Directory&gt;\r
</pre></td></tr></table>\r
\r
<p>\r
Remove the comment mark to enable the following setting\r
<table><tr><td><pre>\r
AddHandler cgi-script .cgi\r
AddHandler type-map .var\r
</pre></td></tr></table>\r
</p>\r
\r
<p>\r
Add "index.html.var" into DirectoryIndex.\r
<table><tr><td><pre>\r
DirectoryIndex index.html.var index.html\r
</pre></td></tr></table>\r
</p>\r
\r
<p>\r
Include ssl conf file.\r
<table><tr><td><pre>\r
Include etc/apache22/extra/httpd-ssl.conf\r
</pre></td></tr></table>\r
</p>\r
\r
<p>\r
Set Server name.\r
<table><tr><td><pre>\r
ServerName opengate.og.saga-u.ac.jp\r
</pre></td></tr></table>\r
</p>\r
\r
<p>Start Apache2 with "apachectl start" and check the normal action. \r
Then add next lines to "/etc/rc.conf" for auto start.</p>\r
\r
<table><tr><td><pre>\r
apache22_enable="YES"\r
apache22ssl_enable="YES"\r
</pre></td></tr></table>\r
\r
<p>\r
If the system shows "Failed to enable the 'httpready' Accept Filter",\r
add following into /boot/loader.conf\r
<table><tr><td><pre>\r
accf_http_load="YES"\r
</pre></td></tr></table>\r
</p>\r
\r
<div align="right"><A href="#apache0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<hr>\r
\r
<!-- Start:Opengate Install -->\r
<h3>F&nbsp;Opengate Install<A class=anchor href="#opengate0" name=opengate0>\81õ</A></h3>\r
\r
        <ul>\r
                <li class="list_num"><A href="#opengate1">Opengate Package</A></li>\r
                <li class="list_num"><A href="#opengate2">Install</A></li>\r
                <li class="list_num"><A href="#opengate3">Setup of Config File</A></li>\r
                <li class="list_num"><A href="#opengate4">Setup of ipfw</A></li>\r
                <li class="list_num"><A href="#opengate5">Setup of ip6fw</A></li>\r
                <li class="list_num"><A href="#opengate6">Setup of syslog</A></li>\r
                <li class="list_num"><A href="#opengate7">Checking Behavior</A></li>\r
        </ul>\r
        \r
<!-- ************1************* -->\r
<h4>F.1&nbsp;Opengate Package<A class=anchor href="#opengate1" name=opengate1>\81õ</A></h4>\r
\r
<p>Unfold the package of Opengate. </p>\r
\r
<table><tr><td><pre>\r
# tar xzvf opengatexxxx.tar.gz\r
</pre></td></tr></table>\r
\r
<p>It have following directorys.</p>\r
\r
<table>\r
<tr><td><pre>\r
doc: Documentations\r
conf: Configuration file and firewall control perl script sample\r
javahtml: Client Java Programs and  HTML files\r
opengatesrv: Server CGI programs\r
tools: Some related tools\r
ezxml: XML parser (Copyright Aaron Voisine)\r
</pre>\r
</td></tr>\r
</table>\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************2************* -->\r
\r
<h4>F.2&nbsp;Install<A class=anchor href="#opengate2" name=opengate2>\81õ</A></h4>\r
\r
<p>Check setting in "opengatesrv/Makefile" and modify properly.</p>\r
\r
<table>\r
<tr><td><pre>\r
HTMLTOP = /usr/local/www/apache22\r
DOCDIR = /data\r
CGIDIR = /cgi-bin\r
OPENGATEDIR = /opengate\r
CONFIGPATH = /etc/opengate\r
</pre>\r
</td></tr>\r
</table>\r
\r
<p>Compile and Install.</p>\r
\r
<table><tr><td><pre>\r
# make clean\r
# make install\r
</pre></td></tr></table>\r
\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 3 ************** -->\r
<h4>F.3&nbsp;Setup of Config File<A class=anchor href="#opengate3" name=opengate3>\81õ</A></h4>\r
\r
\r
<p>Copy sample config file "/etc/opengate/opengatesrv.conf.sample" to "/etc/opengate/opengatesrv.conf" and modify. Following settings must be changed.</p>\r
