m0n0wall
Chris Buechler, Manuel Kasper
m0n0wall written by Manuel Kasper. Most documentation written by Chris Buechler. Additional contributors listed in Contributors and Credits.
m0n0wall Version 1.2 and 1.3b
Copyright 2008 m0n0wall Documentation Project. All rights reserved.
Redistribution and use in any form, with or without modification, are permitted provided that the following conditions are met:
- Redistributions must retain the above copyright notice, this list of conditions and the following disclaimer.
- Neither the name of the m0n0wall Documentation Project nor the names of its contributors may be used to endorse or promote products derived from this documentation without specific prior written permission.
THIS DOCUMENTATION IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
June 2008
Abstract
A freely redistributable complete embedded firewall software package.
Table of Contents
1. Introduction
1.1. What m0n0wall is
1.2. What m0n0wall is not
1.3. History
1.4. Features
1.5. Software Copyright and Distribution (Licenses)
1.6. Contributors and Credits
2. Hardware Compatibility
2.1. Supported Hardware Architectures
2.2. Supported Standard PC Based Hardware
2.3. Supported Embedded Devices
2.4. Virtualization
2.5. Hardware Sizing
2.6. Wireless Cards
2.7. Ethernet Cards
3. Setup
3.1. Getting the Software
3.2. Installing the Software
3.3. Booting m0n0wall
4. Configuration
4.1. The Console Menu
4.2. The WebGUI
4.3. The System Screens
4.4. The Interfaces Screens
4.5. The Services Screens
4.6. The Status Screens
4.7. The Diagnostics Screens
5. The Firewall Screens
5.1. Rules
5.2. Aliases
6. Network Address Translation
6.1. NAT Primer
6.2. Inbound NAT
6.3. Outbound NAT
6.4. Server NAT
6.5. 1:1 NAT
6.6. Choosing the appropriate NAT for your network
7. Traffic Shaper
8. IPsec
8.1. Preface
8.2. Prerequisites
8.3. Configuring the VPN Tunnel
8.4. What if your m0n0wall isn't the main Internet Firewall?
9. PPTP
9.1. Preface
9.2. Audience
9.3. Assumptions
9.4. Subnetting and VLAN routing
9.5. Setup of m0n0wall software
9.6. PPTP User Setup
9.7. PPTP Firewall Rules
9.8. Setting up a PPTP Client on Windows XP
9.9. Some things I have found not to work over the PPTP Connection
10. OpenVPN
11. Wireless
11.1. Adding A Wireless Interface
11.2. Wireless Parameters 1.2.x
11.3. Wireless Parameters 1.3.x
11.4. Wireless Status
12. Captive Portal
12.1. Connection Management
12.2. Authentication Management
12.3. Custom Pages And Files
12.4. Vouchers
12.5. Limitations
12.6. Additional Information
A. Reference
A.1. IP Basics
A.2. IP Filtering
A.3. NAT
A.4. Traffic Shaping
A.5. DNS
A.6. Encryption (PPTP/IPsec)
A.7. Logging (syslog)
13. Example Configurations
13.1. Configuring a DMZ Interface Using NAT
13.2. Locking Down DMZ Outbound Internet Access
13.3. Configuring a filtered bridge
14. Example IPSec VPN Configurations
14.1. Cisco PIX Firewall
14.2. Smoothwall
14.3. FreeS/WAN
14.4. Sonicwall
14.5. Nortel
14.6. Mobile User VPN with IPsec?
15. FAQ
15.1. How do I set up mobile user VPN with IPsec?
15.2. How can I prioritize ACK packets with m0n0wall?
15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN
15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
15.6. Does m0n0wall support MAC address filtering?
15.7. Does m0n0wall support SMP systems?
15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
15.9. What were the goals behind the m0n0wall project?
15.10. How do I set up multiple IP addresses on the WAN interface?
15.11. Can I filter/restrict/block certain websites with m0n0wall?
15.12. Why are some passwords stored in plain text in config.xml?
15.13. Are there any performance benchmarks available?
15.14. What about hidden config.xml options?
15.15. Why can't I query SNMP over VPN?
15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
15.18. Can I access the webGUI from the WAN?
15.19. Can I access a shell prompt?
15.20. Can I put my configuration file into the m0n0wall CD?
15.21. How can I monitor/graph/report on bandwidth usage per LAN host?
15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
15.23. Does m0n0wall support transparent proxying?
15.24. Should I use m0n0wall as an access point?
15.25. Why am I seeing traffic that I permitted getting dropped?
15.26. How can I route multiple subnets over a site to site IPsec VPN?
15.27. How can I block/permit a range of IP addresses in a firewall rule?
15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
15.29. Can I forward broadcasts over VPN for gaming or other purposes?
15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
15.31. Are PCMCIA cards supported?
15.32. Are there any tweaks for systems that will need to support large loads?
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
15.34. Can Captive Portal be used on a bridged interface?
15.35. Can I run Captive Portal on more than one interface?
15.36. Why do my SSH sessions time out after two hours?
15.37. Why isn't the reply address of the list set to the list?
15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.40. Why doesn't m0n0wall have a logout button?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
15.43. Where can I get a high resolution version of the m0n0wall logo?
15.44. When will m0n0wall be available on a newer FreeBSD version?
15.45. Is there any extra Captive Portal RADIUS functionality available?
15.46. How can I increase the size of the state table?
16. Other Documentation
16.1. Installation
16.2. VPN/IPsec/PPTP
16.3. Wireless
B. Third Party Software
B.1. Introduction
B.2. Installing SVG Viewer on Mozilla Firefox
B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph
B.4. Updating more than one Dynamic DNS hostname with ddclient
B.5. Using MultiTech's Free Windows RADIUS Server
B.6. Configuring Apache for Multiple Servers on One Public IP
B.7. Opening Ports for BitTorrent in m0n0wall
B.8. Automated config.xml backup solutions
B.9. Historical Interface Graphing Using MRTG on Windows
17. Troubleshooting
17.1. Interfaces are not detected
17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.
17.3. No Link Light
17.4. Cannot Access webGUI
17.5. Cannot Access Internet from LAN after WAN Configuration
17.6. Troubleshooting Firewall Rules
17.7. Troubleshooting Bridging
17.8. Troubleshooting IPsec Site to Site VPN
17.9. Troubleshooting Solid Freezes
18. Bibliography
18.1. Books
18.2. Newspapers
18.3. Magazines
18.4. Television
18.5. Popular Websites
18.6. Conferences
Glossary
C. License
C.1. The FreeBSD Copyright
C.2. The PHP License
C.3. mini_httpd License
C.4. ISC DHCP Server License
C.5. ipfilter License
C.6. MPD License
C.7. ez-ipupdate License
C.8. Circular log support for FreeBSD syslogd License
C.9. dnsmasq License
C.10. racoon License
C.11. General Public License for the software known as MSNTP
C.12. ucd-snmp License
C.13. choparp License
C.14. bpalogin License
C.15. php-radius License
C.16. wol License
Index
List of Figures
4.1. The General Setup screen
4.2. The Firmware screen
4.3. The System Status screen
4.4. The Traffic Graph screen
8.1. Example: m0n0wall behind a router
13.1. Example Network Diagram
13.2. Filtered Bridge Diagram
14.1. Network diagram
14.2. Example of Sonicwall configuration
17.1. Troubleshooting Internet Access
11. Typical DMZ Network
List of Tables
4.1. General Setup parameters
4.2. Advanced System Options
4.3. SIP Proxy Parameters
4.4. Log Settings Parameters
4.5. The two entries for each VPN connection are as follows:
11.1. Wireless 1.2 Parameters
11.2. Wireless 1.3 Parameters
12.1. Connection Parameters
12.2. Secure Authentication Parameters
12.3. User Parameters
12.4. Radius Server Parameters
12.5. Voucher Parameters
12.6. Voucher Roll Parameters
Chapter 1. Introduction
Table of Contents
1.1. What m0n0wall is
1.2. What m0n0wall is not
1.3. History
1.4. Features
1.4.1. Components
1.4.2. Specifications
1.5. Software Copyright and Distribution (Licenses)
1.5.1. Other Software Packages
1.6. Contributors and Credits
1.6.1. Code
1.6.2. Documentation
1.2. What m0n0wall is not
m0n0wall is a firewall, and the purpose of a firewall is to provide security. The more functionality is added, the greater the chance that a vulnerability in that additional functionality will compromise the security of the firewall. It is the opinion of the m0n0wall founder and core contributors that anything outside the base services of a layer 3 and 4 firewall does not belong in m0n0wall. Some services that may be appropriate are very CPU intensive and memory hungry, and m0n0wall is focused towards embedded devices with limited CPU and memory resources. The non-persistent file system, due to our focus on CompactFlash installations, is another limiting factor. Lastly, image size constraints eliminate other possibilities.
We feel these services should be run on another server, and are intentionally not part of m0n0wall:
- Intrusion Detection/Prevention System
- Proxy Server
- Packet inspection at any layers other than 3 and 4
- A general purpose web server
- An FTP server
- A network time server
- A log file analyzer
For the same reason, m0n0wall does not allow logins: there is no login prompt at the console (it displays a menu instead), and no telnet or ssh daemon.
1.3. History
Manuel Kasper, m0n0wall's author, says:
Ever since I started playing with packet filters on embedded PCs, I wanted to have a nice web-based GUI to control all aspects of my firewall without having to type a single shell command. There are numerous efforts to create nice firewall packages with web interfaces on the Internet (most of them Linux based), but none met all my requirements (free, fast, simple, clean and with all the features I need). So, I eventually started writing my own webGUI. But soon I figured that I didn't want to create another incarnation of webmin; I wanted to create a complete, new embedded firewall software package. It all evolved to the point where one could plug in the box, set the LAN IP address via the serial console, log into the web interface and set it up. Then I decided that I didn't like the usual bootup system configuration with shell scripts (I already had to write a C program to generate the filter rules since that's almost impossible in a shell script), and since my web interface was based on PHP, it didn't take me long to figure out that I might use PHP for the system configuration as well. That way, the configuration data would no longer have to be stored in text files that can be parsed in a shell script; it could now be stored in an XML file. So I completely rewrote the whole system again, not changing much in the look and feel, but quite a lot "under the hood".
The first public beta release of m0n0wall was on February 15, 2003. Version 1.0 was released exactly one year later, on February 15, 2004. Between those two were an additional 26 public beta releases, an average of one release every two weeks. Version 1.1 was released in August 2004, with 1.11 released with a security update for m0n0wall's dynamic DNS component ez-ipupdate on November 11, 2004. Version 1.2 has been in beta since, with a final release in October 2005. A complete list of changes for each version can be found on the m0n0wall website under Change Log.
1.4. Features
m0n0wall provides many of the features of expensive commercial firewalls, and some you won't find in any commercial firewalls, including:
- web interface (supports SSL)
- serial console interface for recovery
  - set LAN IP address
  - reset password
  - restore factory defaults
  - reboot system
- wireless support (access point with PRISM II/2.5 cards, BSS/IBSS with other cards including Cisco)
- stateful packet filtering
  - block/pass rules
  - logging
- NAT/PAT (including 1:1)
- DHCP client, PPPoE and PPTP support on the WAN interface
- IPsec VPN tunnels (IKE; with support for hardware crypto cards and mobile clients)
- PPTP VPN (with RADIUS server support)
- static routes
- DHCP server
- caching DNS forwarder
- DynDNS client
- SNMP agent
1.4.1. Components
m0n0wall contains the following software components:
- FreeBSD components (kernel, user programs)
- ipfilter
- PHP (CGI version)
- thttpd
- MPD
- ISC DHCP server
- ez-ipupdate (for DynDNS updates)
- Dnsmasq (for the caching DNS forwarder)
- racoon (for IPsec IKE)
1.4.2. Specifications
1.6.1. Code
m0n0wall was written by Manuel Kasper. The following persons have contributed code to m0n0wall:
- Bob Zoller (bob at kludgebox dot com): Diagnostics: Ping function; WLAN channel auto-select; DNS forwarder
- Michael Mee (m0n0wall at mikemee dot com): Timezone and NTP client support
- Magne Andreassen (magne dot andreassen at bluezone dot no): Remote syslog'ing; some code bits for DHCP server on optional interfaces
- Rob Whyte (rob at glabs dot com): Idea/code bits for encrypted webGUI passwords; minimalized SNMP agent
- Petr Verner (verner at ipps dot cz): Advanced outbound NAT: destination selection
- Bruce A. Mah (bmah at acm dot org): Filtering bridge patches
- Jim McBeath (monowall at j dot jimmc dot org): Filter rule patches (ordering, block/pass, disabled); better status page; webGUI assign network ports page
- Chris Olive (chris at technologEase dot com): enhanced "execute command" page
- Pauline Middelink (middelink at polyware dot nl): DHCP client: send hostname patch
- Björn Pålsson (bjorn at networksab dot com): DHCP lease list page
- Peter Allgeyer (allgeyer at web dot de): "reject" type filter rules
- Thierry Lechat (dev at lechat dot org): SVG based traffic grapher
- Steven Honson (steven at honson dot org): per-user IP address assignments for PPTP VPN
- Kurt Inge Smådal (kurt at emsp dot no): NAT on optional interfaces
- Dinesh Nair (dinesh at alphaque dot com): captive portal: pass-through MAC/IP addresses, RADIUS authentication HTTP server concurrency limit
- Justin Ellison (justin at techadvise dot com): traffic shaper TOS matching; magic shaper; DHCP deny unknown clients; IPsec user FQDNs
- Fred Wright (fw at well dot com): ipfilter window scaling fix; ipnat ICMP checksum adjustment fix
1.6.2. Documentation
m0n0wall was written by Manuel Kasper. The following persons have contributed documentation to m0n0wall:
- Chris Buechler (m0n0wall at chrisbuechler.com): Editor, numerous contributions throughout.
- Shawn Giese (shawngiese at gmail dot com): numerous contributions throughout.
- Jim McBeath (monowall at j dot jimmc dot org): Users Guide outline, editing
- Rudi van Drunen (r.van.drunen at xs4all dot nl), with thanks to Manuel Kasper, Edwin Kremer, PicoBSD, Matt Simerson and John Voight: m0n0wall Hackers Guide, used as the basis for the old Development chapter, now part of the m0n0wall Developers' Handbook.
- Francisco Artes (falcor at netassassin.com): IPsec and PPTP chapters.
- Fred Wright (fw at well dot com): Suggestions and review.
- Axel Eble (axel+m0n00001 at balrog dot de): Help with the wiki, ddclient howto contribution.
- Brian Zushi (brian at ricerage dot org): Linux CD burning instructions, documentation review and suggestions.
- Dino Bijedic (dino.bijedic at eracomtech dot com): Sonicwall example VPN contribution.
PCI connector.
For a detailed walkthrough of getting up and running with m0n0wall on Soekris hardware, see the m0n0wall Soekris Quick Start Guide.
Note
There are some tricks to getting m0n0wall working on Nokia hardware because the NICs initially show MAC address ff:ff:ff:ff:ff:ff. For pictures and complete instructions, see this page.
2.4. Virtualization
The following can be used as a rough guide to determining which embedded platform, if any, is suitable for your environment.
2.5.1.1. Soekris 45xx
The Soekris 45xx line is sufficient for any Internet connection under 10 Mbps. If IPsec VPNs will be used, a 45xx is sufficient up to around 3 Mbps of sustained IPsec throughput. Other features will not cause enough of a performance hit to make a substantial difference.
One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 45xx maxes out at around 17 Mbps. If you need more than 17 Mbps of throughput between your internal networks, you will need to go with a faster platform.
2.5.1.2. Soekris 48xx
The Soekris 48xx line is sufficient for most Internet connections less than 30 Mbps. If IPsec VPNs will be used, a 48xx is sufficient up to around
One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 48xx maxes out at around 40 Mbps. If you need more than 40 Mbps of throughput between your internal networks, you will need to go with a faster platform.
2.5.1.3. WRAP
WRAP boards are sufficient for most Internet connections less than 30 Mbps. If IPsec VPNs will be used, a WRAP is sufficient up to around
One thing to keep in mind is the maximum throughput between interfaces, if you plan on utilizing a DMZ segment or second LAN segment. A 48xx maxes out at around 40 Mbps. If you need more than 40 Mbps of throughput between your internal networks, you will need to go with a faster platform.
2.5.3. Processor
2.5.4. RAM
Note
The m0n0wall Documentation Project does not endorse any vendors you may find through froogle.google.com. We simply link there for your convenience. The searches provided may also bring up unrelated hardware in addition to the compatible hardware.
- 3COM 3crwe737A AirConnect Wireless LAN PC Card
- Cisco Systems Aironet 340 (no hostap)
- Cisco Systems Aironet 350 (no hostap)
- Compaq WL100
- Compaq WL110
- D-Link DWL-520 (NOT DWL-520+ as it uses a different, unsupported, chipset.)
- D-Link DWL-650 (Revisions A1-J3 ONLY. K1, L1, M, and P revisions not supported.)
- Dell TrueMobile 1150 Series (no hostap)
- Intel PRO/Wireless 2011 LAN PC Card
- Linksys Instant Wireless WPC11
- Netgear MA311
- Netgear MA401
- SMC 2632W PC Card
- SMC 2602W PCI
- US Robotics Wireless Card 2410
- NL-2511CD
mini-PCI
- 2511MP
- Dell TrueMobile 1150 Series
Some of the following do not support hostap. To determine if they do, search Google for the card name and FreeBSD, to determine which driver the card uses. If it is 'wi', it will work. Cards that use drivers other than wi do not support hostap.
- Accton airDirect WN3301
- Addtron AWA-100
- Adtec ADLINK340APC
- Aironet 4500/4800 series (PCMCIA, PCI, and ISA adapters are all supported)
- Airway 802.11 Adapter
- Avaya Wireless PC Card
- BayStack 650 and 660
- Blue Concentric Circle CF Wireless LAN Model WL-379F
- BreezeNET PC-DS.11
- Buffalo WLI-CF-S11G
- Cabletron RoamAbout 802.11 DS
- Corega KK Wireless LAN PCC-11, PCCA-11, PCCB-11
- ELECOM Air@Hawk/LD-WL11/PCC
- ELSA AirLancer MC-11
- Farallon Skyline 11Mbps Wireless
- Farallon SkyLINE Wireless
- ICOM SL-1100
- Icom SL-200
- IBM High Rate Wireless LAN PC Card
- I-O Data WN-B11/PCM
- Laneed Wireless card
- Lucent Technologies WaveLAN/IEEE 802.11 PCMCIA and ISA standard speed (2Mbps) and turbo speed (6Mbps) wireless network adapters and workalikes
- Lucent WaveLAN/IEEE 802.11
- Melco Airconnect WLI-PCM-S11, WLI-PCM-L11
- Melco WLI-PCM
- NCR WaveLAN/IEEE 802.11
- NEC Wireless Card CMZ-RT-WP
- NEC Aterm WL11C (PC-WL/11C)
- NEC PK-WL001
- NEL SSMagic
- Netwave AirSurfer Plus and AirSurfer Pro
- PLANEX GeoWave/GW-NS110
- Proxim Harmony, RangeLAN-DS
- Raytheon Raylink PC Card
- Sony PCWA-C100
- TDK LAK-CD011WL
- Toshiba Wireless LAN Card
- Webgear Aviator
- Webgear Aviator Pro
- Xircom Wireless Ethernet adapter (rebadged Aironet)
- ZoomAir 4000
than $25 USD on eBay.
Chapter 3. Setup
Table of Contents
3.1. Getting the Software
3.2. Installing the Software
3.2.1. Preparing a bootable CD
3.2.2. Preparing a CompactFlash or IDE Hard Disk
3.2.3. Alternative means of installation
3.3. Booting m0n0wall
This chapter acts as a quick reference for those who are familiar with installing and configuring m0n0wall. If you need more than a quick reference on what commands to use to write a CD, CF, HD, etc. please see the Quick Start Guide appropriate to your platform.
- Soekris Quick Start Guide
- PC Quick Start Guide
- WRAP Quick Start Guide
m0n0wall is designed to boot and run from either a CD image or a CompactFlash (CF) card or IDE hard disk. After downloading the appropriate image file, prepare the CD or CF.
Linux (ATAPI w/ SCSI emulation):
First, determine your burning device's SCSI ID/LUN with the following command:
    linuxbox# cdrecord --scanbus
    Cdrecord-Clone 2.01 (i686-pc-linux-gnu) Copyright (C) 1995-2004 Jörg Schilling
    Linux sg driver version: 3.1.25
    Using libscg version 'schily-0.8'.
    scsibus0:
            0,0,0   100) 'LITE-ON ' 'COMBO LTC-48161H' 'KH0F' Removable CDROM
Note the SCSI ID/LUN is 0,0,0. Burn the image as in the following example (replacing <max speed> with the speed of your burner):
cdrecord --dev=0,0,0 --speed=<max speed> cdrom-xxx.iso
Note: you can omit the fdformat step if the floppy disk is already (low-level) formatted.
Windows:
format A:
Make sure your m0n0wall PC is set to boot from CD-ROM and not from floppy.
Note
Chapter 4. Configuration
Table of Contents
4.1. The Console Menu
4.2. The WebGUI
4.3. The System Screens
4.3.1. General Setup
4.3.2. Static Routes
4.3.3. Firmware
4.3.4. Advanced
4.3.5. User Manager
4.4. The Interfaces Screens
4.4.1. Assign Interfaces
4.4.2. LAN
4.4.3. WAN
4.4.4. Optional Interfaces
4.4.5. Wireless Interfaces
4.5. The Services Screens
4.5.1. DNS Forwarder
4.5.2. Dynamic DNS
4.5.3. DHCP
4.5.4. SNMP
4.5.5. Proxy ARP
4.5.6. Captive Portal
4.5.7. Wake on LAN
4.5.8. SIP Proxy
4.6. The Status Screens
4.6.1. System
4.6.2. Interfaces
4.6.3. Traffic Graph
4.6.4. Wireless
4.6.5. The status.php page
4.7. The Diagnostics Screens
4.7.1. System Logs
4.7.2. DHCP Leases
4.7.3. IPsec
4.7.4. Ping/Traceroute
4.7.5. ARP Table
4.7.6. Firewall State
4.7.7. Reset State
4.7.8. Backup/Restore
4.7.9. Factory Defaults
4.7.10. Reboot System
This chapter is meant as a reference for most configuration options. If you don't know how to get up
Note
Some of the screenshots in the following sections include blurred areas. When you view your m0n0wall screens, these will contain information specific to your system.
The General Setup screen allows you to control some general parameters of your firewall.
Figure 4.1. The General Setup screen
The General Setup screen allows you to change the following parameters:
Table 4.1. General Setup parameters (columns: Parameter, Description, Example, Reference)
- Hostname: The unqualified hostname of your firewall. Example: myfirewall. Reference: IP Basics.
- Domain: The domain name to qualify your firewall hostname.
- DNS Servers
- Username
- Password: The password to use when connecting to the m0n0wall webGUI. The current password is not displayed; this field is used only to change the password. You should change this when you first install m0n0wall.
- webGUI Protocol: The protocol for the m0n0wall webGUI to use. If you select HTTPS, you will need to securely access your webGUI using a URL that starts with "https:" and to enter a signed certificate and key in the Advanced System page.
- webGUI Port: The port for the m0n0wall webGUI to use, if not the default.
- Timezone: The timezone of your firewall. This affects the value of times printed to logs.
4.3.3. Firmware
The Firmware screen allows you to upgrade or downgrade your m0n0wall version (only available if you are running a hard drive or compact flash installation).
Figure 4.2. The Firmware screen
4.3.4. Advanced
The options on the Advanced System page are intended for use by advanced users only, and there's NO support for them.
Table 4.2. Advanced System Options (columns: Option, Description)
- IPv6 tunneling: Add the IP address to NAT encapsulated IPv6 packets (IP protocol 41/RFC 2893) to here. Don't forget to add a firewall rule to permit IPv6 packets!
- Filtering bridge: This will cause bridged packets to pass through the packet filter in the same way as routed packets do (by default bridged packets are always passed). If you enable this option, you'll have to add filter rules to selectively permit traffic from bridged interfaces.
- webGUI SSL certificate/key: Paste a signed (firmware 1.2) or create a self-signed (firmware 1.3b12+) certificate in X.509 and an RSA private key in PEM format here. Changes to this option will take effect after a reboot.
- Firmware version check: This will cause m0n0wall not to check for newer firmware versions when the System: Firmware page is viewed.
- IPsec fragmented packets: This will cause m0n0wall to allow fragmented IP packets that are encapsulated in IPsec ESP packets.
- IPsec DNS check interval (firmware 1.3): If at least one IPsec tunnel has a hostname (instead of an IP address) as the remote gateway, a DNS lookup is performed at the interval specified here, and if the IP address that the hostname resolved to has changed, the IPsec tunnel is reconfigured. The default is 60 seconds.
- TCP idle timeout: Idle TCP connections will be removed from the state table after no packets have been received for the specified number of seconds. Don't set this too high or your state table could become full of connections that have been improperly shut down. The default is 2.5 hours.
- Hard disk standby time: Puts the hard disk into standby mode when the selected amount of time after the last access has elapsed. Do not set this for CF cards.
- Navigation: Keep diagnostics in navigation expanded.
- Static route filtering: This option only applies if you have defined one or more static routes. If it is enabled, traffic that enters and leaves through the same interface will not be checked by the firewall. This may be desirable in some situations where multiple subnets are connected to the same interface.
- webGUI anti-lockout: By default, access to the webGUI on the LAN interface is always permitted, regardless of the user-defined filter rule set. Enable this feature to control webGUI access (make sure to have a filter rule in place that allows you in, or you will lock yourself out!). Hint: the "set LAN IP address" option in the console menu resets this setting as well.
- IPsec SA preferral: By default, if several SAs match, the newest one is preferred if it's at least 30 seconds old. Select this option to always prefer old SAs over new ones.
- Device polling: Device polling is a technique that lets the system periodically poll network devices for new data instead of relying on interrupts. This can reduce CPU load and therefore increase throughput, at the expense of a slightly higher forwarding delay (the devices are polled 1000 times per second). Not all NICs support polling; see the m0n0wall homepage for a list of supported cards.
- Firewall states displayed: Maximum number of firewall state entries to be displayed on the Diagnostics: Firewall state page. Default is 300. Setting this to a very high value will cause a slowdown when viewing the firewall states page, depending on your system's processing power.
4.3.4.1. IPv6
IPv6 support is included in the latest 1.3 beta release (v12 or later). The base for this was actually contributed by Michael Hanselmann way back in 2005, and with some modifications to reflect the changes in m0n0wall since then, as well as a few fixes/improvements (most notably easy to configure 6to4 support), it is now finally in an official release. (Belated) Thanks, Michael!
IPv6 support must be explicitly enabled on the System: Advanced setup page before any of the new options will become available. Also, by default there are no firewall rules for IPv6, so everything is blocked. Make sure to add at least a rule on your LAN interface for outbound connections if you want to use IPv6.
Caution
Since 1.3b12 is the first release with IPv6 support, bugs in the implementation are likely. As always, please post on the mailing list or in the forum if you've found something odd (with a detailed description of what you did, please). Also let us know if everything worked "out of the box". :)
If you don't have native IPv6 connectivity yet, don't worry: 6to4 tunneling is supported, which should work anywhere you've got a (non-firewalled) public IPv4 address. Simply choose "6to4" for the IPv6 mode on both the WAN and LAN interfaces; no need to manually configure any IPv6 addresses (check the IPv6 RA option on the LAN interface and your LAN hosts will be able to automatically obtain an IPv6 address). It can also work with dynamic WAN IPv4 addresses (LAN/OPT IPv6 subnets are adjusted automatically). Note that some operating systems do not use IPv6 when connecting to a host that supports both IPv4 and IPv6 if they are configured with a 6to4 IPv6 address (RFC 3484), so use an IPv6-only host (try http://ipv6.m0n0.ch) for browser testing, or simply do a "ping6".
If you've got native IPv6 connectivity (over PPPoE/PPTP with 1.3b13 or later), remember that you'll have to statically route your m0n0wall's LAN subnet from your upstream router; there's no NAT for IPv6 in m0n0wall (and it would be pretty pointless in most cases anyway :).
Also, if you've gotten it to work and need some IPv6-capable websites to try it out, have a look at http://sixy.ch (or http://ipv6.sixy.ch), a directory of IPv6-enabled websites.
Note
Although many operating systems support IPv6 by default, such as Mac OS X 10.4+, Windows Vista and many Linux packages, some systems need it to be activated (such as Windows XP) and some systems may not support it at all (such as the Apple iPhone 2.0 and older versions of Windows). Check your operating system documentation to see if IPv6 is available.
For more information on IPv6 check out some of the following websites.
- IPv6 Swiss Task Force
- Wikipedia IPv6
- Microsoft Technet IPv6
- arstechnica: Everything you need to know about IPv6
- IPv6 Tunnel Brokers: Wikipedia or LinuxReviews.org
- Cool IPv6 Stuff from sixxs.net
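The 6to4 mode described above works because the site's IPv6 prefix is a pure function of its public IPv4 address (RFC 3056: the 32 bits are embedded after 2002::/16, giving a /48), which is why no addresses need to be typed in and why the internal subnets can follow a changing dynamic WAN address. The Python below is an added example, not m0n0wall code: it derives the /48 from a WAN address, carves one /64 per internal interface (the LAN=1, OPT1=2 numbering is an assumption of this example, not m0n0wall's scheme), shows what a WAN address change does to every internal prefix, and refuses RFC 1918 and other non-routable WAN addresses, since 6to4 has nothing to embed behind a NAT. The addresses used are RFC 5737 documentation ranges, constructed for the example.

```python
import ipaddress

# Anycast address of the public 6to4 relay routers (RFC 3068): a 6to4 site sends
# IPv6-in-IPv4 (protocol 41) packets for the general Internet to this address.
SIX_TO_FOUR_RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")

# Address blocks that cannot appear as the outer source of a 6to4 tunnel.
# (Listed explicitly rather than via is_private so that RFC 5737 documentation
# addresses used in the sample below still count as "public".)
NON_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_6to4_capable(wan_ipv4: str) -> bool:
    """6to4 only works from a public, routable IPv4 address (RFC 3056)."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    return not any(v4 in net for net in NON_ROUTABLE)


def six_to_four_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """Embed the 32-bit WAN address into 2002::/16, giving the site its /48."""
    if not is_6to4_capable(wan_ipv4):
        raise ValueError(f"{wan_ipv4} is not a public IPv4 address; 6to4 needs one")
    v4 = int(ipaddress.IPv4Address(wan_ipv4))
    return ipaddress.IPv6Network(f"2002:{v4 >> 16:x}:{v4 & 0xFFFF:x}::/48")


def interface_subnets(wan_ipv4: str, interfaces) -> dict:
    """One /64 per internal interface, numbered from 1 inside the site's /48.
    The numbering (LAN=1, OPT1=2, ...) is an assumption of this example."""
    base = int(six_to_four_prefix(wan_ipv4).network_address)
    return {name: ipaddress.IPv6Network((base + (sla_id << 64), 64))
            for sla_id, name in enumerate(interfaces, start=1)}


def renumber(old_wan: str, new_wan: str, interfaces) -> dict:
    """When a dynamic WAN address changes, every internal prefix changes with it;
    returns {interface: (old prefix, new prefix)} as strings."""
    before = interface_subnets(old_wan, interfaces)
    after = interface_subnets(new_wan, interfaces)
    return {name: (str(before[name]), str(after[name])) for name in interfaces}


if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses, not real WAN addresses.
    for name, net in interface_subnets("192.0.2.1", ["LAN", "OPT1"]).items():
        print(name, net)
    for name, (old, new) in renumber("192.0.2.1", "198.51.100.7", ["LAN"]).items():
        print(name, old, "->", new)
    print("behind NAT:", is_6to4_capable("10.1.2.3"))
```

The renumbering output is the practical point for the RFC 3484 remark in the text: any host that cached a 6to4 address for your LAN (or any firewall rule written against a literal 2002: prefix) becomes stale the moment the WAN address changes, so rules for 6to4 networks are best expressed in terms of the interface rather than a fixed prefix.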
4.4.2. LAN
In the LAN section, it is possible to change the IP address and the netmask (in CIDR notation) of the firewall internal interface. The system must be rebooted in order to apply the changes, as suggested after pressing the "Save" button.
4.4.2.1. LAN IPv6
When IPv6 is activated in firmware 1.3 beta 13 or higher, additional IPv6 options will become available on the WAN interface.
4.4.3. WAN
filled. A detailed description of all the fields follows.
- Type: the connection type that must be used
  - Static: A static IP address is assigned to the interface with the related netmask and gateway
  - DHCP: a dynamic address is assigned to the firewall WAN by a DHCP server on the WAN side
  - PPPoE: PPP over Ethernet, which is useful for ADSL connections
  - PPTP: allows you to set up PPTP for the ADSL providers that require this protocol for the connection
- General Configuration Panel: allows you to override the default MAC address and MTU
  - MAC Address: some cable connections require MAC spoofing. The MAC address must be in the format xx:xx:xx:xx:xx:xx
  - MTU: the value in this field allows you to set up MSS clamping for TCP connections to the value entered above minus 40 (TCP/IP header size). If the field is left blank, an MTU of 1492 bytes for PPPoE and 1500 bytes for all other connection types will be assumed
- Static IP Configuration: in this panel the static IP and gateway for the WAN interface must be set:
  - IP Address: the static IP with related netmask is set in this field
  - Gateway: the default gateway for the firewall is set in this field
- PPPoE Configuration: the username and password for the ADSL connection should be set up there
  - Username: the username the provider assigned to your connection
  - Password: the password the provider assigned to your connection
- PPTP Configuration: the parameters inserted in this sub-panel allow the user to establish the tunnel required by the PPTP ADSL connection
  - Username: the username the provider assigned to your connection
  - Password: the password the provider assigned to your connection
  - Local IP Address: the local IP address the provider assigned to your connection
  - Remote IP Address: the remote IP address the provider assigned to your connection
- Block Private Networks: This option puts in rules to drop traffic coming in on the WAN from private IP subnets. If you configure your m0n0wall with the WAN interface on a private subnet of another LAN, for example, you need to disable this option. Also, some ISPs assign customers private IPs, in which case you'll also need to disable this option.
Note
You do not need to disable the Block Private Networks option if you are using IPsec VPN tunnels with private IP addresses. When the VPN packets come into the WAN interface, they will be coming from the source IP of the WAN interface of the remote VPN device, not from the private IP subnet on the remote side.
4.4.3.1. WAN IPv6
When IPv6 is activated in firmware 1.3 beta 13 or higher, additional IPv6 options will become available on the WAN interface.
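The Block Private Networks option and the note about IPsec above come down to one fact: the check only ever sees the outer IP header of what arrives on WAN. The following Python is an added example, not m0n0wall code or its rule set; it models the check as a match of the outer source address against the RFC 1918 blocks (an assumption of this example: the real rules may cover more ranges) and runs it over a constructed set of WAN ingress packets, including an ESP packet from a remote VPN gateway whose encrypted inner addresses are private. A "continue" verdict only means this option did not drop the packet; the remaining firewall rules still decide.

```python
import ipaddress

# RFC 1918 blocks: what "Block private networks" drops when seen as the outer
# source address on WAN. Assumption of this example: only RFC 1918 is covered.
PRIVATE_NETS = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def blocked_by_private_filter(src_ip: str, block_private: bool = True) -> bool:
    """True when the option is enabled and the outer source address is RFC 1918."""
    if not block_private:
        return False
    src = ipaddress.IPv4Address(src_ip)
    return any(src in net for net in PRIVATE_NETS)


# Constructed sample of packets arriving on WAN (RFC 5737 documentation addresses).
# Only the outer header is visible to this check; for ESP the inner (private)
# addresses are encrypted payload and never reach the filter.
SAMPLE_PACKETS = [
    {"desc": "TCP from an RFC 1918 source", "src": "10.0.0.5", "proto": "tcp"},
    {"desc": "IKE (UDP/500) from remote VPN gateway", "src": "203.0.113.7", "proto": "udp"},
    {"desc": "ESP from remote VPN gateway", "src": "203.0.113.7", "proto": "esp",
     "inner_src": "192.168.50.10"},
]


def filter_wan_ingress(packets, block_private: bool = True):
    """Return (description, verdict) per packet: 'drop' by this option, or
    'continue' on to the rest of the firewall rules, which still decide the fate."""
    verdicts = []
    for p in packets:
        dropped = blocked_by_private_filter(p["src"], block_private)
        verdicts.append((p["desc"], "drop" if dropped else "continue"))
    return verdicts


if __name__ == "__main__":
    for desc, verdict in filter_wan_ingress(SAMPLE_PACKETS):
        print(f"{verdict:9} {desc}")
    # An ISP that hands out private WAN addresses needs the option switched off,
    # after which the same RFC 1918 packet is no longer dropped by this check:
    print(filter_wan_ingress(SAMPLE_PACKETS, block_private=False)[0])
```

Run as written it prints one line per sample packet; the ESP packet passes this check for exactly the reason the note gives, because its outer source is the peer's public WAN address. Disabling the option (the ISP-with-private-addresses case) means WAN packets from 10/8, 172.16/12 and 192.168/16 now reach your ordinary WAN rules, so those rules should not assume such sources are impossible.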
This service allows you to use the fixed IP address of your m0n0wall's LAN ethernet interface to resolve/proxy all DNS queries on your LAN network. When the m0n0wall DHCP server assigns IP addresses, it also assigns the LAN IP address as the DNS server to use. Otherwise, to benefit from this service you must manually configure the DNS IP address on your computers to be the LAN IP of your m0n0wall.
If the DNS forwarder is enabled, the DHCP service (if enabled) will automatically serve the LAN IP address as a DNS server to DHCP clients so they will use the forwarder. The DNS forwarder will use the DNS servers entered in System: General setup or those obtained via DHCP or PPP on WAN if the "Allow DNS server list to be overridden by DHCP/PPP on WAN" is checked. If you don't use that option (or if you use a static IP address on WAN), you must manually specify at least one DNS server on the System: General setup page.
This is important for instance if you have your DHCP clients renewing their IP address information every 3 days, but every day your WAN IP changes from your ISP. If your ISP changed the DNS servers on you then it would be 2 days until your DHCP clients received the correct information. By using your LAN IP address, all LAN network clients are assured of a working DNS server as long as the m0n0wall has received a good DNS IP address to use... even if it just received the new DNS information a minute ago. This also allows a network administrator to easily redirect all traffic to a new internal DNS server (maybe while transitioning a new server into the network).
Setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" is necessary if your ISP might change the IP address of the DNS server. If you have a static IP address on your WAN then you
Enabling the DNS Forwarder
Check the first checkbox, "Enable DNS forwarder", to enable the service on the LAN interface. After enabling this, you will need to configure your client machines to use the LAN IP address of your m0n0wall as their DNS server.
DNS Host Name Registration
If your m0n0wall acts as the DHCP server for your LAN, and you need name resolution between hosts on the LAN, check the "Register DHCP leases in DNS forwarder" box. It will append the default domain in System: General setup to the hostname of the computer that is requesting a DHCP lease. For example, if your machine name is mypc and your default domain is example.com, it will register mypc.example.com with the IP address assigned from DHCP, so the other hosts on your LAN can locate your machine by that name.
Caution
Be sure that your computers have unique names.
DNS Forwarder Overrides
If there are certain DNS hostnames you want to override for your internal DNS clients, add them under DNS overrides on this page. For example, if you want www.yourcompany.com to point to a different site internally than it does from the Internet, enter an override for www.yourcompany.com with the appropriate IP address. This can also be used as a rudimentary (and easy to bypass) filter on websites LAN clients can visit, by assigning the undesired hostname to an invalid IP address. For example, to block www.example.com, put in an override to redirect it to an invalid IP address, such as 1.2.3.4. Note that using a different DNS server or editing the hosts file on the client machine gets around this restriction, but doing this is sufficient to block the site for the vast majority of users.
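The three behaviours described in this section (registering DHCP leases under the default domain, answering overrides before anything else, and forwarding everything else upstream) can be modelled in a few lines. The Python below is an added example written for this page, not m0n0wall or dnsmasq code; the upstream server is stood in for by a constructed dictionary of answers, the override and lease entries reuse the names from the text, and a second lookup path shows why the text calls the override a filter that is easy to bypass: a client pointed at any other resolver never sees it. It also surfaces the duplicate-hostname hazard behind the caution above by reporting when a new lease displaces a same-named registration.

```python
class DnsForwarder:
    """Model of the forwarder's lookup order: overrides, registered DHCP leases,
    then forwarding upstream. Built for this example; not m0n0wall/dnsmasq code."""

    def __init__(self, default_domain, upstream, overrides=None, register_leases=True):
        self.domain = default_domain.lower()
        self.upstream = upstream            # stand-in for the System: General DNS servers
        self.overrides = {k.lower(): v for k, v in (overrides or {}).items()}
        self.register_leases = register_leases
        self.leases = {}                    # fqdn -> ip, filled by the DHCP server

    def register_lease(self, hostname, ip):
        """Called when the DHCP server hands out a lease. Returns the address a
        same-named host previously held (None if none) so collisions are visible."""
        if not self.register_leases:
            return None
        fqdn = f"{hostname}.{self.domain}".lower()
        previous = self.leases.get(fqdn)
        self.leases[fqdn] = ip
        return previous

    def resolve(self, name):
        """Return (address or None, which table answered)."""
        name = name.lower().rstrip(".")
        if name in self.overrides:
            return self.overrides[name], "override"
        if name in self.leases:
            return self.leases[name], "dhcp-lease"
        if name in self.upstream:
            return self.upstream[name], "forwarded"
        return None, "nxdomain"


# Constructed upstream answers (RFC 5737 documentation addresses).
PUBLIC_DNS = {
    "www.yourcompany.com": "203.0.113.10",
    "www.example.com": "198.51.100.20",
}


def build_example_forwarder():
    fwd = DnsForwarder("example.com", PUBLIC_DNS, overrides={
        "www.yourcompany.com": "192.168.1.80",   # internal copy of the public site
        "www.example.com": "1.2.3.4",            # rudimentary block: unusable address
    })
    fwd.register_lease("mypc", "192.168.1.50")  # what "Register DHCP leases" does
    return fwd


def lan_vs_bypass(fwd, name):
    """Same name via the forwarder and straight to a public resolver: a client that
    changes its DNS server (or edits its hosts file) never sees the override."""
    return fwd.resolve(name)[0], PUBLIC_DNS.get(name)


if __name__ == "__main__":
    fwd = build_example_forwarder()
    for n in ("mypc.example.com", "www.yourcompany.com", "www.example.com", "nx.example.org"):
        print(n, fwd.resolve(n))
    print("override vs bypass:", lan_vs_bypass(fwd, "www.example.com"))
    print("displaced address:", fwd.register_lease("mypc", "192.168.1.51"))
```

Because the block depends entirely on clients using the LAN address as their resolver, the setting that makes it hold for "the vast majority of users" is the DHCP server handing out the m0n0wall LAN IP as the only DNS server; a firewall rule that permits outbound DNS only from the m0n0wall itself is what closes the bypass the text mentions.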
Configuring the Dynamic DNS Client
To start, first check the "Enable Dynamic DNS client" box at the top of the page.
In the "Service type" drop-down box, select the service you signed up with above.
Some services support MX DNS records on dynamic DNS subdomains. This helps ensure you can get email to your hostname. If your service supports this (dyndns.org is one that does, others do as well), fill in your mail server's hostname in that field. If you do not need an MX record or if your provider does not support them, just leave the field blank.
Wildcards
If you want to enable wildcard on your dynamic DNS hostname, check this box. This means all hostnames not specifically configured are redirected to your dynamic DNS name. So if your dynamic DNS is example.homeip.net, and you enable wildcards, www.example.homeip.net, mail.example.homeip.net, anything.example.homeip.net, etc. (i.e. *.example.homeip.net) will all resolve to example.homeip.net.
The next two boxes are for your username and password. Enter your account information from the dynamic DNS provider.
Click Save. Your dynamic DNS hostname should immediately be updated with your WAN IP address. To verify this, ping your dynamic DNS hostname. It should resolve to the IP address of the WAN interface of your m0n0wall. If not, check Diagnostics: System logs for information on why it failed.
4.5.3. DHCP
This screen allows you to enable the DHCP server on enabled Ethernet interfaces other than WAN.
Enabling the DHCP Server

To enable the DHCP server on a particular interface, click on the appropriate tab for the interface and check the "Enable DHCP server on interface" box.

Deny unknown clients

This option allows you to implement a more restrictive DHCP configuration. Many companies suffer from worm outbreaks and related security issues due to unauthorized machines being plugged into their network. This option will help ensure only authorized hosts can receive a lease from your DHCP server. With this option enabled, only hosts defined at the bottom of this page (the static DHCP mappings) will receive a lease from DHCP.

The downside to this option is that it can be difficult to maintain when you have more than a handful of hosts on your network. Many will find the increased control worth the increase in maintenance.

Note that this is only sufficient to stop the typical user who expects to be able to plug into your network and obtain a DHCP lease to get on the Internet. Anyone with network and/or security expertise can easily bypass it, for example by configuring a static address in the LAN subnet or by cloning the MAC address of a known host; it is not an access control.
Subnet, Subnet Mask and Available range are filled in from the IP and subnet information of that particular interface.

Range

In the first box, enter the starting address of your DHCP range. In the second box, enter the ending address of the range. Note that you don't want to make this the same as the available range, as the available range includes the subnet address and broadcast address, which are unusable, as well as the address of your m0n0wall interface, which also cannot be in the range.

WINS Servers

If you use an NT4 domain, or have pre-Windows 2000 clients that need to access an Active Directory domain, you will need to fill in your WINS server IP addresses in these boxes. If you only have one WINS server, leave the second box blank.

Default and Maximum Lease Time

The default lease time is the length of the DHCP lease for any clients that do not request a specific expiration time on their DHCP lease. The default is 7200 seconds, or two hours. For the vast majority of network environments this is too low; a week (604,800 seconds) is generally a reasonable setting.

The maximum lease time must be more than the default lease time. Most networks will not use this value at all; in most instances, setting it to one second longer than the default lease time is fine.

Click Save to save your changes, then click Apply to enable the DHCP server.

Static DHCP Mappings

Static DHCP mappings can be used to assign the same IP address every time to a particular host. This can be helpful if you define access rules on the firewall, or on other hosts on your LAN, based on IP address, but still want to use DHCP. Alternatively, you can leave the IP address box blank to assign an IP out of the available range; this is useful when you are using the "Deny unknown clients" option and only need the host to be known, not pinned to a fixed address.

Click the + icon at the bottom of the DHCP configuration page to add a static DHCP mapping.

Click Save when you are finished and the mapping will be added.
Note
The DNS servers entered in System: General setup (or the DNS forwarder, if enabled) will be assigned to clients by the DHCP server.

The DHCP lease table can be viewed on the Diagnostics: DHCP leases page.
4.5.4. SNMP
Caution
If you enable 1:1, server, or advanced outbound NAT, you may need to enable proxy ARP for the IP address(es) being used by those translations. To do so, click the + on this page.
What is Captive Portal? (from wikipedia.org)

The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication) before surfing the Internet normally. This is done by intercepting all HTTP traffic, regardless of address, until the user is allowed to exit the portal. You will see captive portals in use at most WiFi hotspots. It can be used to control wired access (e.g. apartment houses, business centers, "open" Ethernet jacks) as well.

Check the "Enable captive portal" box to enable.

Interface: Select the interface on which you want to enable captive portal. It can only run on one interface at a time.

Idle timeout: Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.

Hard timeout: Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).

Logout popup window: If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs. When RADIUS accounting is enabled, this option is implied.
Note
Most any popup stopper will block this window. Worse, you cannot exclude a specific site, as this popup appears to come from whatever server the user tried to go to prior to authentication. If you have a popup blocker, you'll need to disable it prior to logging in, and then re-enable it after the logoff popup appears.

RADIUS server: Enter the IP address and port of the RADIUS server which users of the captive portal have to authenticate against. Leave blank to disable RADIUS authentication. Leave the port number blank to use the default port (1812). Leave the RADIUS shared secret blank to not use a RADIUS shared secret (not recommended: the shared secret is what authenticates the RADIUS exchange and protects the password attribute). RADIUS accounting packets will also be sent to port 1813 of the RADIUS server if RADIUS accounting is enabled.

Portal page contents: Here you can upload an HTML file for the portal page (leave blank to keep the current one, or the default if you have not uploaded one previously).

Authentication error page contents: The contents of the HTML file that you upload here are displayed when a RADIUS authentication error occurs (generally because of an incorrect logon or password).
This service can be used to wake up (power on) computers by sending special "Magic Packets". The NIC in the computer that is to be woken up must support Wake on LAN and has to be configured properly (WOL cable, BIOS settings).

This might be useful, for instance, if you access your home or corporate network remotely via VPN and need to access a machine that may not be powered on at all times. You can log in to the m0n0wall device at that location and send a wakeup packet.

To power on a machine, just choose the appropriate interface, put the MAC address of the machine into the MAC address box, and click "Send".

If you use this feature at all, you will probably want to create a list of the machines you want to remotely power on. If you click the + at the bottom of the screen, you can add a host to the list that is displayed. Once you have added the host to your list, you can simply click on the MAC address to power on the system.
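The magic packet format described above, as an added example (this is not m0n0wall's own code): a small Python builder, a validator you can run against a packet capture to confirm what actually went out on the wire, and a UDP broadcast sender. The MAC addresses are made up, and UDP port 9 (discard) is the conventional carrier and an assumption here, since the page does not say which port m0n0wall uses.

```python
"""Wake-on-LAN magic packet: build, recognise, send (added illustration)."""
import re
import socket
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def magic_packet(mac: str) -> bytes:
    """Six 0xFF bytes followed by the target MAC repeated 16 times (102 bytes).
    The NIC looks for this pattern anywhere in the frame, so the transport
    (UDP broadcast here) is only a convenient carrier."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def wol_target(payload: bytes) -> Optional[str]:
    """Return the MAC a payload would wake, or None if it holds no well-formed
    magic packet. Useful for checking a capture of what the firewall sent."""
    idx = payload.find(b"\xff" * 6)
    while idx >= 0:
        body = payload[idx + 6: idx + 6 + 96]
        mac = body[:6]
        if len(body) == 96 and body == mac * 16:
            return ":".join(f"{b:02x}" for b in mac)
        idx = payload.find(b"\xff" * 6, idx + 1)
    return None


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the packet on the local segment. Port 9 is an assumption;
    the NIC does not care which UDP port the pattern arrives on."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


if __name__ == "__main__":
    pkt = magic_packet("00:11:22:33:44:55")  # constructed address
    print(len(pkt), wol_target(pkt))
```

Because the packet is a plain broadcast with no authentication, anyone on the same segment can wake any machine whose MAC they know; the only protection is the firewall keeping that segment private, which is why m0n0wall sends it from the interface you choose rather than routing it.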
Table 4.3. SIP Proxy Parameters

Enable SIP Proxy: Enable or disable the SIP proxy.
Interface: Select the interface local to your SIP endpoints like VoIP phones. Usually your LAN port.
SIP UDP port: The default UDP port is 5060. If left at the default, this proxy also acts as a transparent proxy by redirecting outgoing SIP messages to this SIP proxy.
4.6.4. Wireless
More information on wireless features can be found in the Wireless chapter.
Warning

The status output listed below includes config.xml, racoon.conf and the SAD, which contain credentials (dynamic DNS, PPTP and RADIUS secrets), IPsec pre-shared keys and the live IPsec session keys. Treat it as sensitive and redact it before posting it anywhere for support.

The status page shows:

Routing tables
Network buffers
Network protocol statistics
Kernel parameters
Kernel modules loaded
ipfw show
ipnat -lv
ipfstat -v
ipfstat -nio
ipfstat -6nio
unparsed ipnat rules
unparsed ipfilter rules
unparsed IPv6 ipfilter rules
unparsed ipfw rules
resolv.conf
Processes
dhcpd.conf
ez-ipupdate.cache
rtadvd.conf
df
racoon.conf
SPD
SAD
last 200 system log entries
last 50 filter log entries
ls /conf
ls /var/run
config.xml
Caution
The logs are limited to available RAM and are erased after a reboot. To store logs permanently you should enable the use of a remote syslog server on the Diagnostics: Log Settings page.
Caution
Because of the detailed information that these messages can contain about your network, it is highly recommended not to send syslog messages over the Internet unless they are inside an encrypted tunnel like PPTP or IPsec.

Table 4.4. Log Settings Parameters

Show log entries in reverse order: optionally show logs with the newest on top.
Number of log entries: how many log entries to keep.
... firewall log page! This can often be done by a remote syslog server.
This screen can be used to view your active and/or expired DHCP leases. Clicking the button on this screen will switch between showing only active leases and showing both active and expired leases.

Expired DHCP leases show up in gray text, while active ones are black. (This screenshot is from a system with only expired leases.)
4.7.3. IPsec
Table 4.5. The two entries for each VPN connection are as follows (columns: Source, Destination, Direction, Protocol, Tunnel Endpoints):

Outbound entry: Source: local IP subnet for the VPN connection. Destination: remote IP subnet for the VPN connection. Protocol: ESP or AH. Tunnel endpoints: public IP address of the local m0n0wall to the public IP address of the remote endpoint.

Inbound entry: the same subnets with source and destination reversed. Protocol: ESP or AH. Tunnel endpoints: public IP address of the remote endpoint to the public IP address of the local m0n0wall.
4.7.4. Ping/Traceroute
Note
The m0n0wall ping screen cannot ping over VPN connections, for the same reason SNMP does not work over VPN out of the box: the packets are sourced from the m0n0wall's own interface address, which is normally not part of the tunnel's local subnet. See the FAQ entry on this for more information. So do not use this screen as an indicator of whether your VPN is working.
Note
The m0n0wall ping screen cannot make traceroutes over VPN connections, for the same reason SNMP does not work over VPN out of the box: the packets are sourced from the m0n0wall's own interface address, which is normally not part of the tunnel's local subnet. See the FAQ entry on this for more information. So do not use this screen as an indicator of whether your VPN is working.
This page shows the current ARP table of the m0n0wall device.

This page shows the current firewall state table. Optionally take a snapshot of the state table and compare it to the current table.
4.7.8. Backup/Restore
Go to the Firewall > Aliases screen and click the add icon to add an alias.
Network Address Translation (NAT) allows you to use RFC 1918 private IP addresses for addressing on your internal network, and allows all hosts on the internal network to access the Internet using one public IP address.

Due to the typical expense of obtaining public IP addresses, most networks do not purchase one public IP address for each network host. NAT allows multiple machines to connect to the Internet using a single public IP address. Additionally, using NAT for Internet access shields internal computers from unsolicited connection attempts, since there is no translation for such packets to match; note that this is a side effect, and the stateful firewall rules remain the actual access control.

Practically, this means that NAT allows you to receive one IP address from your Internet Service Provider and that everyone on your local network can use that IP address to access the Internet. It also allows you to select one or more software services (web server, file server, database server) to make accessible from the Internet, but to limit access to other services or IP port numbers.

m0n0wall offers 4 types of NAT:

Inbound NAT
Outbound NAT
Server NAT
1:1 NAT
Caution
Although a NAT rule can redirect traffic into your network, you still must enable filtering rules to allow the traffic to pass through the stateful packet firewall.
There are two most commonly used and most familiar types of NAT: bidirectional or 1:1 (pronounced one-to-one), and Port Address Translation, or PAT. In both cases m0n0wall will change the headers of packets that traverse the NAT-enabled interface, but NAT and PAT each change a different part of the packet.

6.1.1.1. NAT Explained

NAT translates the IP address in the IP packet header. NAT rules can be applied to TCP or UDP packets that are either incoming and/or outgoing on any m0n0wall Ethernet interface except the LAN interface. Some common NAT uses include:

sharing an Internet connection with multiple computers
adding multiple IP addresses to a WAN interface
translating entire IP subnets to another
redirecting outgoing network traffic to a different IP address
redirecting incoming network traffic to a different IP address or port
spoofing the IP origin of outgoing traffic to appear as coming from a different IP address

For each NAT rule, m0n0wall builds and maintains a table of network connections that are using that rule.

6.1.1.2. PAT Explained

PAT translates the port numbers in the TCP or UDP header. For example, you can translate traffic arriving on the WAN at TCP port 8080 to instead be redirected to port 80. When PAT is combined with NAT you can provide access to multiple web servers, for example by sending incoming Internet traffic for port 8001 to an internal web server at 10.0.0.1 port 80 and port 8002 to another web server at 10.0.0.2 port 80.
Note
Since only TCP and UDP packets use port numbers, only these packets can benefit from PAT-based translation rules.

PAT configuration is included in the NAT configuration pages whenever you choose to use port addresses or port ranges. Other uses for PAT include:

hiding common ports to make them less obvious for script-based attacks (this is obscurity only; a port scan still finds the service)
making data appear to originate from a particular port address
allowing multiple instances of a server on the same computer

6.1.1.3. Proxy ARP

Normally, only the Ethernet interface that actually has a given IP address configured answers an ARP request for it, saying that the IP address exists and that the interface accepts traffic for it. With proxy ARP, m0n0wall answers ARP requests for additional addresses (for example the public addresses used by 1:1 or server NAT) on the WAN interface's behalf, so the upstream router delivers that traffic to m0n0wall.

Without Proxy ARP you can still assign multiple IP addresses to the WAN interface, but your Internet Service Provider must edit their routing tables to redirect the traffic accordingly.
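A model of the inbound NAT plus PAT example above (WAN port 8001 to 10.0.0.1:80, port 8002 to 10.0.0.2:80) together with the per-rule connection table, added here as an illustration; it is not m0n0wall's own code (m0n0wall uses ipnat/ipfilter, whose internal state format differs). The WAN and client addresses are constructed. The `passes_filter` step models the Caution above: after translation the filter rule is checked against the internal destination, so the pass rule must name the internal address and port, not the WAN address and external port.

```python
"""Inbound NAT + PAT with a per-rule connection table (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" / "udp" carry ports; anything else cannot be PATed
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class InboundRule:
    ext_port: int                 # port on the WAN address that is exposed
    int_addr: str                 # internal server the traffic is sent to
    int_port: int                 # port on the internal server (PAT target)
    proto: str = "tcp"
    # connection table for this rule: (remote ip, remote port) -> (internal ip, port)
    states: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)


class InboundNat:
    def __init__(self, wan_ip: str, rules: List[InboundRule]) -> None:
        self.wan_ip = wan_ip
        self.rules = rules

    def translate_in(self, p: Packet) -> Optional[Packet]:
        """Packet arriving on WAN. Returns the rewritten packet, or None when no
        rule matches (the packet then hits the filter rules untranslated)."""
        if p.proto not in ("tcp", "udp"):
            return None  # no port to match on, so no PAT rule can apply
        for r in self.rules:
            if p.proto == r.proto and p.dst == self.wan_ip and p.dport == r.ext_port:
                r.states[(p.src, p.sport)] = (r.int_addr, r.int_port)
                return Packet(p.proto, p.src, p.sport, r.int_addr, r.int_port)
        return None

    def translate_out(self, p: Packet) -> Optional[Packet]:
        """Reply from the internal server. Only flows recorded in a rule's
        connection table are rewritten, so the remote side sees WAN:ext_port."""
        for r in self.rules:
            if r.states.get((p.dst, p.dport)) == (p.src, p.sport):
                return Packet(p.proto, self.wan_ip, r.ext_port, p.dst, p.dport)
        return None


def passes_filter(translated: Packet, pass_rules: List[Tuple[str, str, int]]) -> bool:
    """Filter rules on the WAN interface are evaluated after translation, so a
    pass rule must name the internal destination (e.g. 10.0.0.2 port 80)."""
    return (translated.proto, translated.dst, translated.dport) in pass_rules


def demo() -> List[Optional[Packet]]:
    nat = InboundNat("203.0.113.5", [InboundRule(8001, "10.0.0.1", 80),
                                     InboundRule(8002, "10.0.0.2", 80)])
    pass_rules = [("tcp", "10.0.0.1", 80), ("tcp", "10.0.0.2", 80)]
    request = Packet("tcp", "198.51.100.7", 51000, "203.0.113.5", 8002)
    inside = nat.translate_in(request)                     # -> 10.0.0.2:80
    assert inside is not None and passes_filter(inside, pass_rules)
    reply = Packet("tcp", "10.0.0.2", 80, "198.51.100.7", 51000)
    back = nat.translate_out(reply)                        # -> from 203.0.113.5:8002
    stray = Packet("tcp", "10.0.0.2", 80, "198.51.100.9", 40000)   # no state: untouched
    icmp = Packet("icmp", "198.51.100.7", 0, "203.0.113.5", 8002)   # no ports: no PAT
    return [inside, back, nat.translate_out(stray), nat.translate_in(icmp)]


if __name__ == "__main__":
    for p in demo():
        print(p)
```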
Caution
It is not possible to access NATed services using the WAN IP address from within the LAN (or an optional network). Only external traffic incoming on the selected interface will have Inbound NAT rules applied to it.
Note
Depending on the way your WAN connection is set up, you may also need proxy ARP.
Note
... addresses to the WAN interface as well and redirect their traffic to specific servers.
In practice, pipes can be used to set hard limits to the bandwidth that a flow can use, whereas queues can be used to determine how different flows share the available bandwidth.
Chapter 8. IPsec
Table of Contents

8.1. Preface
8.1.1. Site-to-Site VPN Explained
8.1.2. Remote Access IPsec VPN
8.2. Prerequisites
8.3. Configuring the VPN Tunnel
8.4. What if your m0n0wall isn't the main Internet Firewall?

This chapter will go over configuring a site-to-site VPN link between two m0n0walls, and will discuss how to configure site-to-site links with third-party IPsec-compliant devices. The Example VPN Configurations chapter goes over, in detail, how to configure site-to-site IPsec links with some third-party IPsec devices. If you have gotten m0n0wall working in a site-to-site IPsec configuration with some third-party IPsec device, we would appreciate it if you could put together a short write-up of how you got it configured, preferably with screenshots where applicable.
8.1. Preface
Site-to-site VPNs connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization's branch offices back to its main office, so branch users can access network resources in the main office. Prior to VPNs, much more expensive private Wide Area Network (WAN) links like frame relay, point-to-point T1 lines, etc. were commonly used for this functionality. Some organizations are moving towards VPN links between sites to take advantage of reduced costs.

Site-to-site VPNs can also be used to link your home network to a friend's home network, to provide access to each other's network resources without opening holes in your firewalls.

While site-to-site VPNs are a good solution in many cases, private WAN links also have their benefits. IPsec adds processing overhead, and the Internet has far greater latency than a private network, so VPN connections are typically slower (while maybe not throughput-wise, they at least have much higher latency). A point-to-point T1 typically has latency of around 4-8 ms, while a typical VPN connection will be 30-80+ ms depending on the number of hops on the Internet between the two VPN endpoints.

When deploying VPNs, you should stay with the same ISP for all sites if possible, or at a minimum, stay with ISPs that use the same backbone provider. Geographic proximity usually has no relation to Internet proximity. A server in the same city as you but on a different Internet backbone provider could be as far away from you in Internet distance (hops) as a server on the other side of the continent. This difference in Internet proximity can make the difference between a VPN with 30 ms latency and one with 80+ ms latency.
... IPsec, which means that if any of your client machines are behind NAT, the IPsec VPN will not work. This alone eliminates it as a possibility for most environments, since remote users will almost always need access from behind NAT. Many home networks use a NAT router of some sort, as do most hotspot locations, hotel networks, etc.

One good use of the m0n0wall IPsec client VPN capabilities is to secure all traffic sent by hosts on a wireless network or other untrusted network. This will be described later in this chapter.

FIXME A second limitation is the lack of any really good, free IPsec VPN clients for Windows. Most of your remote users will likely be Windows laptop users, so this is another major hindrance.

For most situations, PPTP is probably the best remote access VPN option in m0n0wall right now. See the PPTP chapter for more information.
8.2. Prerequisites
Before getting started, you need to take care of the following.

1. Your m0n0wall must be set up and working properly for your network environment.

2. Both locations must be using non-overlapping LAN IP subnets. I.e. if both sites are using 192.168.1.0/24 on the LAN, no site-to-site VPN will work. This is not a limitation in m0n0wall, it's basic IP routing. When any host on either of your networks tries to communicate with 192.168.1.0/24, it will consider that host to be on its local LAN and the packets will never reach m0n0wall to be passed over the VPN connection. Similarly, if one site is using, for example, 192.168.0.0/16 and the other is using 192.168.1.0/24, these subnets are also overlapping and a site-to-site VPN will not work.

Keep in mind that the more networks you link together, the more important this basic fact becomes. Do not use unnecessarily large subnet masks. If you set up your LAN as 10.0.0.0/8, but only have 100 hosts on it, you're unnecessarily limiting your ability to add VPN networks anywhere in the 10.x.x.x space.

3. If m0n0wall is not the default gateway on the LAN where it is installed, you must add static routes to whatever system is the default gateway, pointing the remote VPN subnet to the LAN IP of m0n0wall.

4. You will need to either control or be in contact with the person who does control the other VPN concentrator. If it is another m0n0wall system, then share this document with the other administrator. If it isn't, then have them consult the documentation that came with the IPsec device they are using.

5. Host and application level security become more important when connecting multiple networks, how much depending on how much you trust the other network. Traffic arriving through the VPN tunnel is not subject to firewall rules at the time of this writing, so you will not be able to limit which hosts can be accessed by users across the VPN connection. If a worm got into the network you are connected to via VPN, it could easily spread to your network. If a system on the remote network is compromised by an attacker, he could easily hop over the VPN to attack your systems without any firewall protection.

6. Pay attention to what you are doing! If you have a VPN to your office, and a VPN to your friend's home network, your friend can now hop over to your company's network from your network. Or, if your friend gets infected with a worm, it could then infect your machines and continue to propagate over the VPN connection to your office. Most companies would probably fire you if your friend was caught on their network. The best bet there is: if you have a site-to-site VPN into your network at work, do not connect with friends, or use one network and firewall for accessing work and another for accessing your friend's network.

OK, now that we have the basics, let's get started on the firewall settings.
Log in to your m0n0wall and click IPsec, under VPN.
This is the first set of fields that we need to concentrate on. Later, when testing your tunnel, you can actually fail to establish the phase 2 connection if this data is incorrect. Pay particular attention to the points noted as we go along.

1. Mode: this is a hard-set option (tunnel mode) and frankly you don't need to change it (nor can you).

2. Disabled: this is a great on/off switch if you need to disable the tunnel for whatever reason. Simply select the edit icon from the main VPN: IPsec window, check this box, then click Apply at the bottom of the page. When you need the tunnel again, reverse the process.

3. Interface: this is how you determine which part of your network will be the termination point (endpoint) for the VPN tunnel. If you are connecting to a remote site across the Internet, WAN is your option.

4. Local subnet: this is where you set which parts, hosts, or the entire LAN can be accessed from the other side of the VPN tunnel. The easiest thing to do is to select the LAN subnet; this means your entire LAN will be accessible from the remote network. IMPORTANT: the other end of the tunnel has this same field (it probably has 99% of these fields, actually). Make sure the other end is set exactly as you set this end. E.g. if you chose Single host in this section and entered the IP address of that host, the other person would set that host in his Remote subnet field. The same goes for you, which brings us to the next field.

5. Remote subnet: this is more than just labeling which hosts and/or host you want to access on the other network; as mentioned in item 4, it is paramount that you set this exactly like the other end's Local subnet section. If not, phase 2 of the VPN connection will fail and traffic will not pass from one VPN segment to the other.

6. Description: it is good practice to always leave notes about why you are doing something. Enter something about what this VPN tunnel is used for, or about the remote end of the tunnel, to remind yourself who/what it is.

Now that the basics for the routing have been established, we move on to phase 1 of the VPN authentication process.
Okay, the easy part of the VPN tunnel. The trick here, and even in phase 2, is to make sure that both VPN servers have EXACTLY THE SAME SETTINGS for all of these fields. Well, okay, they will have different My identifier values, but make darn sure that they know each other's names; more on that later.

1. Negotiation mode: this selects the IKE phase 1 exchange, main or aggressive. Aggressive mode completes in fewer messages, so the tunnel rebuilds itself quickly and an application is less likely to time out if the tunnel was down when the resource on the other end was requested (more about that under Lifetime). The trade-off is that aggressive mode sends the identifiers in the clear and, with a pre-shared key, exposes a hash derived from that key which a passive eavesdropper can capture for offline guessing. Prefer main mode when both ends support it and identify by IP address; if you must identify by a name (a dynamic IP end, for instance), aggressive mode is the usual choice, and then a long random pre-shared key matters all the more.

2. My identifier: this is the key to probably 90% of the e-mail on the list where people seem to not get the VPN tunnel up, or want to know how to do this with dynamic IP addresses, etc. Very simple: set your identifier to something that isn't going to change. So if you leave it as My IP address (this will be the IP address of the interface you listed in the first section), then make sure that IP is static and persistent. If you use a DHCP-assigned address, then use a domain name instead. The domain name identifier is only a label that the other end must be configured to expect; it does not have to be a name you own or one that resolves. Make yours sexylovemonkey.com just for fun. ;)

3. Encryption algorithm: 3DES is the world de facto standard. If you are connecting to another m0n0wall, or a system that will support it, change this to Blowfish; it is at least as strong and about twice as fast. (If both ends offer AES, that is the better long-term choice.) If you are trying to connect to a VPN device that only supports DES, then you will need to downgrade and hope no one decrypts your key exchange. MAKE SURE BOTH VPN DEVICES ARE USING THE SAME ENCRYPTION ALGORITHM.

4. Hash algorithm: this is the hash used for integrity checking. SHA1 is the better choice; MD5 is more widely supported but weaker. Again, make sure you are using the same setting as the other end of the tunnel, and if you can use SHA1, go for it!

5. DH key group: most systems will support at least up to 1024 bit (group 2). This is a good place to stick to; going with more will eat up more resources and less makes your tunnel less secure.

6. Lifetime: this field is far more important than it appears. This lifetime, as opposed to the one in phase 2, is how long the phase 1 (ISAKMP) security association stays valid before it has to be renegotiated. 28800 seconds (8 hours) is a reasonable value.

7. Pre-Shared Key: contrary to some suggestions, this key must be exactly the same on both VPN routers. It is case sensitive, and it does support special characters. Use both, and make it long, e.g. f00m0nk3y@BubbaLand (this key is the only thing authenticating the peer, so the longer and more random the better).

Okay, if you managed to coordinate and get both VPN systems set the same, all should be good for phase 1. We really don't want to stop here, so let's go right into phase 2.
Phase 2 is what builds the actual tunnel, sets the protocol to use, and sets the length of time to keep the tunnel up when there is no traffic on it.

1. Protocol: ESP is the de facto standard that most VPN systems use as the transport protocol; leave this as is. Note: the system should auto-generate a firewall rule for you to allow ESP or AH to the endpoint of the VPN. We will check this later; if it does not, you will need to make a firewall rule allowing ESP (or AH if you changed this) traffic to the interface you established as your endpoint of the tunnel. That is outlined after figure 5.

2. Encryption algorithms: like before in phase 1, make sure you are setting the algorithm exactly as it is set on the other VPN server. You can select several; when you do so, everything you select is offered for negotiation. Keep things simple and check only the one you are going to use. With m0n0wall to m0n0wall, use Blowfish for speed and strength over 3DES.

3. Hash algorithms: again, just as in phase 1, make sure your selected hash matches the one on the other end. And as in step 2, don't add things you don't need. SHA1 is the suggestion if you can; MD5 is the fallback.

4. PFS key group: this works exactly like the DH key group in phase 1. Use 1024 bit; the default is off. With PFS on, the phase 2 keys come from a fresh Diffie-Hellman exchange, so a compromise of the phase 1 keys does not expose past tunnel traffic.

5. Lifetime: this is the lifetime the negotiated keys will be valid for. Do not set this too high, e.g. more than about a day (86400), as doing so gives an attacker more traffic under one key and more time to work on it. Don't be over-paranoid either; there is no need to set this to 20 minutes or something like that. Honestly, one day is probably good.

6. Click Save.

7. Click Apply Changes.
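Added example, not part of the m0n0wall project: a Python checker for a pair of site-to-site tunnel definitions that encodes the rules from 8.2 and from the phase 1 and phase 2 steps above (non-overlapping LANs, each end's Local subnet mirroring the peer's Remote subnet, identical proposals and pre-shared key) and flags the weaker choices discussed (aggressive mode, DES, a short PSK, PFS off, a phase 2 lifetime over a day). The site definitions and field names are constructed for the example and do not correspond to m0n0wall's config.xml schema.

```python
"""Consistency checks for a m0n0wall-to-m0n0wall site-to-site tunnel (added illustration)."""
from ipaddress import ip_network
from typing import Dict, List, Tuple

P1_FIELDS = ("negotiation_mode", "encryption", "hash", "dh_group", "lifetime", "psk")
P2_FIELDS = ("protocol", "encryption", "hash", "pfs_group", "lifetime")


def overlapping_subnets(subnets: List[str]) -> List[Tuple[str, str]]:
    """All pairs that overlap, e.g. 192.168.0.0/16 with 192.168.1.0/24.
    Run it over the LAN subnets of every site you intend to link."""
    nets = [ip_network(s, strict=False) for s in subnets]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


def check_pair(a: Dict, b: Dict) -> Dict[str, List[str]]:
    """'errors' keep the tunnel from coming up (phase 1 or phase 2 fails);
    'warnings' are weaker-than-advisable choices that still work."""
    errors: List[str] = []
    warnings: List[str] = []
    for x, y in overlapping_subnets([a["local_subnet"], b["local_subnet"]]):
        errors.append(f"LAN subnets overlap ({x} and {y}): routing prevents any site-to-site VPN")
    # Local subnet on one end must be exactly the Remote subnet on the other.
    for near, far in ((a, b), (b, a)):
        if ip_network(near["local_subnet"], strict=False) != ip_network(far["remote_subnet"], strict=False):
            errors.append(f"{near['name']} Local subnet {near['local_subnet']} != "
                          f"{far['name']} Remote subnet {far['remote_subnet']} (phase 2 will fail)")
    for phase, fields in (("phase1", P1_FIELDS), ("phase2", P2_FIELDS)):
        for f in fields:
            if a[phase].get(f) != b[phase].get(f):
                detail = "values differ" if f == "psk" else f"{a[phase].get(f)!r} vs {b[phase].get(f)!r}"
                errors.append(f"{phase} {f} mismatch: {detail}")
    p1, p2 = a["phase1"], a["phase2"]
    if p1.get("negotiation_mode") == "aggressive":
        warnings.append("aggressive mode: identifiers travel in the clear and the PSK-derived hash "
                        "can be captured for offline guessing; use main mode where the peer allows it")
    if p1.get("encryption") == "des" or p2.get("encryption") == "des":
        warnings.append("single DES selected; use 3DES, Blowfish or AES")
    if len(p1.get("psk", "")) < 20:
        warnings.append("pre-shared key shorter than 20 characters")
    if not p2.get("pfs_group"):
        warnings.append("PFS key group is off")
    if p2.get("lifetime", 0) > 86400:
        warnings.append("phase 2 lifetime longer than one day (86400 s)")
    return {"errors": errors, "warnings": warnings}


# Constructed site definitions; field names are this example's own.
PROPOSAL_P1 = dict(negotiation_mode="main", encryption="blowfish", hash="sha1",
                   dh_group=2, lifetime=28800, psk="f00m0nk3y@BubbaLand-2008")
PROPOSAL_P2 = dict(protocol="esp", encryption="blowfish", hash="sha1", pfs_group=2, lifetime=86400)
HQ = dict(name="HQ", local_subnet="192.168.10.0/24", remote_subnet="192.168.20.0/24",
          phase1=dict(PROPOSAL_P1), phase2=dict(PROPOSAL_P2))
BRANCH = dict(name="Branch", local_subnet="192.168.20.0/24", remote_subnet="192.168.10.0/24",
              phase1=dict(PROPOSAL_P1), phase2=dict(PROPOSAL_P2))

if __name__ == "__main__":
    print(check_pair(HQ, BRANCH))
    print(overlapping_subnets(["192.168.0.0/16", "192.168.1.0/24", "10.0.0.0/8"]))
```

Run `overlapping_subnets` over the LAN subnets of every site before adding a tunnel; it is the cheapest way to catch the 192.168.0.0/16 versus 192.168.1.0/24 trap from prerequisite 2 before anything is configured.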
Chapter 9. PPTP
Table of Contents

9.1. Preface
9.2. Audience
9.3. Assumptions
9.4. Subnetting and VLAN routing
9.5. Setup of m0n0wall software
9.6. PPTP User Setup
9.7. PPTP Firewall Rules
9.7.1. Example of filtered PPTP Rules
9.8. Setting up a PPTP Client on Windows XP
9.8.1. Testing our PPTP Connection in Windows
9.9. Some things I have found not to work over the PPTP Connection

This chapter is based on Francisco Artes' m0n0wall PPTP document, used with permission.
9.1. Preface
9.2. Audience
You need to have a basic understanding of TCP/IP and subnetting to understand this document. The author does make every effort to describe the items being discussed, but let's face it, I can only go so far. (And I did include pictures, which apparently are each worth 1,000 words. So that makes this one HUGE document.)

If you have comments, questions, or suggestions in regard to this document please e-mail <falcor@netassassin.com>. I will try to get back to you as quickly as possible, but please do read this document thoroughly before writing. You may also want to check the m0n0wall web site for e-mail archives on frequently (or even one-time) asked questions.
9.3. Assumptions
2. The next step is to enable the PPTP server. Click the Enable PPTP server radio button. (It only gets harder from here.)

3. Now we have to type (see, harder). Enter the Server address next. This can be an unused IP on your LAN, or another locally usable IP address in a separate subnet. It MUST be in the same subnet as the next entry.

4. Remote address range. This is going to be the range of 16 IP addresses that the server will issue to clients. Notice the /28; it is there to remind you there will be 16 hosts. Again, this MUST be in the same subnet as the IP listed above (not in the same /28 though; if you try to overlap the two, the firewall will tell you that you made a mistake).

In our example we used 192.168.1.254 for the Server address and 192.168.1.192/28 as the Remote address range. Think of the Server address as the default route for the IPs you are going to be issuing to the clients. It is also the virtual interface for the PPTP server.

If you are confused here, or in step 3, please go back and read the section named Subnetting and VLAN routing, as it covered this in more detail.

5. If you have a RADIUS server of some sort, feel free to fill in the next few boxes. I don't, so they are blank in this example, and frankly they go outside of the scope of this document anyway.

6. If you are security conscious, and your client software supports it, check the box to require 128-bit encryption. Even then, PPTP's MS-CHAP authentication and MPPE encryption are weak by current standards, so do not rely on it to protect high-value traffic.

7. Click Save. We are all done setting up the server. Now let's set up some users.
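The addressing rules from steps 3 and 4, as an added example (not from the original document): a Python check that the Server address and the Remote address range are a /28 inside the same subnet, with the server address outside the range and not the network or broadcast address. The values tested are the ones used above plus constructed bad ones; the /28 requirement is taken from the text, everything else is ordinary IP addressing.

```python
"""Sanity checks for the VPN: PPTP Server address / Remote address range (added illustration)."""
from ipaddress import ip_address, ip_network
from typing import List


def check_pptp_addressing(server_address: str, remote_range: str, subnet: str) -> List[str]:
    """Return the problems with a Server address / Remote address range pair.
    subnet is the network both must live in (the LAN, or the separate subnet
    you chose). An empty list means the combination is usable."""
    problems: List[str] = []
    net = ip_network(subnet, strict=False)
    rng = ip_network(remote_range, strict=False)
    srv = ip_address(server_address)
    if rng.prefixlen != 28:
        problems.append(f"remote range {remote_range} is a /{rng.prefixlen}; "
                        "the form expects a /28 (16 client addresses)")
    if not rng.subnet_of(net):
        problems.append(f"remote range {rng} is not inside {net}")
    if srv not in net:
        problems.append(f"server address {srv} is not inside {net}")
    if srv in rng:
        problems.append(f"server address {srv} lies inside the remote range {rng}; it must be outside it")
    if srv in (net.network_address, net.broadcast_address):
        problems.append(f"server address {srv} is the network or broadcast address of {net}")
    return problems


def client_addresses(remote_range: str) -> List[str]:
    """The addresses a /28 hands out to PPTP clients: all 16 of them, since
    a PPP link has no network or broadcast address to reserve."""
    return [str(a) for a in ip_network(remote_range, strict=False)]


if __name__ == "__main__":
    print(check_pptp_addressing("192.168.1.254", "192.168.1.192/28", "192.168.1.0/24"))
    print(client_addresses("192.168.1.192/28"))
```

If the range lives inside the LAN, as in the example, also keep it out of the LAN DHCP pool so a PPTP client and a LAN host can never be handed the same address.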
Now we need to set up a firewall rule so people using the PPTP connection can do something with it when they connect.
3. Select Connect to the network at my workplace from the menu.

4. Select Virtual Private Network connection from the next panel.

5. Name the connection.

6. Now enter the IP or FQDN of the PPTP server. (This can be any of the configured interfaces.)

7. If you are the system admin, you will be asked if you want this to be for your use only or for anyone's use. I suggest you limit it to your use only, unless you want the VPN network to be made available to all user accounts on the workstation.

8. Next you can either just finish or add a shortcut to the desktop. You are nearly done!

9. When you launch the client for the first time (hopefully from the icon you asked it to create from the wizard; if not, you will need to access the Network Connections window again and double-click your new connection) you will be asked for a username and password. Click Connect when you are done with this, and if all goes well you will connect to the PPTP server.
2. Run ipconfig and you should get something similar to the next figure. As you hopefully will see, you have the settings for your physical adapter (in my case I renamed it to ETH0). You will also see the PPP adapter with the name you gave the VPN connection when performing the steps in the last section. It should have an IP address that is in the range you defined for the PPTP server. It should also have the subnet mask 255.255.255.255, and it will be using itself as the default gateway. Just live with it; it is how it works. For the more advanced who wish to know if things are all working right, Figure 6 displays a full ipconfig on the virtual adapter.

3. Now let's try doing something. If you followed the setup for this how-to, you will have set up full access from the PPTP network to the LAN and WAN. If you set up selective rules, you will have to test specifically what you set up. E.g. if you set up rules to only allow SMTP, you will need to telnet to port 25 of the host that you designated in the firewall rule, or write a new rule allowing ICMP to a host that will echo a reply back. We will be sending an ICMP echo (ping) to the firewall's internal interface to test the VPN connection.

4. In my case the firewall is 192.168.1.1 (please use your internal address before writing to me to say pinging 192.168.1.1 didn't work on your 10.x.x.x network. Hehe). If done right (assuming your firewall isn't blocking internal ICMP packets) you are good for LAN access. (If you are blocking ICMP on the internal interface, ping some other host on your home network.)
9.9. Some things I have found not to work over the PPTP Connection
These are more limits in PPTP than in other VPN protocols.

NAT sometimes does not play nice with PPTP, though m0n0wall seems to have this licked, and it works rather well.

Major gotcha! If you are visiting a remote network where the network range is the same as the network range on the PPTP network (your LAN network in most cases), then the PPTP tunnel will not work. E.g. you are using a WiFi connection in a local coffee shop and the network range it has put you in is 192.168.1.0/24. You try to connect to your home network via PPTP, but your home also uses 192.168.1.0/24. The tunnel/authentication to the PPTP server will happen, but no traffic will go across that tunnel, due to the confusion in the TCP/IP stack on your workstation. To get around this, use some odd network range at home, e.g. 192.168.88.0/24. Most people use 10.0.0.0/24 or 192.168.1.0/24, so try to set your home network differently. This will also help when you set up IPsec tunnels between your house and, say, your friend's house.

Some ISPs use unreasonably short DHCP lease times, like one hour. If the PPTP client machine gets a short lease from DHCP, it will lose Internet connectivity after the lease expires. This is because all network traffic, including your DHCP renewal requests, is going across the VPN. Since it can't reach the local DHCP server through the VPN, when the lease expires your machine will release its IP address. This causes the loss of all connectivity. You have to disconnect from the PPTP (if it doesn't disconnect itself), renew your IP address, and reconnect. This is common on Windows hosts, and likely other OSes as well. If this happens, contact the administrator of your DHCP server (likely the client machine's ISP) and get the lease time lengthened. The author has seen this situation numerous times, and in every case the ISP was willing to help and resolved the problem. Your mileage may vary.

UPnP packets from your LAN do not make it to the PPTP network. This is more than likely because the current version of m0n0wall does not support UPnP. (In English: those of us having dreams of accessing our ReplayTV or other media devices that use UPnP can dream of other things for now. It is actually more secure to not have UPnP on a firewall, but some people overlook that so they can use voice chat software and DVRs.)

Network Neighborhood in Windows does not work over PPTP connections because broadcasts are not forwarded across the PPTP connection.

I haven't really beaten the PPTP tunnel that much yet, so if you find more items that don't seem to work right, let me know and I will add them here so people don't go crazy trying to figure out something that just won't work. ;)
Note
Version 1.3.x m0n0wall is still in beta testing and features can change before it is released as a stable version.

Some of the m0n0wall wireless features include:

support for wi and ath wireless cards
support for 802.11b/g/a
channel selection from 1 to 14
support for hostap, BSS and IBSS modes
enable/disable wireless interface
SSID (hiding the SSID in the upcoming 1.3 m0n0wall)
64-bit or 128-bit WEP encryption with ASCII or hexadecimal keys
bridging with another Ethernet interface if using hostap mode
WPA and WPA2 encryption using PSK and Enterprise mode (in hostap mode of the upcoming 1.3 m0n0wall)
AES/CCMP and TKIP ciphers (in the upcoming 1.3 m0n0wall)
WPA RADIUS server parameters (in the upcoming 1.3 m0n0wall)
Note
A Wireless Distribution System (WDS) is currently not supported in either 1.2.x or 1.3.x.
configuration.
SSID: The service set identifier (SSID) is the name of your wireless network, up to 32 characters.
Hide SSID: If this option is selected, the SSID will not be broadcast in hostap mode, and only clients that know the exact SSID will be able to connect. Note that this option should never be used as a substitute for proper security/encryption settings: the SSID still appears in clients' probe and association frames.
Channel: Either choose Auto for the m0n0wall device to scan and find an available wireless channel, or select a channel manually. To see currently used channels, click the Wireless option of the m0n0wall Status menu.
WPA mode: Choose none to not use WPA encryption on your wireless data. Otherwise choose PSK to use a Pre-Shared Key (passphrase) or Enterprise to use a RADIUS server.
WPA version: Choose from WPA, WPA2, or WPA+WPA2. In most cases, you should select "WPA+WPA2" here.
Cipher: Choose from TKIP, AES/CCMP, or TKIP+AES/CCMP. AES/CCMP provides better security than TKIP, but TKIP is more compatible with older hardware.
WPA passphrase: Enter the ASCII passphrase that will be used in WPA-PSK mode. This must be between 8 and 63 characters long.
RADIUS Accounting Port: Leave this field blank to use the default port (1813).
RADIUS Shared Secret: Optionally leave the shared secret blank to not use a RADIUS shared secret (not recommended).
Enable WEP: Check this box to enable WEP encryption of your wireless data. WEP is cryptographically broken and its keys can be recovered from captured traffic in minutes; use it only for hardware that cannot do WPA, and prefer WPA2 with AES/CCMP wherever possible.
WEP Keys 1-4: 40 (64) bit keys may be entered as 5 ASCII characters or 10 hex digits preceded by '0x'. 104 (128) bit keys may be entered as 13 ASCII characters or 26 hex digits preceded by '0x'.
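Added example, not m0n0wall code: a Python validator for the WEP key formats the table accepts, and the WPA-PSK derivation that the passphrase and SSID feed into (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 256-bit output, as specified in IEEE 802.11i). The test vector SSID "IEEE" with passphrase "password" is the one published in the standard; the other inputs are constructed.

```python
"""WEP key format check and WPA-PSK derivation (added illustration)."""
import hashlib
import re
from typing import Optional


def wep_key_bytes(key: str) -> bytes:
    """Accept what the WEP Keys fields take: 5 or 13 ASCII characters, or
    '0x' followed by 10 or 26 hex digits. Returns the raw 40- or 104-bit key."""
    if key.lower().startswith("0x"):
        hexdigits = key[2:]
        if len(hexdigits) not in (10, 26) or not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits):
            raise ValueError("hex WEP key must be '0x' followed by 10 or 26 hex digits")
        return bytes.fromhex(hexdigits)
    if len(key) not in (5, 13) or not key.isascii():
        raise ValueError("ASCII WEP key must be exactly 5 or 13 characters")
    return key.encode("ascii")


def wep_key_bits(key: str) -> Optional[int]:
    """40 or 104 for a well-formed key (the GUI calls these 64 and 128 bit,
    counting the 24-bit IV), None if the form would reject the value."""
    try:
        return len(wep_key_bytes(key)) * 8
    except ValueError:
        return None


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK pairwise master key: PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The SSID is the salt, which is why the same passphrase on two networks
    yields two different keys and why a renamed network needs re-keying."""
    if not 8 <= len(passphrase) <= 63 or not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


if __name__ == "__main__":
    print(wep_key_bits("0x0102030405"), wep_key_bits("abcdef"))
    print(wpa_psk("password", "IEEE").hex())
```

The derivation is also why a short dictionary passphrase is weak regardless of cipher: anyone who captures the four-way handshake can run the same 4096-iteration PBKDF2 over a word list offline, so choose a long random passphrase when using PSK mode.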
Below is a screenshot of the wireless interface configuration screen of 1.3.x m0n0wall.
Customizable authentication failure page
Voucher support (in the upcoming 1.3 m0n0wall)
Below are some of the Connection options that can be configured for use with the Captive Portal. Additionally there is some information about allowing pass-through MAC addresses and making a list of allowed IP addresses that do not need authentication.

Table 12.1. Connection Parameters

Interface: Choose which interface to run the captive portal on. Captive Portal can only be run on one interface.
Maximum concurrent connections: This setting limits the number of concurrent connections to the captive portal HTTP(S) server. This does not set how many users can be logged in to the captive portal, but rather how many users can load the portal page or authenticate at the same time! The default is 4 connections per client IP address, with a total maximum of 16 connections.
Idle timeout: Clients will be disconnected after this amount of inactivity. They may log in again immediately, though. Leave this field blank for no idle timeout.
Hard timeout: Clients will be disconnected after this amount of time, regardless of activity. They may log in again immediately, though. Leave this field blank for no hard timeout (not recommended unless an idle timeout is set).
Logout popup window: If enabled, a popup window will appear when clients are allowed through the captive portal. This allows clients to explicitly disconnect themselves before the idle or hard timeout occurs.
Redirection URL: If you provide a URL here, clients will be redirected to that URL instead of the one they initially tried to access after they've authenticated.
Concurrent user logins: If this option is set, only the most recent login per username will be active. Subsequent logins will cause machines previously logged in with the same username to be disconnected.
Disable MAC filtering: If this option is set, no attempts will be made to ensure that the MAC address of clients stays the same while they're logged in. This is required when the MAC address of the client cannot be determined (usually because there are routers between m0n0wall and the clients). With MAC filtering disabled, an authenticated session is tied to the client IP address only, which another host on the same segment can take over.
Per-user bandwidth restriction: If this option is set, the captive portal will restrict each user who logs in to the specified default bandwidth. RADIUS can override the default settings. Leave empty or set to 0 for no limit. You will need to enable the traffic shaper for this to be effective.
Caution
Below are some of the Secure Authentication options that can be configured for use with the Captive Portal.
Table 12.2. Secure Authentication Parameters
Parameter / Description
HTTPS login: If enabled, the username and password will be transmitted over an HTTPS connection to protect against eavesdroppers. A server name, certificate and matching private key must also be specified below.
HTTPS server: This name will be used in the form action for the HTTPS POST and should match the
Secondary RADIUS server: If you have a second RADIUS server, you can activate it by entering its IP address, port and shared secret as done for the primary server.
Send RADIUS accounting packets: If this is enabled, RADIUS accounting packets will be sent to the primary RADIUS server. Optionally change the default port (1813).
Reauthentication: If reauthentication is enabled, Access-Requests will be sent to the RADIUS server for each user that is logged in every minute. If an Access-Reject is received for a user, that user is disconnected from the captive portal.
These reauthentication updates can be configured to support no accounting updates, stop/start accounting, or interim updates.
If this option is enabled, the captive portal will try to authenticate users by sending their MAC address as the username and a static password/secret to the RADIUS server.
When this is enabled, clients will be disconnected after the amount of time retrieved from the RADIUS Session-Timeout attribute.
Radius Type: If RADIUS type is set to Cisco, in RADIUS requests (Authentication/Accounting) the value of Calling-Station-Id will be set to the client's IP address and the Called-Station-Id to the client's MAC address. Default behaviour is Calling-Station-Id = client's MAC address and Called-Station-Id = m0n0wall's WAN MAC address.
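To make the RADIUS options above concrete, here is an added example (Python, not the captive portal's own code) that builds and parses a minimal RFC 2865 Access-Request, populating User-Name/User-Password the way MAC authentication does, setting Calling-/Called-Station-Id for the default and Cisco RADIUS types as the table describes, and reading Session-Timeout from an Access-Accept; the secret, addresses and password in it are constructed.

```python
import hashlib
import os
import struct

# Added example, not m0n0wall's captive portal code: a minimal RFC 2865 RADIUS
# packet builder/parser showing how MAC authentication, the RADIUS type setting
# (Calling-/Called-Station-Id) and Session-Timeout appear on the wire.
# Attribute type numbers are the standard RFC 2865 ones.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, SESSION_TIMEOUT = 1, 2, 27
CALLED_STATION_ID, CALLING_STATION_ID = 30, 31


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; trailing NUL padding is stripped."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def build_packet(code, identifier, secret, attrs, authenticator=None):
    """attrs: list of (type, value bytes). User-Password is hidden on the way in."""
    authenticator = authenticator or os.urandom(16)
    body = b""
    for attr_type, value in attrs:
        if attr_type == USER_PASSWORD:
            value = hide_password(value, secret, authenticator)
        if len(value) > 253:
            raise ValueError("attribute value too long")
        body += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet, secret):
    """Return (code, identifier, {attr_type: value}); User-Password is revealed."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type == USER_PASSWORD:
            value = reveal_password(value, secret, authenticator)
        attrs[attr_type] = value
        pos += attr_len
    return code, identifier, attrs


def station_ids(client_mac, client_ip, wan_mac, radius_type="default"):
    """Default: Calling = client MAC, Called = m0n0wall WAN MAC.
    Cisco: Calling = client IP, Called = client MAC (as the table states)."""
    if radius_type == "cisco":
        return [(CALLING_STATION_ID, client_ip.encode()), (CALLED_STATION_ID, client_mac.encode())]
    return [(CALLING_STATION_ID, client_mac.encode()), (CALLED_STATION_ID, wan_mac.encode())]


def mac_auth_request(client_mac, client_ip, wan_mac, static_password, secret,
                     radius_type="default", identifier=1):
    """MAC authentication: the client's MAC is the User-Name and the configured
    static password/secret is the User-Password."""
    attrs = [(USER_NAME, client_mac.encode()), (USER_PASSWORD, static_password.encode())]
    attrs += station_ids(client_mac, client_ip, wan_mac, radius_type)
    return build_packet(ACCESS_REQUEST, identifier, secret, attrs)


def session_timeout(accept_attrs):
    """Seconds from the Session-Timeout attribute of an Access-Accept, or None."""
    value = accept_attrs.get(SESSION_TIMEOUT)
    if value is None:
        return None
    if len(value) != 4:
        raise ValueError("Session-Timeout must be a 32-bit integer")
    return struct.unpack("!I", value)[0]
```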
The total size limit for all files is 256KB.
12.4. Vouchers
Below is a quick howto from mwiget who added the Voucher feature to m0n0wall. Vouchers are only available in the upcoming 1.3 firmware release and are currently part of the beta version of the firmware.
Below are the steps to quickly set up and use the voucher functionality of m0n0wall's Captive Portal.
1. To enable, create and manage voucher support via captive portal, there is a new Tab under Services > Captive Portal: Voucher.
2. Enable captive portal first, upload a landing page that contains an input field 'auth_voucher'. An example can be found on the URL above.
3. Then enable Voucher support on the Voucher tab. Initially you can leave all fields with their defaults. Every new install will create unique encryption keys.
4. Now add at least one "Roll" by clicking '+' on the Vouchers page, right to 'Voucher rolls': Specify a Roll Number, e.g. 0, how many vouchers that roll shall contain, and how long each voucher allows network access.
5. Then generate the new vouchers by clicking on the paper logo right to the newly added roll. This will generate a CSV file and download via your browser.
Each of these generated vouchers can now be used by users for the configured amount of minutes for that roll. Note that as soon as a voucher has been activated, its timer will run down to zero and then block access, no matter if the session is idle or got disconnected due to logout or session termination.
To test the vouchers in the m0n0wall GUI, click on Status > Captive Portal. New tabs, dedicated to voucher handling, show up when voucher support is enabled. Click on Status > Captive Portal > Test Vouchers and enter one or more of the newly generated vouchers from the downloaded CSV file and click submit. A message will be shown with the validation and duration of each given voucher.
One can add multiple rolls, e.g. to have vouchers with different time credit. It is also possible to enter multiple vouchers, separated by space, to gain the sum of time credit of all entered vouchers.
There is more to it, read the comments to each config parameter on the voucher page.
Note on the very short public/private RSA keys: I know, those can be cracked easily and in no time, if one of the keys is known. The idea here was to make it a little bit harder than simply adding a shared password into the m0n0wall config file. Unfortunately I'm no expert on encryption but I assume with such short encrypted vouchers, there is no security difference between the used RSA keys and a symmetric encryption. Anyhow, all that encryption/decryption stuff is done in a newly added binary C program voucher.c, that is compiled and added into the m0n0wall image, and can be modified to increase the usability and security.
Below are the parameters that can be configured for voucher use in the upcoming 1.3 m0n0wall. The Enable Vouchers checkbox must be activated for these parameters to be used.
Changing any Voucher parameter (apart from managing the list of Rolls) on this page will render existing vouchers useless if they were generated with different settings.
Table 12.5. Voucher Parameters
Parameter / Description
Voucher Rolls: Create, generate and activate Rolls with Vouchers that allow access through the captive portal for the configured time. Once a voucher is activated, its clock is started and runs uninterrupted until it expires. During that time, the voucher can be reused from the same or a different computer. If the voucher is used again from another computer, the previous session is stopped.
Voucher public key: Paste an RSA public key (64 Bit or smaller) in PEM format here. This key is used to decrypt vouchers.
Voucher private key: Paste an RSA private key (64 Bit or smaller) in PEM format here. This key is only used to generate encrypted vouchers and doesn't need to be available if the vouchers have been generated offline.
Character set: Tickets are generated with the specified character set. It should contain printable characters (numbers, lowercase and uppercase letters) that are hard to confuse with others. Avoid e.g. 0/O and l/1.
# of Roll Bits: Reserves a range in each voucher to store the Roll # it belongs to. Allowed range: 1..31. Sum of Roll + Ticket + Checksum bits must be one Bit less than the RSA key size.
# of Ticket Bits: Reserves a range in each voucher to store the Ticket # it belongs to. Allowed range: 1..16. Using 16 bits allows a roll to have up to 65535 vouchers. A bit array, stored in RAM and in the config, is used to mark if a voucher has been used. A bit array for 65535 vouchers requires 8KB of storage.
# of Checksum Bits: Reserves a range in each voucher to store a simple checksum over Roll # and Ticket #. Allowed range is 0..31.
Magic number: Magic number stored in every voucher. Verified during voucher check. Size depends on how many bits are left by Roll + Ticket + Checksum bits. If all bits are used, no magic number will be used and checked.
Error message displayed for expired vouchers on captive portal error page ($PORTAL_MESSAGE$).
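The bit layout that Table 12.5 describes (Roll # | Ticket # | checksum | magic, one bit less than the RSA key size) is easier to see in code. The following is an added example in Python, not m0n0wall's voucher.c: it packs and checks that layout, renders tickets in a confusion-free character set, and keeps the per-roll "used" bit array the table mentions; the RSA step is left out, and the checksum function, magic value and character set are assumptions since the table does not fix them.

```python
import math

# Added example, not m0n0wall's voucher.c: the voucher bit layout from Table 12.5
# (roll | ticket | checksum | magic, totalling one bit less than the RSA key size)
# plus the per-roll "used" bit array. The RSA step is left out; the checksum
# function and character set are assumptions, since the table only asks for
# "a simple checksum over Roll# and Ticket#" and a confusion-free alphabet.
CHARSET = "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz"  # no 0/O, 1/l/I


def _mask(bits):
    return (1 << bits) - 1


class VoucherLayout:
    def __init__(self, key_bits=64, roll_bits=16, ticket_bits=16,
                 checksum_bits=31, magic=0x5A5A5A5, charset=CHARSET):
        if not 1 <= roll_bits <= 31:
            raise ValueError("# of Roll bits must be 1..31")
        if not 1 <= ticket_bits <= 16:
            raise ValueError("# of Ticket bits must be 1..16")
        if not 0 <= checksum_bits <= 31:
            raise ValueError("# of Checksum bits must be 0..31")
        used = roll_bits + ticket_bits + checksum_bits
        if used > key_bits - 1:
            raise ValueError("Roll + Ticket + Checksum bits exceed key size minus one")
        self.roll_bits, self.ticket_bits = roll_bits, ticket_bits
        self.checksum_bits = checksum_bits
        self.magic_bits = key_bits - 1 - used  # whatever is left; may be 0
        self.magic = magic & _mask(self.magic_bits)
        self.charset = charset

    def checksum(self, roll, ticket):
        # Assumed mixing function: odd multipliers, so any single change to
        # roll or ticket alters the low checksum bits.
        return ((roll * 2654435761) ^ (ticket * 40503)) & _mask(self.checksum_bits)

    def pack(self, roll, ticket):
        """Integer payload for one voucher (what would then be RSA-encrypted)."""
        if not 0 <= roll <= _mask(self.roll_bits):
            raise ValueError("roll number out of range")
        if not 1 <= ticket <= _mask(self.ticket_bits):  # 16 bits -> 65535 tickets
            raise ValueError("ticket number out of range")
        value = (roll << self.ticket_bits) | ticket
        value = (value << self.checksum_bits) | self.checksum(roll, ticket)
        return (value << self.magic_bits) | self.magic

    def unpack(self, value):
        """Verify magic and checksum; return (roll, ticket) or raise ValueError."""
        magic, value = value & _mask(self.magic_bits), value >> self.magic_bits
        check, value = value & _mask(self.checksum_bits), value >> self.checksum_bits
        ticket, roll = value & _mask(self.ticket_bits), value >> self.ticket_bits
        if (roll > _mask(self.roll_bits) or ticket == 0 or magic != self.magic
                or check != self.checksum(roll, ticket)):
            raise ValueError("invalid voucher")
        return roll, ticket

    def encode(self, value):
        """Render the payload as ticket text in the configured character set."""
        base, out = len(self.charset), []
        while value:
            value, rem = divmod(value, base)
            out.append(self.charset[rem])
        return "".join(reversed(out)) or self.charset[0]

    def decode(self, text):
        value = 0
        for ch in text:
            value = value * len(self.charset) + self.charset.index(ch)  # ValueError on bad char
        return value


class RollUsage:
    """Bit array marking activated tickets of one roll (2**16 tickets -> 8 KB)."""

    def __init__(self, ticket_bits):
        self.bits = bytearray(math.ceil((1 << ticket_bits) / 8))

    def is_used(self, ticket):
        return bool(self.bits[ticket >> 3] & (1 << (ticket & 7)))

    def mark_used(self, ticket):
        self.bits[ticket >> 3] |= 1 << (ticket & 7)


def is_valid(layout, value):
    try:
        layout.unpack(value)
        return True
    except ValueError:
        return False


def activate(layout, usage_by_roll, text):
    """Check a voucher and record its activation as (roll, ticket, first_activation).

    A voucher stays usable while its clock runs, so a repeat presentation is
    reported rather than refused here; the timer decides when access ends.
    """
    roll, ticket = layout.unpack(layout.decode(text))
    usage = usage_by_roll.setdefault(roll, RollUsage(layout.ticket_bits))
    first = not usage.is_used(ticket)
    usage.mark_used(ticket)
    return roll, ticket, first
```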
12.5. Limitations
Because users are identified by their MAC hardware address it is possible that someone using a packet sniffer can spoof/impersonate the authenticated MAC hardware address and thereby gain network access. Setting a hard timeout can help to minimize this risk.
Don't forget to enable the DHCP server on your captive portal interface! Make sure that the default/maximum DHCP lease time is higher than the timeout entered on this page. Also, the DNS forwarder needs to be enabled for DNS lookups by unauthenticated clients to work.
Plan carefully when you will make changes to the Captive Portal configuration. Changing any settings on the main Captive Portal configuration window will disconnect all clients!
Because of the way Captive Portal is implemented, it cannot be used on more than one interface.
12.6. Additional Information 12.6.1. Is there any extra Captive Portal RADIUS functionality available?
Jonathan De Graeve has implemented a number of new RADIUS features for Captive Portal that will be implemented in a future beta version. For now, these features are available on test images available for download from http://inf.imelda.be/downloads/m0n0wall/.
Features currently implemented in the test images include:
RADIUS defined URL redirection taking precedence over URL redirection parameter in captive portal setup page.
Multiple RADIUS server support
Failure message on captive portal login error page, plus logging to the captive portal log on why authentication failed (user account exceeded bandwidth limit, bad password, etc.).
Note
Retrieval means the variable is present and CAN be used, but there is no action bound to it yet.
Appendix A. Reference
Table of Contents
A.1. IP Basics
A.2. IP Filtering
A.3. NAT
A.4. Traffic Shaping
A.5. DNS
A.6. Encryption (PPTP/IPsec)
A.7. Logging (syslog)
A.1. IP Basics
You can change the hostname and domain used by your firewall in the General Setup screen.
Tip
Log messages include a timestamp of when the event occurred. The system time on the firewall is synchronized to an NTP (Network Time Protocol) server. You can change the NTP server and related parameters in the General Setup screen.
Unix based tools
The syslog daemon built into virtually every Unix-like system can be configured to accept log messages from remote hosts. Check documentation specific to your OS on how to configure syslogd to accept messages from remote hosts.
Other Unix Tools
syslog-ng
nsyslog
Windows based tools
There are several free and commercial tools available on Windows to enable your system to accept syslog messages from hosts on your network.
Kiwi Syslog
One of my favorites on Windows is Kiwi Syslog. There is a version with "basic" features that is free, and a more advanced version with $49 registration. Even if you are just looking for a free tool, the
This depicts the network layout we will have after configuring our DMZ interface.
Click the
on this page to add your third interface.
Now restart your m0n0wall for the changes to take effect.
Check the box at the top to enable the interface, give it a more descriptive name (I'll call it "DMZ"), and set up the desired IP configuration. The IP subnet must be different from the LAN subnet.
Click Save after verifying your selections. Then click Apply Changes.
Note
Don't forget that source ports (TCP and UDP) are randomly selected high ports, and not the same as the destination port. You'll need to use "any" for source port.
My DMZ interface firewall rules now look like the following after permitting the required services from DMZ to LAN.
for the mail server and web server.
After adding the rules, click Apply changes. You'll now see something like the following.
13.1.6.2. Testing the 1:1 NAT Configuration
You can test the 1:1 NAT we just configured by going to whatismyip.com on the machine configured for 1:1. If you don't have a GUI, lynx will work, or you can fetch or wget the URL and cat the resulting file (fetch http://whatismyip.com && cat whatismyip.com | grep "IP is").
You should see the IP is the one you just configured in 1:1 NAT. If you get an IP other than the one you configured in 1:1, there is a problem with your configuration.
13.1.6.3. Using Inbound NAT
If you have only one public IP, or need more publicly accessible servers than you have public IP addresses, you'll need to use inbound NAT. Go to the NAT screen, and on the Inbound tab, click .
For this example, we will assume you have only one public IP, and it is the interface address of the WAN interface.
First, anything to the WAN IP to port 25 (SMTP) will go to the mail server in our DMZ.
Click Save, and click
to add the inbound NAT rule for the HTTP server.
Click "Apply changes" and your configuration will be working. It should look like the following.
difficult. Many exploits rely on the target being able to pull files from a machine the attacker controls, or in the case of a worm, from the infected host. I'll use Code Red and Nimda as an example. Infected hosts exploited the vulnerability, and the remote host pulled the infected admin.dll via TFTP from the already infected host. If you were running vulnerable web servers, but did not allow TFTP traffic outbound from your web servers, you could not have been infected. (reference)
Attackers almost always try to pull in a toolkit or rootkit of some sort onto machines they exploit. There are ways around this, but it just makes it that much more difficult. This will merely slow down a knowledgeable attacker (who'll find a way to get in one way or another), but it could stop a script kiddie dead in their tracks and keep some worms from infecting your network.
This is not a replacement for proper patching and other security measures, it's just good practice in a defense in depth strategy.
Recommended configuration
Note
Remember you cannot access hosts on a bridged interface from a NAT'ed interface, so if you do have a LAN interface set up, you won't be able to access the hosts on the bridged interface from the LAN.
13.3.5.1. OPT Interface Rules
Initially, you may want to configure a rule on the OPT interface permitting traffic to anywhere, then after things are working, tighten that rule as desired. For this example, we'll go ahead and implement locked down rules from the get go.
The mail server on our bridged interface needs to send mail to any host on the Internet. Both servers need to get to DNS servers at 111.111.110.2 and 111.111.109.2. We'll add disabled maintenance rules for HTTP and cvsup.
13.3.5.2. WAN Interface Rules
Since this example portrays a firewall at a colocation facility, we need a remote administration rule to allow traffic from our trusted location's static IP access to administration functions of the servers, as well as the m0n0wall webGUI. For this example, we'll permit all traffic from the trusted location (IP 11.12.13.30). You may want to tighten this rule. If you don't have anything on the LAN segment, remember to allow remote administration from somewhere so you can get into the webGUI without being on site.
We also need to add rules to permit SMTP traffic to the mail server and HTTP and HTTPS traffic to the web server.
13.3.5.3. LAN Interface Rules
You can leave or remove the default LAN to any rule if you don't have hosts on the LAN interface. In the example, the LAN interface will be unplugged once the on-site configuration is completed.
13.3.5.4. Firewall Rules Completed
The following describes how to configure a site to site IPsec VPN tunnel between a PIX Firewall and m0n0wall.
First we need to make sure the PIX has 3DES enabled.
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Wed 13-Aug-03 13:55 by morlee
pixfirewall up 157 days 5 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000b.4605.d319, irq 10
1: ethernet1: address is 000b.4605.d31a, irq 11
2: ethernet2: address is 0002.b3b3.2e54, irq 11
Licensed Features:
Failover: Disabled
Enable ISAKMP on the outside interface (where "outside" is the name of the internet-facing interface)
pixfirewall(config)# isakmp enable outside
isakmp policy command on PIX
pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
       isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
       isakmp policy <priority> hash <md5|sha>
       isakmp policy <priority> group <1|2|5>
       isakmp policy <priority> lifetime <seconds>
Now we need to configure the ISAKMP policy on the PIX. Enter the following commands in configure mode:
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
Now we need to create an access list defining what traffic can cross this tunnel.
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
Define transform set for this connection called "monovpnset"
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
Define security association lifetime
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
Now to set up the actual connection, the crypto map "monovpnmap" (where 1.1.1.1 is the public IP address of the m0n0wall device).
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
Lifetime: 86400
Note
In m0n0wall 1.2 beta versions, you may experience the connection dropping frequently with this configuration. If this happens, set the PFS key group in phase 2 to "off".
Note
If you don't specify a key lifetime in the m0n0wall config, the tunnel will work, but appear to go insane after a while. Supposedly Cisco's will negotiate a key lifetime, but I have not seen this work in my experience. This is also true of a Cisco VPN Concentrator. (anonymous wiki contribution)
14.2. Smoothwall
Rev. Tig posted the following information on connecting Smoothwall and m0n0wall via IPsec VPN in a post on the mailing list on September 30, 2004.
I could not find a working solution in the mailing list archives but here is how I have managed to create a VPN between Smoothwall Corporate with Smoothtunnel and m0n0wall and I thought I would share it here to save people going through the same headbashing experience I did :) This will be far too much of a teaching granny to suck eggs for most people on the list but it might help someone get up and running quickly.
Variety is the spice of life and just to confuse matters the m0n0wall box was stuck behind NAT :) The office I was linking to was in a serviced building and hence the connection was a shared one with a private IP and public one port forwarded to it. I had never done this before so corrections are welcome :) I am not saying these are the best settings all I know is my VPN is up and running and it seems to be happy :)
What I have created is a VPN between one subnet at one site running Smoothwall Corporate Server 3.0 with Smoothtunnel and a m0n0wall v1 box sitting behind NAT with a private IP at the other site. Any other versions of the software may need slightly different settings but hopefully this should put you in the right ballpark.
First off IPSEC over NAT, if at all possible don't :) If you have to or for some perverse reason you fancy a crack at this then read on, if you are just here for the Smoothwall bit scroll down :)
IPSEC over NAT does work but it can be a case of sacrificing the odd network card to the deity of your choice, what I did in the end was ask their network guy to just send everything and I will let m0n0 do the firewalling, this is what I would recommend as then you don't have to hassle them every time you want a port opening, but from what I have gathered is that all you need are port 500 forwarding and IP protocols 50 and 51 to be routed by the firewall. Apparently your IPSEC traffic goes through port 500 but IP protocols 50 and 51 are needed for phase 1 (authentication) and phase 2 (key exchange).
If I am wrong (this is quite possible there will be a load of mails below correcting me :) If m0n0 is behind NAT and you are certain the other end is right but there appears to be no attempts to authenticate then check here first.
Now onto Smoothwall Corporate, now I know Rich Morrell posts on here so I have to be careful about what I say about the interface but that is just a personal taste thing :) Right here are the Smoothwall settings:
Local IP: your RED IP address (if you are using Smoothhost then put the IP of your firewall in)
Local ID type: Local IP
Remote IP: the external IP of your NATted m0n0wall box.
Remote ID type: Remote IP
Authenticate by: Preshared Key
Preshared Key: put your shared key here
Use Compression: Off
Enabled: On
Local network: in this case it was 192.168.0.0/255.255.255.0
Local ID value: same as your Local IP
Remote network: in this case it was 192.168.1.0/255.255.255.0
Remote ID value: the same as your Remote IP
Initiate the connection: Yes
I will use these networks in this example as it shows you a little gotcha in m0n0wall that threw me because I was not thinking :)
Next block:
Local Certificate: (your local certificate)
Perfect Forward Secrecy: Yes
Authentication type: ESP (it has to be AH will NOT work over NAT)
Phase 1 crypto algo: 3DES
Phase 1 hash algo: MD5
Key life: 480 (mins)
Key tries: 0 (never give up)
Right now the m0n0wall settings:
Phase 1:
Mode: tunnel (well you can't change it and why would you want to :)
Interface: WAN
Local Subnet: 192.168.1.0 / 24 (don't do what I did and select LAN :)
Remote Subnet: 192.168.0.0 / 24
Remote IP: The RED IP of your Smoothwall box
Negotiation Mode: Main
My Identifier: IP Address: Your public IP (non NATed) for your m0n0wall box
Encryption Algo: 3DES
Hash Algo: MD5
DH Key Group: 5
Lifetime: (blank)
Preshared Key: put your shared key here.
Phase 2:
Protocol: ESP
Encryption Algo: 3DES (only! untick the others)
Hash Algo: MD5 (again only)
PFS Key Group: 5
Lifetime: (blank)
That is it, you can now bring the link up from Smoothwall by going into the VPN control tab and clicking UP!
14.3. FreeS/WAN
Josh McAllister provided the following sample ipsec.conf, which can be used to connect m0n0wall with FreeS/WAN in a site to site IPsec configuration.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
version 2.0     # conforms to second version of ipsec.conf specification

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    #compress=yes

conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

conn josh
    type=tunnel
    left=ip.add.of.m0n0
    leftsubnet=m0n0.side.subnet/24
    leftnexthop=%defaultroute
    right=ip.add.of.freeswan
    rightsubnet=freeswan.side.subnet/24
    rightnexthop=%defaultroute
    authby=secret
    auth=esp
    esp=3des-md5-96
    pfs=no
    auto=start

m0n0 side:
Phase 1
    Neg. mode = main
    Enc. Alg = 3DES
    Hash Alg = MD5
    DH key grp = 5
Phase 2
    Protocol = ESP
    Uncheck all Enc. Alg. except 3des
    Hash alg = md5
    PFS key group = off
14.4. Sonicwall
Contributed by Dino Bijedic <dino.bijedic(at)eracomtech(dot)com>
The following describes how to configure a site to site IPSec VPN tunnel between a Sonicwall (PRO 300) and m0n0wall.
Editor's note: I would suggest using Main mode rather than Aggressive.
Figure 14.1. Network diagram
Click Update
Figure 14.2. Example of Sonicwall configuration
14.5. Nortel
If you go to Nortel's support site, they have a number of documents available on setting up peer to peer IPsec tunnels using preshared key authentication. Find the appropriate one for your device, and set up the m0n0wall end with the appropriate settings as described in the Nortel documentation.
6. Select "My Identity" and use the following settings:
7. Select "Authentication (Phase 1) > Proposal 1" and use the following settings:
8. Select "Key Exchange (Phase 1) > Proposal 1" and use the following settings:
If you have a crypto accelerator card in your m0n0wall, you may want to use Triple DES instead of AES 256 as the encryption algorithm (some crypto accelerators do not support AES).
9. Choose File > Save.
10. If you have a crypto accelerator card in your m0n0wall, you may want to use Triple DES instead of AES 256 as the encryption algorithm (some crypto accelerators do not support AES).
11. Choose File > Save.
12. Make sure that the Internet connection is established. Try to ping a host on your LAN (e.g. your m0n0wall's LAN IP address). The first few pings will time out as it takes a few seconds for the IPsec tunnel to be established. Use SoftRemote's log viewer and connection monitor to tell you what's going on (right-click on the SoftRemote icon next to the clock to open them).
15.31. Are PCMCIA cards supported?
15.32. Are there any tweaks for systems that will need to support large loads?
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
15.34. Can Captive Portal be used on a bridged interface?
15.35. Can I run Captive Portal on more than one interface?
15.36. Why do my SSH sessions time out after two hours?
15.37. Why isn't the reply address of the list set to the list?
15.38. Why am I seeing "IP Firewall Unloaded" log/console messages?
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.40. Why doesn't m0n0wall have a logout button?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
15.43. Where can I get a high resolution version of the m0n0wall logo?
15.44. When will m0n0wall be available on a newer FreeBSD version?
15.45. Is there any extra Captive Portal RADIUS functionality available?
15.46. How can I increase the size of the state table?
Everything you ever wanted to know about m0n0wall but were afraid to ask. This is a must read before posting questions to the mailing list!
15.3. Why isn't it possible to access NATed services by the public IP address from LAN?
Problem. It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://yourexternalip/ from within your LAN.
Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.
Solution. If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address.
Note
15.4. I enabled my PPTP server, but am unable to pass traffic into my LAN
15.5. I just added a new interface to my m0n0wall box, and now it doesn't show up in the webGUI!
You probably forgot to assign a function to the interface. Use the console menu's "assign network ports" option to do that.
Short answer: Not yet. (i.e. you cannot specify MAC addresses in firewall rules)
Long answer: There are several "hacks" you may be able to use to achieve the desired end result.
To verify this addition, run 'arp -a' in exec.php and you'll see the following in the list.
? (192.168.1.11) at ab:cd:ef:12:34:56 on sis2 [ethernet]
This change will not survive a reboot. You need to put the arp -s command in your config.xml in <shellcmd>. See this FAQ entry for more information on hidden config.xml options.
Note
An unauthorized user with a clue will be able to get around this second method more easily than the first method by just assigning a static IP address that isn't in use. Either method is easy enough to get around for a user with a decent amount of knowledge.
SMP support isn't built into m0n0wall, and the current versions have no add-on SMP support available. m0n0wall will run on SMP systems, however it will only utilize one processor.
Michael's SMP support hasn't been updated in quite some time, and will not work with current m0n0wall releases.
Michael Iedema has written a program to automatically add SMP support to a m0n0wall release, which is available from http://www.michaeli.com/files/projects/m0n0smp.
The script requires pseudo-device vn built into your kernel. When first run, it downloads the latest SMP kernel from Michael's site and updates the image. The update flag will redownload the SMP kernel in the event that Michael releases a new revision of the kernel. Michael also has a pre-built copy of the latest generic-pc image with SMP available for download from his page.
15.8. Why can't hosts on a NATed interface talk to hosts on a bridged interface?
This frequently happens when someone wants to bridge an interface to their WAN to use it as a DMZ, and wants to put all of the hosts on their LAN interface behind a NAT. This is actually a fairly reasonable and natural thing to want to do.
The problem here is that ipnat and bridging (at least as implemented in FreeBSD) don't play well together. Packets from the LAN to the DMZ go out just fine, but in the other direction, it seems like the packets arriving on the unnumbered bridge interface don't get looked up correctly in the ipnat state tables.
I've managed to convince myself that solving this is Really Really Hard(TM). The irritating thing is that there's no theoretical reason why this should be difficult... it all comes down to implementation details.
Contribution from Bruce A. Mah <bmah(at)freebsd.org>
Hey folks, I feel the need to state once and for all what the intention with which I started m0n0wall was. My goal was to create a free/open-source alternative to smaller commercial firewall boxes - no more, no less. I figured that on a Soekris or similar embedded PC, it could be made to look and behave just like a commercial firewall - only cheaper and with me in control of the features. When I started working on it, I especially had the following models in mind:
WatchGuard SOHO
ZyXEL ZyWALL 10
SonicWALL SOHO
NetScreen 5XP
I didn't intend to create an enterprise-class firewall, and I didn't intend to make a file, mail, print, web or whatever server. And despite the fact that m0n0wall runs well (and in the majority of installations, according to the survey!) on normal PCs, it is targeted at embedded PCs, which means they dictate what is possible in terms of storage, CPU speed and RAM size. I think m0n0wall mostly meets or even exceeds the feature range of the aforementioned products, so my goal has already been reached. That doesn't mean there's no room for or point in improvements. I just want to make it clear that I don't think we're ever going to see things like the following in m0n0wall:
caching proxy
file server (Samba etc.)
mail server
web server (Apache etc.)
very extensive statistics
simply because it wasn't my goal to produce some all-in-one thing like e-smith, but a packet filtering firewall. Furthermore, these things usually don't mix well with embedded PCs for several reasons. Why do we have a DHCP server then? Because all the commercial products I mentioned before do, because it's small and lightweight enough to fit in with the rest, and because it considerably increases ease-of-use (meaning that if your Internet connection uses DHCP too, like for example cable, you don't have to configure anything at all to let your clients access the Internet - that's why it's on by default too). Now, about the NTP server... Rest assured that if msntp didn't have problems with Windows XP clients, there would have been a nice little NTP server configuration page in the webGUI, or at least a checkbox on the general setup page (with default to off of course), since pb15. But I don't like stuff that works only half of the time, so that's why it hasn't happened yet. There you go... Hope I've explained my point of view now.
Regards, Manuel
Note
Do not add Proxy ARP entries for IP addresses that are not assigned to you! Most DHCP servers will attempt to do an ARP query before assigning an IP address to a client, and if you enable Proxy ARP on IP's that are not yours, they will appear to be in use to the DHCP server. We have heard of instances where people enabled Proxy ARP for their entire WAN subnet, and got disconnected because they were "taking up all the DHCP addresses." Technically you aren't taking all the leases, you're just answering ARP on all of them which is just as bad. This is typically only an issue when your WAN is an Ethernet network, but don't ever do it.
Note that it is never necessary (and strongly discouraged) to use IP aliasing on the WAN interface (by means of ifconfig commands).
There are no filtering capabilities built into m0n0wall based on website content, keywords, etc., nor any supported add-ons with such functionality.
Blocking by IP Address/Subn
You can block specific sites by putting in firewall rules to deny access to the undesired server's IP address. If you take this path, it is recommended you use "reject" rather than "block" in the firewall rules so inaccessible sites time out immediately.
Blocking by DNS Override
If you use your m0n0wall as your only DNS server, you can also block specific sites by putting in a DNS override for the undesired site to point to an internal or invalid IP address. To block www.example.com, put in a DNS override pointing it to 1.2.3.4 or some other invalid IP address, or an address of a LAN web server. If you use an invalid IP address, you should put in a firewall rule to reject packets to this address so the requests time out immediately.
Note this is easy to get around by either using a different DNS server or editing the hosts file on the local machine, though this is beyond the capabilities and knowledge of most any user.
Using a Proxy Server
The ideal solution would be to use a proxy server on your LAN, and block outgoing traffic from your LAN hosts other than the proxy server.
PPPoE/PPTP client, PPTP VPN, and DynDNS passwords as well as RADIUS and IPsec shared secrets appear in plain text in config.xml. This is a deliberate design decision. The implementations of PPP, IKE, RADIUS and the way DynDNS works require plain text passwords to be available. We could of course use some snake oil encryption on those passwords, but that would only create a false sense of security. Since we cannot prompt the user for a password each time a PPP session is established or the DynDNS name needs to be updated, any encryption we apply to the passwords can be reversed by anyone with access to the m0n0wall sources, i.e. everybody. Hashes like MD5 cannot be used where the plain text password is needed at a later stage, unlike for the system password, which is only stored as a hash. By leaving the passwords in plain text, it is made very clear that config.xml deserves to be stored in a secure location (or encrypted with one of the countless programs out there).
result). Theoretically this *shouldn't* be an issue for the *server* side of SNMP, but perhaps the server has a bug (well, deficiency, at least) where it doesn't send the response out through a socket bound to the request packet. You can fake it out by adding a bogus static route to the remote end of the tunnel via the m0n0wall's LAN IP (assuming that's within the near-end tunnel range). A good test is to see whether you can ping something at the remote end of the tunnel (e.g. the SNMP remote) *from* the m0n0wall. There's an annoying but mostly harmless side-effect to this - every LAN packet to the tunnel elicits a no-change ICMP Redirect.
15.16. Can I use m0n0wall's WAN PPTP feature to connect to a remote PPTP VPN?
The m0n0wall WAN PPTP feature is for ISPs that require you to connect using PPTP (some in Europe require this). This feature cannot be used as a PPTP client to connect to a remote PPTP server to allow m0n0wall to route over the PPTP connection.
15.17. Can I use multiple WAN connections for load balancing or failover on m0n0wall?
Not yet.
15.22. Will there ever be translated versions of m0n0wall? Can I translate m0n0wall into my language?
The short answer is: no.

The long answer is: the author of m0n0wall has decided that translations add an extreme amount of overhead, since each time a new feature is developed (or an existing feature is modified), all the translators need to be contacted to get the proper translations for the new strings. Experience shows that people are often eager to start something new, but lose interest and give up or go away after a while, so it'd be hard to keep all the different languages synchronized. Failure to do so would lead to incomplete or mixed (with English) translations, something which immediately creates a very bad impression in most users. Furthermore, translating the interface of a firewall isn't as easy as it seems; the translator needs to fully understand all the concepts that are involved in order to produce accurate translations.

Side note: the native language of the author of m0n0wall is not English either. However, he believes that anyone who's trying to accomplish anything nontrivial with a firewall, especially an open source one, will never get around learning English anyway.

That said, everybody's free to start their own (translated) m0n0wall branch; the BSD license, under which m0n0wall is placed, essentially permits anyone to do anything with m0n0wall as long as the original copyright notice and license are preserved somewhere (see the license for details). It should be made clear that it's not an "official" version though.

Chris Buechler has this to add:
I have a 2511MP+ in my 4501, though honestly, I don't use it much anymore for anything other than m0n0wall testing. I got a Linksys WRT54G to use for wireless. FreeBSD 4.11's hostap just plain sucks IMO. It's starting to show its age (the 4.x version is several years old). There are many newer cards you just can't get to connect to it no matter what (more than half the b/g and a/b/g cards I've tried), some that require configuration changes to connect, and in general it's just a pain. Given the cost of miniPCI cards, a Linksys or similar is a good alternative for about the same cost - just bridge the wireless over to an OPT port on m0n0wall, as I do. Things should improve very much in the next m0n0wall version, including support for a/b/g cards and none of the pains of 4.11's dated hostap, so you may want to hold off for a few months or so if you can.
15.26. How can I route multiple subnets over a site to site IPsec VPN?
There are two ways to accomplish this. Which is most suitable depends on if you are able to summarize the subnets, and how many subnets are involved. For either way, the subnets do not need to
15.28. Why does my MSN Messenger transfer files very slowly when using traffic shaper?
Because the traffic shaping rules to limit BitTorrent throughput cover the same range of ports MSN uses. Magic Shaper uses 6881-6999 to classify BitTorrent traffic, which encompasses the MSN ports 6891-6900. You can change the rules that classify BitTorrent traffic in the traffic shaping pages. Typically BitTorrent only uses 6881-6889.

Credit: Chris Bagnall
15.29. Can I forward broadcasts over VPN for gaming or other purposes?
Not yet. OpenVPN will make this possible in the future.
15.30. How can I use public IP's on the LAN side? Or how can I disable NAT?
If you're using public IPs on your LAN, or need to disable NAT for some other reason, enable advanced outbound NAT, under Firewall > NAT, Outbound tab.
15.32. Are there any tweaks for systems that will need to support large loads?
reserved for network buffers. You can do a simple calculation to figure out how many you need. If you have a web server which maxes out at 1000 simultaneous connections, and each connection eats a 16K receive and 16K send buffer, you need approximately 32MB worth of network buffers to deal with it. A good rule of thumb is to multiply by 2, so 32MBx2 = 64MB/2K = 32768. So for this case you would want to set kern.ipc.nmbclusters to 32768. We recommend values between 1024 and 4096 for machines with moderate amounts of memory, and between 4096 and 32768 for machines with greater amounts of memory. Under no circumstances should you specify an arbitrarily high value for this parameter; it could lead to a boot-time crash. The -m option to netstat(1) may be used to observe network cluster use. Older versions of FreeBSD do not have this tunable and require that the kernel config(8) option NMBCLUSTERS be set instead.

Add a line like the following to the /boot/loader.rc on the image.
set kern.ipc.nmbclusters=32768
15.33. Can I add MRTG or some other historical graphing package to m0n0wall?
Or "why SVG, it doesn't tell me anything". Not true, there are many uses for real time graphing data that MRTG, ifgraph and similar historical packages cannot provide. These fill two different needs.

Not directly on the firewall. These packages all have heavy requirements like Perl and others. In order to keep m0n0wall light, these packages cannot be added directly to the system. m0n0wall's file system design, in that it runs from RAM and does not maintain anything other than your configuration across reboots, is not conducive to applications of this nature.

You can run these from another system on your network. See the ifgraph section of this guide.
15.37. Why isn't the reply address of the list set to the list?
The ezmlm FAQ explains why this is not recommended. Manuel posted the following explanation to the list on May 12, 2003.
It will stay this way because I read this: http://www.ezmlm.org/faq-0.40/FAQ-9.html#ss9.8 and found that they're right - I can live with the fact that people have to think twice before posting anything to the list. :) Besides, other lists behave in the same way, too (including soekris-tech and freebsd-small), and every better MUA has got a "Reply All" function, so that issue is settled as far as I'm concerned.
Also see The Great Reply-to Debate in the book Producing Open Source Software.
15.39. Why can't my IPsec VPN clients connect from behind NAT?
15.41. Can I have more than 16 simultaneous PPTP users?
15.42. Can I sell m0n0wall (or use it in a commercial product)?
Yes, though this is not officially supported. See this page on Chris Buechler's website for images and further information.
Note
Unfortunately, to increase the size of the state table you have to recompile the kernel. See The complete guide to building a m0n0wall image from scratch in the m0n0wall Developers' Handbook.
16.1. Installation
m0n0wall Live Installer: FreeBSD LiveCD (built using FreeSBIE) including all m0n0wall 1.11 and 1.2b3 images and instructions on using it.
Installing m0n0wall over a network, Roberto Pereyra
16.2. VPN/IPsec/PPTP
16.3. Wireless
Setting Up a Community Hotspot with m0n0wall (PDF), NYCwireless

Table of Contents
B.1. Introduction
B.2. Installing SVG Viewer on Mozilla Firefox
B.3. Collecting and Graphing m0n0wall Interface Statistics with ifgraph
B.4. Updating more than one Dynamic DNS hostname with ddclient
B.5. Using MultiTech's Free Windows RADIUS Server
B.6. Configuring Apache for Multiple Servers on One Public IP
B.7. Opening Ports for BitTorrent in m0n0wall
B.7.1. Opening BitTorrent for Multiple LAN Hosts
B.8. Automated config.xml backup solutions
B.8.1. Backing up and committing to CVS
B.8.2. Backing up to the current directory
B.9. Historical Interface Graphing Using MRTG on Windows
B.1. Introduction
Compiling yourself

su-2.05b# cd /usr/ports/net-mgmt/ifgraph
su-2.05b# make install clean

You'll see the names of your interfaces under the description column. Make note of the interface number (first column) for your interfaces.

3. Edit ifgraph.conf file. Copy the sample ifgraph.conf file (ifgraph.conf.sample) to ifgraph.conf. In the per-target sections, set host to the m0n0wall's LAN address and community to the read-only SNMP community configured on the m0n0wall; the sample's "public" is the well-known default and should only be left in place on an isolated lab network.
su-2.05b# cp /usr/local/etc/ifgraph.conf.sample /usr/local/etc/ifgraph.conf
[global]
rrdtool = /usr/local/bin/rrdtool
rrddir = /usr/local/var/ifgraph
graphdir = /usr/local/ifgraph/htdocs
template = /usr/local/ifgraph/templates/en
imgformat=PNG
# those are the default configurations, should be
# overridden in each target
host = your.main.router.com
community = public
port =161
max=100M
dimension=550x200
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
hbeat=600
retry=2
timeout=5

[m0n0wall-wan]
host=192.168.1.1
community=public
port=161
interface=2
max=100M
dimension=550x200
title=In/Out data for m0n0wall WAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our network,kbits leaving our network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

[m0n0wall-dmz]
host=192.168.1.1
community=public
port=161
interface=3
max=100M
dimension=550x200
title=In/Out data for m0n0wall DMZ interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering DMZ network,kbits leaving DMZ network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

[m0n0wall-lan]
host=192.168.1.1
community=public
port=161
interface=4
max=100M
dimension=550x200
title=In/Out data for m0n0wall LAN interface
colors=back#000000,font#FFFFFF,shadea#212121,canvas#232323,mgrid#FF0000,out#FFFFFF
options=noerror
ylegend=kbits per second
legends=kbits entering our LAN network,kbits leaving our LAN network
shortlegend=kbits/sec
hbeat=600
retry=2
timeout=5
step = 300
periods = -1day, -1week, -1month, -1year

Now we'll run makegraph.pl to make the html pages and graphs.
su-2.05b# makegraph.pl -c /usr/local/etc/ifgraph.conf
Check the ifgraph htdocs directory to make sure it contains the png and html files.

su-2.05b# ls /usr/local/ifgraph/htdocs
index.html
m0n0wall-dmz-1day.png  m0n0wall-dmz-1week.png  m0n0wall-dmz-1month.png  m0n0wall-dmz-1year.png  m0n0wall-dmz.html
m0n0wall-lan-1day.png  m0n0wall-lan-1week.png  m0n0wall-lan-1month.png  m0n0wall-lan-1year.png  m0n0wall-lan.html
m0n0wall-wan-1day.png  m0n0wall-wan-1week.png  m0n0wall-wan-1month.png  m0n0wall-wan-1year.png  m0n0wall-wan.html

5. Edit Apache config

In the mod_alias section of your httpd.conf file (/usr/local/etc/apache/httpd.conf in FreeBSD), add:
Alias /ifgraph/ "/usr/local/ifgraph/htdocs/"
Restart Apache for the changes to take effect.
su-2.05b# apachectl restart
B.4. Updating more than one Dynamic DNS hostname with ddclient
m0n0wall updates the dynamic hostname of the external interface with the program ezipupdate which is lightweight and does its job. However, it is not capable of updating more than one hostname (like if you host your domain at DynDNS). If you want or need to do this, your best bet is using another system (you'll probably have a server running in the background anyway).

The ddclient project website can be found here.

DynDNS has a list of supported clients. Most of these will work with any dynamic DNS provider, not only with DynDNS.

See what DynDNS offers as services. This is vital in understanding the config file of ddclient.

This document describes the setup for updating several hostnames with ddclient. I chose that particular beast because it can read the external address from status pages of several hardware and software firewalls and routers, so I thought I might check if it works out of the box with the m0n0wall status_interfaces.php page. It does.

The config is pretty easy:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
server=members.dyndns.org
login=YourDynDNSLogin
password=YourDynDNSPassword
fw-login=admin
fw-password=Yourm0n0Password
use=fw, fw=http://Yourm0n0IPOrHostname/status_interfaces.php
custom=yes
yourdomain.org,mail.yourdomain.org,somehost.yourdomain.org,yourdomain.com

If you only want to update Dynamic DNS entries with DynDNS, remove the
custom=yes
directive. If you want to update a DynDNS Static DNS record, replace the
custom=yes
with
static=yes
If you manage your m0n0wall with TLS, the setup is slightly different as you should run an external command to access the status page. Note that the -k option in the curl command below makes curl skip certificate verification (only needed if the webGUI uses a self-signed certificate), and the admin password is embedded in the command string, so keep /etc/ddclient.conf readable only by root:

# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf

pid=/var/run/ddclient.pid
protocol=dyndns2
server=members.dyndns.org
login=YourDynDNSLogin
password=YourDynDNSPassword
# fw-login=admin
# fw-password=Password
# use=fw, fw=http://Yourm0n0IPOrHostname/status_interfaces.php
use=cmd
cmd='curl -k -s https://admin:Yourm0n0Password@Yourm0n0IPOrHostname/status_interfaces.php'
custom=yes
yourdomain.org,mail.yourdomain.org,somehost.yourdomain.org,yourdomain.com

Now set up ddclient to run as a daemon. Mine checks the status page every 5 minutes and updates the DynDNS records if necessary.
/usr/sbin/ddclient -daemon 300 -syslog
The radius program will create a myusers file based on the users file you just edited, leave this alone.

Dictionary file can be left as is.

The clients file needs to be edited to include the ip address of the m0n0wall, and the radius access password, my file looks like this:

172.16.1.1 password

That's it, v simple. No more files to edit.

It installs itself as a win32 service, just stop the service, restart it, and it loads all the settings/users.

Now enable the captive portal, telling it to use the ip address of the win32 machine this radius server is installed on, and the password to use, in this case password.

Make sure that your local win32 firewall is either not on, or is allowing port 1812 through for radius!

    Redirect / http://www.whatever.com:81
</VirtualHost>

<VirtualHost 192.168.1.12>
    UseCanonicalName off
    ServerName www.example.net
    Redirect / http://www.example.net:82
</VirtualHost>
Note
If you aren't already using a static IP or static DHCP reservation, you should set one up for that machine now so its IP address will never change.

#!/bin/sh
# Placeholder settings (the original fragment assumes these are set elsewhere); fill in for your site.
TMPDIR=/tmp/m0n0wall-backup.$$   # scratch checkout directory
CVSPROJ=m0n0wall-config          # CVS module that holds config.xml
USER=admin                       # m0n0wall webGUI user
PASS=changeme                    # m0n0wall webGUI password
PROTO=https                      # http or https
M0N0IP=192.168.1.1               # m0n0wall LAN address
set -e                           # stop at the first failing command instead of committing garbage
mkdir "$TMPDIR"
cd "$TMPDIR"
cvs -Q co "$CVSPROJ"
cd "$CVSPROJ"
curl -s -o config.xml -F Submit=download -u "${USER}:${PASS}" "${PROTO}://$M0N0IP/diag_backup.php"
NOW=`date +%Y-%m-%d@%H:%M:%S`
cvs -Q commit -m "backup of config.xml [$NOW]"
cd /tmp
rm -rf "$TMPDIR"
Tip
First check your BIOS settings for a "Plug and Play OS" or "OS" setting. For "Plug and Play OS", set it to "no" or "disable". If there is an "OS" setting, typically you can and should set it to "other". This most always fixes the problem.

If that doesn't resolve it, try to upgrade your system BIOS.

Resetting the BIOS to default settings might help. There have been instances in the past where this has resolved this problem, likely due to some strange BIOS setup from past use of the hardware.

Occasionally other hardware like sound cards, and similar, can prevent some or all of your cards from being detected. Try removing any cards in the system that aren't required, and disabling any unused hardware (USB, parallel port, serial ports, any onboard sound, etc.) in the system BIOS.

Most all Ethernet cards are supported by m0n0wall, but if you still cannot see the network cards, ensure they are supported.

17.2. After replacing my current firewall with m0n0wall using the same public IP, m0n0wall cannot get an Internet connection.

This same problem can affect new 1:1 and Server NAT configurations.

Cause. This is typically caused by the router outside of your m0n0wall having the MAC address of your previous firewall still in its ARP table. Cisco routers, for example, will cache this for four hours by default. Many other routers are similar.
Solution
Clear the ARP cache on your router. If you don't have access to the command interface of the router, or don't know how to clear the ARP cache, power cycling the router should achieve the same result. Alternatively, you could fill in the MAC address of the WAN interface of your previous firewall in m0n0wall's WAN interface screen.
Straight cables
Crossover cables are used to connect one hub or switch to another hub or switch, or connect a PC directly to another PC, or a firewall directly to a PC, etc.

Make sure you are using the appropriate cable type for your situation. If you are unsure of which cable is required and do not get a link light with a straight cable, try a crossover cable.

If none of the above apply and you still are not getting a link light, verify functionality of both pieces of equipment by trying other devices. If you cannot get a link light on a network device no matter what you plug it into with any kind of cable, the device has a bad Ethernet port.

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

An unsuccessful ping will look like this.

C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

See Cannot Access webGUI, as if you cannot ping, you won't be able to get into the webGUI either.

'ipconfig /all' from a command prompt if using Windows to check this. It must be set to m0n0wall's LAN IP (192.168.1.1 by default).

If all else fails and you need to determine exactly which rule is dropping the traffic, go to status.php on your m0n0wall to the "last 50 filter log entries" section. Find the log line applying to the traffic in question, and make note of the rule number. The rule number is denoted by an @ followed by a number, then a colon, then another number, for example @0:18. The 0 indicates the first group, and the 18 indicates rule number 18 in group 0.

Then go up to the output of "ipfstat -nio" and find the rule in question. Anything without a group number at the end of the rule is the 0 group. @1:1 would indicate the first rule with "group 100" at the end of the rule. @2:1 would be the first rule with "group 200" at the end of the rule, and so on.

Finding the exact rule, since some rules are added by the backend of m0n0wall and not visible on the rules page, may make troubleshooting easier.
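The lookup just described, done by hand on the status page, as an added example (not m0n0wall code) that maps a filter log tag to the matching line of ipfstat -nio output. The log line and rule listing are constructed samples; the group mapping (@1 is "group 100", @2 is "group 200") follows the text above and can be swapped through the group_map parameter if your log shows the literal group number instead.

```python
"""Map a filter log tag such as @0:18 to the rule line in ipfstat -nio
output, following the convention described in the text above.

Added example, not m0n0wall code. LOG_LINE and IPFSTAT_NIO are constructed
samples in the shape of ipmon log lines and ipfstat -nio output.
"""
import re
from dataclasses import dataclass

TAG_RE = re.compile(r"@(\d+):(\d+)")
DIR_RE = re.compile(r"\b(IN|OUT)\s*$")          # ipmon ends the line with the direction
GROUP_RE = re.compile(r"\bgroup\s+(\d+)\s*$")   # trailing "group N" on a rule


@dataclass
class RuleRef:
    group: int      # group index from the log tag (0 = rules without a group)
    number: int     # 1-based rule position within that group
    direction: str  # "in" or "out"


def parse_filter_log_line(line):
    """Extract the @group:rule tag and direction from one filter log line."""
    tag, direction = TAG_RE.search(line), DIR_RE.search(line)
    if not tag or not direction:
        raise ValueError(f"no @group:rule tag or IN/OUT marker in: {line!r}")
    return RuleRef(int(tag.group(1)), int(tag.group(2)), direction.group(1).lower())


def rule_group(rule):
    """Group a rule belongs to: the trailing 'group N', else 0."""
    m = GROUP_RE.search(rule)
    return int(m.group(1)) if m else 0


def rule_direction(rule):
    """Direction keyword that follows the action (pass/block) in an ipf rule;
    a leading '@N' rule number printed by ipfstat -n is skipped."""
    toks = rule.split()
    if toks and toks[0].startswith("@"):
        toks = toks[1:]
    return toks[1] if len(toks) > 1 and toks[1] in ("in", "out") else ""


def find_rule(ipfstat_output, ref, group_map=lambda g: g * 100):
    """Return the rule line that @G:N refers to, or None.

    group_map turns the tag's group index into the 'group N' value used in
    the rule listing; the default (1 -> 100, 2 -> 200) is the convention the
    text gives for m0n0wall. Rules are counted per direction, in the order
    ipfstat -nio lists them, because in- and out-rules are numbered separately.
    """
    wanted = 0 if ref.group == 0 else group_map(ref.group)
    seen = 0
    for raw in ipfstat_output.splitlines():
        rule = raw.strip()
        if not rule or rule_direction(rule) != ref.direction:
            continue
        if rule_group(rule) != wanted:
            continue
        seen += 1
        if seen == ref.number:
            return rule
    return None


# Constructed samples (not real output from any m0n0wall).
IPFSTAT_NIO = """\
@1 block in quick on sis0 from 10.0.0.0/8 to any
@2 pass in quick on sis0 proto tcp from any to 192.168.1.1/32 port = 80 flags S/SA keep state
@3 block in log quick on sis0 all
@1 block in log quick on sis1 proto tcp from any to any port = 25 group 100
@2 pass in quick on sis1 all group 100
@1 pass out quick on sis0 all
@1 block out log quick on sis1 from 192.168.2.0/24 to any group 200
"""
LOG_LINE = ("05/06/2008 13:01:12.123456 sis0 @0:3 b 192.168.1.50,1034 -> "
            "10.1.1.1,80 PR tcp len 20 48 -S IN")

if __name__ == "__main__":
    ref = parse_filter_log_line(LOG_LINE)
    print(ref, "->", find_rule(IPFSTAT_NIO, ref))
```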
18.1. Books
Wireless Hacking: Projects for Wi-Fi Enthusiasts
Where Good Wi-Fi Makes Good Neighbors, The New York Times
18.4. Television
Build a Wireless Access Point, TechTV
18.6. Conferences
There will be a session on m0n0wall at O'Reilly's EuroOSCON 2005.
Glossary
ACL
Access Control List.

AH
Authentication Header. The Authentication Header is used to provide connectionless integrity and data origin authentication for IP datagrams. Note: AH will not work through NAT, so if you are placing your m0n0wall behind another firewall or layer 2 router that is performing NAT, AH will not work. Unless you really have a reason, use ESP.
See Also http://www.networksorcery.com/enp/protocol/ah.htm.

Broadcast Domain
A broadcast domain is the portion of a network sharing the same layer two network segment. In a network with a single switch, the broadcast domain is that entire switch. In a network with multiple switches interconnected by crossover cables without the use of VLANs, the broadcast domain includes all of those switches.
A single broadcast domain can contain more than one IP subnet, however that is generally not considered good network design. IP subnets should be segregated into separate broadcast domains via the use of separate switches, or VLANs.

DHCP
Dynamic Host Configuration Protocol. A protocol to automate the assignment of IP addresses and related information on a network.

DMZ
A DMZ, or DeMilitarized Zone, is a segment of your network specifically for publicly accessible servers. If you are most familiar with residential class routers like Linksys and similar, these devices generally incorrectly refer to inbound NAT (opening ports from the internet to your LAN) as "DMZ" functionality.
A true DMZ resides on a separate broadcast domain from the LAN, typically on a separate switch using a third interface on the firewall. VLANs can also be used, but to eliminate the potential of a switch misconfiguration exposing your LAN to your DMZ and the potential effects of VLAN hopping attacks, this is not recommended.
The main purpose of a DMZ is to segregate Internet accessible servers from the LAN, to protect your trusted networks if a DMZ host is compromised.
Typical DMZ Configuration. The following diagram illustrates a typical DMZ configuration.
Figure 11. Typical DMZ Network
ESP
Encapsulating Security Payload. Encrypts and/or authenticates everything above the IPsec layer. ESP, most agree, renders AH completely unnecessary.
See Also http://www.networksorcery.com/enp/protocol/esp.htm.

FQDN
Fully Qualified Domain Name. The hostname of a computer, including its complete domain name, such as www.m0n0.ch.

ICMP
Internet Control Message Protocol. A protocol, layered on top of IP, used to send control messages between computers, such as ping.

IP
Internet Protocol. The protocol used to send packets across the Internet at layer three.
See Also ICMP, TCP.

IPsec
Secure transmission over IP. IPsec is an extension of the IP protocol used for encryption and authentication. Encryption occurs at the transport layer of the OSI model; the application doesn't have to support encryption for the encryption process to work. Therefore, all network traffic generated by applications can be encrypted regardless of the application.
See Also http://www.netbsd.org/Documentation/network/ipsec/.

LAN
Local Area Network. A network that typically includes computers which are physically close, such as in one office, usually connected with hubs and switches rather than routers.
See Also VPN, WAN.

MX Records
MX records are DNS records that enable mail servers to find the mail servers for another domain when sending internet email. When a mail server needs to send an email to example.com, it performs a DNS lookup of the MX record for the domain, and sends the email to the resulting host.

NIC
Network Interface Card. A.k.a. network card, or Ethernet card.

NAT
Network Address Translation. A technique whereby IP traffic from multiple IP addresses behind a firewall are made to look to the outside as if they all come from a single IP address.

OSI
Open Systems Interconnect

Proxy ARP
Proxy ARP is a technique for using the ARP protocol to provide an ad hoc routing mechanism. A multiport networking device (e.g. a router, firewall, etc.) implementing Proxy ARP will respond to ARP requests on one interface as being responsible for addresses of device addresses on another interface. The device can then receive and forward packets addressed to the other devices. (adapted from wikipedia.org)
In m0n0wall, Proxy ARP can be used for 1:1, advanced outbound, and server NAT, amongst other potential uses.

PPP
Point to Point Protocol.

PPTP
Point to Point Tunneling Protocol.

Racoon
A key management daemon. The magic behind the VPN power of m0n0wall.
See Also http://www.kame.net/racoon/.

TCP
Transmission Control Protocol. A protocol, layered on top of IP, that handles connections and reliable delivery.

VLAN
Virtual Local Area Network. VLANs are a common function of higher end switches. They allow segregation of ports on the switch into separate broadcast domains. This is generally done for security or performance reasons. In very large networks, the amount of broadcast traffic on the wire can inhibit the performance of the entire network. Segregating the network into multiple IP subnets and using VLANs to separate the broadcast domain

VPN
Virtual Private Network. A connection between two or more machines or networks where the data travels over an insecure network (typically the Internet), but is encrypted to prevent eavesdropping, and packaged on either end in order to make the two ends appear to be on a WAN.

WOL
Wake on LAN. Wake on LAN is a capability in some network cards permitting powering on the system over the network with a specially crafted "Magic Packet".
Generally a WOL cable must be attached from the NIC to the motherboard of the system. Most NICs built into the motherboard have this support built in. You must enable WOL in the BIOS of the machine. This is generally off by default.

WAN
Wide Area Network. A network that spans a large area, typically including routers, gateways, and many different IP address groups.
In the context of firewalls, the WAN interface is the one directly connected to the Internet. In the context of corporate networks, the WAN generally refers to the network that connects all of the organization's locations onto the corporate network. Historically this was accomplished with expensive private leased lines like frame relay and similar technologies. With the low cost and widespread availability of broadband Internet connections, many organizations are switching to using VPN in lieu of leased lines. VPN provides the same functionality, though is not as reliable as leased lines and has higher latency.
Appendix C. License
Table of Contents
C.1. The FreeBSD Copyright
C.2. The PHP License
C.3. mini_httpd License
C.4. ISC DHCP Server License
C.5. ipfilter License
C.6. MPD License
C.7. ezipupdate License
C.8. Circular log support for FreeBSD syslogd License
C.9. dnsmasq License
C.10. racoon License
C.11. General Public License for the software known as MSNTP
C.12. ucd-snmp License
C.12.1. CMU/UCD copyright notice
C.12.2. Networks Associates Technology, Inc copyright notice
C.12.3. Cambridge Broadband Ltd. copyright notice
C.13. choparp License
C.14. bpalogin License
C.15. php-radius License
C.16. wol License

m0n0wall is Copyright 2002-2008 by Manuel Kasper <mk@neon1.net>. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE FREEBSD PROJECT ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FREEBSD PROJECT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The views and conclusions contained in the software and documentation are those of the authors and should not be interpreted as representing official policies, either expressed or implied, of the FreeBSD Project.

"This product includes PHP, freely available from <http://www.php.net/>".

THIS SOFTWARE IS PROVIDED BY THE PHP DEVELOPMENT TEAM ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE PHP DEVELOPMENT TEAM OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 1999, 2000 by Jef Poskanzer <jef@acme.com>. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
ORINCONNECTIONWITHTHEUSEORPERFORMANCEOFTHISSOFTWARE.
Copyright 2003-2004, Archie L. Cobbs, Michael Bretterklieber, Alexander Motin. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the authors nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 1998-2001 Angus Mackay. All rights reserved;

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright 2001 Jeff Wheelhouse (jdw@wwwi.com)

This code was originally developed by Jeff Wheelhouse (jdw@wwwi.com).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY JEFF WHEELHOUSE ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JEFF WHEELHOUSE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright, N.M. Maclaren, 1996, 1997, 2000
Copyright, University of Cambridge, 1996, 1997, 2000

Free use of MSNTP in source and binary forms is permitted, provided that this entire license is duplicated in all copies, and that any documentation, announcements, and other materials related to use acknowledge that the software was developed by N.M. Maclaren (hereafter referred to as the Author) at the University of Cambridge. Neither the name of the Author nor the University of Cambridge may be used to endorse or promote products derived from this material without specific prior written permission.

The Author and the University of Cambridge retain the copyright and all other legal rights to the software and make it available non-exclusively. All users must ensure that the software in all its derivations carries a copyright notice in the form:

Copyright N.M. Maclaren,
Copyright University of Cambridge.
NO WARRANTY
Because the MSNTP software is licensed free of charge, the Author and the University of Cambridge provide absolutely no warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the MSNTP software is with you. Should MSNTP prove defective, you assume the cost of all necessary servicing or repair.
COPYING POLICY
Permission is hereby granted for copying and distribution of copies of the MSNTP source and binary files, and of any part thereof, subject to the following license conditions:
1. You may distribute MSNTP or components of MSNTP, with or without additions developed by you or by others. No charge, other than an "at cost" distribution fee, may be charged for copies, derivations, or distributions of this material without the express written consent of the copyright holders.
2. You may also distribute MSNTP along with any other product for sale, provided that the cost of the bundled package is the same regardless of whether MSNTP is included or not, and provided that those interested only in MSNTP must be notified that it is a product freely available from the University of Cambridge.
3. If you distribute MSNTP software or parts of MSNTP, with or without additions developed by you or others, then you must either make available the source to all portions of the MSNTP system (exclusive of any additions made by you or by others) upon request, or instead you may notify anyone requesting source that it is freely available from the University of Cambridge.
4. You may not omit any of the copyright notices on either the source files, the executable files, or the documentation.
5. You may not omit transmission of this License agreement with whatever portions of MSNTP that are distributed.
6. Any users of this software must be notified that it is without warranty or guarantee of any nature, express or implied, nor is there any fitness for use represented.
October 1996
April 1997
October 2000
Copyright 1989, 1991, 1992 by Carnegie Mellon University
Derivative Work 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California
All Rights Reserved
Permission to use, copy, modify and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appears in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of CMU and The Regents of the University of California not be used in advertising or publicity pertaining to distribution of the software without specific written permission.
CMU AND THE REGENTS OF THE UNIVERSITY OF CALIFORNIA DISCLAIM ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL CMU OR THE REGENTS OF THE UNIVERSITY OF CALIFORNIA BE LIABLE FOR ANY SPECIAL,
Copyright 2001-2002, Networks Associates Technology, Inc
All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of the Networks Associates Technology, Inc nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
choparp - cheap & omitted proxy arp
Copyright 1997 Takamichi Tateoka (tree@mma.club.uec.ac.jp)
Copyright 2002 Thomas Quinot (thomas@cuivre.fr.eu.org)
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the authors nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by Edwin Groothuis.
4. Neither the name of Edwin Groothuis may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.