IP Filter / IP Nat / PPPoE DSL and DHCP Server setup script
"Automagic" setup perl script
for internet sharing and firewalling for FreeBSD with IP Filter
When you have finished installing FreeBSD on your machine, run this script,
answer the questions, and your internet connection sharing and stateful
firewall setup will be complete.
No kernel recompiling is needed if you're using FreeBSD 4.x: the script uses the
recommended loadable ipfilter kernel module method that is part of FreeBSD.
Download tarball here. ipfilterscript.tar.gz
Change log here change.log
last updated: Tue May 10 11:37:59 GMT 2005
The firewall will be a stateful "black hole" type: if a connection was not
initiated from the inside of the firewall, the inbound packets are simply
"sucked in" (silently dropped, with no TCP reset and no ICMP unreachable sent
back). This makes nmap scans, or any other type of port scan, extremely and
painfully slow and completely unrewarding, because no packets at all are
returned, which is what most people want from a firewall these days (I would hope).
It also contains commented-out example firewall rules for services such as
web, and for port forwarding / redirection to internal IPs, so you can get
everything you want in your firewall done faster.
I got the idea for this script
after a friend tried to set up an IP Filter and NAT firewall and had a lot
of trouble. I coded this IP Filter and IPnat setup script for people
trying to set up an internet sharing firewall who are either sick of ipfw
NATD :) / Linux ipchains masquerade or Linux iptables netfilter
masquerade, or of old MS Windows internet connection sharing machines that are
often ironically destroyed by the latest round of MS worms, those who
forget the necessary configuration settings, or those who just haven't done it
before and want a secure BSD firewall set up fast :)
This is also a good starting template for those aiming for a more
rigorous firewall.
It can also be used as a simple firewall for a desktop machine: just
choose your ethernet link as the external NIC and lo0 as your internal NIC,
and remove the last set of rules once the ruleset has been generated.
Linux distributions such as Red Hat, Debian etc. have enjoyed stateful
firewalling via iptables / netfilter since the 2.4 kernel releases, while the
BSDs have had full stateful firewalling via IP Filter for over 10 years!
Just check/tail the history file: "tail /usr/src/contrib/ipfilter/HISTORY"
1.0 22/04/93 - Released
This script assumes:
· You have installed FreeBSD 4.3 or newer (tested on 4.6 and 5.1).
· You have 1 ethernet interface (if plugged into a hub for ADSL modem setups) or 2 network cards in your server, 1 for internal and 1 for
external (cable / ADSL modem etc.).
· You have Perl installed. (If you didn't install Perl during a FreeBSD 5
install you can add it from the net by typing pkg_add -r perl.tbz)
· If you are going to use this script to set up a NAT firewall with more
than 20 people behind it you should increase the maximum state table size in
ipfilter, otherwise new connections are dropped once the table fills.
If you're new to the Unix world, start off with the command "fetch http://www.thebeastie.org/bsd/ipfilterscript.tar.gz" to download it to your box,
then "tar -zxf ipfilterscript.tar.gz" to extract
it, then "./ipfilter.pl".
· IPFilter / IPNat setup
This will:
Ask you for your internal and external network card interface names
(eg rl0, fxp0, or tun0 for PPPoE ADSL or dialup as the external interface);
after that you can just hit "enter" to take the defaults for everything
else.
Ask for the settings of these NICs, either DHCP or the IP and
netmask.
Ask for other options such as port forwarding and logging options.
Install and set up a stateful firewall with those settings.
Set up NAT for all IPs on the internal NIC.
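As an added example (not code from ipfilterscript itself), here is a small POSIX shell script that generates the kind of configuration the script produces: a stateful "black hole" IP Filter ruleset on the external interface, an IPNAT config for the internal network, the commented-out web-service and port-forward rules, and the rc.conf lines that load it all at boot. The interface names (fxp0, rl0, tun0), the internal network 192.168.1.0/24, the internal web server 192.168.1.10 and the portmap range are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not part of ipfilterscript: emit a stateful "black hole"
# IP Filter ruleset and a matching IPNAT config for a FreeBSD gateway.
# All interface names and addresses are assumptions passed in as arguments.

# gen_ipf_rules EXT_IF INT_IF INT_NET  -> contents of /etc/ipf.rules on stdout
gen_ipf_rules() {
    ext=$1 int=$2 intnet=$3
    cat <<EOF
# loopback is never filtered
pass in quick on lo0 all
pass out quick on lo0 all

# anti-spoofing: our own LAN range and loopback space must never arrive on
# the external interface (add the other RFC1918 blocks if your ISP gives
# you a public address)
block in log quick on $ext from $intnet to any
block in log quick on $ext from 127.0.0.0/8 to any

# anything this box or the LAN initiates goes out and creates a state entry,
# so the replies come back without any explicit "pass in" rule
pass out quick on $ext proto tcp from any to any flags S keep state keep frags
pass out quick on $ext proto udp from any to any keep state
pass out quick on $ext proto icmp from any to any keep state

# service example (commented out): accept inbound HTTP, either to this box
# or, together with an ipnat "rdr", to an internal web server
#pass in quick on $ext proto tcp from any to any port = 80 flags S keep state

# the black hole: everything else from the internet is dropped silently,
# with no RST and no ICMP unreachable, so a port scanner sees nothing
block in quick on $ext all

# trust the internal NIC completely; drop these two lines when lo0 is the
# "internal" interface on a standalone desktop
pass in quick on $int all
pass out quick on $int all
EOF
}

# gen_ipnat_rules EXT_IF INT_NET [WEB_SERVER] -> contents of /etc/ipnat.rules
gen_ipnat_rules() {
    ext=$1 intnet=$2 web=${3:-192.168.1.10}
    cat <<EOF
# 0/32 means "whatever address $ext has right now", which is what you want
# for a DHCP or PPPoE external interface; active-mode FTP needs the proxy
map $ext $intnet -> 0/32 proxy port ftp ftp/tcp
map $ext $intnet -> 0/32 portmap tcp/udp 40000:60000
map $ext $intnet -> 0/32

# port forward example (commented out): inbound HTTP to an internal web
# server. NAT runs before the filter on the way in, so the matching
# "pass in ... port = 80" rule in ipf.rules must be enabled as well.
#rdr $ext 0.0.0.0/0 port 80 -> $web port 80 tcp
EOF
}

# gen_rc_conf -> lines to append to /etc/rc.conf (FreeBSD 4.x/5.x names)
gen_rc_conf() {
    cat <<EOF
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
ipmon_enable="YES"
ipmon_flags="-Ds"
EOF
}

# install_rules EXT_IF INT_IF INT_NET [DIR]: write both files under DIR
# (default /etc) and print the commands that activate them without a reboot
install_rules() {
    dir=${4:-/etc}
    gen_ipf_rules "$1" "$2" "$3" > "$dir/ipf.rules"
    gen_ipnat_rules "$1" "$3" > "$dir/ipnat.rules"
    echo "kldload ipl; sysctl net.inet.ip.forwarding=1"
    echo "ipf -E -Fa -f $dir/ipf.rules; ipnat -CF -f $dir/ipnat.rules"
}

# usage: sh firewall.sh fxp0 rl0 192.168.1.0/24 [dir]
if [ $# -ge 3 ]; then
    install_rules "$@"
    echo "append to /etc/rc.conf:"; gen_rc_conf
fi
```

Nothing in ipf.rules ever answers an unsolicited packet on the external interface: the only inbound traffic accepted is whatever already has a state entry created by the "pass out ... keep state" rules, and everything else hits "block in quick ... all" with no return-rst or return-icmp option, which is exactly the black hole behaviour described above. The "0/32" form in the map rules is what keeps NAT working when the external address changes on every PPPoE or DHCP renewal.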
· DSL setup
Easy PPPoE setup for typical home/business ADSL connections.
No kernel recompiling required; it uses the recommended ppp loadable
kernel modules (as long as you are using FreeBSD 4.5+ or FreeBSD 5).
This will ask you for your login name, password and ethernet NIC to
generate an /etc/ppp/ppp.conf file and insert the needed ppp start
variables in /etc/rc.conf so that it loads the ppp kernel modules at
start up and starts ppp for an "always on" PPPoE connection.
From this you can then use the firewalling options in this script to
firewall your ADSL connection.
For dial up, use tun0 as the external interface but manually configure
the default ppp.conf file.
· DHCP Server setup
Easy setup script for a DHCP server for the machines behind the firewall.
This will:
Check for installation of the DHCP server; if it is not installed it will
give the choice of installing the latest version of the ISC DHCP server
via the ports system, live from the internet.
Then ask the following questions for setup of typical client settings
for DHCP:
What DNS servers should your clients use? (use your ISP's)
What will be the gateway IP for internal machines to route to? (use
your internal NIC's IP)
Subnet and netmask for the internal NIC
Range of IPs for DHCP allocation
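As an added example covering both the DSL setup and the DHCP server setup above (this is not code from ipfilterscript), here is a POSIX shell script that generates the /etc/ppp/ppp.conf PPPoE profile, the rc.conf variables that start ppp at boot, and an ISC dhcpd.conf for the internal network. The NIC name rl0, the ISP login, the profile name "adsl", the 192.168.1.x addresses and the DNS servers are assumptions; the dhcpd_enable/dhcpd_ifaces variable names are those used by the ISC DHCP port's rc script and should be checked against the copy installed in /usr/local/etc/rc.d.

```shell
#!/bin/sh
# Added example, not part of ipfilterscript: generate the PPPoE ppp.conf, the
# rc.conf variables that start ppp at boot, and an ISC dhcpd.conf for the LAN.
# NIC names, the ISP login, addresses and DNS servers are assumptions passed
# in as arguments.

# gen_ppp_conf NIC LOGIN PASSWORD -> contents of /etc/ppp/ppp.conf on stdout
# In ppp.conf every line except a profile label ("adsl:") must start with
# whitespace, otherwise ppp(8) rejects the file.
gen_ppp_conf() {
    nic=$1 login=$2 pass=$3
    cat <<EOF
default:
 set log Phase tun command
 set ifaddr 10.0.0.1/0 10.0.0.2/0

adsl:
 set device PPPoE:$nic
 set mru 1492
 set mtu 1492
 set authname $login
 set authkey $pass
 set dial
 set login
 enable dns
 add default HISADDR
EOF
}

# gen_ppp_rc_conf -> lines to append to /etc/rc.conf. ppp_mode=ddial keeps
# the link "always on"; ppp_nat=NO because ipnat does the translation.
gen_ppp_rc_conf() {
    cat <<EOF
ppp_enable="YES"
ppp_mode="ddial"
ppp_nat="NO"
ppp_profile="adsl"
EOF
}

# gen_dhcpd_conf SUBNET NETMASK ROUTER RANGE_LO RANGE_HI DNS [DNS...]
#   -> contents of /usr/local/etc/dhcpd.conf on stdout
gen_dhcpd_conf() {
    subnet=$1 mask=$2 router=$3 lo=$4 hi=$5
    shift 5
    [ $# -ge 1 ] || { echo "gen_dhcpd_conf: need at least one DNS server" >&2; return 1; }
    dns=$(printf '%s, ' "$@"); dns=${dns%, }
    cat <<EOF
option domain-name-servers $dns;
default-lease-time 600;
max-lease-time 7200;
authoritative;

subnet $subnet netmask $mask {
  range $lo $hi;
  option routers $router;
  option subnet-mask $mask;
}
EOF
}

# gen_dhcpd_rc_conf INT_IF -> rc.conf lines for the ISC DHCP port's rc script
# (variable names assumed; check /usr/local/etc/rc.d/isc-dhcpd.sh)
gen_dhcpd_rc_conf() {
    cat <<EOF
dhcpd_enable="YES"
dhcpd_ifaces="$1"
EOF
}

# write_private_file PATH: save stdin with mode 0600. ppp.conf holds the ISP
# password in clear text, so it must not be world readable.
write_private_file() {
    ( umask 077; cat > "$1" ) && chmod 600 "$1"
}

# usage: sh dsl-dhcp.sh NIC LOGIN   (prompts for the password so it does not
# show up in the process list or shell history)
if [ $# -eq 2 ]; then
    printf 'ISP password: '; stty -echo; read -r pass; stty echo; echo
    gen_ppp_conf "$1" "$2" "$pass" | write_private_file /etc/ppp/ppp.conf
    echo "append to /etc/rc.conf:"; gen_ppp_rc_conf
fi
```

The MTU/MRU of 1492 leaves room for the 8-byte PPPoE header inside a 1500-byte ethernet frame; "enable dns" lets ppp fill in /etc/resolv.conf from the ISP's IPCP reply, and those same servers are what you hand to the LAN clients in the domain-name-servers option. Because ppp.conf carries the account password, it is written with mode 0600 rather than the default umask.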
· Serial Console setup
This script will attempt to set up a serial console to allow serial
login connections on serial port com1, for those who do not feel their
machine is worthy of having a keyboard or monitor attached. Use 'tip com1'
to do a serial connect from your client BSD machine.