\r
<table><tr><td><pre>\r
        &lt;OpengateServerName&gt;opengate.og.saga-u.ac.jp&lt;/OpengateServerName&gt;\r
\r
        &lt;AuthServer&gt;\r
                &lt;Protocol&gt;pop3s&lt;/Protocol&gt;\r
                &lt;Address&gt;192.168.0.2&lt;/Address&gt;\r
        &lt;/AuthServer&gt;\r
</pre></td></tr></table>\r
\r
<p>In &lt;OpengateServerName&gt;, set HOSTNAME(FQDN) or IP address of opengate gateway server. If you \r
want to use IPv6 function, you need to set FQDN corresponding to IPv4 and IPv6 both addresses.</p>\r
<p>In &lt;AuthServer&gt;, set the information of authentication server.  Opengate support various auth protocols. See the config file for details.  To separate the problem between auth server and opengate server, try the following setting firstly. This means that any userid and password are accepted.</p>\r
\r
\r
<table><tr><td><pre>\r
 ****Do not use this setting in real service****\r
        &lt;AuthServer&gt;\r
                &lt;Protocol&gt;accept&lt;/Protocol&gt; \r
        &lt;AuthServer&gt;\r
</pre></td></tr></table>\r
\r
<p>The config file is XML form.  The # mark in the file does not mean the start of a comment. Use XML-formed comment as &lt;!-- Comment String --&gt; to disable description.</p>\r
\r
<p>Opengate can switch auth setting with "userid@extid" pattern. See the config file for details. By this function, you can divide the authentication servers for many sections or guests.</P>\r
\r
<p>When default auth server is not replied, Opengate can re-request to other auth servers. See the config file for details.</P>\r
\r
<p>Caution: Do not delete the IPv6 related setting in config file.  The IPv6 access is executed when the FQDN for IPv6 is prepared.</P>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 4 ************** -->\r
<h4>F.4&nbsp;Setup of ipfw<A class=anchor href="#opengate4" name=opengate4>\81õ</A></h4>\r
\r
<p>Write ipfw rules for Opengate. \r
\r
\r
<p>(For FreeBSD6.0 or earlier)</p>\r
\r
<p>IPv4 packets are controlled by ipfw, and IPv6 packets by ip6fw.</p>\r
<p>Sample setup scripts for both commands are prepared as "/etc/opengate/rc.firewall4.sample" and "/etc/opengate/rc.firewall6.sample"</p>\r
<p>Copy these script and modify properly.</p>\r
\r
<table><tr><td><pre>\r
# cd /etc/opengate\r
# cp rc.firewall4.sample rc.firewall4\r
# cp rc.firewall6.sample rc.firewall6\r
# vi rc.firewall4\r
# vi rc.firewall6\r
</pre></td></tr></table>\r
\r
<p>Modify firewall setting in /erc/rc.conf as follows. Be care that accesses after this setting might be denied by the firewall.</p>\r
\r
<table><tr><td><pre>\r
firewall_enable="YES"\r
firewall_script="/etc/opengate/rc.firewall4"\r
\r
ipv6_firewall_enable="YES"\r
ipv6_firewall_script="/etc/opengate/rc.firewall6"\r
</pre></td></tr></table>\r
\r
<p>Then modify "/etc/opengatesrv.conf" from &lt;Ip6fwPath&gt;/sbin/ipfw&lt;/Ip6fwPath&gt; to &lt;Ip6fwPath&gt;/sbin/ip6fw&lt;/Ip6fwPath&gt; </p>\r
\r
\r
<p>(For FreeBSD6.1 or later)</p>\r
\r
<p>Both of IPv4 and IPv6 packets are controlled by ipfw.</p>\r
<p>Sample setup scripts for the system are prepared as "/etc/opengate/rc.firewall.sample"</p>\r
<p>Copy the script and modify properly. If you don't know IPv6, set IPv6 addresses as localhost(*net6="0", *ip6="::1").</p>\r
\r
<table><tr><td><pre>\r
# cd /etc/opengate\r
# cp rc.firewall.sample rc.firewall\r
# vi rc.virewall\r
</pre></td></tr></table>\r
