 From:  edward mzj <edward dot mzj at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: A few modification to m0n0, anyone interested?
 Date:  Mon, 8 Aug 2005 17:12:17 +0800
News: the files have been updated since the last post (bug fix).

how to apply the patch
1. login to a freebsd box;
2. download the m0n0 image file (generic-pc-1.2b9.img, for example) and the patch;
	cd $HOME; fetch http://61.132.118.190/m0n0/1.2b9/p3.patch
	fetch http://m0n0wall.absinet.net/m0n0wall/generic-pc-1.2b9.img
3. create vn node and mount points;
	cd /dev ; ./MAKEDEV vn{1,2} ; cd $HOME
	mkdir /mnt/vn{1,2}
4. unzip and mount the image file;
	gunzip -S ".img" generic-pc-1.2b9.img
	vnconfig vn1 generic-pc-1.2b9 && mount /dev/vn1 /mnt/vn1
	gunzip -c /mnt/vn1/mfsroot.gz > mfsroot
	vnconfig vn2 mfsroot && mount /dev/vn2 /mnt/vn2
5. apply the patch;
	cd /mnt/vn2; patch -p3 < $OLDPWD/p3.patch ; cd $HOME
6. repack the rootfs and image file
	sync ; umount /mnt/vn2 && vnconfig -u vn2
	gzip -9c mfsroot > /mnt/vn1/mfsroot.gz
	sync ; umount /mnt/vn1 && vnconfig -u vn1
	gzip -9S ".img" generic-pc-1.2b9
7. upload the updated image file to a running m0n0

an alternative way to apply the patch
1. download the individual modified files:
	http://61.132.118.190/m0n0/1.2b9/etc/rc.newwanip
	http://61.132.118.190/m0n0/1.2b9/etc/inc/filter.inc
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_edit.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out_edit.php
2. open http://your-m0n0-addr/exec.php in your browser and upload
those files
3. execute the following commands in exec.php
	umount /cf
	mount -rw /cf
	mkdir /cf/patch /cf/patch/etc /cf/patch/etc/inc
	mkdir /cf/patch/usr /cf/patch/usr/local /cf/patch/usr/local/www
	cp /tmp/*php /cf/patch/usr/local/www
	cp /tmp/*inc /cf/patch/etc/inc
	cp /tmp/rc* /cf/patch/etc
	sync
	umount /cf
	mount /cf
4. download your current configuration
5. add the following option in the <system></system> section
	<earlyshellcmd>echo Patching files</earlyshellcmd>
	<earlyshellcmd>cp -R /cf/patch/* /</earlyshellcmd>
6. reboot m0n0

Also, I made an image for the PC platform; it can be downloaded at
	http://61.132.118.190/m0n0/1.2b9/generic-pc-1.2b9.0508081635.img
	
how to use/test the new feature
Let's say A.B.C.D1 is the LAN address of the m0n0. The WAN address is
dynamically assigned and test.dydns.org is the external DNS name of
the m0n0 box. A.B.C.D2 and D3 are two internal web servers to be
published to the outside world. D4 is an FTP server to be published;
the passive port range of the FTP server is 65000-65100. And D5 is a
squid proxy with transparent proxying enabled, listening on the default
port 3128.

We want all published servers to be accessible to LAN users using the
dyndns name, but we don't want to enable DNS masquerading on the m0n0
box, and users' web browsing traffic should go through the squid proxy.
We allow all traffic on the LAN by default.

the setup steps:
1. enable the advanced outbound nat
2. add a default outbound nat rule for all lan users
	Interface:			WAN
	Source:				A.B.C.0/24
	Destination.Type:	any
	
3. add inbound/outbound nat rules for transparent proxying
	inbound rules 1:
		Interface:			LAN
		External address:	Any Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D5
		Local port:			3128
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D5/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	3128
	
4. add inbound/outbound nat rules for ftp server
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	21
		NAT IP:				A.B.C.D4
		Local port:			21
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	21
		NAT IP:				A.B.C.D4
		Local port:			21
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D4/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	21
		
5. add inbound/outbound nat rules for ftp server passive port range
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	65000
		External port range.to:		65100
		NAT IP:				A.B.C.D4
		Local port:			65000
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	65000
		External port range.to:		65100
		NAT IP:				A.B.C.D4
		Local port:			65000
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D4/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	65000
		Policy NAT.to:		65100
		
6. add inbound/outbound nat rules for web servers
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D2
		Local port:			80
		Load-balancing:		yes
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D3
		Local port:			80
		Load-balancing:		yes
		Auto Firewall rule: yes
	inbound rules 3:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D2
		Local port:			80
		Load-balancing:		yes
	inbound rules 4:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D3
		Local port:			80
		Load-balancing:		yes
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D2/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	80
	outbound rules 2:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D3/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	80

Note: if those servers are in a DMZ connected to an option interface,
then the outbound rules are not needed and advanced outbound NAT can be
disabled. The "NAT IP" field in the inbound rules should, of course, be
changed to match that scenario. I prefer the DMZ setup 'cause it has a
few advantages, like the ability to track the source address of each
connection, etc.

that's it. questions and bugs?

What's next? Maybe add support for a 'span' interface, like the span
ports in most manageable switches, so that interesting traffic can be
arbitrarily sent to a packet sniffer or a snort IDS.

sorry for my poor english.

2005/8/7, edward mzj <edward dot mzj at gmail dot com>:
> sorry. gmail messed up the patch file. it can be downloaded @
> http://61.132.118.190/m0n0/1.2b9/p3.patch
> 
> and the individual modified files
> http://61.132.118.190/m0n0/1.2b9/etc/rc.newwanip
> http://61.132.118.190/m0n0/1.2b9/etc/inc/filter.inc
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_edit.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out_edit.php
> 
> 2005/8/7, edward mzj <edward dot mzj at gmail dot com>:
> > hi guys, i just added a few codes to m0n0, enabling inbound/outbound
> > nat on lan interface, policy outbound nat, and inbound load-balancing
> > on a simple round-robin basis. anyone interested?
>
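The two procedures in the message above (patching mfsroot inside the image on a FreeBSD box, and staging the modified files on /cf with a pair of earlyshellcmd entries) as one added example script. This is not code from the post or from m0n0wall; it repeats the posted commands as shell functions, adds the things that go wrong when a step fails halfway (a copy of the original image is kept, and the vn devices are always unmounted and unconfigured on exit), and edits a downloaded config.xml with awk so the two `<earlyshellcmd>` lines are inserted inside `<system>` exactly once instead of by hand. Assumptions: FreeBSD 4.x tooling exactly as in the post (MAKEDEV, vnconfig), the image name ends in `.img`, and the config.xml has `</system>` on a line of its own, as m0n0wall writes it.

```shell
#!/bin/sh
# Added example, not part of the original post or of m0n0wall.
# Assumes FreeBSD 4.x (vnconfig/MAKEDEV as in the post) for patch_image;
# add_earlyshellcmd only needs awk and grep.
set -eu

# Unwind in reverse order. Every step may fail because a failure halfway
# through patch_image leaves an unknown subset of these configured.
cleanup_image() {
    umount /mnt/vn2 2>/dev/null || true
    vnconfig -u vn2 2>/dev/null || true
    umount /mnt/vn1 2>/dev/null || true
    vnconfig -u vn1 2>/dev/null || true
}

# usage: patch_image generic-pc-1.2b9.img p3.patch
# Rewrites the .img in place with the patch applied to mfsroot; the
# untouched original is kept as <image>.orig so a bad patch is recoverable.
patch_image() {
    img=$1
    patch_abs=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    base=${img%.img}
    cp "$img" "$img.orig"
    trap cleanup_image EXIT
    [ -e /dev/vn1 ] || (cd /dev && ./MAKEDEV vn1)
    [ -e /dev/vn2 ] || (cd /dev && ./MAKEDEV vn2)
    mkdir -p /mnt/vn1 /mnt/vn2
    gunzip -S ".img" "$img"             # produces $base, removes $img
    vnconfig vn1 "$base"
    mount /dev/vn1 /mnt/vn1
    gunzip -c /mnt/vn1/mfsroot.gz > mfsroot
    vnconfig vn2 mfsroot
    mount /dev/vn2 /mnt/vn2
    (cd /mnt/vn2 && patch -p3 < "$patch_abs")
    sync
    umount /mnt/vn2
    vnconfig -u vn2
    gzip -9c mfsroot > /mnt/vn1/mfsroot.gz
    sync
    umount /mnt/vn1
    vnconfig -u vn1
    trap - EXIT
    gzip -9S ".img" "$base"             # back to $base.img
    rm -f mfsroot
}

# usage: add_earlyshellcmd config.xml
# Inserts the two <earlyshellcmd> lines just before </system>. Idempotent:
# a second run is a no-op, so the copy does not run twice at boot.
add_earlyshellcmd() {
    cfg=$1
    if grep -q 'cp -R /cf/patch/\* /' "$cfg"; then
        return 0
    fi
    grep -q '</system>' "$cfg" || {
        echo "no </system> in $cfg" >&2
        return 1
    }
    awk '
        /<\/system>/ && !inserted {
            print "\t\t<earlyshellcmd>echo Patching files</earlyshellcmd>"
            print "\t\t<earlyshellcmd>cp -R /cf/patch/* /</earlyshellcmd>"
            inserted = 1
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Only act when invoked with a subcommand, so the functions can be sourced.
case "${1:-}" in
    image)  patch_image "$2" "$3" ;;
    config) add_earlyshellcmd "$2" ;;
esac
```

Run `sh patch-m0n0.sh image generic-pc-1.2b9.img p3.patch` on the FreeBSD box, or `sh patch-m0n0.sh config config.xml` on the downloaded configuration before uploading it back. The trap matters more than it looks: a failed `patch` with vn1 and vn2 still configured means the next attempt fails at `vnconfig` with the device busy, and a half-written mfsroot.gz on vn1 would be packed into the image unnoticed.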