Configuring a DNS Server on FreeBSD February 7th, 2010
Step 1. Create the named.conf file with the following content:
Note: the options “directory”, “pid-file”, “dump-file” and “statistics-file” may have other values if you configure the BIND server on Linux. The following values are for FreeBSD.
Note: do not forget to put “;” after every IP, including the last one, and to enclose rules between { }.
options {
    directory "/etc/namedb";
    pid-file "/var/run/named/pid";
    dump-file "/var/dump/named_dump.db";
    statistics-file "/var/stats/named.stats";
    forwarders { 213.157.176.3; 213.157.176.1; };
    allow-recursion { 10.0.0.1/16; 127.0.0.1; };
    allow-transfer { 213.157.176.3; 213.157.176.1; 192.162.16.0/24; };
    listen-on { 127.0.0.1; 86.X.Y.Z; };
};
zone "." {
    type hint;
    file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
    type master;
    file "master/localhost.rev";
};
zone "Z.Y.X.86.in-addr.arpa" {
    type master;
    file "master/Z.Y.X.86.in-addr.arpa";
};
zone "example.com" in {
    type master;
    file "/etc/namedb/example.com";
};
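The two notes above (a “;” after every entry, braces around every list) are the mistakes named refuses to start on, and the address lists in the options block are also where a resolver is most often left open: allow-transfer or allow-recursion set to any hands zone data and recursion to the whole internet, and a prefix with host bits set (10.0.0.1/16 in the block above) usually means something other than what was typed. named-checkconf, which ships with BIND, catches the syntax problems; the script below is an added example, not part of the original post, that parses the simple name { entry; entry; }; lists inside options { } and reports both the syntax slips and those policy issues. The two configs inside it are constructed for the example; the first mirrors the post's block with the documentation address 192.0.2.10 standing in for 86.X.Y.Z.

```python
"""Check the address lists in a BIND options block (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample modelled on the post's options block; 192.0.2.10 stands
# in for the post's placeholder 86.X.Y.Z (192.0.2.0/24 is a documentation net).
SAMPLE_CONF = """
options {
    directory "/etc/namedb";
    forwarders { 213.157.176.3; 213.157.176.1; };
    allow-recursion { 10.0.0.1/16; 127.0.0.1; };
    allow-transfer { 213.157.176.3; 213.157.176.1; 192.162.16.0/24; };
    listen-on { 127.0.0.1; 192.0.2.10; };
};
"""

# Second constructed sample: the last listen-on entry lacks its ";".
BAD_CONF = """
options {
    allow-transfer { any; };
    listen-on { 127.0.0.1; 192.0.2.10 };
};
"""

ACL_KEYWORDS = {"any", "none", "localhost", "localnets"}  # BIND match-list words
OPEN_TO_ALL = {"any", "0.0.0.0/0", "::/0"}
LIST_RE = re.compile(r"(?P<name>[\w-]+)\s*\{(?P<body>[^{}]*)\}\s*;")


def options_body(conf: str) -> str:
    """Return the text between the braces of `options { ... };`."""
    if conf.count("{") != conf.count("}"):
        raise ValueError("unbalanced braces")
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        raise ValueError("no options block")
    depth = 0
    for pos in range(m.end() - 1, len(conf)):
        if conf[pos] == "{":
            depth += 1
        elif conf[pos] == "}":
            depth -= 1
            if depth == 0:
                return conf[m.end():pos]
    raise ValueError("options block never closed")


def parse_lists(conf: str) -> Dict[str, List[str]]:
    """Map each `name { a; b; };` list inside options to its entries.

    Raises ValueError when an entry lacks its ';': either the last entry
    runs straight into '}', or two entries fuse into one token with a space.
    Only plain address entries (optionally negated with '!') are handled.
    """
    lists: Dict[str, List[str]] = {}
    for m in LIST_RE.finditer(options_body(conf)):
        name, body = m.group("name"), m.group("body").strip()
        if body and not body.endswith(";"):
            raise ValueError(f"{name}: last entry is missing ';'")
        entries = [e.strip() for e in body.split(";") if e.strip()]
        for entry in entries:
            if " " in entry or "\t" in entry:
                raise ValueError(f"{name}: missing ';' in '{entry}'")
        lists[name] = entries
    return lists


def audit(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    try:
        lists = parse_lists(conf)
    except ValueError as exc:
        return [f"syntax: {exc}"]
    findings: List[str] = []
    for name in ("allow-transfer", "allow-recursion"):
        if name not in lists:
            findings.append(f"{name} not set here; the default of your BIND version applies")
        for entry in lists.get(name, []):
            if entry in OPEN_TO_ALL:
                findings.append(f"{name} is open to every host ({entry})")
    for name, entries in lists.items():
        for entry in entries:
            addr = entry.lstrip("!")  # a leading '!' negates the match in BIND
            if addr in ACL_KEYWORDS:
                continue
            try:
                ipaddress.ip_network(addr, strict=True)
            except ValueError:
                try:  # parses once host bits are masked: the prefix was mistyped
                    net = ipaddress.ip_network(addr, strict=False)
                    findings.append(f"{name}: {entry} has host bits set (did you mean {net}?)")
                except ValueError:
                    findings.append(f"{name}: '{entry}' is not an address or prefix")
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("bad", BAD_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against a real file with audit(open("/etc/namedb/named.conf").read()); the prefix finding on the post's own 10.0.0.1/16 is the kind of thing that is easy to miss by eye but is worth settling before the server goes live, since allow-recursion decides who may use the box as an open resolver.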
A few explanations regarding the following variables:
FreeBSD Firewall Explained February 7th, 2010
How to set up an ipfw stateful firewall on FreeBSD with a simple ruleset, explaining certain details along the way, including the interaction with natd.
Introduction
Why have protection? Computers on the internet run the risk of being damaged or hijacked. Firewall software is a very powerful tool in fighting this. Having FreeBSD firewall software doesn’t mean that you’re safe: you will still have to update your system to fix security bugs and check for viruses, although the latter isn’t much of a problem for Unix-like computers at the time of writing.
The goal of this howto is to set up a simple firewall for FreeBSD and, while doing so, explain certain details of the ipfw firewall from the user’s point of view. At the end of this howto you will have a firewall for FreeBSD with a simple ruleset. The questions this article will answer are:
- How packets are checked against the rules.
- How natd affects the rules and how to deal with those effects.
- How to set up stateful rules and why they cannot be used with natd.
Related howtos
- Firewall Setup – A more complex firewall setup for FreeBSD, that also includes a traffic shaper and network address translation (NAT). This particular howto lays the basis for the next howto.
- Traffic Reports – How to create traffic graphs with MRTG, IPA and IPFW.
Notes
Newer versions of FreeBSD can load the ipfw firewall software on demand. Older versions of FreeBSD don’t have this ability and require a kernel recompile. You also need to recompile on the newer versions when you want to create more advanced rules, such as logging or traffic shaping.
Summary
FreeBSD + natd + ipfw + squid February 7th, 2010
This is going to be an overview of the steps it takes to create a Walled Garden using FreeBSD, natd, ipfw and squid.
The basic scenario: you have a private IP network that you want to allow people to connect to, and you allow them basic web access (we’ll just do port 80 for now). By default you only want to allow these users to access certain URLs; if they try to access anything else they are redirected to your “portal” page. Presumably your portal would run software that handles account signups and such, and once you authorize an IP you would allow it to connect to anything on the internet. Portal design won’t be discussed here, but I will show you how to punch a hole through the firewall.
For this exercise we are going to have a private IP network and a public IP. Splitting off a management IP is highly advisable, but that won’t be covered here.
Our private IP network is going to be 10.7.0.0/16 and our “public IP” is going to be 192.168.0.1 (which is really a private address, but ignore that; when deploying this, substitute a real public IP here).
First things first: before doing anything else, make sure your kernel has the following options compiled into it:
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_FORWARD
Once you install that kernel and reboot your server, we can proceed with the configuration.
For the next step, let’s install squid. This can be done using whatever method of installing software you prefer, but I’m going to show the package add method, because it’s so simple:
# pkg_add -r squid
Managing your Linux/Unix log files using logrotate February 7th, 2010
This How-To details the steps required to manage and rotate your server’s log files. A simple truth about Linux/Unix logs is that they are everywhere: your kernel, program daemons, firewalls, etc., each generate their own log files. In fact, there are so many log files of various levels that maintaining them can be a nightmare. Hence, this guide is a simple step towards maintaining those log files to keep your system in check and in good health.
Log files are among the most important files on your server: almost all of the precious (and sometimes unnecessary) information about its running state is stored there. For example, if your system’s security has been breached or compromised, it’s these log files that will come to your rescue and help you identify where or what went wrong.
In case you don’t know, your Linux/Unix server is currently logging kernel and security messages to the file /var/log/messages. Just run a simple “ tail -f /var/log/messages ” to get a feel for the logs currently being generated by the various daemons running on your system.
Now if your server also has an Apache web server or a Squid proxy server running and you want to manage their respective logs in your own fashion, the following information might help you out.
First of all, you will need the program called “logrotate”. Logrotate is a very useful utility which can rotate log files and archive them in a location that you specify. We will be using “logrotate” in conjunction with “cron”.
cron is a time-based job scheduling service for Unix-like operating systems. It is available on almost all versions of Linux and Unix.
Having said that, logrotate should already be installed in your Linux/Unix distribution, but if it is not, simply use your system’s package management system to install it.
For example, for Debian based system, all you need to do to install logrotate is:
apt-get install logrotate
For this guide, we will be rotating and managing the log files generated by Apache and Squid on a FreeBSD-6.x and a Linux Debian-4.1 box. However, it should also work on other Linux distributions like RedHat, Slackware or SuSE, since the fundamentals are the same on all Linux-based distributions.
I also assume that your Apache logs are kept in /var/log/apache and your Squid logs are kept in /var/log/squid.
On a FreeBSD-6.x box:
(1.) Make and install from ports:
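Because the post treats log files as the evidence you turn to after a compromise, the rotation policy matters as much as the rotation itself: rotated copies should stay readable only by the group that reads logs, and the daemon must be told to reopen its files so nothing is lost between the rename and the next write. The stanza below is an added example, not from the original post or the logrotate project, for the two directories the post assumes, /var/log/apache and /var/log/squid. The retention periods, the file-name patterns, the owner and group names (root/wheel, squid/squid) and the reload commands are assumptions; adjust them to your system.

```conf
# Added example: logrotate stanzas for the Apache and Squid log directories
# the post assumes. Paths, retention, owners/groups and reload commands are
# assumptions for this example; change them to match your installation.

/var/log/apache/*.log {
    daily
    rotate 30
    missingok
    notifempty
    compress
    delaycompress
    # New log is created owned by root, readable by the log-reading group only;
    # rotated logs hold client addresses and are evidence after an incident.
    create 0640 root wheel
    sharedscripts
    postrotate
        # Ask Apache to reopen its log files after the rename (assumed command;
        # substitute your platform's graceful-restart invocation).
        apachectl graceful > /dev/null 2>&1 || true
    endscript
}

/var/log/squid/*.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    create 0640 squid squid
    sharedscripts
    postrotate
        # Squid closes and reopens its logs on -k rotate. Because logrotate
        # does the renaming here, set logfile_rotate 0 in squid.conf so Squid
        # does not rotate the same files a second time.
        squid -k rotate > /dev/null 2>&1 || true
    endscript
}
```

Dry-run the file first with logrotate -d <config file>, which reports what would be rotated without touching anything. On Debian the package already installs a daily cron job that reads /etc/logrotate.conf and /etc/logrotate.d/, so placing the stanza in /etc/logrotate.d/ is enough; on FreeBSD the port installs the binary under /usr/local but adds no cron entry, so schedule a daily crontab line that runs logrotate against your config file (the exact path depends on where the port put it on your box).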