\r
<p>Modify firewall setting in /erc/rc.conf as follows. Be care that accesses after this setting might be denied by the firewall.</p>\r
\r
<table><tr><td><pre>\r
firewall_enable="YES"\r
firewall_script="/etc/opengate/rc.firewall"\r
</pre></td></tr></table>\r
\r
\r
<p>Be familiar with the ipfw command. Opengate is a software to send out ipfw add/delete command.</p>\r
\r
<p>Opengate adds/removes the allow rule (rule number:10000-40000) for the authenticated terminals.  And the forward rule is exists in less priority position(rule number:60000) in the initial setting.  Thus the packets for authenticated terminals pass the gateway, and the Web access from other terminals results the authentication page.\r
</p>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 5 ************** -->\r
<h4>F.5&nbsp;Setup of syslog<A class=anchor href="#opengate5" name=opengate5>\81õ</A></h4>\r
\r
<p>Edit /etc/syslog.conf to save log file for Opengate.</p>\r
\r
<table><tr><td><pre>\r
         | Separeted by TAB code\r
         V\r
local1.*   /var/log/opengate.log\r
</pre></td></tr></table>\r
\r
<p>Make the log file as follows. Be care to control the size of this log file.</p>\r
\r
<table><tr><td><pre>\r
# touch /var/log/opengate.log\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 6 ************** -->\r
<h4>F.6&nbsp;Checking Behavior<A class=anchor href="#opengate6" name=opengate6>\81õ</A></h4>\r
\r
<p>Connect a PC to the lower-side network and access to a site in the upper-side network. If it does not work properly, refer doc/progflow.html and doc/protocol.txt to understand the procedure. And see the log file for Opengate, httpd, system and others. To dump more information from Opengate, set the &lt;Debug&gt; switch "2" in opengatesrv.conf. Check also the functions of related software. The error checking document(errcheck.html) and Q and A document (qa.html, recentqa.html in web) might be used for problem solving.</p>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 7 ************** -->\r
<h4>F.7&nbsp;Modification of Pages<A class=anchor href="#opengate7" name=opengate7>\81õ</A></h4>\r
\r
<p>\r
If you want to modify the contents of web pages, edit the html files in Opengate directories. The relative path cannot use in httpkeep.html. Use the URL of full description. The descriptions such as %%XXX%% are variables replaced with some proper values in CGI. </p>\r
\r
<div align="right"><A href="#opengate0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<hr>\r
<!-- Start:Install MRTG -->\r
<h3>G&nbsp;MRTG Install(Optional)<A class=anchor href="#mrtg0" name=mrtg0>&dagger;</A></h3>\r
\r
<ul>\r
        <li class="list_num"><A href="#mrtg1">Install (ports)</A></li>\r
        <li class="list_num"><A href="#mrtg2">Setup MRTG</A></li>\r
        <li class="list_num"><A href="#mrtg3">Start confirmation</A></li>\r
        <li class="list_num"><A href="#mrtg4">Setup crontab</A></li>\r
</ul>\r
\r
<!-- ************ 1 ************** -->\r
<h4>G.1&nbsp;Ports Install<A class=anchor href="#mrtg1" name=mrtg1>&dagger;</A></h4>\r
\r
<p>This is optional.  When you want to watch the state of Opengate, MRTG can be used but is not required usually.</p>\r
\r
<p><a href="http://people.ee.ethz.ch/~oetiker/webtools/mrtg/" target="_blank">MRTG</a>(Multi Router Traffic Grapher) is system to watch network traffic. \r
