-<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\r
-<HTML>\r
-<HEAD>\r
- <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">\r
- <TITLE>Opengate Install</TITLE>\r
-\r
-</HEAD>\r
-<BODY LANG="en-US" BGCOLOR="#fafff0" DIR="ltr">\r
-<H2><A href="#top" name=top><FONT SIZE=4>Opengate Installation\r
-Procedure</FONT></A></H2>\r
-\r
-<!-- Start:content table -->\r
-<UL>\r
- <LI><A href="#outline0">Outline</A>\r
- \r
- <UL>\r
- <LI><A href="#outline1">System Configuration</A> </LI>\r
- <LI><A href="#outline2">Installation Procedure</A> </LI>\r
- <LI><A href="#outline3">Support Page</A></LI>\r
- </UL>\r
- <LI><A href="#freebsd0">FreeBSD Installation</A> </LI>\r
- <UL>\r
- <LI><A href="#freebsd1">Basic Installation</A> </LI>\r
- <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>\r
- <LI><A href="#freebsd3">Setting up IPv6</A></LI>\r
- </UL>\r
- <LI><A href="#bind0">BIND9 Installation (Optional)</A> </LI>\r
- <UL>\r
- <LI><A href="#bind1">Ports Installation</A> </LI>\r
- <LI><A href="#bind2">Making RNDC Key</A> </LI>\r
- <LI><A href="#bind3">Setting up named.conf</A> </LI>\r
- <LI><A href="#bind4">Creating a Zone file</A> </LI>\r
- <LI><A href="#bind5">Checking Behavior</A></LI>\r
- </UL>\r
- <LI><A href="#dhcp0">isc-dhcp3 Installation (Optional)</A> \r
- <UL>\r
- <LI><A href="#dhcp1">Ports Installation</A> </LI>\r
- <LI><A href="#dhcp2">Setting up DHCP</A></LI>\r
- </UL>\r
- <LI><A href="#apache0">Apache2 Installation</A> </LI>\r
- <UL>\r
- <LI><A href="#apache1">Ports Installation</A> </LI>\r
- <LI><A href="#apache2">Making Certificates</A> </LI>\r
- <LI><A href="#apache3">Setting up VirtualHost</A> </LI>\r
- <LI><A href="#apache4">Other Settings and Checking the Installation</A></LI>\r
- </UL>\r
- <li class="list_alpha"><A href="#sqlite0">SQLite3 Installation</A>\r
- <ul>\r
- <li class="list_num"><A href="#sqlite1">Installation</A></li>\r
- <li class="list_num"><A href="#sqlite2">Checking</A></li>\r
- </ul></li>\r
- <LI><A href="#opengate0">Opengate Installation</A> </LI>\r
- <UL>\r
- <LI><A href="#opengate1">Opengate Package</A> </LI>\r
- <LI><A href="#opengate2">Installation</A> </LI>\r
- <LI><A href="#opengate3">Setting up Config File</A> </LI>\r
- <LI><A href="#opengate4">Setting up IPFW</A> </LI>\r
- <LI><A href="#opengate5">Setting up Syslog</A> </LI>\r
- <LI><A href="#opengate6">Checking Behavior</A> </LI>\r
- <LI><A href="#opengate7">Modifying Pages</A> </LI>\r
- <LI><A href="#opengate8">Setting up SQLite3</A> </LI>\r
- </UL>\r
- <LI><A href="#mrtg0">MRTG Install(Optional)</A> </LI>\r
- <UL>\r
- <LI><A href="#mrtg1">Ports Installation</A> </LI>\r
- <LI><A href="#mrtg2">Setting up MRTG</A> </LI>\r
- <LI><A href="#mrtg3">Confirming MRTG Startup Operation</A> </LI>\r
- <LI><A href="#mrtg4">Registering to Crontab</A> </LI>\r
- </UL>\r
- <LI><A href="#rulechk">rulechk Installation (Optional)</A> </LI>\r
-</UL>\r
-\r
-<BR><BR>\r
-<P></P><!-- End:content table --><!-- Start:Outline -->\r
-\r
-\r
-<H3><A href="#outline0" name=outline0>A Outline</A></H3>\r
-<UL>\r
- <LI><A href="#outline1">System Configuration</A> </LI>\r
-\r
- <LI><A href="#outline2">Installation Procedure</A> </LI>\r
-</UL>\r
-\r
-<H4><!-- ************1************* -->\r
-<A href="#outline1" name=outline1>A.1 System\r
-Configuration</A></H4>\r
-<UL>\r
- <LI>Gateway Machine </LI>\r
- <UL>\r
- <LI>FreeBSD Ver 6.1 or later </LI>\r
- <LI>Having two or more NICs </LI>\r
- </UL></LI>\r
-</UL>\r
-<P>In this document, we use the system configuration as follows. The\r
-network connecting terminals is called "lower-side network" and\r
-the network having servers is called "upper-side network".</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>upper-side network:192.168.0.0/24, 2001:1:2:3/64\r
-Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4\r
-Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1\r
-lower-side network:192.168.1.0/24, 2001:5:6:7/64</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Opengate recognizes both IPv4 and IPv6 addresses, and controls\r
-both firewalls. It can be used for IPv4 control only if the FreeBSD\r
-environment is not set up for IPv6.</P>\r
-\r
-\r
-<H4><!-- ***********2************** -->\r
-<A href="#outline2" name=outline2>A.2 Installation\r
-Procedure</A></H4>\r
-<P>The following steps are necessary to complete the installation of\r
-Opengate. <BR>Items marked with '*' are mandatory.</P>\r
-<UL>\r
- <LI>FreeBSD Installation * </LI>\r
-\r
- <LI>Adding the Firewall * </LI>\r
-\r
- <LI>BIND9 Installation and Setup </LI>\r
-\r
- <LI>DHCP Installation and Setup </LI>\r
-\r
- <LI>Apache2 Installation and Setup *</LI>\r
-\r
- <LI>Opengate Installation and Setup *</LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- ***********3************** -->\r
-<A href="#outline3" name=outline3>A.2 Support Page</A></H4>\r
-<P STYLE="MARGIN-BOTTOM: 0in">The Opengate support page can be\r
-consulted at: \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE> http://www.cc.saga-u.ac.jp/opengate/index-e.html</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#outline0">back</A> <A href="#top">top</A></P>\r
-<HR>\r
-\r
-\r
-<!-- Start:FreeBSD Install-->\r
-<H3><A href="#freebsd0" name=freebsd0>B FreeBSD Installation</A></H3>\r
-<UL>\r
- <LI><A href="#freebsd1">Basic Installation</A> </LI>\r
- <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>\r
- <LI><A href="#freebsd3">Setting up IPv6</A> </LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- ************1************* -->\r
-<A href="#freebsd1" name=freebsd1>B.1 Basic Installation</A></H4>\r
-\r
-<P>Use FreeBSD4.x or later. FreeBSD6.1 or later is preferred. <BR>Choose\r
-distribution "Developer (Full sources, binaries and doc)" or\r
-"all" because we have to compile a custom kernel.</P>\r
-<P>Add the following line to "/etc/rc.conf", to enable the\r
-gateway function:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <P><CODE>gateway_enable="YES"</CODE></P>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 2 ************** --><A href="#freebsd2" name=freebsd2>B.2 Adding\r
-NAT and Firewall</A></H4>\r
-<P>Preparing the kernel to include IPFW and IP6FW functionality.</P>\r
-<P>Copy the kernel configuration file:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/src/sys/i386/conf\r
-# cp GENERIC MYKERNEL</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Add the following lines to the kernel configuration file:</P>\r
-\r
-\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
-<TR><TD>\r
-<PRE>options IPDIVERT\r
-\r
-options IPFIREWALL\r
-options IPFIREWALL_FORWARD\r
-options IPFIREWALL_VERBOSE\r
-options IPFIREWALL_VERBOSE_LIMIT=100\r
-\r
-options IPSEC\r
-device crypto</PRE>\r
-</TD></TR>\r
-</TABLE>\r
-\r
-<P>compile and install the new kernel (incl. added support for IPFW\r
-and IP6FW).</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
-<TR><TD>\r
-<PRE>#cd /usr/src\r
-#make buildkernel KERNCONF=MYKERNEL\r
-#make installkernel KERNCONF=MYKERNEL\r
-</PRE>\r
-</TD></TR>\r
-</TABLE>\r
-<P>It might be failed in old FreeBSD. In the case, execute the following.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
-<TR><TD>\r
-<PRE># config MYKERNEL\r
-# cd ../compile/MYKERNEL\r
-# make depend\r
-# make\r
-# make install</PRE>\r
-</TD></TR>\r
-</TABLE>\r
-<P>"make clean" might be requested before "make\r
-depend". \r
-</P>\r
-<P>Add the following lines to "/etc/rc.conf":</P>\r
-<P>a. FreeBSD6.0 or earlier</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>firewall_enable="YES"\r
-firewall_script="/etc/rc.firewall"\r
-firewall_type="open"\r
-\r
-ipv6_firewall_enable="YES"\r
-ipv6_firewall_script="/etc/rc.firewall6"\r
-ipv6_firewall_type="open"\r
-\r
-natd_enable="YES"\r
-natd_interface="fxp1"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>b. FreeBSD6.1 or later</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>firewall_enable="YES"\r
-firewall_script="/etc/rc.firewall"\r
-firewall_type="open"\r
-\r
-natd_enable="YES"\r
-natd_interface="fxp1"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>When enabling IPFW (and IP6FW), make sure\r
-to also set the firewall_type to 'OPEN', to prevent unpredictable\r
-system behavior during installation. <BR>To enable NAT, set\r
-natd_enable to 'YES' and define the natd interface (Upper-side\r
-interface).</P>\r
-<P>Connect a client pc to the lower-side\r
-network and check the IPv4 behavior.<BR>Since DHCP is not yet set up,\r
-the client's network settings must be configured manually.</P>\r
-<P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 3 ************** -->\r
-<A href="#freebsd3" name=freebsd3>B.3 Setting up IPv6</A></H4>\r
-<P>If you need IPv4 only, this section can\r
-be skipped. <BR>Though explanation is omitted, many parameters, like\r
-the ones used in the following sample, can be set in /etc/rc.conf.\r
-<BR>It is advised to read up on IPv6 and carefully set up its\r
-parameters. \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>##ENABLE IPv6\r
-ipv6_enable="YES"\r
-ipv6_network_interfaces="gif0 fxp0"\r
-\r
-##TUNNELLING INTERFACE\r
-gif_interfaces="gif0"\r
-gifconfig_gif0="192.168.0.124 192.168.0.126"\r
-\r
-##IPv6 ADDRESS \r
-ipv6_prefix_fxp0="2001:5:6:7"\r
-ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"\r
-\r
-##ADVERTISE\r
-rtadvd_enable="YES"\r
-rtadvd_interfaces="fxp0"\r
-\r
-##DEFAULT GATEWAY\r
-ipv6_default_interface="gif0"\r
-ipv6_defaultrouter="fe80::a:b:c:d%gif0"\r
-\r
-##ROUTING(RIPv6)\r
-ipv6_gateway_enable="YES"\r
-ipv6_router_enable="YES"\r
-ipv6_router="/usr/sbin/route6d"\r
-ipv6_router_flags="-O 2001:5:6:7::/64,gif0"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Connect a client pc to the lower-side\r
-network and check the behavior of IPv6.<BR>On a Windows pc, the\r
-command "ipv6 install" might be needed to activate IPv6.</P>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#ipfw0">back</A> <A href="#top">top</A></P>\r
-<HR>\r
-\r
-\r
-<H3><!-- Start:BIND9 Install --><A href="#bind0" name=bind0>C BIND9\r
-Install(Optional)</A></H3>\r
-<UL>\r
- <LI><A href="#bind1">Ports Install</A></LI>\r
- <LI><A href="#bind2">Making RNDC Key</A></LI>\r
- <LI><A href="#bind3">Setting up named.conf</A></LI>\r
- <LI><A href="#bind4">Creating up a Zone file</A> </LI>\r
- <LI><A href="#bind5">Checking Behavior</A> </LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- ********** 1 *********** -->\r
-<A href="#bind1" name=bind1>C.1 Ports Install</A></H4>\r
-\r
-<P> You can ignore DNS\r
-settings, if you control with IP address base\r
-or use existing DNS servers.</P>\r
-<P> Installing BIND9 from\r
-ports:<BR> \r
-Note: The "sysinstall" command can also be used.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/ports/dns/bind9/\r
-# make clean\r
-# make install clean ; rehash</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>During installation the directory "/etc/namedb\r
-(/var/named/etc/namedb)" is created.</P>\r
-<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ********** 2 ********** -->\r
-<A href="#bind2" name=bind2>C.2 Making RNDC key</A></H4>\r
-<P>Use the "rndc" command to further secure BIND9.</P>\r
-<P>Create the rndc key as follows:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /etc/namebd/\r
-# rndc-confgen -b 512 > rndc.conf</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>This will generate the "rndc.conf" file.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># Start of rndc.conf\r
-key "rndc-key" {\r
- algorithm hmac-md5;\r
- secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
-};\r
-\r
-options {\r
- default-key "rndc-key";\r
- default-server 127.0.0.1;\r
- default-port 953;\r
-};\r
-# End of rndc.conf\r
-\r
-# Use with the following in named.conf, adjusting the allow list as needed:\r
-# key "rndc-key" {\r
-# algorithm hmac-md5;\r
-# secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
-# };\r
-# \r
-# controls {\r
-# inet 127.0.0.1 port 953\r
-# allow { 127.0.0.1; } keys { "rndc-key"; };\r
-# };\r
-# End of named.conf</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ********* 3 ********* -->\r
-<A href="#bind3" name=bind3>C.3 Setting up named.conf</A></H4>\r
-<P>After installation, look for the\r
-"/etc/namedb/named.conf" file and copy the last half of the\r
-"rndc.conf" file to it, making sure to remove comments, and\r
-add IPv6 configuration where/if required.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># Use with the following in named.conf, adjusting the allow list as needed:\r
-key "rndc-key" {\r
- algorithm hmac-md5;\r
- secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";\r
-};\r
-\r
-controls {\r
- inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };\r
- inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };\r
-};\r
-# End of named.conf</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>For security reasons, it is better to write the "key"\r
-directive in the other file.</P>\r
-<P>Edit the "options" directive in "named.conf":</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>options {\r
- directory "/etc/namedb";\r
- pid-file "/var/run/named/pid";\r
- auth-nxdomain yes;\r
- listen-on-v6 { any; };\r
-};</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Create the corresponding "pid" directory.</P>\r
-<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ******** 4 ********* -->\r
-<A href="#bind4" name=bind4>C.4 Creating a Zone file</A></H4>\r
-<P>Edit the "view" and "zone" directives in "named.conf".</P>\r
-<P>The "view" directive is implemented in BIND9. Replying\r
-to the inquiries from matched-clients, BIND9 sends the information as\r
-described in the corresponding "view"</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>view "og" {\r
- match-clients\r
- {\r
- 192.168.1.0/24;\r
- };\r
-\r
- recursion yes;\r
-\r
- zone "." {\r
- type hint;\r
- file "named.root";\r
- };\r
-\r
- zone "og.saga-u.ac.jp" {\r
- type master;\r
- file "og.saga-u.ac.jp";\r
- };\r
-\r
- zone "0.0.127.IN-ADDR.ARPA" {\r
- type master;\r
- file "master/localhost.rev";\r
- };\r
-\r
- // RFC 3152\r
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {\r
- type master;\r
- file "master/localhost-v6.rev";\r
- };\r
-\r
- // RFC 1886 -- deprecated\r
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\\r
- 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {\r
- type master;\r
- file "master/localhost-v6.rev";\r
- };\r
-};</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P><BR>Make a "zone" file for the domain "og.saga-u.ac.jp".\r
-<BR>The domain name and IPv4/6 addresses should be modified properly.\r
-If you don't need IPv6, remove the line containing "AAAA ....".</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>$TTL 3600\r
-$ORIGIN og.saga-u.ac.jp.\r
-\r
-@ IN SOA ns.og.saga-u.ac.jp. postmaster (\r
- 2005051702 ;\r
- 3600\r
- 1200\r
- 2419200\r
- 86400 )\r
- IN NS ns.og.saga-u.ac.jp.\r
- IN A 192.168.1.1\r
- IN MX 10 opengate.og.saga-u.ac.jp.\r
-\r
-ns IN A 192.168.1.1\r
-\r
-opengate IN A 192.168.1.1\r
- AAAA 2001:5:6:7::1</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ********* 5 ********* -->\r
-<A href="#bind5" name=bind5>C.5 Checking Behavior</A></H4>\r
-<P>Confirm starting of "named" after completings its\r
-configuration.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># /usr/local/sbin/named -u bind -c /etc/namedb/named.conf</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>If "named" starts without problems, add the following\r
-lines to "/etc/rc.conf" to allow it to automatically start\r
-on boot up.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>named_enable="YES"\r
-named_program="/usr/local/sbin/named"\r
-named_flags="-u bind -c /etc/namedb/named.conf"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Because the management of a DNS server\r
-can be complicated, it is strongly advised to carefully read the\r
-BIND9 manual, and/or consult other documentation.</P>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#bind0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<HR>\r
-<H3><!-- Start:isc-dhcp3 Install -->\r
-<A href="#dhcp0" name=dhcp0>D isc-dhcp3 Installation (Optional)</A></H3>\r
-<UL>\r
- <LI><A href="#dhcp1">Ports Installation</A> \r
- <LI><A href="#dhcp2">Setting up DHCP</A> </LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- *********** 1 ************* -->\r
-<A href="#dhcp1" name=dhcp1>D.1 Ports Install</A></H4>\r
-<P>If many client PCs are going to be\r
-connected, using the DHCP service might be a desirable solution for\r
-assigning IP addresses to these clients.</P>\r
-<P>Installing isc-dhcp3 from ports:<BR>Note:\r
-the "sysinstall" command can also be used.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/ports/net/isc-dhcp3-server\r
-# make clean\r
-# make install clean ; rehash</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#dhcp0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 2 ************** -->\r
-<A href="#dhcp2" name=dhcp2>D.2 Setting up DHCP</A></H4>\r
-<P>The"/usr/local/etc/dhcpd.conf.sample"\r
- configuration file is created during installation. <BR>Copy\r
-"dhcpd.conf.sample" to "dhcpd.conf" and edit the\r
-file. <BR><BR>The following is an example setup: <BR>The lease time\r
-must be greater than the maximum usage duration (Duration/Max in\r
-opengatesrv.conf).<BR>The domain name and IP addresses should be\r
-modified. \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>option domain-name "og.saga-u.ac.jp";\r
-option domain-name-servers 192.168.1.1;\r
-option subnet-mask 255.255.255.0;\r
-option broadcast-address 192.168.1.255;\r
-option routers 192.168.1.1;\r
-\r
-default-lease-time 86400;\r
-max-lease-time 604800;\r
-ddns-update-style none;\r
-log-facility local7;\r
-\r
-subnet 192.168.55.0 netmask 255.255.255.0 {\r
- range 192.168.1.10 192.168.1.250;\r
-}</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Add the following lines to "/etc/rc.conf" to allow it to\r
-automatically start on boot up.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>dhcpd_enable="YES"\r
-dhcpd_ifaces="fxp0"\r
-dhcpd_conf="/usr/local/etc/dhcpd.conf"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>In this example, the value of\r
-"dhcpd_ifaces" is the interface providing the DHCP service\r
-<BR>(to the lower-side network).</P>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#dhcp0">back</A> <A href="#top">top</A></P>\r
-<HR>\r
-\r
-\r
-<H3><!-- Start:Apache2 Install--><A href="#apache0" name=apache0>E Apache2\r
-Installation</A></H3>\r
-<UL>\r
- <LI><A href="#apache1">Ports Installation</A> </LI>\r
- <LI><A href="#apache2">Making Certificates</A> </LI>\r
- <LI><A href="#apache3">Setting up SSL</A></LI>\r
- <LI><A href="#apache4">Other Settings and Checking the installation</A> </LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- ************ 1 ************** --><A href="#apache1" name=apache1>E.1 Ports\r
-Install</A></H4>\r
-<P>When using IPv6, Opengate needs Apache2\r
-to support IPv6. <BR>By default, Apache2 supports SSL which is\r
-preferred for secure authentication.</P>\r
-<P>Installing Apache2 from ports:<BR>Note:\r
-The "sysinstall" command can also be used.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/ports/www/apache22\r
-# make clean\r
-# make install clean ; rehash</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 2 ************** --><A href="#apache2" name=apache2>E.2 Making\r
-Certificates</A></H4>\r
-<P>It is better to obtain a formal key from\r
-some CA. But we will show you how to create a self-signed private key\r
-and certificate. \r
-</P>\r
-<P>Creating a private key:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/local/etc/apache22\r
-# mkdir ssl.key ssl.crt\r
-# chmod 700 ssl.key ssl.crt\r
-\r
-# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P><BR>Making a certificate from the created key:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># /usr/bin/openssl req -new -x509 -days 365 \\r
- -key /usr/local/etc/apache22/server.key \\r
- -out /usr/local/etc/apache22/server.crt\r
-\r
-You are about to be asked to enter information that will be incorporated\r
-into your certificate request.\r
-What you are about to enter is what is called a Distinguished Name or a DN.\r
-There are quite a few fields but you can leave some blank\r
-For some fields there will be a default value,\r
-If you enter '.', the field will be left blank.\r
------\r
-Country Name (2 letter code) [AU]:JP\r
-State or Province Name (full name) [Some-State]:Saga\r
-Locality Name (eg, city) []:Saga-city\r
-Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university\r
-Organizational Unit Name (eg, subsection) []:Opengate Management\r
-Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp\r
-Email Address []:administrator@opengate.og.saga-u.ac.jp\r
-\r
-Please enter the following 'extra' attributes\r
-to be sent with your certificate request\r
-A challenge password []:\r
-An optional company name []:</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 3 ************** --><A href="#apache3" name=apache3>E.3 \r
-Setting up SSL</A></H4>\r
-<P>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" as\r
-shown in the following example:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <P>ssl.conf \r
- </P>\r
- </TD>\r
- </TR>\r
- <TR>\r
- <TD>\r
- <PRE><VirtualHost _default_:443>\r
- DocumentRoot "/usr/local/www/apache22/data"\r
- ServerName opengate.og.saga-u.ac.jp:443\r
- ServerAdmin administrator@opengate.og.saga-u.ac.jp\r
- ErrorLog "|/usr/bin/logger -p local6.info"\r
- CustomLog "|/usr/bin/logger -p local5.info" combined\r
-\r
- SSLEngine on\r
- SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL\r
- SSLCertificateFile /usr/local/etc/apache22/server.crt\r
- SSLCertificateKeyFile /usr/local/etc/apache22/server.key\r
-</VirtualHost></PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Since Apache2 has many settings,\r
-familiarize yourself with the Apache2 configuration options for\r
-adequate control.</P>\r
-<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 4 ************** --><A href="#apache4" name=apache4>E.4 Other\r
-Settings and Checking the Installation</A></H4>\r
-<P>Edit "/usr/local/etc/apache22/httpd.conf" as follows:</P>\r
-<P>Opengate should send back the\r
-authentication page in response to any kind of HTTP request. <BR>To\r
-do so, add the following line to httpd.conf: <BR> (the top page will\r
-be sent back on an HTTP_ERROR 404 [file not found] error).</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>ErrorDocument 404 /</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P><BR>Add "ExecCGI" to allow executing CGI programs in the\r
-cgi-bin directory.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE><Directory "/usr/local/www/cgi-bin">\r
- ...\r
- Options ExecCGI\r
- ...\r
-</Directory></PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Remove the comment mark ("#") to\r
-enable the following setting: \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>AddHandler cgi-script .cgi\r
-AddHandler type-map .var</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Add "index.html.var" to\r
-DirectoryIndex: \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>DirectoryIndex index.html.var index.html</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Include ssl conf file:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>Include etc/apache22/extra/httpd-ssl.conf</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Set ServerName: \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>ServerName opengate.og.saga-u.ac.jp</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Start Apache2 with "apachectl start"\r
-and check for errors. <BR>If no errors are displayed, add the\r
-following lines to "/etc/rc.conf" to allow Apache to start\r
-on boot up:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>apache22_enable="YES"\r
-apache22ssl_enable="YES"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>If the system shows "Failed to\r
-enable the 'httpready' Accept Filter", add the following to\r
-/boot/loader.conf :</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>accf_http_load="YES"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Should the certificate require a PASSPHRASE, Apache will ask for it during\r
-boot up.<BR> If you do not enter the passphrase (reboot due to\r
-power outage, remote reboot, ,...), this will prevent <BR> the server from starting Apache normally, \r
-i.e. leaving you with a possible "crippled" server.</P>\r
-<BLOCKQUOTE>\r
-<P>\r
-Easy fix:<BR>\r
-1. create a simple script containing the following:<BR>\r
-#!/bin/sh<BR>\r
-echo "<passphrase goes here>"<BR>\r
-<BR>2. add the following to httpd.conf:<BR>\r
-SSLPassPhraseDialog exec:/path/to/above/script\r
-</P></BLOCKQUOTE>\r
-\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#apache0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<!-- Start:SQLite3 Installation -->\r
-<h3><A class=anchor href="#sqlite0" name=sqlite0>F SQLite3 Installation</A></h3>\r
-<ul>\r
- <li class="list_num"><A href="#sqlite1">Inatallation</A></li>\r
- <li class="list_num"><A href="#sqlite2">Checking</A></li>\r
-</ul>\r
-\r
-<!-- ************ 1 ************** -->\r
-<h4><A class=anchor href="#sqlite1" name=sqlite1>F.1 Installation</A></h4>\r
-\r
-\r
-<p>Download archive file from SQLite site(www.sqlite.org). Install it as follows.</p>\r
-\r
-<table><tr><td><pre>\r
-# tar xzvf sqlite-amalgamation-3.xx.xx.tar.gz\r
-# cd sqlite-3.xx.xx\r
-# ./configure\r
-# make\r
-# make install\r
-</pre></td></tr></table>\r
-\r
-<div align="right"><A href="#sqlite0">back</A> <A href="#top">top</A></div>\r
-\r
-<!-- ************ 2 ************** -->\r
-<h4><A class=anchor href="#sqlite2" name=sqlite2>F.2 Checking</A></h4>\r
-\r
-<p>\r
-Check the normal execution.\r
-\r
-<table><tr><td><pre>\r
-# sqlite3\r
-SQLite version 3.xx.xx\r
-Enter ".help" for instructions\r
-Enter SQL statements terminated with a ";"\r
-sqlite> .quit\r
-#\r
-</pre></td></tr></table>\r
-\r
-<div align="right"><A href="#sqlite0">back</A> <A href="#top">top</A></div>\r
-\r
-<HR>\r
-<H3><!-- Start:Opengate Install -->\r
-<A href="#opengate0" name=opengate0>G Opengate Installation</A></H3>\r
-<UL>\r
- <LI><A href="#opengate1">Opengate Package</A> \r
- <LI><A href="#opengate2">Installation</A> </LI>\r
- <LI><A href="#opengate3">Setting up Config File</A> </LI>\r
- <LI><A href="#opengate4">Setting up IPFW</A> </LI>\r
- <LI><A href="#opengate5">Setting up syslog</A> </LI>\r
- <LI><A href="#opengate6">Checking Behavior</A> </LI>\r
- <LI><A href="#opengate7">Modifying Pages</A> </LI>\r
- <LI><A href="#opengate8">Setting up SQLite3</A> </LI>\r
-</UL>\r
-\r
-\r
-<H4><!-- ************1************* -->\r
-<A href="#opengate1" name=opengate1>G.1 Opengate\r
-Package</A></H4>\r
-<P>Unpack the Opengate compressed file: \r
-</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># tar xzvf opengatexxxx.tar.gz</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>It contains the following directories:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>doc: Documentation\r
-conf: Configuration files and firewall control Perl script sample\r
-javahtml: Client Programs and HTML files\r
-opengatesrv: Server CGI programs\r
-tools: Some related tools\r
-ezxml: XML parser (Copyright Aaron Voisine)</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************2************* -->\r
-<A href="#opengate2" name=opengate2>G.2 Installation</A></H4>\r
-<P>Check the settings in "opengatesrv/Makefile" and modify\r
-if needed:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>HTMLTOP = /usr/local/www/apache22\r
-DOCDIR = /data\r
-CGIDIR = /cgi-bin\r
-OPENGATEDIR = /opengate\r
-CONFIGPATH = /etc/opengate</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Compile and Install:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># make clean\r
-# make install</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 3 ************** -->\r
-<A href="#opengate3" name=opengate3>G.3 Setting up Config File</A></H4>\r
-\r
-<P>Copy the sample configuration file\r
-"/etc/opengate/opengatesrv.conf.sample" to\r
-"/etc/opengate/opengatesrv.conf" and modify. <BR>The\r
-following settings must be changed:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE> <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>\r
-\r
- <AuthServer>\r
- <Protocol>pop3s</Protocol>\r
- <Address>192.168.0.2</Address>\r
- </AuthServer></PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>In <OpengateServerName>, set the\r
-HOSTNAME(FQDN) or IP address of the opengate gateway server. If you\r
-want to use IPv6, you need to set the FQDN corresponding to both IPv4\r
-and IPv6 addresses.</P>\r
-<P>In <AuthServer>, set the\r
-information for the authentication server. Opengate supports various\r
-authentication protocols. See the config file for details. <BR>To\r
-differentiate between erorrs caused by authentication server or those\r
-caused by the opengate server, try the following setting first. This\r
-means that any userid and password combination is accepted.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE> ****Do not use this setting in real service****\r
- <AuthServer>\r
- <Protocol>accept</Protocol> \r
- <AuthServer></PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>The config file is XML. "#" marks in\r
-the file do not represent the start of a comment. <BR>Use\r
-XML-formatted comments like <!-- Comment String --> to disable\r
-a description.</P>\r
-<P>Opengate can pass authentication settings\r
-in the form of "userid@extid". <BR>See the config file for\r
-more details. <BR>By using this function, you can use different\r
-authentication servers for many sections or guests.</P>\r
-<P>When the primary authentication server\r
-does not reply, Opengate can resend the request to other\r
-authentication servers. See the config file for more details.</P>\r
-<P>Caution: Do not delete the IPv6 related\r
-settings in the config file! <BR> The IPv6 access is executed when\r
-the FQDN for IPv6 is prepared.</P>\r
-\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 4 ************** -->\r
-<A href="#opengate4" name=opengate4>G.4 Setting up IPFW</A></H4>\r
-<P>Write IPFW rules for Opengate. \r
-</P>\r
-<P>Both IPv4 and IPv6 packets are controlled by IPFW.</P>\r
-<P>A sample rule set for IPFW can be found in\r
-"/etc/opengate/rc.firewall.sample"</P>\r
-<P>Copy the script and modify to fit your needs. <BR> If you are\r
-not familiar with Ipv6, set IPv6 addresses as localhost (*net6="0",\r
-*ip6="::1").</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /etc/opengate\r
-# cp rc.firewall.sample rc.firewall\r
-# vi rc.firewall</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Modify the firewall settings in /etc/rc.conf as follows:<BR> Be\r
-careful not to lock yourself out of the system after reloading the\r
-firewall.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>firewall_enable="YES"\r
-firewall_script="/etc/opengate/rc.firewall"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Familiarise yourself with the "ipfw" command. <BR> The\r
-Opengate software sends out ipfw add/delete commands.</P>\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 5 ************** -->\r
-<A href="#opengate5" name=opengate5>G.5 Setting\r
-up syslog</A></H4>\r
-<P>Edit /etc/syslog.conf to save log entries for Opengate.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE> | Separated by TAB code\r
- V\r
-local1.* /var/log/opengate.log</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Make the log file as follows: <BR> Consider using log rotation to\r
-control the size of this log file.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># touch /var/log/opengate.log</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 6 ************** -->\r
-<A href="#opengate6" name=opengate6>G.6 Checking\r
-Behavior</A></H4>\r
-<P>Connect a PC to the lower-side network\r
-and try to access a site in the upper-side network. <BR>If it does\r
-not work properly, consult doc/progflow.html and doc/protocol.txt to\r
-better understand the procedure. Also check the log files for\r
-Opengate, httpd, system and others. To dump more information from\r
-Opengate, set the <Debug> switch to "2" in\r
-opengatesrv.conf. Also check the functions of related software. The\r
-error checking document (errcheck.html) and Q&A documents\r
-(qa.html, recentqa.html on the web) can be used for problem solving.</P>\r
-<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 7 ************** -->\r
-<A href="#opengate7" name=opengate7>G.7 Modifying\r
-Pages</A></H4>\r
-<P>If you want to modify the contents of the\r
-web pages, edit the html files in the Opengate directories. The\r
-relative path cannot be used in httpkeep.html. Use the full URL\r
-description. The descriptions such as %%XXX%% are variables replaced\r
-by their proper values during CGI runtime. \r
-</P>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#opengate0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<!-- ************ 8 ************** -->\r
-<h4><A class=anchor href="#opengate8" name=opengate8>G.8 Setting up SQLite3</A></h4>\r
-\r
-<p>\r
-Opengate uses the SQLite3 database to hold session information. \r
-The path of the database file is indicated with <SqliteDb> \r
-in opengatesrv.conf.\r
-It is recommended to change the default value \r
-to the proper directory.\r
-WWW sholud have write permission for the directory.\r
-</p>\r
-<table><tr><td><pre>\r
-Example:\r
--- opengatesrv.conf --\r
-<SqliteDb>/home/sqlitedb/opengate.db</SqliteDb>\r
-\r
--- shell commands --\r
-# mkdir /home/sqlitedb\r
-# chown www /home/sqlitedb\r
-</pre></td></tr></table>\r
-<p> \r
-The file and database table are created automatically.\r
-</p>\r
-\r
-As the file size incleases steadily, you should periodically trim or remove the file with cron (or manually). Following is a sample script to delete 3 day old records.</p>\r
-\r
-<table>\r
-<tr><td><pre>\r
-#!/bin/sh\r
-echo "delete from session where closeTime < datetime('now','localtime','-3days');" | sqlite3 /tmp/opengate.db\r
-exit 0\r
-</pre></td></tr>\r
-</table>\r
-\r
-<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>\r
-\r
-<hr>\r
-\r
-\r
-<H3><!-- Start:Install MRTG -->\r
-<A href="#mrtg0" name=mrtg0>H MRTG Installion (Optional)</A></H3>\r
-<UL>\r
- <LI><A href="#mrtg1">Ports Installation</A> </LI>\r
- <LI><A href="#mrtg2">Setting up MRTG</A> </LI>\r
- <LI><A href="#mrtg3">Confirming proper startup</A> </LI>\r
- <LI><A href="#mrtg4">Setting up crontab</A> </LI>\r
-</UL>\r
-\r
-<H4><!-- ************ 1 ************** -->\r
-<A href="#mrtg1" name=mrtg1>H.1 Ports Installation</A></H4>\r
-\r
-<P>This section is optional. <BR> If you want to graphically\r
-monitor the state of Opengate, MRTG can be used but is not required.</P>\r
-<P><A HREF="http://people.ee.ethz.ch/%7Eoetiker/webtools/mrtg/" TARGET="_blank">MRTG<SPAN STYLE="TEXT-DECORATION: none">\r
-</SPAN></A>(Multi Router Traffic Grapher) is a system to monitor\r
-network traffic. MRTG produces graphic images and HTML files. \r
-</P>\r
-<P>You can install MRTG on the gateway\r
-server or another server. If you need to monitor multiple Opengate\r
-systems, it is advised to install MRTG on a separate server.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># cd /usr/ports/net-mgmt/mrtg/\r
-# make clean\r
-# make install clean ; rehash</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>\r
-\r
-\r
-<H4><!-- ************ 2 ************** -->\r
-<A href="#mrtg2" name=mrtg2>H.2 Setting up MRTG</A></H4>\r
-<P>MRTG creates\r
-"/usr/local/etc/mrtg/mrtg.cfg.sample" as the sample\r
-configuration file during installation. Copy mrtg.cfg.sample to\r
-opengate.cfg and edit the file:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>##################################################\r
-# opengate user counter\r
-\r
-WorkDir: /usr/home/user/public_html/mrtg/opengate/\r
-\r
-##### Options\r
-Options[^]: growright,gauge,nopercent,integer\r
-\r
-Target[opengate]:`/usr/home/user/bin/input.sh`\r
-Title[opengate]: Opengate user counter\r
-\r
-PageTop[opengate]: <h1>Opengate user counter</h1>\r
- <p>Show the number of people using Opengate</p>\r
-\r
-# Max Number\r
-MaxBytes[opengate]: 200\r
-\r
-# Title of Y axis\r
-YLegend[opengate]: Opengate User\r
-# unit\r
-ShortLegend[opengate]: s\r
-# Title of graph LegendI: first line LegendO: second line\r
-LegendI[opengate]: IPv6 Users\r
-LegendO[opengate]: Total Users</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Be sure to actually create the directory\r
-which you appointed in "WorkDir". MRTG creates its graphic\r
-images and HTML files in "WorkDir"</P>\r
-<P>"Target[opengate]" contains the\r
-path to the program that hands its data to MRTG. <BR>(details\r
-explained below)</P>\r
-\r
-<H5>H.2.1 Scenario 1: Running MRTG on the gateway server</H5>\r
-<P>Create the shell script "/usr/home/user/bin/input.sh"\r
-with the following contents:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>#!/bin/sh\r
-\r
-#######################################\r
-##\r
-## show opengate status for MRTG\r
-##\r
-## 1 line : IPv6 Users\r
-## 2 line : Total Users\r
-## 3 line : uptime\r
-## 4 line : comment for data\r
-##\r
-#######################################\r
-\r
-LANG=C\r
-COLUMNS=256\r
-\r
-export LANG\r
-export COLUMNS\r
-\r
-### IPv6 prefix\r
-prefix="2001:2f8:22:801:"\r
-###opengateprocessname\r
-process="opengatesrv.cgi" \r
-\r
-###tmp file name\r
-tmp_all="/tmp/og_count_all.tmp"\r
-tmp_6="/tmp/og_count_6.tmp"\r
-\r
-######################################################\r
-psax | grep $process > $tmp_all\r
-COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
-grep $prefix $tmp_all > $tmp_6\r
-COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
-UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
-\r
-rm $tmp_all\r
-rm $tmp_6\r
-\r
-echo "$COUNT6"\r
-echo "$COUNT"\r
-echo "$UPTIME"\r
-echo "Opengate User Counter"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Run this shell script as standalone and confirm that you can\r
-acquire the following data:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>5\r
-48\r
-10days\r
-Opengate User Counter</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<H5>H.2.2 Scenario 2: Running MRTG on a separate server</H5>\r
-<P>Create the shell script "/usr/home/user/bin/input.sh" on\r
-a separate server.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>#!/bin/sh\r
-\r
-#######################################\r
-##\r
-## input data for MRTG\r
-##\r
-## 1 line : IPv6 Users\r
-## 2 line : Total Users\r
-## 3 line : uptime\r
-## 4 line : comment for data\r
-##\r
-#######################################\r
-\r
-# tmp file name\r
-file="/tmp/opengate.tmp"\r
-\r
-# URL of output.sh at opengate\r
-url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"\r
-\r
-fetch -o $file $url &> /dev/null\r
-\r
-more $file</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P STYLE="TEXT-INDENT: 0in">Create the shell script\r
-"/usr/local/apache2/cgi-bin/output.sh" on the Opengate\r
-(gateway) server, and set the URL to $url, as explained above.</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>#!/bin/sh\r
-\r
-#######################################\r
-##\r
-## show opengate status for MRTG\r
-##\r
-## 1 line : IPv6 Users\r
-## 2 line : Total Users\r
-## 3 line : uptime\r
-## 4 line : comment for data\r
-##\r
-#######################################\r
-\r
-LANG=C\r
-COLUMNS=256\r
-\r
-export LANG\r
-export COLUMNS\r
-\r
-### IPv6 prefix\r
-prefix="2001:2f8:22:801:"\r
-###opengateprocessname\r
-process="opengatesrv.cgi" \r
-\r
-###tmp file name\r
-tmp_all="/tmp/og_count_all.tmp"\r
-tmp_6="/tmp/og_count_6.tmp"\r
-\r
-######################################################\r
-psax | grep $process > $tmp_all \r
-COUNT = `wc-l $tmp_all | awk '{print $1}'` \r
-grep $prefix $tmp_all > $tmp_6\r
-COUNT6=`wc -l $tmp_6 | awk '{print $1}'`\r
-UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`\r
-rm $tmp_all\r
-rm $tmp_6\r
-\r
-echo "Content-type: text/plain; charset=iso-8859-1"\r
-echo\r
-\r
-echo "$COUNT6"\r
-echo "$COUNT"\r
-echo "$UPTIME"\r
-echo "Opengate User Counter"</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P>Run "input.sh" on another server and confirm that you\r
-can acquire the following data:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>5\r
-48\r
-10days\r
-Opengate User Counter</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>\r
-\r
-<H4><!-- ************ 3 ************** -->\r
-<A href="#mrtg3" name=mrtg3>H.3 Confirming MRTG Startup Operation:</A></H4>\r
-\r
-<P>Use the following command to confirm MRTG is working with your\r
-config:</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE># /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P STYLE="TEXT-INDENT: 0in">Various WARNING messages are output the\r
-first and second time, this is normal behavior <BR>(as explained in\r
-the MRTG documentation)!<BR>Some files are created in "WorkDir".</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>> ls -l\r
--rw-r--r-- 1 root wheel 538 12 14 04:40 mrtg-l.png\r
--rw-r--r-- 1 root wheel 414 12 14 04:40 mrtg-m.png\r
--rw-r--r-- 1 root wheel 1759 12 14 04:40 mrtg-r.png\r
--rw-r--r-- 1 root wheel 2941 12 20 15:15 opengate-day.png\r
--rw-r--r-- 1 root wheel 2146 12 20 14:35 opengate-month.png\r
--rw-r--r-- 1 root wheel 2867 12 20 14:55 opengate-week.png\r
--rw-r--r-- 1 root wheel 1897 12 20 05:00 opengate-year.png\r
--rw-r--r-- 1 root wheel 5961 12 20 15:15 opengate.html\r
--rw-r--r-- 1 root wheel 48786 12 20 15:15 opengate.log\r
--rw-r--r-- 1 root wheel 48784 12 20 15:10 opengate.old</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>\r
-\r
-<H4><!-- ************ 4 ************** -->\r
-<A href="#mrtg4" name=mrtg4>H.4 Registering to Crontab</A></H4>\r
-\r
-<P>Add the following line to "/etc/crontab":</P>\r
-<TABLE CELLPADDING=2 CELLSPACING=2>\r
- <TR>\r
- <TD>\r
- <PRE>*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>\r
- </TD>\r
- </TR>\r
-</TABLE>\r
-<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>\r
-\r
-<HR>\r
-<H3><!-- Start:Install rulechk -->\r
-<A href="#rulechk" name=rulechk>I rulechk Installation (Optional)</A></H3>\r
-\r
-<P>This section is optional. <BR>When the\r
-Opengate process is not exited normally, superfluous rules might be\r
-left behind. <BR>Though it is \r
-very rare, the tools/rulechk script is made to handle such situations. This \r
-script compares the Opengate process list and the firewall rule list, and \r
-deletes the obsolete rules.<BR>This script is compatible with Opengate Ver1.3.1 or above. \r
-</P>\r
-<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#rulechk">back</A> <A href="#top">top</A></P>\r
-</BODY>\r
-</HTML>\r
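Review bot: this hunk deletes every line of the old file and re-adds it because the line endings change from CRLF (the trailing `\r` on each `-` line) to LF, so any real content change is hidden inside a whole-file rewrite; commit the line-ending normalization on its own (or review with a CR-ignoring diff) so the substantive edits can actually be checked. While the old text is still visible, make sure the defects in the MRTG helper scripts (H.2.1 and the `output.sh` CGI in H.2.2) are not carried over unchanged: `psax | grep $process > $tmp_all` needs `ps ax`, and `COUNT = \`wc-l $tmp_all | awk '{print $1}'\`` is not an assignment under `/bin/sh` (spaces around `=`, and `wc-l` is not a command), so `$COUNT` is always empty; `grep $process` on `ps` output also matches the grep process itself and inflates the count by one. In the separate-server `input.sh`, `fetch -o $file $url &> /dev/null` under `#!/bin/sh` is not POSIX: `&` backgrounds `fetch`, so `more $file` runs before the download finishes. The G.8 cleanup script operates on `/tmp/opengate.db` while the configuration example sets `<SqliteDb>/home/sqlitedb/opengate.db</SqliteDb>`; the two paths should agree.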
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+<HTML>
+<HEAD>
+ <META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=utf-8">
+ <TITLE>Opengate Install</TITLE>
+
+</HEAD>
+<BODY LANG="en-US" BGCOLOR="#fafff0" DIR="ltr">
+<H2><A href="#top" name=top><FONT SIZE=4>Opengate Installation
+Procedure</FONT></A></H2>
+
+<!-- Start:content table -->
+<UL>
+ <LI><A href="#outline0">Outline</A>
+
+ <UL>
+ <LI><A href="#outline1">System Configuration</A> </LI>
+ <LI><A href="#outline2">Installation Procedure</A> </LI>
+ <LI><A href="#outline3">Support Page</A></LI>
+ </UL>
+ <LI><A href="#freebsd0">FreeBSD Installation</A> </LI>
+ <UL>
+ <LI><A href="#freebsd1">Basic Installation</A> </LI>
+ <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>
+ <LI><A href="#freebsd3">Setting up IPv6</A></LI>
+ </UL>
+ <LI><A href="#bind0">BIND9 Installation (Optional)</A> </LI>
+ <UL>
+ <LI><A href="#bind1">Ports Installation</A> </LI>
+ <LI><A href="#bind2">Making RNDC Key</A> </LI>
+ <LI><A href="#bind3">Setting up named.conf</A> </LI>
+ <LI><A href="#bind4">Creating a Zone file</A> </LI>
+ <LI><A href="#bind5">Checking Behavior</A></LI>
+ </UL>
+ <LI><A href="#dhcp0">isc-dhcp3 Installation (Optional)</A>
+ <UL>
+ <LI><A href="#dhcp1">Ports Installation</A> </LI>
+ <LI><A href="#dhcp2">Setting up DHCP</A></LI>
+ </UL>
+ <LI><A href="#apache0">Apache2 Installation</A> </LI>
+ <UL>
+ <LI><A href="#apache1">Ports Installation</A> </LI>
+ <LI><A href="#apache2">Making Certificates</A> </LI>
+ <LI><A href="#apache3">Setting up VirtualHost</A> </LI>
+ <LI><A href="#apache4">Other Settings and Checking the Installation</A></LI>
+ </UL>
+ <li class="list_alpha"><A href="#sqlite0">SQLite3 Installation</A>
+ <ul>
+ <li class="list_num"><A href="#sqlite1">Installation</A></li>
+ <li class="list_num"><A href="#sqlite2">Checking</A></li>
+ </ul></li>
+ <LI><A href="#opengate0">Opengate Installation</A> </LI>
+ <UL>
+ <LI><A href="#opengate1">Opengate Package</A> </LI>
+ <LI><A href="#opengate2">Installation</A> </LI>
+ <LI><A href="#opengate3">Setting up Config File</A> </LI>
+ <LI><A href="#opengate4">Setting up IPFW</A> </LI>
+ <LI><A href="#opengate5">Setting up Syslog</A> </LI>
+ <LI><A href="#opengate6">Checking Behavior</A> </LI>
+ <LI><A href="#opengate7">Modifying Pages</A> </LI>
+ <LI><A href="#opengate8">Setting up SQLite3</A> </LI>
+ </UL>
+ <LI><A href="#mrtg0">MRTG Install(Optional)</A> </LI>
+ <UL>
+ <LI><A href="#mrtg1">Ports Installation</A> </LI>
+ <LI><A href="#mrtg2">Setting up MRTG</A> </LI>
+ <LI><A href="#mrtg3">Confirming MRTG Startup Operation</A> </LI>
+ <LI><A href="#mrtg4">Registering to Crontab</A> </LI>
+ </UL>
+ <LI><A href="#rulechk">rulechk Installation (Optional)</A> </LI>
+</UL>
+
+<BR><BR>
+<P></P><!-- End:content table --><!-- Start:Outline -->
+
+
+<H3><A href="#outline0" name=outline0>A Outline</A></H3>
+<UL>
+ <LI><A href="#outline1">System Configuration</A> </LI>
+
+ <LI><A href="#outline2">Installation Procedure</A> </LI>
+</UL>
+
+<H4><!-- ************1************* -->
+<A href="#outline1" name=outline1>A.1 System
+Configuration</A></H4>
+<UL>
+ <LI>Gateway Machine </LI>
+ <UL>
+ <LI>FreeBSD Ver 6.1 or later </LI>
+ <LI>Having two or more NICs </LI>
+ </UL></LI>
+</UL>
+<P>In this document, we use the system configuration as follows. The
+network connecting terminals is called "lower-side network" and
+the network having servers is called "upper-side network".</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>upper-side network:192.168.0.0/24, 2001:1:2:3/64
+Gateway to upper-side network:fxp1, 192.168.0.124, 2001:1:2:3::4
+Gateway to lower-side network:fxp0, 192.168.1.1, 2001:5:6:7::1
+lower-side network:192.168.1.0/24, 2001:5:6:7/64</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Opengate recognizes both IPv4 and IPv6 addresses, and controls
+both firewalls. It can be used for IPv4 control only if the FreeBSD
+environment is not set up for IPv6.</P>
+
+
+<H4><!-- ***********2************** -->
+<A href="#outline2" name=outline2>A.2 Installation
+Procedure</A></H4>
+<P>The following steps are necessary to complete the installation of
+Opengate. <BR>Items marked with '*' are mandatory.</P>
+<UL>
+ <LI>FreeBSD Installation * </LI>
+
+ <LI>Adding the Firewall * </LI>
+
+ <LI>BIND9 Installation and Setup </LI>
+
+ <LI>DHCP Installation and Setup </LI>
+
+ <LI>Apache2 Installation and Setup *</LI>
+
+ <LI>Opengate Installation and Setup *</LI>
+</UL>
+
+
+<H4><!-- ***********3************** -->
+<A href="#outline3" name=outline3>A.2 Support Page</A></H4>
+<P STYLE="MARGIN-BOTTOM: 0in">The Opengate support page can be
+consulted at:
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE> http://www.cc.saga-u.ac.jp/opengate/index-e.html</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#outline0">back</A> <A href="#top">top</A></P>
+<HR>
+
+
+<!-- Start:FreeBSD Install-->
+<H3><A href="#freebsd0" name=freebsd0>B FreeBSD Installation</A></H3>
+<UL>
+ <LI><A href="#freebsd1">Basic Installation</A> </LI>
+ <LI><A href="#freebsd2">Adding NAT and Firewall</A> </LI>
+ <LI><A href="#freebsd3">Setting up IPv6</A> </LI>
+</UL>
+
+
+<H4><!-- ************1************* -->
+<A href="#freebsd1" name=freebsd1>B.1 Basic Installation</A></H4>
+
+<P>Use FreeBSD4.x or later. FreeBSD6.1 or later is preferred. <BR>Choose
+distribution "Developer (Full sources, binaries and doc)" or
+"all" because we have to compile a custom kernel.</P>
+<P>Add the following line to "/etc/rc.conf", to enable the
+gateway function:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <P><CODE>gateway_enable="YES"</CODE></P>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 2 ************** --><A href="#freebsd2" name=freebsd2>B.2 Adding
+NAT and Firewall</A></H4>
+<P>Preparing the kernel to include IPFW and IP6FW functionality.</P>
+<P>Copy the kernel configuration file:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/src/sys/i386/conf
+# cp GENERIC MYKERNEL</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Add the following lines to the kernel configuration file:</P>
+
+
+<TABLE CELLPADDING=2 CELLSPACING=2>
+<TR><TD>
+<PRE>options IPDIVERT
+
+options IPFIREWALL
+options IPFIREWALL_FORWARD
+options IPFIREWALL_VERBOSE
+options IPFIREWALL_VERBOSE_LIMIT=100
+
+options IPSEC
+device crypto</PRE>
+</TD></TR>
+</TABLE>
+
+<P>compile and install the new kernel (incl. added support for IPFW
+and IP6FW).</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+<TR><TD>
+<PRE>#cd /usr/src
+#make buildkernel KERNCONF=MYKERNEL
+#make installkernel KERNCONF=MYKERNEL
+</PRE>
+</TD></TR>
+</TABLE>
+<P>It might be failed in old FreeBSD. In the case, execute the following.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+<TR><TD>
+<PRE># config MYKERNEL
+# cd ../compile/MYKERNEL
+# make depend
+# make
+# make install</PRE>
+</TD></TR>
+</TABLE>
+<P>"make clean" might be requested before "make
+depend".
+</P>
+<P>Add the following lines to "/etc/rc.conf":</P>
+<P>a. FreeBSD6.0 or earlier</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>firewall_enable="YES"
+firewall_script="/etc/rc.firewall"
+firewall_type="open"
+
+ipv6_firewall_enable="YES"
+ipv6_firewall_script="/etc/rc.firewall6"
+ipv6_firewall_type="open"
+
+natd_enable="YES"
+natd_interface="fxp1"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>b. FreeBSD6.1 or later</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>firewall_enable="YES"
+firewall_script="/etc/rc.firewall"
+firewall_type="open"
+
+natd_enable="YES"
+natd_interface="fxp1"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>When enabling IPFW (and IP6FW), make sure
+to also set the firewall_type to 'OPEN', to prevent unpredictable
+system behavior during installation. <BR>To enable NAT, set
+natd_enable to 'YES' and define the natd interface (Upper-side
+interface).</P>
+<P>Connect a client pc to the lower-side
+network and check the IPv4 behavior.<BR>Since DHCP is not yet set up,
+the client's network settings must be configured manually.</P>
+<P ALIGN=right><A href="#freebsd0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 3 ************** -->
+<A href="#freebsd3" name=freebsd3>B.3 Setting up IPv6</A></H4>
+<P>If you need IPv4 only, this section can
+be skipped. <BR>Though explanation is omitted, many parameters, like
+the ones used in the following sample, can be set in /etc/rc.conf.
+<BR>It is advised to read up on IPv6 and carefully set up its
+parameters.
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>##ENABLE IPv6
+ipv6_enable="YES"
+ipv6_network_interfaces="gif0 fxp0"
+
+##TUNNELLING INTERFACE
+gif_interfaces="gif0"
+gifconfig_gif0="192.168.0.124 192.168.0.126"
+
+##IPv6 ADDRESS
+ipv6_prefix_fxp0="2001:5:6:7"
+ipv6_ifconfig_fxp0="2001:5:6:7::1 prefixlen 64"
+
+##ADVERTISE
+rtadvd_enable="YES"
+rtadvd_interfaces="fxp0"
+
+##DEFAULT GATEWAY
+ipv6_default_interface="gif0"
+ipv6_defaultrouter="fe80::a:b:c:d%gif0"
+
+##ROUTING(RIPv6)
+ipv6_gateway_enable="YES"
+ipv6_router_enable="YES"
+ipv6_router="/usr/sbin/route6d"
+ipv6_router_flags="-O 2001:5:6:7::/64,gif0"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Connect a client pc to the lower-side
+network and check the behavior of IPv6.<BR>On a Windows pc, the
+command "ipv6 install" might be needed to activate IPv6.</P>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#ipfw0">back</A> <A href="#top">top</A></P>
+<HR>
+
+
+<H3><!-- Start:BIND9 Install --><A href="#bind0" name=bind0>C BIND9
+Install(Optional)</A></H3>
+<UL>
+ <LI><A href="#bind1">Ports Install</A></LI>
+ <LI><A href="#bind2">Making RNDC Key</A></LI>
+ <LI><A href="#bind3">Setting up named.conf</A></LI>
+ <LI><A href="#bind4">Creating up a Zone file</A> </LI>
+ <LI><A href="#bind5">Checking Behavior</A> </LI>
+</UL>
+
+
+<H4><!-- ********** 1 *********** -->
+<A href="#bind1" name=bind1>C.1 Ports Install</A></H4>
+
+<P> You can ignore DNS
+settings, if you control with IP address base
+or use existing DNS servers.</P>
+<P> Installing BIND9 from
+ports:<BR>
+Note: The "sysinstall" command can also be used.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/ports/dns/bind9/
+# make clean
+# make install clean ; rehash</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>During installation the directory "/etc/namedb
+(/var/named/etc/namedb)" is created.</P>
+<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ********** 2 ********** -->
+<A href="#bind2" name=bind2>C.2 Making RNDC key</A></H4>
+<P>Use the "rndc" command to further secure BIND9.</P>
+<P>Create the rndc key as follows:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /etc/namebd/
+# rndc-confgen -b 512 > rndc.conf</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>This will generate the "rndc.conf" file.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># Start of rndc.conf
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
+};
+
+options {
+ default-key "rndc-key";
+ default-server 127.0.0.1;
+ default-port 953;
+};
+# End of rndc.conf
+
+# Use with the following in named.conf, adjusting the allow list as needed:
+# key "rndc-key" {
+# algorithm hmac-md5;
+# secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
+# };
+#
+# controls {
+# inet 127.0.0.1 port 953
+# allow { 127.0.0.1; } keys { "rndc-key"; };
+# };
+# End of named.conf</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ********* 3 ********* -->
+<A href="#bind3" name=bind3>C.3 Setting up named.conf</A></H4>
+<P>After installation, look for the
+"/etc/namedb/named.conf" file and copy the last half of the
+"rndc.conf" file to it, making sure to remove comments, and
+add IPv6 configuration where/if required.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># Use with the following in named.conf, adjusting the allow list as needed:
+key "rndc-key" {
+ algorithm hmac-md5;
+ secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
+};
+
+controls {
+ inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
+ inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
+};
+# End of named.conf</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>For security reasons, it is better to write the "key"
+directive in the other file.</P>
+<P>Edit the "options" directive in "named.conf":</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>options {
+ directory "/etc/namedb";
+ pid-file "/var/run/named/pid";
+ auth-nxdomain yes;
+ listen-on-v6 { any; };
+};</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Create the corresponding "pid" directory.</P>
+<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ******** 4 ********* -->
+<A href="#bind4" name=bind4>C.4 Creating a Zone file</A></H4>
+<P>Edit the "view" and "zone" directives in "named.conf".</P>
+<P>The "view" directive is implemented in BIND9. Replying
+to the inquiries from matched-clients, BIND9 sends the information as
+described in the corresponding "view"</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>view "og" {
+ match-clients
+ {
+ 192.168.1.0/24;
+ };
+
+ recursion yes;
+
+ zone "." {
+ type hint;
+ file "named.root";
+ };
+
+ zone "og.saga-u.ac.jp" {
+ type master;
+ file "og.saga-u.ac.jp";
+ };
+
+ zone "0.0.127.IN-ADDR.ARPA" {
+ type master;
+ file "master/localhost.rev";
+ };
+
+ // RFC 3152
+ zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
+ type master;
+ file "master/localhost-v6.rev";
+ };
+
+ // RFC 1886 -- deprecated
+ zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
+ 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
+ type master;
+ file "master/localhost-v6.rev";
+ };
+};</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P><BR>Make a "zone" file for the domain "og.saga-u.ac.jp".
+<BR>The domain name and IPv4/6 addresses should be modified properly.
+If you don't need IPv6, remove the line containing "AAAA ....".</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>$TTL 3600
+$ORIGIN og.saga-u.ac.jp.
+
+@ IN SOA ns.og.saga-u.ac.jp. postmaster (
+ 2005051702 ;
+ 3600
+ 1200
+ 2419200
+ 86400 )
+ IN NS ns.og.saga-u.ac.jp.
+ IN A 192.168.1.1
+ IN MX 10 opengate.og.saga-u.ac.jp.
+
+ns IN A 192.168.1.1
+
+opengate IN A 192.168.1.1
+ AAAA 2001:5:6:7::1</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#bind0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ********* 5 ********* -->
+<A href="#bind5" name=bind5>C.5 Checking Behavior</A></H4>
+<P>Confirm starting of "named" after completings its
+configuration.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># /usr/local/sbin/named -u bind -c /etc/namedb/named.conf</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>If "named" starts without problems, add the following
+lines to "/etc/rc.conf" to allow it to automatically start
+on boot up.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>named_enable="YES"
+named_program="/usr/local/sbin/named"
+named_flags="-u bind -c /etc/namedb/named.conf"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Because the management of a DNS server
+can be complicated, it is strongly advised to carefully read the
+BIND9 manual, and/or consult other documentation.</P>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#bind0">back</A> <A href="#top">top</A></P>
+
+
+<HR>
+<H3><!-- Start:isc-dhcp3 Install -->
+<A href="#dhcp0" name=dhcp0>D isc-dhcp3 Installation (Optional)</A></H3>
+<UL>
+ <LI><A href="#dhcp1">Ports Installation</A>
+ <LI><A href="#dhcp2">Setting up DHCP</A> </LI>
+</UL>
+
+
+<H4><!-- *********** 1 ************* -->
+<A href="#dhcp1" name=dhcp1>D.1 Ports Install</A></H4>
+<P>If many client PCs are going to be
+connected, using the DHCP service might be a desirable solution for
+assigning IP addresses to these clients.</P>
+<P>Installing isc-dhcp3 from ports:<BR>Note:
+the "sysinstall" command can also be used.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/ports/net/isc-dhcp3-server
+# make clean
+# make install clean ; rehash</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#dhcp0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 2 ************** -->
+<A href="#dhcp2" name=dhcp2>D.2 Setting up DHCP</A></H4>
+<P>The"/usr/local/etc/dhcpd.conf.sample"
+ configuration file is created during installation. <BR>Copy
+"dhcpd.conf.sample" to "dhcpd.conf" and edit the
+file. <BR><BR>The following is an example setup: <BR>The lease time
+must be greater than the maximum usage duration (Duration/Max in
+opengatesrv.conf).<BR>The domain name and IP addresses should be
+modified.
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>option domain-name "og.saga-u.ac.jp";
+option domain-name-servers 192.168.1.1;
+option subnet-mask 255.255.255.0;
+option broadcast-address 192.168.1.255;
+option routers 192.168.1.1;
+
+default-lease-time 86400;
+max-lease-time 604800;
+ddns-update-style none;
+log-facility local7;
+
+subnet 192.168.55.0 netmask 255.255.255.0 {
+ range 192.168.1.10 192.168.1.250;
+}</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Add the following lines to "/etc/rc.conf" to allow it to
+automatically start on boot up.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>dhcpd_enable="YES"
+dhcpd_ifaces="fxp0"
+dhcpd_conf="/usr/local/etc/dhcpd.conf"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>In this example, the value of
+"dhcpd_ifaces" is the interface providing the DHCP service
+<BR>(to the lower-side network).</P>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#dhcp0">back</A> <A href="#top">top</A></P>
+<HR>
+
+
+<H3><!-- Start:Apache2 Install--><A href="#apache0" name=apache0>E Apache2
+Installation</A></H3>
+<UL>
+ <LI><A href="#apache1">Ports Installation</A> </LI>
+ <LI><A href="#apache2">Making Certificates</A> </LI>
+ <LI><A href="#apache3">Setting up SSL</A></LI>
+ <LI><A href="#apache4">Other Settings and Checking the installation</A> </LI>
+</UL>
+
+
+<H4><!-- ************ 1 ************** --><A href="#apache1" name=apache1>E.1 Ports
+Install</A></H4>
+<P>When using IPv6, Opengate needs Apache2
+to support IPv6. <BR>By default, Apache2 supports SSL which is
+preferred for secure authentication.</P>
+<P>Installing Apache2 from ports:<BR>Note:
+The "sysinstall" command can also be used.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/ports/www/apache22
+# make clean
+# make install clean ; rehash</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 2 ************** --><A href="#apache2" name=apache2>E.2 Making
+Certificates</A></H4>
+<P>It is better to obtain a formal key from
+some CA. But we will show you how to create a self-signed private key
+and certificate.
+</P>
+<P>Creating a private key:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/local/etc/apache22
+# mkdir ssl.key ssl.crt
+# chmod 700 ssl.key ssl.crt
+
+# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P><BR>Making a certificate from the created key:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># /usr/bin/openssl req -new -x509 -days 365 \
+ -key /usr/local/etc/apache22/server.key \
+ -out /usr/local/etc/apache22/server.crt
+
+You are about to be asked to enter information that will be incorporated
+into your certificate request.
+What you are about to enter is what is called a Distinguished Name or a DN.
+There are quite a few fields but you can leave some blank
+For some fields there will be a default value,
+If you enter '.', the field will be left blank.
+-----
+Country Name (2 letter code) [AU]:JP
+State or Province Name (full name) [Some-State]:Saga
+Locality Name (eg, city) []:Saga-city
+Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university
+Organizational Unit Name (eg, subsection) []:Opengate Management
+Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp
+Email Address []:administrator@opengate.og.saga-u.ac.jp
+
+Please enter the following 'extra' attributes
+to be sent with your certificate request
+A challenge password []:
+An optional company name []:</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 3 ************** --><A href="#apache3" name=apache3>E.3
+Setting up SSL</A></H4>
+<P>Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" as
+shown in the following example:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <P>ssl.conf
+ </P>
+ </TD>
+ </TR>
+ <TR>
+ <TD>
+ <PRE><VirtualHost _default_:443>
+ DocumentRoot "/usr/local/www/apache22/data"
+ ServerName opengate.og.saga-u.ac.jp:443
+ ServerAdmin administrator@opengate.og.saga-u.ac.jp
+ ErrorLog "|/usr/bin/logger -p local6.info"
+ CustomLog "|/usr/bin/logger -p local5.info" combined
+
+ SSLEngine on
+ SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ SSLCertificateFile /usr/local/etc/apache22/server.crt
+ SSLCertificateKeyFile /usr/local/etc/apache22/server.key
+</VirtualHost></PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Since Apache2 has many settings,
+familiarize yourself with the Apache2 configuration options for
+adequate control.</P>
+<P ALIGN=right><A href="#apache0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 4 ************** --><A href="#apache4" name=apache4>E.4 Other
+Settings and Checking the Installation</A></H4>
+<P>Edit "/usr/local/etc/apache22/httpd.conf" as follows:</P>
+<P>Opengate should send back the
+authentication page in response to any kind of HTTP request. <BR>To
+do so, add the following line to httpd.conf: <BR> (the top page will
+be sent back on an HTTP_ERROR 404 [file not found] error).</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>ErrorDocument 404 /</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P><BR>Add "ExecCGI" to allow executing CGI programs in the
+cgi-bin directory.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE><Directory "/usr/local/www/cgi-bin">
+ ...
+ Options ExecCGI
+ ...
+</Directory></PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Remove the comment mark ("#") to
+enable the following setting:
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>AddHandler cgi-script .cgi
+AddHandler type-map .var</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Add "index.html.var" to
+DirectoryIndex:
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>DirectoryIndex index.html.var index.html</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Include ssl conf file:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>Include etc/apache22/extra/httpd-ssl.conf</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Set ServerName:
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>ServerName opengate.og.saga-u.ac.jp</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Start Apache2 with "apachectl start"
+and check for errors. <BR>If no errors are displayed, add the
+following lines to "/etc/rc.conf" to allow Apache to start
+on boot up:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>apache22_enable="YES"
+apache22ssl_enable="YES"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>If the system shows "Failed to
+enable the 'httpready' Accept Filter", add the following to
+/boot/loader.conf :</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>accf_http_load="YES"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Should the certificate require a PASSPHRASE, Apache will ask for it during
+boot up.<BR> If you do not enter the passphrase (reboot due to
+power outage, remote reboot, ,...), this will prevent <BR> the server from starting Apache normally,
+i.e. leaving you with a possible "crippled" server.</P>
+<BLOCKQUOTE>
+<P>
+Easy fix:<BR>
+1. create a simple script containing the following:<BR>
+#!/bin/sh<BR>
+echo "<passphrase goes here>"<BR>
+<BR>2. add the following to httpd.conf:<BR>
+SSLPassPhraseDialog exec:/path/to/above/script
+</P></BLOCKQUOTE>
+
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#apache0">back</A> <A href="#top">top</A></P>
+
+
+<!-- Start:SQLite3 Installation -->
+<h3><A class=anchor href="#sqlite0" name=sqlite0>F SQLite3 Installation</A></h3>
+<ul>
+ <li class="list_num"><A href="#sqlite1">Inatallation</A></li>
+ <li class="list_num"><A href="#sqlite2">Checking</A></li>
+</ul>
+
+<!-- ************ 1 ************** -->
+<h4><A class=anchor href="#sqlite1" name=sqlite1>F.1 Installation</A></h4>
+
+
+<p>Download archive file from SQLite site(www.sqlite.org). Install it as follows.</p>
+
+<table><tr><td><pre>
+# tar xzvf sqlite-amalgamation-3.xx.xx.tar.gz
+# cd sqlite-3.xx.xx
+# ./configure
+# make
+# make install
+</pre></td></tr></table>
+
+<div align="right"><A href="#sqlite0">back</A> <A href="#top">top</A></div>
+
+<!-- ************ 2 ************** -->
+<h4><A class=anchor href="#sqlite2" name=sqlite2>F.2 Checking</A></h4>
+
+<p>
+Check the normal execution.
+
+<table><tr><td><pre>
+# sqlite3
+SQLite version 3.xx.xx
+Enter ".help" for instructions
+Enter SQL statements terminated with a ";"
+sqlite> .quit
+#
+</pre></td></tr></table>
+
+<div align="right"><A href="#sqlite0">back</A> <A href="#top">top</A></div>
+
+<HR>
+<H3><!-- Start:Opengate Install -->
+<A href="#opengate0" name=opengate0>G Opengate Installation</A></H3>
+<UL>
+ <LI><A href="#opengate1">Opengate Package</A>
+ <LI><A href="#opengate2">Installation</A> </LI>
+ <LI><A href="#opengate3">Setting up Config File</A> </LI>
+ <LI><A href="#opengate4">Setting up IPFW</A> </LI>
+ <LI><A href="#opengate5">Setting up syslog</A> </LI>
+ <LI><A href="#opengate6">Checking Behavior</A> </LI>
+ <LI><A href="#opengate7">Modifying Pages</A> </LI>
+ <LI><A href="#opengate8">Setting up SQLite3</A> </LI>
+</UL>
+
+
+<H4><!-- ************1************* -->
+<A href="#opengate1" name=opengate1>G.1 Opengate
+Package</A></H4>
+<P>Unpack the Opengate compressed file:
+</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># tar xzvf opengatexxxx.tar.gz</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>It contains the following directories:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>doc: Documentation
+conf: Configuration files and firewall control Perl script sample
+javahtml: Client Programs and HTML files
+opengatesrv: Server CGI programs
+tools: Some related tools
+ezxml: XML parser (Copyright Aaron Voisine)</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************2************* -->
+<A href="#opengate2" name=opengate2>G.2 Installation</A></H4>
+<P>Check the settings in "opengatesrv/Makefile" and modify
+if needed:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>HTMLTOP = /usr/local/www/apache22
+DOCDIR = /data
+CGIDIR = /cgi-bin
+OPENGATEDIR = /opengate
+CONFIGPATH = /etc/opengate</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Compile and Install:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># make clean
+# make install</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 3 ************** -->
+<A href="#opengate3" name=opengate3>G.3 Setting up Config File</A></H4>
+
+<P>Copy the sample configuration file
+"/etc/opengate/opengatesrv.conf.sample" to
+"/etc/opengate/opengatesrv.conf" and modify. <BR>The
+following settings must be changed:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE> <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>
+
+ <AuthServer>
+ <Protocol>pop3s</Protocol>
+ <Address>192.168.0.2</Address>
+ </AuthServer></PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>In <OpengateServerName>, set the
+HOSTNAME(FQDN) or IP address of the opengate gateway server. If you
+want to use IPv6, you need to set the FQDN corresponding to both IPv4
+and IPv6 addresses.</P>
+<P>In <AuthServer>, set the
+information for the authentication server. Opengate supports various
+authentication protocols. See the config file for details. <BR>To
+differentiate between erorrs caused by authentication server or those
+caused by the opengate server, try the following setting first. This
+means that any userid and password combination is accepted.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE> ****Do not use this setting in real service****
+ <AuthServer>
+ <Protocol>accept</Protocol>
+ <AuthServer></PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>The config file is XML. "#" marks in
+the file do not represent the start of a comment. <BR>Use
+XML-formatted comments like <!-- Comment String --> to disable
+a description.</P>
+<P>Opengate can pass authentication settings
+in the form of "userid@extid". <BR>See the config file for
+more details. <BR>By using this function, you can use different
+authentication servers for many sections or guests.</P>
+<P>When the primary authentication server
+does not reply, Opengate can resend the request to other
+authentication servers. See the config file for more details.</P>
+<P>Caution: Do not delete the IPv6 related
+settings in the config file! <BR> The IPv6 access is executed when
+the FQDN for IPv6 is prepared.</P>
+
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 4 ************** -->
+<A href="#opengate4" name=opengate4>G.4 Setting up IPFW</A></H4>
+<P>Write IPFW rules for Opengate.
+</P>
+<P>Both IPv4 and IPv6 packets are controlled by IPFW.</P>
+<P>A sample rule set for IPFW can be found in
+"/etc/opengate/rc.firewall.sample"</P>
+<P>Copy the script and modify to fit your needs. <BR> If you are
+not familiar with Ipv6, set IPv6 addresses as localhost (*net6="0",
+*ip6="::1").</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /etc/opengate
+# cp rc.firewall.sample rc.firewall
+# vi rc.firewall</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Modify the firewall settings in /etc/rc.conf as follows:<BR> Be
+careful not to lock yourself out of the system after reloading the
+firewall.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>firewall_enable="YES"
+firewall_script="/etc/opengate/rc.firewall"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Familiarise yourself with the "ipfw" command. <BR> The
+Opengate software sends out ipfw add/delete commands.</P>
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 5 ************** -->
+<A href="#opengate5" name=opengate5>G.5 Setting
+up syslog</A></H4>
+<P>Edit /etc/syslog.conf to save log entries for Opengate.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE> | Separated by TAB code
+ V
+local1.* /var/log/opengate.log</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Make the log file as follows: <BR> Consider using log rotation to
+control the size of this log file.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># touch /var/log/opengate.log</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 6 ************** -->
+<A href="#opengate6" name=opengate6>G.6 Checking
+Behavior</A></H4>
+<P>Connect a PC to the lower-side network
+and try to access a site in the upper-side network. <BR>If it does
+not work properly, consult doc/progflow.html and doc/protocol.txt to
+better understand the procedure. Also check the log files for
+Opengate, httpd, system and others. To dump more information from
+Opengate, set the <Debug> switch to "2" in
+opengatesrv.conf. Also check the functions of related software. The
+error checking document (errcheck.html) and Q&A documents
+(qa.html, recentqa.html on the web) can be used for problem solving.</P>
+<P ALIGN=right><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 7 ************** -->
+<A href="#opengate7" name=opengate7>G.7 Modifying
+Pages</A></H4>
+<P>If you want to modify the contents of the
+web pages, edit the html files in the Opengate directories. The
+relative path cannot be used in httpkeep.html. Use the full URL
+description. The descriptions such as %%XXX%% are variables replaced
+by their proper values during CGI runtime.
+</P>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#opengate0">back</A> <A href="#top">top</A></P>
+
+
+<!-- ************ 8 ************** -->
+<h4><A class=anchor href="#opengate8" name=opengate8>G.8 Setting up SQLite3</A></h4>
+
+<p>
+Opengate uses the SQLite3 database to hold session information.
+The path of the database file is indicated with <SqliteDb>
+in opengatesrv.conf.
+It is recommended to change the default value
+to the proper directory.
+WWW sholud have write permission for the directory.
+</p>
+<table><tr><td><pre>
+Example:
+-- opengatesrv.conf --
+<SqliteDb>/home/sqlitedb/opengate.db</SqliteDb>
+
+-- shell commands --
+# mkdir /home/sqlitedb
+# chown www /home/sqlitedb
+</pre></td></tr></table>
+<p>
+The file and database table are created automatically.
+</p>
+
+As the file size incleases steadily, you should periodically trim or remove the file with cron (or manually). Following is a sample script to delete 3 day old records.</p>
+
+<table>
+<tr><td><pre>
+#!/bin/sh
+echo "delete from session where closeTime < datetime('now','localtime','-3days');" | sqlite3 /tmp/opengate.db
+exit 0
+</pre></td></tr>
+</table>
+
+<div align="right"><A href="#opengate0">back</A> <A href="#top">top</A></div>
+
+<hr>
+
+
+<H3><!-- Start:Install MRTG -->
+<A href="#mrtg0" name=mrtg0>H MRTG Installion (Optional)</A></H3>
+<UL>
+ <LI><A href="#mrtg1">Ports Installation</A> </LI>
+ <LI><A href="#mrtg2">Setting up MRTG</A> </LI>
+ <LI><A href="#mrtg3">Confirming proper startup</A> </LI>
+ <LI><A href="#mrtg4">Setting up crontab</A> </LI>
+</UL>
+
+<H4><!-- ************ 1 ************** -->
+<A href="#mrtg1" name=mrtg1>H.1 Ports Installation</A></H4>
+
+<P>This section is optional. <BR> If you want to graphically
+monitor the state of Opengate, MRTG can be used but is not required.</P>
+<P><A HREF="http://people.ee.ethz.ch/%7Eoetiker/webtools/mrtg/" TARGET="_blank">MRTG<SPAN STYLE="TEXT-DECORATION: none">
+</SPAN></A>(Multi Router Traffic Grapher) is a system to monitor
+network traffic. MRTG produces graphic images and HTML files.
+</P>
+<P>You can install MRTG on the gateway
+server or another server. If you need to monitor multiple Opengate
+systems, it is advised to install MRTG on a separate server.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># cd /usr/ports/net-mgmt/mrtg/
+# make clean
+# make install clean ; rehash</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
+
+
+<H4><!-- ************ 2 ************** -->
+<A href="#mrtg2" name=mrtg2>H.2 Setting up MRTG</A></H4>
+<P>MRTG creates
+"/usr/local/etc/mrtg/mrtg.cfg.sample" as the sample
+configuration file during installation. Copy mrtg.cfg.sample to
+opengate.cfg and edit the file:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>##################################################
+# opengate user counter
+
+WorkDir: /usr/home/user/public_html/mrtg/opengate/
+
+##### Options
+Options[^]: growright,gauge,nopercent,integer
+
+Target[opengate]:`/usr/home/user/bin/input.sh`
+Title[opengate]: Opengate user counter
+
+PageTop[opengate]: <h1>Opengate user counter</h1>
+ <p>Show the number of people using Opengate</p>
+
+# Max Number
+MaxBytes[opengate]: 200
+
+# Title of Y axis
+YLegend[opengate]: Opengate User
+# unit
+ShortLegend[opengate]: s
+# Title of graph LegendI: first line LegendO: second line
+LegendI[opengate]: IPv6 Users
+LegendO[opengate]: Total Users</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Be sure to actually create the directory
+which you appointed in "WorkDir". MRTG creates its graphic
+images and HTML files in "WorkDir"</P>
+<P>"Target[opengate]" contains the
+path to the program that hands its data to MRTG. <BR>(details
+explained below)</P>
+
+<H5>H.2.1 Scenario 1: Running MRTG on the gateway server</H5>
+<P>Create the shell script "/usr/home/user/bin/input.sh"
+with the following contents:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>#!/bin/sh
+
+#######################################
+##
+## show opengate status for MRTG
+##
+## 1 line : IPv6 Users
+## 2 line : Total Users
+## 3 line : uptime
+## 4 line : comment for data
+##
+#######################################
+
+LANG=C
+COLUMNS=256
+
+export LANG
+export COLUMNS
+
+### IPv6 prefix
+prefix="2001:2f8:22:801:"
+###opengateprocessname
+process="opengatesrv.cgi"
+
+###tmp file name
+tmp_all="/tmp/og_count_all.tmp"
+tmp_6="/tmp/og_count_6.tmp"
+
+######################################################
+psax | grep $process > $tmp_all
+COUNT = `wc-l $tmp_all | awk '{print $1}'`
+grep $prefix $tmp_all > $tmp_6
+COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
+UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
+
+rm $tmp_all
+rm $tmp_6
+
+echo "$COUNT6"
+echo "$COUNT"
+echo "$UPTIME"
+echo "Opengate User Counter"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Run this shell script as standalone and confirm that you can
+acquire the following data:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>5
+48
+10days
+Opengate User Counter</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<H5>H.2.2 Scenario 2: Running MRTG on a separate server</H5>
+<P>Create the shell script "/usr/home/user/bin/input.sh" on
+a separate server.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>#!/bin/sh
+
+#######################################
+##
+## input data for MRTG
+##
+## 1 line : IPv6 Users
+## 2 line : Total Users
+## 3 line : uptime
+## 4 line : comment for data
+##
+#######################################
+
+# tmp file name
+file="/tmp/opengate.tmp"
+
+# URL of output.sh at opengate
+url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"
+
+fetch -o $file $url &> /dev/null
+
+more $file</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P STYLE="TEXT-INDENT: 0in">Create the shell script
+"/usr/local/apache2/cgi-bin/output.sh" on the Opengate
+(gateway) server, and set the URL to $url, as explained above.</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>#!/bin/sh
+
+#######################################
+##
+## show opengate status for MRTG
+##
+## 1 line : IPv6 Users
+## 2 line : Total Users
+## 3 line : uptime
+## 4 line : comment for data
+##
+#######################################
+
+LANG=C
+COLUMNS=256
+
+export LANG
+export COLUMNS
+
+### IPv6 prefix
+prefix="2001:2f8:22:801:"
+###opengateprocessname
+process="opengatesrv.cgi"
+
+###tmp file name
+tmp_all="/tmp/og_count_all.tmp"
+tmp_6="/tmp/og_count_6.tmp"
+
+######################################################
+psax | grep $process > $tmp_all
+COUNT = `wc-l $tmp_all | awk '{print $1}'`
+grep $prefix $tmp_all > $tmp_6
+COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
+UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
+rm $tmp_all
+rm $tmp_6
+
+echo "Content-type: text/plain; charset=iso-8859-1"
+echo
+
+echo "$COUNT6"
+echo "$COUNT"
+echo "$UPTIME"
+echo "Opengate User Counter"</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P>Run "input.sh" on another server and confirm that you
+can acquire the following data:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>5
+48
+10days
+Opengate User Counter</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
+
+<H4><!-- ************ 3 ************** -->
+<A href="#mrtg3" name=mrtg3>H.3 Confirming MRTG Startup Operation:</A></H4>
+
+<P>Use the following command to confirm MRTG is working with your
+config:</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE># /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P STYLE="TEXT-INDENT: 0in">Various WARNING messages are output the
+first and second time, this is normal behavior <BR>(as explained in
+the MRTG documentation)!<BR>Some files are created in "WorkDir".</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>> ls -l
+-rw-r--r-- 1 root wheel 538 12 14 04:40 mrtg-l.png
+-rw-r--r-- 1 root wheel 414 12 14 04:40 mrtg-m.png
+-rw-r--r-- 1 root wheel 1759 12 14 04:40 mrtg-r.png
+-rw-r--r-- 1 root wheel 2941 12 20 15:15 opengate-day.png
+-rw-r--r-- 1 root wheel 2146 12 20 14:35 opengate-month.png
+-rw-r--r-- 1 root wheel 2867 12 20 14:55 opengate-week.png
+-rw-r--r-- 1 root wheel 1897 12 20 05:00 opengate-year.png
+-rw-r--r-- 1 root wheel 5961 12 20 15:15 opengate.html
+-rw-r--r-- 1 root wheel 48786 12 20 15:15 opengate.log
+-rw-r--r-- 1 root wheel 48784 12 20 15:10 opengate.old</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
+
+<H4><!-- ************ 4 ************** -->
+<A href="#mrtg4" name=mrtg4>H.4 Registering to Crontab</A></H4>
+
+<P>Add the following line to "/etc/crontab":</P>
+<TABLE CELLPADDING=2 CELLSPACING=2>
+ <TR>
+ <TD>
+ <PRE>*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg</PRE>
+ </TD>
+ </TR>
+</TABLE>
+<P ALIGN=right><A href="#mrtg0">back</A> <A href="#top">top</A></P>
+
+<HR>
+<H3><!-- Start:Install rulechk -->
+<A href="#rulechk" name=rulechk>I rulechk Installation (Optional)</A></H3>
+
+<P>This section is optional. <BR>When the
+Opengate process is not exited normally, superfluous rules might be
+left behind. <BR>Though it is
+very rare, the tools/rulechk script is made to handle such situations. This
+script compares the Opengate process list and the firewall rule list, and
+deletes the obsolete rules.<BR>This script is compatible with Opengate Ver1.3.1 or above.
+</P>
+<P ALIGN=right STYLE="MARGIN-BOTTOM: 0in"><A href="#rulechk">back</A> <A href="#top">top</A></P>
+</BODY>
+</HTML>
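Review bot: the MRTG counter scripts in H.2 (the Scenario 1 input.sh and the Scenario 2 output.sh) will not run as written: `psax | grep $process > $tmp_all` needs a space (`ps ax`), and `COUNT = \`wc-l $tmp_all | awk '{print $1}'\`` is not a valid sh assignment (no spaces around `=`, and `wc -l`), so COUNT stays empty and the second output line that MRTG reads as "Total Users" is blank. The Scenario 2 input.sh also uses `fetch -o $file $url &> /dev/null` under `#!/bin/sh`; `&>` is bash-only and FreeBSD sh parses it as backgrounding fetch followed by an empty redirect, so `more $file` can run before the download finishes (use `>/dev/null 2>&1`). Second, the httpd-ssl.conf example's `SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` explicitly admits null-encryption, export and SSLv2 suites, and E.2 generates a 1024-bit RSA key; for a page that recommends SSL "for secure authentication", the text should at least point to a restrictive suite list (HIGH only, SSLv2 off) and a 2048-bit key, and the "Easy fix" passphrase script in E.4 should be documented as root-only (mode 0700), since a world-readable script containing the passphrase gives no more protection than an unencrypted key. Third, the "accept" example in G.3 closes with `<AuthServer>` instead of `</AuthServer>`, which is malformed XML and will not parse if copied, and the G.8 cleanup script targets `/tmp/opengate.db` while the config example directly above sets `<SqliteDb>/home/sqlitedb/opengate.db</SqliteDb>`, so as written the cron job trims nothing from the configured database. Minor: typos "Inatallation" (F index), "erorrs" (G.3), "sholud" (G.8), "incleases" (G.8, a paragraph that also lacks its opening `<p>`), "Installion" (H heading) and "Ipv6" (G.4); the "Opengate Package" `<LI>` in the G index has no closing tag.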