<title>Opengate Install</title>
<meta http-equiv="content-type" content="text/html">
<link rel="stylesheet" type="text/css" media="screen" href="style.css">
<body bgcolor="#fafff0">
<h2>Opengate Install Procedure<A class=anchor href="#top" name=top>†</A></h2>
<!-- Start:content table -->
<li class="list_alpha"><A href="#outline0">Outline</A>
<li class="list_num"><A href="#outline1">System Configuration</A></li>
<li class="list_num"><A href="#outline2">Install Procedure</A></li>
<li class="list_num"><A href="#outline3">Support Page</A></li>
<li class="list_alpha"><A href="#freebsd0">FreeBSD Install</A>
<li class="list_num"><A href="#freebsd1">Basic Install</A></li>
<li class="list_num"><A href="#freebsd2">Addition of NAT and Firewall</A></li>
<li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>
<li class="list_alpha"><A href="#bind0">BIND9 Install (Optional)</A>
<li class="list_num"><A href="#bind1">Ports Install</A></li>
<li class="list_num"><A href="#bind2">Making RNDC Key</A></li>
<li class="list_num"><A href="#bind3">Setup of named.conf</A></li>
<li class="list_num"><A href="#bind4">Setup of Zone</A></li>
<li class="list_num"><A href="#bind5">Checking Behavior</A></li>
<li class="list_alpha"><A href="#dhcp0">isc-dhcp3 Install (Optional)</A>
<li class="list_num"><A href="#dhcp1">Ports Install</A></li>
<li class="list_num"><A href="#dhcp2">Setup of DHCP</A></li>
<li class="list_alpha"><A href="#apache0">Apache2 Install</A>
<li class="list_num"><A href="#apache1">Ports Install</A></li>
<li class="list_num"><A href="#apache2">Making Certificate</A></li>
<li class="list_num"><A href="#apache3">Setup of SSL</A></li>
<li class="list_num"><A href="#apache4">Other Setting and Checking</A></li>
<li class="list_alpha"><A href="#opengate0">Opengate Install</A>
<li class="list_num"><A href="#opengate1">Opengate Package</A></li>
<li class="list_num"><A href="#opengate2">Install</A></li>
<li class="list_num"><A href="#opengate3">Setup of Config File</A></li>
<li class="list_num"><A href="#opengate4">Setup of ipfw and ip6fw</A></li>
<li class="list_num"><A href="#opengate5">Setup of syslog</A></li>
<li class="list_num"><A href="#opengate6">Checking Behavior</A></li>
<li class="list_num"><A href="#opengate7">Modification of Pages</A></li>
<li class="list_alpha"><A href="#mrtg0">MRTG Install (Optional)</A>
<li class="list_num"><A href="#mrtg1">Ports Install</A></li>
<li class="list_num"><A href="#mrtg2">Setup of MRTG</A></li>
<li class="list_num"><A href="#mrtg3">Checking Behavior</A></li>
<li class="list_num"><A href="#mrtg4">Setup of crontab</A></li>
<li class="list_alpha"><A href="#rulechk">rulechk Install (Optional)</A>
<!-- End:content table -->
<!-- Start:Outline -->
<h3>A Outline<A class=anchor href="#outline0" name=outline0>†</A></h3>
<li class="list_num"><A href="#outline1">System Configuration</A></li>
<li class="list_num"><A href="#outline2">Install Procedure</A></li>
<li class="list_num"><A href="#outline3">Support Page</A></li>
<!-- ************1************* -->
<h4>A.1 System Configuration<A class=anchor href="#outline1" name=outline1>†</A></h4>
<li>Gateway Machine
<li>FreeBSD Ver 4.x, 5.x, or 6.x </li>
<li>Having two or more NICs</li>
<p>In this document, we use the system configuration shown below. The network to which the terminals connect is called the lower-side network, and the network on which the servers sit is called the upper-side network.</p>
<table><tr><td><pre>
upper-side network:            192.168.0.0/24, 2001:1:2:3::/64
Gateway to upper-side network: fxp1, 192.168.0.124, 2001:1:2:3::4
Gateway to lower-side network: fxp0, 192.168.1.1, 2001:5:6:7::1
lower-side network:            192.168.1.0/24, 2001:5:6:7::/64
</pre></td></tr></table>
<p>Opengate recognizes both the IPv4 and the IPv6 address of a terminal and controls both firewalls. On a FreeBSD system without an IPv6 environment it can be used for IPv4 control only.</p>
<!-- ***********2************** -->
<h4>A.2 Install Procedure<A class=anchor href="#outline2" name=outline2>†</A></h4>
<p>The Opengate install procedure is as follows. Items marked '*' are mandatory.</p>
<li class="list_num">FreeBSD Install *</li>
<li class="list_num">Addition of Firewall *</li>
<li class="list_num">BIND9 Install and Setup</li>
<li class="list_num">DHCP Install and Setup</li>
<li class="list_num">Apache2 Install and Setup *</li>
<li class="list_num">Opengate Install and Setup *</li></ul>
<!-- ***********3************** -->
<h4>A.3 Support Page<A class=anchor href="#outline3" name=outline3>†</A></h4>
We prepare the Opengate support page as follows.
<table><tr><td><pre>
http://www.cc.saga-u.ac.jp/opengate/index-e.html
</pre></td></tr></table>
<div align="right"><A href="#outline0">back</A> <A href="#top">top</A></div>
<!-- Start:FreeBSD Install-->
<h3>B FreeBSD Install<A class=anchor href="#freebsd0" name=freebsd0>†</A></h3>
<li class="list_num"><A href="#freebsd1">Basic Install</A></li>
<li class="list_num"><A href="#freebsd2">Addition of NAT and Firewall</A></li>
<li class="list_num"><A href="#freebsd3">Setup of IPv6</A></li>
<!-- ************1************* -->
<h4>B.1 Basic Install<A class=anchor href="#freebsd1" name=freebsd1>†</A></h4>
<p>Use FreeBSD 4.x or later; FreeBSD 6.1 or later is preferable.
Choose the "Developer" (full sources, binaries and doc) or "All" distribution set, because a custom kernel has to be built.</p>
<p>Add the next line to "/etc/rc.conf" to enable the gateway (packet forwarding) function.</p>
<table><tr><td><code>gateway_enable="YES"</code></td></tr></table>
<div align="right"><A href="#freebsd0">back</A> <A href="#top">top</A></div>
<!-- ************ 2 ************** -->
<h4>B.2 Addition of NAT and Firewall<A class=anchor href="#freebsd2" name=freebsd2>†</A></h4>
<p>Prepare a kernel with ipfw (and, on FreeBSD 6.0 or earlier, ip6fw) support.</p>
<p>Copy the kernel configuration file.</p>
<table><tr><td><pre>
# cd /usr/src/sys/i386/conf
# cp GENERIC MYKERNEL
</pre></td></tr></table>
<p>Add the next lines to the kernel configuration. IPFIREWALL is the prerequisite of the IPFIREWALL_FORWARD option that Opengate's redirect rule relies on, and IPDIVERT is required by natd.</p>
<p>(For FreeBSD 6.0 or earlier)</p>
<table><tr><td><pre>
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
options IPV6FIREWALL
options IPV6FIREWALL_VERBOSE
options IPV6FIREWALL_VERBOSE_LIMIT=100
options TCP_DROP_SYNFIN
</pre></td></tr></table>
<p>(For FreeBSD 6.1 or later)</p>
<table><tr><td><pre>
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPDIVERT
</pre></td></tr></table>
<p>Compile and install the kernel with ipfw (and ip6fw) support.</p>
<table><tr><td><pre>
# config MYKERNEL
# cd ../compile/MYKERNEL
# make depend
# make
# make install
</pre></td></tr></table>
<p>"make clean" might be required before "make depend".</p>
<p>Add the next lines to "/etc/rc.conf".</p>
<p>(For FreeBSD 6.0 or earlier)</p>
<table><tr><td><pre>
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"
</pre></td></tr></table>
<p>(For FreeBSD 6.1 or later)</p>
<table><tr><td><pre>
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"
</pre></td></tr></table>
<p>While enabling ipfw (and ip6fw) during installation, keep the type "open" so that the firewall does not cause mysterious behaviour before the Opengate rules are in place; the restrictive rule set is installed in section F.4. For NAT, enable natd and set its interface to the upper-side interface.</p>
<p>Connect a PC to the lower-side network and check IPv4 connectivity.</p>
<p>Because DHCP is not set up yet, the PC's network settings must be configured manually.</p>
<div align="right"><A href="#freebsd0">back</A> <A href="#top">top</A></div>
<!-- ************ 3 ************** -->
<h4>B.3 Setup of IPv6<A class=anchor href="#freebsd3" name=freebsd3>†</A></h4>
<p>If you need IPv4 only, this section can be skipped. The explanation is omitted here, but parameters like the following sample may have to be set in /etc/rc.conf. Study IPv6 and set it up carefully.</p>
<table><tr><td><pre>
ipv6_enable="YES"
ipv6_network_interfaces="gif0 fxp0"

##TUNNELLING INTERFACE
gif_interfaces="gif0"
gifconfig_gif0="192.168.0.124 192.168.0.126"

ipv6_prefix_fxp0="2001:5:6:7"
ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"

rtadvd_enable="YES"
rtadvd_interfaces="fxp0"

ipv6_default_interface="gif0"
ipv6_defaultrouter="fe80::a:b:c:d%gif0"

ipv6_gateway_enable="YES"
ipv6_router_enable="YES"
ipv6_router="/usr/sbin/route6d"
ipv6_router_flags="-O 2001:5:6:7::/64,gif0"
</pre></td></tr></table>
<p>Connect a PC to the lower-side network and check the behaviour of IPv6.</p>
<p>On a Windows PC, the command "ipv6 install" might be needed to activate IPv6.</p>
<div align="right"><A href="#freebsd0">back</A> <A href="#top">top</A></div>
<!-- Start:BIND9 Install -->
<h3>C BIND9 Install (Optional)<A class=anchor href="#bind0" name=bind0>†</A></h3>
<li class="list_num"><A href="#bind1">Ports Install</A></li>
<li class="list_num"><A href="#bind2">Making RNDC Key</A></li>
<li class="list_num"><A href="#bind3">Setup of named.conf</A></li>
<li class="list_num"><A href="#bind4">Setup of Zone</A></li>
<li class="list_num"><A href="#bind5">Checking Behavior</A></li>
<!-- ********** 1 *********** -->
<h4>C.1 Ports Install<A class=anchor href="#bind1" name=bind1>†</A></h4>
<p>You can skip the DNS setup if you control terminals by IP address only or use existing DNS servers.</p>
<p>Install BIND9 from ports as follows. The "sysinstall" command can also be used for installation.</p>
<table><tr><td><pre>
# cd /usr/ports/dns/bind9/
# make install clean ; rehash
</pre></td></tr></table>
<p>The configuration directory "/etc/namedb" (on recent FreeBSD a symlink to "/var/named/etc/namedb") exists after installation.</p>
<div align="right"><A href="#bind0">back</A> <A href="#top">top</A></div>
<!-- ********** 2 ********** -->
<h4>C.2 Making RNDC key<A class=anchor href="#bind2" name=bind2>†</A></h4>
<p>BIND9 is controlled through the rndc command, which authenticates itself to named with a shared secret (the rndc key), so that only holders of the key can reload or stop the server.</p>
<p>Create the rndc key as follows.</p>
<table><tr><td><pre>
# cd /etc/namedb
# rndc-confgen -b 512 > rndc.conf
</pre></td></tr></table>
<p>The command generates an "rndc.conf" file like the following. The secret shown here is the one generated while writing this document; yours will be different, and the one printed here must not be reused.</p>
<table><tr><td><pre>
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
# };
# 
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
</pre></td></tr></table>
<div align="right"><A href="#bind0">back</A> <A href="#top">top</A></div>
<!-- ********* 3 ********* -->
<h4>C.3 Setup of named.conf<A class=anchor href="#bind3" name=bind3>†</A></h4>
<p>"/etc/namedb/named.conf" exists after installation.</p>
<p>Copy the latter half of the "rndc.conf" file into it, remove the comment marks, and add the IPv6 control socket if required.</p>
<table><tr><td><pre>
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

controls {
    inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
</pre></td></tr></table>
<p>For security, it is better to put the "key" directive in a separate file that only root and the bind user can read, and pull it into named.conf with an "include" statement; named.conf itself is often world-readable, and anyone who reads the secret can control the server through port 953.</p>
<p>Edit the "options" directive in "named.conf".</p>
<table><tr><td><pre>
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    listen-on-v6 { any; };
};
</pre></td></tr></table>
<p>Create the directory that holds the "pid" file.</p>
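<p>Moving the key out of named.conf, as an added example that is not part of the Opengate documentation or of BIND's own tooling: the script below takes the rndc.conf written by rndc-confgen, reads its commented named.conf half, writes the key stanza to a file with mode 0640, and produces a controls stanza plus an include line that carries no secret. The output directory, the file names rndc.key and controls.conf, and the sample rndc.conf with its dummy secret are assumptions of this example; newer BIND releases emit hmac-sha256 instead of hmac-md5 and the script does not care which.</p>

```shell
#!/bin/sh
# Added example (not from the Opengate page or from BIND): split the output of
# "rndc-confgen -b 512 > rndc.conf" so that the shared secret lives outside
# named.conf.  Assumed layout: $outdir/rndc.key (secret, mode 0640) and
# $outdir/controls.conf (controls stanza + include line, no secret).

split_rndc_conf() {
    conf="$1"; outdir="$2"
    mkdir -p "$outdir" || return 1
    # Only the "# Use with the following in named.conf" half matters.  Every
    # line there is prefixed "# "; strip it and route the "key" block and the
    # "controls" block to separate files.
    awk '
        /^# Use with the following in named.conf/ { named = 1; next }
        !named                                     { next }
        /^# End of named.conf/                     { exit }
        {
            line = $0; sub(/^# ?/, "", line)
            if (line ~ /^key /)           block = "key"
            else if (line ~ /^controls /) block = "controls"
            if (block == "key")      print line > keyfile
            if (block == "controls") print line > ctlfile
            if (line ~ /^};/)        block = ""
        }' keyfile="$outdir/rndc.key" ctlfile="$outdir/controls.conf" "$conf" || return 1
    # The secret now exists only in rndc.key: no world access.
    chmod 0640 "$outdir/rndc.key" || return 1
    # named.conf pulls the key in by reference instead of embedding it.
    printf 'include "%s/rndc.key";\n' "$outdir" >> "$outdir/controls.conf"
}

# Constructed sample of what rndc-confgen prints; the secret is a dummy
# value made for this example, not a real key.
sample_rndc_conf() {
    cat <<'EOF'
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "ZHVtbXkgc2VjcmV0IGZvciB0aGUgZXhhbXBsZQ==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "ZHVtbXkgc2VjcmV0IGZvciB0aGUgZXhhbXBsZQ==";
# };
# 
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
EOF
}

# Returns 0 only if the secret ended up in rndc.key and nowhere else, and the
# named.conf fragment still has its controls block and the include line.
secret_is_isolated() {
    outdir="$1"
    grep -q '^[[:space:]]*secret ' "$outdir/rndc.key" || return 1
    if grep -q 'secret' "$outdir/controls.conf"; then return 1; fi
    grep -q '^controls {' "$outdir/controls.conf" || return 1
    grep -q '^include ' "$outdir/controls.conf"
}

# Usage:  sample_rndc_conf > /tmp/rndc.conf
#         split_rndc_conf /tmp/rndc.conf /tmp/namedb && secret_is_isolated /tmp/namedb
```

After running it against the real rndc.conf, append the contents of controls.conf to named.conf, change the owner of rndc.key to root:bind, and keep rndc.conf itself (which also contains the secret) readable by root only.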
<div align="right"><A href="#bind0">back</A> <A href="#top">top</A></div>
<!-- ******** 4 ********* -->
<h4>C.4 Setup of Zone<A class=anchor href="#bind4" name=bind4>†</A></h4>
<p>Edit the "view" and "zone" directives in "named.conf".</p>
<p>The "view" directive is implemented in BIND9. When a query arrives from a client listed in match-clients, BIND9 answers with the information described in the corresponding view.</p>
<p>Zone entries for the Opengate domain and the localhost reverse zones, placed inside the view:</p>
<table><tr><td><pre>
zone "og.saga-u.ac.jp" {
    type master;
    file "og.saga-u.ac.jp";
};

zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost.rev";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
    type master;
    file "master/localhost-v6.rev";
};

// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
    type master;
    file "master/localhost-v6.rev";
};
</pre></td></tr></table>
<p>Make a "zone" file for the domain, here "og.saga-u.ac.jp".
The domain name and the IPv4/IPv6 addresses should be modified as appropriate; the SOA timer values below are placeholders.
If you don't need IPv6, remove the "AAAA ..." lines.</p>
<table><tr><td><pre>
$TTL 86400
$ORIGIN og.saga-u.ac.jp.

@        IN  SOA   ns.og.saga-u.ac.jp. postmaster (
                   1        ; serial
                   3600     ; refresh
                   900      ; retry
                   604800   ; expire
                   86400 )  ; minimum

         IN  NS    ns.og.saga-u.ac.jp.

         IN  MX    10 opengate.og.saga-u.ac.jp.

ns       IN  A     192.168.1.1
ns       IN  AAAA  2001:5:6:7::1
opengate IN  A     192.168.1.1
opengate IN  AAAA  2001:5:6:7::1
</pre></td></tr></table>
<div align="right"><A href="#bind0">back</A> <A href="#top">top</A></div>
<!-- ********* 5 ********* -->
<h4>C.5 Checking Behavior<A class=anchor href="#bind5" name=bind5>†</A></h4>
<p>After the setup is complete, confirm that "named" starts. "named-checkconf" and "named-checkzone" can be run beforehand to catch syntax errors in named.conf and in the zone file.</p>
<table><tr><td><pre>
# /usr/local/sbin/named -u bind -c /etc/namedb/named.conf
</pre></td></tr></table>
<p>If "named" starts without problems, add the next lines to "/etc/rc.conf" for automatic start.</p>
<table><tr><td><pre>
named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"
</pre></td></tr></table>
<p>Because managing a DNS server is complicated, read the BIND9 manual carefully and refer to other documents.</p>
<div align="right"><A href="#bind0">back</A> <A href="#top">top</A></div>
<!-- Start:isc-dhcp3 Install -->
<h3>D isc-dhcp3 Install (Optional)<A class=anchor href="#dhcp0" name=dhcp0>†</A></h3>
<li class="list_num"><A href="#dhcp1">Ports Install</A></li>
<li class="list_num"><A href="#dhcp2">Setup of DHCP</A></li>
<!-- *********** 1 ************* -->
<h4>D.1 Ports Install<A class=anchor href="#dhcp1" name=dhcp1>†</A></h4>
<p>Many client PCs are connected, so DHCP is the desirable way to assign IP addresses to them.</p>
<p>Install isc-dhcp3 from ports as follows. The "sysinstall" command can also be used for installation.</p>
<table><tr><td><pre>
# cd /usr/ports/net/isc-dhcp3-server
# make install clean ; rehash
</pre></td></tr></table>
<div align="right"><A href="#dhcp0">back</A> <A href="#top">top</A></div>
<!-- ************ 2 ************** -->
<h4>D.2 Setup of DHCP<A class=anchor href="#dhcp2" name=dhcp2>†</A></h4>
<p>The configuration file "/usr/local/etc/dhcpd.conf.sample" exists after installation. Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit it. The following is an example setup. The lease time must be greater than the maximum usage duration (Duration/Max in opengatesrv.conf): Opengate opens the firewall per IP address, so an address that changed hands during a session would carry its permission to the new holder.</p>
<p>The domain name and IP addresses should be modified.</p>
<table><tr><td><pre>
option domain-name "og.saga-u.ac.jp";
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;

default-lease-time 86400;
max-lease-time 604800;
ddns-update-style none;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.250;
}
</pre></td></tr></table>
<p>Add the next lines to "/etc/rc.conf" for automatic start.</p>
<table><tr><td><pre>
dhcpd_enable="YES"
dhcpd_ifaces="fxp0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
</pre></td></tr></table>
<p>Here the value of "dhcpd_ifaces" is the interface on which DHCP is served (the lower-side network).</p>
<div align="right"><A href="#dhcp0">back</A> <A href="#top">top</A></div>
<!-- Start:Apache2 Install-->
<h3>E Apache2 Install<A class=anchor href="#apache0" name=apache0>†</A></h3>
<li class="list_num"><A href="#apache1">Ports Install</A></li>
<li class="list_num"><A href="#apache2">Making Certificate</A></li>
<li class="list_num"><A href="#apache3">Setup of SSL</A></li>
<li class="list_num"><A href="#apache4">Other Setting and Checking</A></li>
<!-- ************ 1 ************** -->
<h4>E.1 Ports Install<A class=anchor href="#apache1" name=apache1>†</A></h4>
<p>When the IPv6 function is used, Opengate needs an Apache2 built with IPv6 support. By default Apache2 supports SSL, which is desirable so that user IDs and passwords are not sent in clear text during authentication.</p>
<p>Install Apache2 from ports as follows. The "sysinstall" command can also be used for installation.</p>
<table><tr><td><pre>
# cd /usr/ports/www/apache22
# make install clean ; rehash
</pre></td></tr></table>
<div align="right"><A href="#apache0">back</A> <A href="#top">top</A></div>
<!-- ************ 2 ************** -->
<h4>E.2 Making Certificate<A class=anchor href="#apache2" name=apache2>†</A></h4>
<p>It is better to obtain a certificate from a CA, because browsers warn about a self-signed one and users then learn to click through such warnings. Here we show the procedure for making a self-signed private key and certificate.</p>
<p>Make a private key as follows. The key protects every login that passes through the gateway; keep it readable by root only.</p>
<table><tr><td><pre>
# cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt
# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024
</pre></td></tr></table>
<p>A 1024-bit RSA key was the accepted minimum when this page was written; use 2048 bits or more today.</p>
<p>Make a certificate from the key as follows. The Common Name must be the FQDN that is later set in OpengateServerName, otherwise browsers report a name mismatch.</p>
<table><tr><td><pre>
# /usr/bin/openssl req -new -x509 -days 365 \
    -key /usr/local/etc/apache22/server.key \
    -out /usr/local/etc/apache22/server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Saga
Locality Name (eg, city) []:Saga-city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university
Organizational Unit Name (eg, subsection) []:Opengate Management
Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp
Email Address []:administrator@opengate.og.saga-u.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
</pre></td></tr></table>
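<p>The same key-and-certificate step, scripted so that it can be rerun when the certificate expires. This is an added example, not a command from the Opengate page: compared with the interactive commands above it uses a 2048-bit key, writes the key with mode 0600, passes the DN with -subj instead of answering prompts, and then checks that the certificate really belongs to the key and carries the expected Common Name. The target directory argument and the DN fields other than the CN are assumptions taken from the example answers above.</p>

```shell
#!/bin/sh
# Added example, not from the Opengate page: non-interactive self-signed
# certificate for the gateway.  Assumptions: key size 2048 (the page uses
# 1024), key mode 0600, DN fields copied from the page's example answers.

make_selfsigned_cert() {   # $1 = output dir, $2 = Common Name (FQDN), $3 = days
    dir="$1"; cn="$2"; days="${3:-365}"
    mkdir -p "$dir" || return 1
    # umask 077 makes the key unreadable by others from the moment it exists.
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -days "$days" -key "$dir/server.key" \
        -subj "/C=JP/ST=Saga/L=Saga-city/O=Saga-university/OU=Opengate Management/CN=$cn" \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 0600 "$dir/server.key" && chmod 0644 "$dir/server.crt"
}

# Returns 0 when the certificate's public key matches the private key and the
# subject CN is the name clients will connect to.  A mismatch here is the
# usual cause of "SSLCertificateKeyFile does not match" at Apache start-up.
check_cert_matches_key() {   # $1 = dir, $2 = expected CN
    dir="$1"; cn="$2"
    k=$(openssl rsa  -noout -modulus -in "$dir/server.key" 2>/dev/null | openssl md5)
    c=$(openssl x509 -noout -modulus -in "$dir/server.crt" 2>/dev/null | openssl md5)
    [ -n "$k" ] && [ "$k" = "$c" ] || return 1
    # OpenSSL prints "CN=..." or "CN = ..." depending on version.
    openssl x509 -noout -subject -in "$dir/server.crt" | grep -q "CN *= *$cn"
}

# Usage: make_selfsigned_cert /usr/local/etc/apache22 opengate.og.saga-u.ac.jp 365 &&
#        check_cert_matches_key /usr/local/etc/apache22 opengate.og.saga-u.ac.jp
```

The check function is worth keeping around: run it after every renewal, before restarting Apache, so that a key/certificate mix-up is caught while the old pair is still serving.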
<div align="right"><A href="#apache0">back</A> <A href="#top">top</A></div>
<!-- ************ 3 ************** -->
<h4>E.3 Setup of SSL<A class=anchor href="#apache3" name=apache3>†</A></h4>
<p>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" like the following example.</p>
<table><tr><td>httpd-ssl.conf
</td></tr><tr><td><pre>
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache22/data"
ServerName opengate.og.saga-u.ac.jp:443
ServerAdmin administrator@opengate.og.saga-u.ac.jp
ErrorLog "|/usr/bin/logger -p local6.info"
CustomLog "|/usr/bin/logger -p local5.info" combined

SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile /usr/local/etc/apache22/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/server.key
</VirtualHost>
</pre></td></tr></table>
<p>The SSLCipherSuite line above is the sample shipped with Apache 2.2. "ALL" still includes export-grade (only EXPORT56 is excluded) and LOW-strength suites and, where compiled in, SSLv2; on a gateway whose purpose is to protect the login, restrict the list to HIGH-strength suites with anonymous (aNULL) ones excluded.</p>
<p>As Apache2 has many settings, become familiar with its configuration for adequate control.</p>
<div align="right"><A href="#apache0">back</A> <A href="#top">top</A></div>
<!-- ************ 4 ************** -->
<h4>E.4 Other Setting and Checking<A class=anchor href="#apache4" name=apache4>†</A></h4>
<p>Edit "/usr/local/etc/apache22/httpd.conf" as follows.</p>
<p>Opengate sends back the authentication page for any HTTP request. To do so, add the next line to httpd.conf. It means that the top page is returned on a 404 (file not found) error, so that whatever URL an unauthenticated client asked for, it sees the login page.</p>
<table><tr><td><pre>
ErrorDocument 404 /
</pre></td></tr></table>
<p>Add ExecCGI so that the CGI programs in the cgi-bin directory can be executed.</p>
<table><tr><td><pre>
<Directory "/usr/local/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
</pre></td></tr></table>
<p>Remove the comment marks to enable the following settings.</p>
<table><tr><td><pre>
AddHandler cgi-script .cgi
AddHandler type-map .var
</pre></td></tr></table>
<p>Add "index.html.var" to DirectoryIndex.</p>
<table><tr><td><pre>
DirectoryIndex index.html.var index.html
</pre></td></tr></table>
<p>Include the SSL configuration file.</p>
<table><tr><td><pre>
Include etc/apache22/extra/httpd-ssl.conf
</pre></td></tr></table>
<p>Set ServerName to the FQDN of the gateway.</p>
<table><tr><td><pre>
ServerName opengate.og.saga-u.ac.jp
</pre></td></tr></table>
<p>Start Apache2 with "apachectl start" and check that it works normally.
Then add the next lines to "/etc/rc.conf" for automatic start.</p>
<table><tr><td><pre>
apache22_enable="YES"
apache22ssl_enable="YES"
</pre></td></tr></table>
<p>If the system shows "Failed to enable the 'httpready' Accept Filter",
add the following to /boot/loader.conf.</p>
<table><tr><td><pre>
accf_http_load="YES"
</pre></td></tr></table>
<div align="right"><A href="#apache0">back</A> <A href="#top">top</A></div>
<!-- Start:Opengate Install -->
<h3>F Opengate Install<A class=anchor href="#opengate0" name=opengate0>†</A></h3>
<li class="list_num"><A href="#opengate1">Opengate Package</A></li>
<li class="list_num"><A href="#opengate2">Install</A></li>
<li class="list_num"><A href="#opengate3">Setup of Config File</A></li>
<li class="list_num"><A href="#opengate4">Setup of ipfw and ip6fw</A></li>
<li class="list_num"><A href="#opengate5">Setup of syslog</A></li>
<li class="list_num"><A href="#opengate6">Checking Behavior</A></li>
<li class="list_num"><A href="#opengate7">Modification of Pages</A></li>
<!-- ************1************* -->
<h4>F.1 Opengate Package<A class=anchor href="#opengate1" name=opengate1>†</A></h4>
<p>Unpack the Opengate package.</p>
<table><tr><td><pre>
# tar xzvf opengatexxxx.tar.gz
</pre></td></tr></table>
<p>It contains the following directories.</p>
<table><tr><td><pre>
doc: Documentation
conf: Configuration file and firewall control perl script sample
javahtml: Client Java programs and HTML files
opengatesrv: Server CGI programs
tools: Some related tools
ezxml: XML parser (Copyright Aaron Voisine)
</pre></td></tr></table>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************2************* -->
<h4>F.2 Install<A class=anchor href="#opengate2" name=opengate2>†</A></h4>
<p>Check the settings in "opengatesrv/Makefile" and modify them as appropriate.</p>
<table><tr><td><pre>
HTMLTOP = /usr/local/www/apache22
OPENGATEDIR = /opengate
CONFIGPATH = /etc/opengate
</pre></td></tr></table>
<p>Compile and install in the "opengatesrv" directory.</p>
<table><tr><td><pre>
# make
# make install
</pre></td></tr></table>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************ 3 ************** -->
<h4>F.3 Setup of Config File<A class=anchor href="#opengate3" name=opengate3>†</A></h4>
<p>Copy the sample config file "/etc/opengate/opengatesrv.conf.sample" to "/etc/opengate/opengatesrv.conf" and modify it. The following settings must be changed.</p>
<table><tr><td><pre>
<OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>

<AuthServer>
<Protocol>pop3s</Protocol>
<Address>192.168.0.2</Address>
</AuthServer>
</pre></td></tr></table>
<p>In <OpengateServerName>, set the hostname (FQDN) or IP address of the Opengate gateway server. If you
want to use the IPv6 function, you need to set an FQDN that resolves to both the IPv4 and the IPv6 address.</p>
<p>In <AuthServer>, set the information of the authentication server. Opengate supports various authentication protocols; see the config file for details. To separate authentication-server problems from Opengate problems, try the following setting first. It means that any user ID and password are accepted.</p>
<table><tr><td><pre>
****Do not use this setting in real service****
<AuthServer>
<Protocol>accept</Protocol>
</AuthServer>
</pre></td></tr></table>
<p>The config file is in XML form. A # mark in the file does not start a comment; use an XML comment, <!-- Comment String -->, to disable a description.</p>
<p>Opengate can switch the authentication setting by a "userid@extid" pattern; see the config file for details. With this function you can use different authentication servers for different sections or for guests.</p>
<p>When the default authentication server does not reply, Opengate can retry against other authentication servers. See the config file for details.</p>
<p>Caution: do not delete the IPv6-related settings in the config file. IPv6 access is performed when an FQDN for IPv6 is prepared.</p>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************ 4 ************** -->
<h4>F.4 Setup of ipfw and ip6fw<A class=anchor href="#opengate4" name=opengate4>†</A></h4>
<p>Write the ipfw rules for Opengate.</p>
<p>(For FreeBSD 6.0 or earlier)</p>
<p>IPv4 packets are controlled by ipfw, and IPv6 packets by ip6fw.</p>
<p>Sample setup scripts for both commands are provided as "/etc/opengate/rc.firewall4.sample" and "/etc/opengate/rc.firewall6.sample".</p>
<p>Copy these scripts and modify them as appropriate.</p>
<table><tr><td><pre>
# cd /etc/opengate
# cp rc.firewall4.sample rc.firewall4
# cp rc.firewall6.sample rc.firewall6
</pre></td></tr></table>
<p>Modify the firewall settings in /etc/rc.conf as follows. Be aware that, once these scripts are active, accesses (including your own remote login) may be denied by the firewall, so keep a console session open. The firewall_type="open" line set in section B.2 is only read by /etc/rc.firewall and has no effect once firewall_script points at the Opengate script.</p>
<table><tr><td><pre>
firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall4"

ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/opengate/rc.firewall6"
</pre></td></tr></table>
<p>Then change "/etc/opengate/opengatesrv.conf" from <Ip6fwPath>/sbin/ipfw</Ip6fwPath> to <Ip6fwPath>/sbin/ip6fw</Ip6fwPath>.</p>
<p>(For FreeBSD 6.1 or later)</p>
<p>Both IPv4 and IPv6 packets are controlled by ipfw.</p>
<p>A sample setup script for this system is provided as "/etc/opengate/rc.firewall.sample".</p>
<p>Copy the script and modify it as appropriate. If you are not using IPv6, set the IPv6 addresses to localhost (*net6="0", *ip6="::1").</p>
<table><tr><td><pre>
# cd /etc/opengate
# cp rc.firewall.sample rc.firewall
</pre></td></tr></table>
<p>Modify the firewall settings in /etc/rc.conf as follows. Be aware that, once this script is active, accesses may be denied by the firewall.</p>
<table><tr><td><pre>
firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall"
</pre></td></tr></table>
<p>Become familiar with the ipfw command: Opengate is essentially a program that issues ipfw add/delete commands.</p>
<p>Opengate adds and removes allow rules (rule numbers 10000-40000) for authenticated terminals. The forward rule sits at a lower-priority position (rule number 60000) in the initial setting. Thus packets from authenticated terminals pass the gateway, while Web access from other terminals is forwarded to the authentication page.</p>
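<p>A minimal rule set laid out the way the paragraph above describes, as an added example: it is not Opengate's rc.firewall.sample, which is what should actually be installed, and the rule syntax beyond the numbering is this example's own. The numbers 10000-40000 and 60000 are the ones from the text, the interface and addresses are those of section A.1, and the NAT divert rule and all upper-side rules are omitted. The allow/revoke functions mimic what Opengate does for a terminal at login and logout; both directions share one rule number so that a single "ipfw delete" closes the terminal. The IPFW variable lets the script be dry-run with a command other than /sbin/ipfw.</p>

```shell
#!/bin/sh
# Added example, not Opengate's rc.firewall sample: lower-side ipfw rules in
# the layout the Opengate documentation describes.
#   10000-40000  per-terminal allow rules, added at login, deleted at logout
#   60000        fwd rule: unauthenticated HTTP goes to Apache on the gateway
#                (needs "options IPFIREWALL_FORWARD" in the kernel)
#   65000        everything else from the lower side is denied
# Interface, network and gateway address are taken from section A.1; the
# exact rule syntax is this example's assumption.

IPFW="${IPFW:-/sbin/ipfw}"
LOWER_IF="${LOWER_IF:-fxp0}"
LOWER_NET="${LOWER_NET:-192.168.1.0/24}"
GW_IP="${GW_IP:-192.168.1.1}"

# Base rule set: loopback, the gateway's own services (DNS, DHCP and the
# authentication page) for the lower side, the HTTP redirect, then deny.
opengate_base_rules() {
    $IPFW -f flush
    $IPFW add 100   allow ip from any to any via lo0
    $IPFW add 1000  allow ip from "$LOWER_NET" to "$GW_IP" in via "$LOWER_IF"
    $IPFW add 1001  allow ip from "$GW_IP" to "$LOWER_NET" out via "$LOWER_IF"
    # DHCP discover comes from 0.0.0.0, so it needs its own rule
    $IPFW add 1002  allow udp from any 68 to any 67 in via "$LOWER_IF"
    # unauthenticated web traffic is redirected to the login page
    $IPFW add 60000 fwd "$GW_IP",80 tcp from "$LOWER_NET" to any 80 in via "$LOWER_IF"
    $IPFW add 65000 deny ip from "$LOWER_NET" to any in via "$LOWER_IF"
}

# Login: open both directions for one terminal under one rule number.
# The number must stay inside the range reserved for Opengate, otherwise the
# rule could land above the redirect or below the deny.
opengate_allow_client() {   # $1 = rule number (10000..40000), $2 = client IPv4
    case "$1" in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 10000 ] && [ "$1" -le 40000 ] || return 1
    $IPFW add "$1" allow ip from "$2" to any in via "$LOWER_IF" &&
    $IPFW add "$1" allow ip from any to "$2" out via "$LOWER_IF"
}

# Logout: "ipfw delete N" removes every rule numbered N, i.e. both directions.
opengate_revoke_client() {  # $1 = rule number used at allow time
    $IPFW delete "$1"
}

# Usage on the gateway:  opengate_base_rules
#                        opengate_allow_client 10000 192.168.1.10
#                        opengate_revoke_client 10000
# Dry run elsewhere:     IPFW=echo sh this_script.sh
```

Rule 1000 is deliberately wider than the ports strictly needed (53, 67, 80, 443) so that the example stays short; in a production script, narrow it to those ports, because anything the gateway itself listens on is otherwise reachable from unauthenticated terminals.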
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************ 5 ************** -->
<h4>F.5 Setup of syslog<A class=anchor href="#opengate5" name=opengate5>†</A></h4>
<p>Edit /etc/syslog.conf so that the Opengate log is saved to its own file. The selector and the file name must be separated by a TAB character.</p>
<table><tr><td><pre>
local1.*	/var/log/opengate.log
</pre></td></tr></table>
<p>Create the log file as follows. Take care to control the size of this log file, for example by adding it to newsyslog.conf; it is the record that ties a user ID to an address and a time, so rotate it rather than let it be truncated.</p>
<table><tr><td><pre>
# touch /var/log/opengate.log
</pre></td></tr></table>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************ 6 ************** -->
<h4>F.6 Checking Behavior<A class=anchor href="#opengate6" name=opengate6>†</A></h4>
<p>Connect a PC to the lower-side network and access a site in the upper-side network. If it does not work properly, refer to doc/progflow.html and doc/protocol.txt to understand the procedure, and check the log files of Opengate, httpd, the system and others. To get more information from Opengate, set the <Debug> switch to "2" in opengatesrv.conf. Check the related software as well. The error-checking document (errcheck.html) and the Q and A documents (qa.html, and recentqa.html on the web) may help in solving problems.</p>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- ************ 7 ************** -->
<h4>F.7 Modification of Pages<A class=anchor href="#opengate7" name=opengate7>†</A></h4>
<p>If you want to modify the contents of the web pages, edit the HTML files in the Opengate directories. Relative paths cannot be used in httpkeep.html; use full UR:s. Strings such as %%XXX%% are variables replaced with appropriate values by the CGI.</p>
<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
<!-- Start:Install MRTG -->

<h3>G MRTG Install(Optional)<A class=anchor href="#mrtg0" name=mrtg0>†</A></h3>

<li class="list_num"><A href="#mrtg1">Install (ports)</A></li>
<li class="list_num"><A href="#mrtg2">Setup MRTG</A></li>
<li class="list_num"><A href="#mrtg3">Start confirmation</A></li>
<li class="list_num"><A href="#mrtg4">Setup crontab</A></li>

<!-- ************ 1 ************** -->

<h4>G.1 Ports Install<A class=anchor href="#mrtg1" name=mrtg1>†</A></h4>

<p>This is optional. MRTG can be used when you want to watch the state of Opengate, but it is usually not required.</p>

<p><a href="http://people.ee.ethz.ch/~oetiker/webtools/mrtg/" target="_blank">MRTG</a> (Multi Router Traffic Grapher) is a system for monitoring network traffic. MRTG produces graph images and HTML files.</p>

<p>You can install MRTG on the gateway server or on another server. If you need to monitor several Opengate gateways, it is better to install MRTG on a separate server.</p>

<table><tr><td><pre>
# cd /usr/ports/net-mgmt/mrtg/
# make install clean ; rehash
</pre></td></tr></table>

<div align="right"><A href="#mrtg0">back</A> <A href="#top">top</A></div><!-- ************ 2 ************** -->

<h4>G.2 Setup of MRTG<A class=anchor href="#mrtg2" name=mrtg2>†</A></h4>

<p>After installation, a sample configuration file exists as "/usr/local/etc/mrtg/mrtg.cfg.sample". Copy mrtg.cfg.sample to opengate.cfg and edit the configuration file.</p>

<table><tr><td><pre>
##################################################
# opengate user counter

WorkDir: /usr/home/user/public_html/mrtg/opengate/

Options[^]: growright,gauge,nopercent,integer

Target[opengate]:`/usr/home/user/bin/input.sh`
Title[opengate]: Opengate user counter
PageTop[opengate]: &lt;h1&gt;Opengate user counter&lt;/h1&gt;
&lt;p&gt;Show the number of people using Opengate&lt;/p&gt;

MaxBytes[opengate]: 200

YLegend[opengate]: Opengate User
ShortLegend[opengate]: s
# Title of graph LegendI: first line LegendO: second line
LegendI[opengate]: IPv6 Users
LegendO[opengate]: Total Users
</pre></td></tr></table>

<p>Create the directory you specified in "WorkDir". MRTG writes its graph images and HTML files there.</p>

<p>"Target[opengate]" is the path to the program that hands data to MRTG. The details are explained below.</p>

<h5>G.2.1 Case of gateway server<A class=anchor href="#mrtg21" name=mrtg21>†</A></h5>

<p>Put this shell script as "/usr/home/user/bin/input.sh".</p>

<table><tr><td><pre>
#!/bin/sh
#######################################
## show opengate status for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################

### IPv6 prefix of the lower-side network (edit for your site)
prefix="2001:2f8:22:801:"
### opengate process name
process="opengatesrv.cgi"

### work files (fixed names in /tmp; prefer mktemp on a multi-user host)
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
# list the running Opengate processes, excluding the grep itself
ps ax | grep "$process" | grep -v grep > "$tmp_all"
COUNT=`wc -l "$tmp_all" | awk '{print $1}'`
# those serving an IPv6 client from our prefix
grep "$prefix" "$tmp_all" > "$tmp_6"
COUNT6=`wc -l "$tmp_6" | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`

# output in the order MRTG expects (see the header above)
echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"
</pre></td></tr></table>

<p>Run this shell script by itself and confirm that you can obtain the following data.</p>

<table><tr><td><pre>5
Opengate User Counter
</pre></td></tr></table>

<h5>G.2.2 Case of another server<A class=anchor href="#mrtg22" name=mrtg22>†</A></h5>

<p>Put this shell script as "/usr/home/user/bin/input.sh" on the other server.</p>

<table><tr><td><pre>
#!/bin/sh
#######################################
## input data for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################

file="/tmp/opengate.tmp"
# URL of output.sh at opengate
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"

# fetch the four lines from the gateway; "&>" is a bash-ism that
# /bin/sh would read as a background job, so redirect the POSIX way
fetch -o "$file" "$url" > /dev/null 2>&1
# hand the fetched lines to MRTG on stdout
cat "$file"
</pre></td></tr></table>

<p>Put this shell script as "/usr/local/apache2/cgi-bin/output.sh" on the Opengate server, and set its URL as $url in the input.sh script explained above. Because output.sh reports the gateway's user counts and uptime to any client that can reach the URL, restrict access to it to the MRTG server's address in the Apache configuration.</p>

<table><tr><td><pre>
#!/bin/sh
#######################################
## show opengate status for MRTG
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
#######################################

### IPv6 prefix of the lower-side network (edit for your site)
prefix="2001:2f8:22:801:"
### opengate process name
process="opengatesrv.cgi"

### work files (fixed names in /tmp; prefer mktemp on a multi-user host)
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
# list the running Opengate processes, excluding the grep itself
ps ax | grep "$process" | grep -v grep > "$tmp_all"
COUNT=`wc -l "$tmp_all" | awk '{print $1}'`
grep "$prefix" "$tmp_all" > "$tmp_6"
COUNT6=`wc -l "$tmp_6" | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`

# CGI header; the empty line ends the header block
echo "Content-type: text/plain; charset=iso-8859-1"
echo ""
# body: the four lines MRTG expects
echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"
</pre></td></tr></table>

<p>Run the "input.sh" shell script on the other server and confirm that you can obtain the following data.</p>

<table><tr><td><pre>5
Opengate User Counter
</pre></td></tr></table>
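<p>As an added example (not code from the Opengate distribution), the following POSIX shell function validates the four lines that input.sh fetches from output.sh before MRTG reads them, and substitutes a placeholder when the fetch failed or returned an HTML error page; the function name and the placeholder values are assumptions.</p>

```shell
# Added example (not code from the Opengate distribution): validate the four
# lines that input.sh fetches from output.sh before they reach MRTG.
# MRTG expects: line 1 = IPv6 users, line 2 = total users,
# line 3 = uptime, line 4 = a comment. After a failed fetch the file is
# empty, and an Apache error page is HTML; neither must be graphed.

# Prints four validated lines. Exit status 0 when the input was well
# formed, 1 when a placeholder had to be substituted.
validate_mrtg_input() {
    _data=$1
    _ipv6=$(printf '%s\n' "$_data" | sed -n '1p')
    _total=$(printf '%s\n' "$_data" | sed -n '2p')
    _uptime=$(printf '%s\n' "$_data" | sed -n '3p')
    _ok=1
    # both counters must be unsigned integers
    case "$_ipv6" in ''|*[!0-9]*) _ok=0 ;; esac
    case "$_total" in ''|*[!0-9]*) _ok=0 ;; esac
    # an IPv6 user is also a user, so IPv6 users can never exceed the total
    if [ "$_ok" -eq 1 ] && [ "$_ipv6" -gt "$_total" ]; then
        _ok=0
    fi
    # uptime from output.sh is a single token such as "3days"
    case "$_uptime" in ''|*[[:space:]]*) _ok=0 ;; esac
    if [ "$_ok" -eq 1 ]; then
        printf '%s\n%s\n%s\nOpengate User Counter\n' "$_ipv6" "$_total" "$_uptime"
        return 0
    fi
    printf '0\n0\nunknown\nOpengate User Counter (invalid data)\n'
    return 1
}

# In input.sh on the MRTG host this would replace the bare "cat $file":
#   fetch -o "$file" "$url" > /dev/null 2>&1 || : > "$file"
#   validate_mrtg_input "$(cat "$file")"
```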
\r
<div align="right"><A href="#mrtg0">back</A> <A href="#top">top</A></div><!-- ************ 3 ************** -->

<h4>G.3 Start confirmation<A class=anchor href="#mrtg3" name=mrtg3>†</A></h4>

<p>After the setup is complete, run MRTG once by hand to confirm it works.</p>

<table><tr><td><pre>
# /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg
</pre></td></tr></table>

<p>Various WARNING messages are output the first and second time it is run.</p>

<p>The following files are then present in "WorkDir".</p>

<table><tr><td><pre>> ls -l
-rw-r--r-- 1 root wheel 538 12 14 04:40 mrtg-l.png
-rw-r--r-- 1 root wheel 414 12 14 04:40 mrtg-m.png
-rw-r--r-- 1 root wheel 1759 12 14 04:40 mrtg-r.png
-rw-r--r-- 1 root wheel 2941 12 20 15:15 opengate-day.png
-rw-r--r-- 1 root wheel 2146 12 20 14:35 opengate-month.png
-rw-r--r-- 1 root wheel 2867 12 20 14:55 opengate-week.png
-rw-r--r-- 1 root wheel 1897 12 20 05:00 opengate-year.png
-rw-r--r-- 1 root wheel 5961 12 20 15:15 opengate.html
-rw-r--r-- 1 root wheel 48786 12 20 15:15 opengate.log
-rw-r--r-- 1 root wheel 48784 12 20 15:10 opengate.old
</pre></td></tr></table>

<div align="right"><A href="#mrtg0">back</A> <A href="#top">top</A></div>

<!-- ************ 4 ************** -->

<h4>G.4 Setup crontab<A class=anchor href="#mrtg4" name=mrtg4>†</A></h4>

<p>Add the following line to "/etc/crontab".</p>

<table><tr><td><pre>
*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg
</pre></td></tr></table>

<div align="right"><A href="#mrtg0">back</A> <A href="#top">top</A></div>

<!-- ************ 1 ************** -->

<h3>H rulechk Install(Optional)<A class=anchor href="#rulechk" name=rulechk>†</A></h3>

<p>This is optional. When an Opengate process terminates abnormally, a superfluous firewall rule might be left behind. Though this is very rare, a script that deals with the case is provided in tools/rulechk. The script is compatible with Opengate Ver1.3.1 or later. It compares the Opengate process list with the firewall rule list and deletes the superfluous rules.</p>

<div align="right"><A href="#rulechk">back</A> <A href="#top">top</A></div>