MRTG makes graphic images and HTML files. </p>\r
\r
<p>You can install MRTG to gateway server or another server. If you must watch plural Opengate, you \r
had better install MRTG to another server.</p>\r
\r
<table><tr><td><pre>\r
# cd /usr/ports/net-mgmt/mrtg/\r
# make clean\r
# make install clean ; rehash\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div><!-- ************ 2 ************** -->\r
<h4>G.2&nbsp;Setup of MRTG<A class=anchor href="#mrtg2" name=mrtg2>&dagger;</A></h4>\r
\r
<p>There is "/usr/local/etc/mrtg/mrtg.cfg.sample" as configuration file after instalation. \r
Copy mrtg.cfg.sample to opengate.cfg and edit configuration file.</p>\r
\r
<table><tr><td><pre>\r
##################################################\r
#  opengate user counter\r
\r
WorkDir: /usr/home/user/public_html/mrtg/opengate/\r
\r
##### Options\r
Options[^]: growright,gauge,nopercent,integer\r
\r
Target[opengate]:`/usr/home/user/bin/input.sh`\r
Title[opengate]: Opengate user counter\r
\r
PageTop[opengate]: &lt;h1&gt;Opengate user counter&lt;/h1&gt;\r
 &lt;p&gt;Show the number of people using Opengate&lt;/p&gt;\r
\r
# Max Number\r
MaxBytes[opengate]: 200\r
\r
# Title of Y axis\r
YLegend[opengate]: Opengate User\r
# unit\r
ShortLegend[opengate]: s\r
# Title of graph LegendI: first line LegendO: second line\r
LegendI[opengate]: IPv6 Users\r
LegendO[opengate]: Total Users\r
</pre></td></tr></table>\r
\r
<p>make a directory which you appointed in "WorkDir". MRTG makes graphic images and HTML files in WorkDir.</p>\r
\r
<p>"Target[opengate]" is path to program to hand data to MRTG. explain below th details.</p>\r
\r
\r
\r
<h5>G.2.1&nbsp;Case of gateway server<A class=anchor href="#mrtg21" name=mrtg21>&dagger;</A></h5>\r
\r
<p>Put this shellscript as "/usr/home/user/bin/input.sh".</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## show opengate status for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
LANG=C\r
COLUMNS=256\r
\r
export LANG\r
export COLUMNS\r
\r
### IPv6 prefix\r
prefix="2001:2f8:22:801:"\r
###opengateprocessname\r
process="opengatesrv.cgi" \r
\r
###tmp file  name\r
tmp_all="/tmp/og_count_all.tmp"\r
tmp_6="/tmp/og_count_6.tmp"\r
\r
######################################################\r
psax | grep $process &gt; $tmp_all\r
COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
grep $prefix $tmp_all &gt;  $tmp_6\r
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
\r
rm $tmp_all\r
rm $tmp_6\r
\r
echo "$COUNT6"\r
echo "$COUNT"\r
echo "$UPTIME"\r
echo "Opengate User Counter"\r
</pre></td></tr></table>\r
\r
<p>carry out this shell script alone and confirm that you can acquire the following data.</p>\r
\r
<table><tr><td><pre>5\r
48\r
10days\r
Opengate User Counter\r
</pre></td></tr></table>\r
\r
\r
<h5>G.2.2&nbsp;Case of another server<A class=anchor href="#mrtg22" name=mrtg22>&dagger;</A></h5>\r
\r
<p>Put this shellscript as "/usr/home/user/bin/input.sh" on another server.</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## input data for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
# tmp file name\r
file="/tmp/opengate.tmp"\r
\r
# URL of output.sh at opengate\r
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"\r
\r
fetch -o $file $url &amp;&gt; /dev/null\r
\r
more $file\r
</pre></td></tr></table>\r
\r
<p>Put this shell script as "/usr/local/apache2/cgi-bin/output.sh" on Opengate server. \r
