 From:  "Robo.K." <mono at inmail dot sk>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] Re: A few modification to m0n0, anyone interested?
 Date:  Mon, 8 Aug 2005 13:55:55 +0200
I have a question. It would be very interesting to implement HTB with HFSC in
MonoWall's traffic shaper. As far as I know, in 4.11 it isn't possible, only
in 5.xx. Right?
Doesn't there exist another way to implement in Mono such a traffic shaper,
which knows about "borrowing" between pipes?

Best regards.
Robo.K.
-----Original Message-----
From: edward mzj [mailto:edward dot mzj at gmail dot com] 
Sent: Monday, August 08, 2005 11:12 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] Re: A few modification to m0n0, anyone interested?

news: the files have been updated since the last post (bug fix)

how to apply the patch
1. login to a freebsd box;
2. download the m0n0 image file, generic-pc-1.2b9.img for example, and the patch;
	cd $HOME; fetch http://61.132.118.190/m0n0/1.2b9/p3.patch
	fetch http://m0n0wall.absinet.net/m0n0wall/generic-pc-1.2b9.img
3. create vn nodes and mount points;
	cd /dev ; ./MAKEDEV vn{1,2} ; cd $HOME
	mkdir /mnt/vn{1,2}
4. unzip and mount the image file;
	gunzip -S ".img" generic-pc-1.2b9.img
	vnconfig vn1 generic-pc-1.2b9 && mount /dev/vn1 /mnt/vn1
	gunzip -c /mnt/vn1/mfsroot.gz > mfsroot
	vnconfig vn2 mfsroot && mount /dev/vn2 /mnt/vn2
5. apply the patch;
	cd /mnt/vn2; patch -p3 < $OLDPWD/p3.patch ; cd $HOME
6. repack the rootfs and image file;
	sync ; umount /mnt/vn2 && vnconfig -u vn2
	gzip -9c mfsroot > /mnt/vn1/mfsroot.gz
	sync ; umount /mnt/vn1 && vnconfig -u vn1
	gzip -9S ".img" generic-pc-1.2b9
7. upload the updated image file to a running m0n0

an alternative way to apply the patch
1. download the individual modified files:
	http://61.132.118.190/m0n0/1.2b9/etc/rc.newwanip
	http://61.132.118.190/m0n0/1.2b9/etc/inc/filter.inc
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_edit.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out.php
	http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out_edit.php
2. open http://your-m0n0-addr/exec.php in your browser and upload those files
3. execute the following commands in exec.php
	umount /cf
	mount -rw /cf
	mkdir /cf/patch /cf/patch/etc /cf/patch/etc/inc
	mkdir /cf/patch/usr /cf/patch/usr/local /cf/patch/usr/local/www
	cp /tmp/*php /cf/patch/usr/local/www
	cp /tmp/*inc /cf/patch/etc/inc
	cp /tmp/rc* /cf/patch/etc
	sync
	umount /cf
	mount /cf
4. download your current configuration
5. add the following options in the <system></system> section
	<earlyshellcmd>echo Patcing files</earlyshellcmd>
	<earlyshellcmd>cp -R /cf/patch/* /</earlyshellcmd>
6. reboot m0n0

Also, I made an image for the pc platform and it can be downloaded at
	http://61.132.118.190/m0n0/1.2b9/generic-pc-1.2b9.0508081635.img
	
how to use/test the new feature
let's say A.B.C.D1 is the LAN address of the m0n0. the WAN address is
dynamically assigned and test.dydns.org is the external dns name of the m0n0
box. A.B.C.D2 and D3 are 2 internal web servers to be published to the
outside world. D4 is an ftp server to be published.
the passive port range of the ftp server is 65000-65100. And D5 is a squid
proxy with transparent proxying enabled, listening on the default
3128 port.

we want all published servers accessible to lan users using the dydns name,
but we don't want to enable dns-masquerading on the m0n0 box. and users' web
browsing traffic should go through the squid proxy. we allow all traffic on
lan by default.

the setup steps:
1. enable the advanced outbound nat
2. add a default outbound nat rule for all lan users
	Interface:			WAN
	Source:				A.B.C.0/24
	Destination.Type:	any
	
3. add inbound/outbound nat rules for transparent proxying
	inbound rules 1:
		Interface:			LAN
		External address:	Any Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D5
		Local port:			3128
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D5/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	3128
	
4. add inbound/outbound nat rules for ftp server
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	21
		NAT IP:				A.B.C.D4
		Local port:			21
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	21
		NAT IP:				A.B.C.D4
		Local port:			21
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D4/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	21
		
5. add inbound/outbound nat rules for ftp server passive port range
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	65000
		External port range.to:		65100
		NAT IP:				A.B.C.D4
		Local port:			65000
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	65000
		External port range.to:		65100
		NAT IP:				A.B.C.D4
		Local port:			65000
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D4/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	65000
		Policy NAT.to:		65100
		
6. add inbound/outbound nat rules for web servers
	inbound rules 1:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D2
		Local port:			80
		Load-balancing:		yes
		Auto Firewall rule: yes
	inbound rules 2:
		Interface:			WAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D3
		Local port:			80
		Load-balancing:		yes
		Auto Firewall rule: yes
	inbound rules 3:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D2
		Local port:			80
		Load-balancing:		yes
	inbound rules 4:
		Interface:			LAN
		External address:	WAN Address
		Protocol:			TCP
		External port range.from:	80
		NAT IP:				A.B.C.D3
		Local port:			80
		Load-balancing:		yes
	outbound rules 1:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D2/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	80
	outbound rules 2:
		Interface:			LAN
		Source:				A.B.C.0/24
		Destination.Type:	A.B.C.D3/32
		Policy NAT.Enable:	yes
		Policy NAT.Protocol:TCP
		Policy NAT.from:	80

note, if those servers are in a dmz area connected to an option interface,
then the outbound rules are not needed and advanced outbound nat can be
disabled. the "NAT IP" field in the inbound rules should be changed of
course to match that scenario. i prefer the dmz setup 'cause it has a few
advantages, like the ability to track the source address of each
connection, etc.

that's it. questions and bugs?

what's next? maybe add support for a 'span' interface, like span ports in
most manageable switches, so that interested traffic can be arbita to a
packet sniffer or a snort ids.

sorry for my poor english.

2005/8/7, edward mzj <edward dot mzj at gmail dot com>:
> sorry. gmail messed up the patch file. it can be downloaded @ 
> http://61.132.118.190/m0n0/1.2b9/p3.patch
> 
> and the individual modified files
> http://61.132.118.190/m0n0/1.2b9/etc/rc.newwanip
> http://61.132.118.190/m0n0/1.2b9/etc/inc/filter.inc
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_edit.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out.php
> http://61.132.118.190/m0n0/1.2b9/usr/local/www/firewall_nat_out_edit.php
> 
> 2005/8/7, edward mzj <edward dot mzj at gmail dot com>:
> > hi guys, i just added a few codes to m0n0, enabling inbound/outbound 
> > nat on lan interface, policy outbound nat, and inbound 
> > load-balancing on a simple round-robin basis. anyone interested?
>
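
The NAT rule set from steps 3 to 6 of the forwarded post, as an added example that is not part of this thread or of m0n0wall's own code: a small Python model of the inbound, round-robin load-balancing and policy outbound NAT rules, used to show why the LAN-side inbound rules (which let LAN users reach the servers through the dydns name without DNS masquerading) need the matching policy outbound NAT rule. The addresses are constructed stand-ins for A.B.C.D1 to D5 and the external client; first-match evaluation with the specific rules listed ahead of the "Any Address" proxy rule is an assumption of this model, not something the post states about the patch.

```python
"""Model of the LAN-side ("hairpin") NAT setup described in the thread.
Added example; addresses and rule ordering are constructed assumptions."""
from dataclasses import dataclass
from itertools import cycle

# Constructed addresses standing in for the thread's A.B.C.Dn placeholders.
WAN_ADDR = "203.0.113.10"                    # dynamically assigned WAN address (test.dydns.org)
LAN_ADDR = "192.168.1.1"                     # A.B.C.D1, the m0n0wall LAN address
WEB1, WEB2 = "192.168.1.2", "192.168.1.3"    # A.B.C.D2 and D3, the two web servers
FTP, PROXY = "192.168.1.4", "192.168.1.5"    # A.B.C.D4 (ftp) and D5 (squid)
LAN_NET = "192.168.1."                       # A.B.C.0/24


def in_lan(ip):
    return ip.startswith(LAN_NET)


@dataclass
class Packet:
    iface: str      # interface the packet arrives on: "LAN" or "WAN"
    src: str
    dst: str
    dport: int


class InboundRule:
    """One inbound NAT entry; several NAT IPs model 'Load-balancing: yes'."""

    def __init__(self, iface, ext_addr, ext_from, ext_to, nat_ips, local_port):
        self.iface = iface
        self.ext_addr = ext_addr            # None stands for "Any Address"
        self.ext_from, self.ext_to = ext_from, ext_to
        self.local_port = local_port
        self.targets = cycle(nat_ips)       # plain round robin, as the post describes

    def matches(self, p):
        return (p.iface == self.iface
                and (self.ext_addr is None or p.dst == self.ext_addr)
                and self.ext_from <= p.dport <= self.ext_to)

    def translate(self, p):
        # A port range is mapped onto local_port.. keeping the same offset.
        return Packet(p.iface, p.src, next(self.targets),
                      self.local_port + (p.dport - self.ext_from))


@dataclass
class OutboundRule:
    """Policy outbound NAT on LAN: source-NAT LAN clients talking to one server/port."""
    dst: str
    port_from: int
    port_to: int

    def matches(self, p):
        return (p.iface == "LAN" and in_lan(p.src) and p.dst == self.dst
                and self.port_from <= p.dport <= self.port_to)


def build_rules():
    """Rule set from steps 3-6; specific rules first is an assumption of this model."""
    inbound = [
        InboundRule("WAN", WAN_ADDR, 80, 80, [WEB1, WEB2], 80),        # step 6, rules 1+2
        InboundRule("LAN", WAN_ADDR, 80, 80, [WEB1, WEB2], 80),        # step 6, rules 3+4
        InboundRule("WAN", WAN_ADDR, 21, 21, [FTP], 21),               # step 4
        InboundRule("LAN", WAN_ADDR, 21, 21, [FTP], 21),
        InboundRule("WAN", WAN_ADDR, 65000, 65100, [FTP], 65000),      # step 5
        InboundRule("LAN", WAN_ADDR, 65000, 65100, [FTP], 65000),
        InboundRule("LAN", None, 80, 80, [PROXY], 3128),               # step 3, transparent proxy
    ]
    outbound = [
        OutboundRule(PROXY, 3128, 3128),
        OutboundRule(FTP, 21, 21),
        OutboundRule(FTP, 65000, 65100),
        OutboundRule(WEB1, 80, 80),
        OutboundRule(WEB2, 80, 80),
    ]
    return inbound, outbound


def forward(p, inbound, outbound):
    """Apply inbound NAT, then outbound policy NAT, and report where the reply goes."""
    for r in inbound:
        if r.matches(p):
            p = r.translate(p)
            break
    for r in outbound:
        if r.matches(p):
            p = Packet(p.iface, LAN_ADDR, p.dst, p.dport)
            break
    # The server answers whatever source address it saw. If client and server
    # share the LAN and the source was not rewritten to the firewall, the reply
    # goes straight to the client, bypassing the NAT state; the client expects
    # an answer from WAN_ADDR and drops it.
    direct_reply = in_lan(p.dst) and in_lan(p.src) and p.src != LAN_ADDR
    return {"dst": p.dst, "dport": p.dport, "src": p.src,
            "reply_via_firewall": not direct_reply}


if __name__ == "__main__":
    inb, outb = build_rules()
    for pkt in (Packet("WAN", "198.51.100.7", WAN_ADDR, 80),
                Packet("WAN", "198.51.100.7", WAN_ADDR, 80),
                Packet("LAN", "192.168.1.50", WAN_ADDR, 80),
                Packet("LAN", "192.168.1.50", "93.184.216.34", 80),
                Packet("WAN", "198.51.100.7", WAN_ADDR, 65042)):
        print(pkt, "->", forward(pkt, inb, outb))
    # The same LAN request without the policy outbound NAT rules: asymmetric reply.
    print(forward(Packet("LAN", "192.168.1.50", WAN_ADDR, 80), inb, []))
```

Running the model shows the two WAN requests alternating between D2 and D3, the LAN request to the WAN address being redirected to D2 with its source rewritten to D1 so the reply comes back through the firewall, and the same request with the outbound rules removed ending in a direct, asymmetric reply. It also makes the trade-off visible that the post mentions: with policy NAT every hairpinned or proxied connection reaches the server with D1 as its source, which is the loss of per-client source tracking that makes the DMZ setup preferable.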