And set this URL to $url in script explained by the above.</p>\r
\r
<table><tr><td><pre>\r
#!/bin/sh\r
\r
#######################################\r
##\r
## show opengate status for MRTG\r
##\r
##   1 line : IPv6 Users\r
##   2 line : Total Users\r
##   3 line : uptime\r
##   4 line : comment for data\r
##\r
#######################################\r
\r
LANG=C\r
COLUMNS=256\r
\r
export LANG\r
export COLUMNS\r
\r
### IPv6 prefix\r
prefix="2001:2f8:22:801:"\r
###opengateprocessname\r
process="opengatesrv.cgi" \r
\r
###tmp file name\r
tmp_all="/tmp/og_count_all.tmp"\r
tmp_6="/tmp/og_count_6.tmp"\r
\r
######################################################\r
psax | grep $process &gt; $tmp_all \r
COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
grep $prefix $tmp_all &gt;  $tmp_6\r
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
rm $tmp_all\r
rm $tmp_6\r
\r
echo "Content-type: text/plain; charset=iso-8859-1"\r
echo\r
\r
echo "$COUNT6"\r
echo "$COUNT"\r
echo "$UPTIME"\r
echo "Opengate User Counter"\r
</pre></td></tr></table>\r
\r
<p>carry out "input.sh" shell script on another server and confirm that you can acquire the following data.</p>\r
\r
<table><tr><td><pre>5\r
48\r
10days\r
Opengate User Counter\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div><!-- ************ 3 ************** -->\r
<h4>G.3&nbsp;Start confirmation<A class=anchor href="#mrtg3" name=mrtg3>&dagger;</A></h4>\r
\r
<p>Confirm after setting was completed.</p>\r
\r
<table><tr><td><pre>\r
# /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg\r
</pre></td></tr></table>\r
\r
<p>Various WARNING is output the first and second time.</p>\r
\r
<p>There is some files in "WorkDir".</p>\r
\r
<table><tr><td><pre>&gt; ls -l\r
-rw-r--r--  1 root  wheel    538 12 14 04:40 mrtg-l.png\r
-rw-r--r--  1 root  wheel    414 12 14 04:40 mrtg-m.png\r
-rw-r--r--  1 root  wheel   1759 12 14 04:40 mrtg-r.png\r
-rw-r--r--  1 root  wheel   2941 12 20 15:15 opengate-day.png\r
-rw-r--r--  1 root  wheel   2146 12 20 14:35 opengate-month.png\r
-rw-r--r--  1 root  wheel   2867 12 20 14:55 opengate-week.png\r
-rw-r--r--  1 root  wheel   1897 12 20 05:00 opengate-year.png\r
-rw-r--r--  1 root  wheel   5961 12 20 15:15 opengate.html\r
-rw-r--r--  1 root  wheel  48786 12 20 15:15 opengate.log\r
-rw-r--r--  1 root  wheel  48784 12 20 15:10 opengate.old\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
<!-- ************ 4 ************** -->\r
<h4>G.4&nbsp;Setup crontab<A class=anchor href="#mrtg4" name=mrtg4>&dagger;</A></h4>\r
\r
<p>Add next line to "/etc/crontab".</p>\r
\r
<table><tr><td><pre>\r
*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg\r
</pre></td></tr></table>\r
\r
<div align="right"><A href="#mrtg0">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
\r
<!-- ************ 1 ************** -->\r
<h3>H&nbsp;rulechk Install(Optional)<A class=anchor href="#rulechk" name=rulechk>&dagger;</A></h3>\r
\r
<p>This is optional. At the abnormal termination of Opengate process, superfluous rule might be left bihind. \r
Though it is very rare, a script dealing with the case is prepared in tools/rulechk. This script is compatible with Opengate Ver1.3.1 or later.\r
This script compares the Opengate process list and the firewall rule list, and deletes the superfluous rules.\r
</p>\r
<div align="right"><A href="#rulechk">back</A>&nbsp;<A href="#top">top</A></div>\r
\r
</body>\r
</html>\r