Building a broadband router with FreeBSD

The text below was written from the information available at the time of writing, so be aware that parts of it may no longer fit the present situation. It is also the final submitted manuscript before proofreading, so it differs from what was actually printed in UNIX USER magazine; typos and the like are left as they are.

Nothing but fatal errors will be corrected or added to, so use it with the age of the information in mind.

Contents


Part II 

2001ADSL
2001
ADSL
2001
ADSL
ADSL



TCP/IP

PC-Unix

LANUnix
10BASE
100BASE



10
LAN

		Sun3, SparcStation 1, 1+
	IF		10BASE-5
			1.5Mbps

CPU
ADSL

100MHzPentiumCPU

PC10Mbps

PC-Unix1PC
PC
200MHz600MHzPC



 FreeBSD  Linux ADSLPC


Making FreeBSD the ADSL (PPPoE) router

Using FreeBSD 4.4-RELEASE, a PC is turned into the ADSL (PPPoE) router. The provider assigns a single IP address, which the router PC takes for itself;
the PCs on the LAN behind it, which have private addresses, share that one address through NAT
(figure).

---[ ]------------------------------------------------------------

                     ()
[Internet] ---PPPoE--[PC]
                       |
                       |NAT
                       |
                       |          ()
         +-------------+----+---------+----------
         |                  |         |
      [pc1]               [pc2]      [pc3] ....

----------------------------------------------------------------------

Two NICs are needed

  The router PC needs two network interface cards (NICs): one connected to the
  ADSL modem and one connected to the LAN. An ordinary PC has at most one, so a
  second card usually has to be added.

  The NICs used here are an Intel EtherExpressPRO+ (recognised by FreeBSD as
  fxp0) and a 3Com Fast Etherlink (xl0).

OS

  The OS installed on the router PC is FreeBSD 4.4-RELEASE, the current release
  at the time of writing. The Japanese-localised boot floppy images used below
  come from
  
 : ftp://daemon.jp.freebsd.org/pub/FreeBSD-jp/I18N-flp/4.4-RELEASE/
         (the release itself is installed from CD-ROM)
   (images as of 2001-11-21)
  

	# dd if=kern_ja-20011112.flp of=/dev/rfd0a
	# dd if=mfsroot_ja-20011112.flp of=/dev/rfd0a

  Write the two images to two floppies and boot the PC from the kern_ja floppy. When it stops with

	Please insert MFS root floppy and press enter

  swap in the mfsroot_ja floppy and press [Enter]. The next menu is

	Skip kernel configuration and continue with installation
	Start kernel configuration in full-screen visual mode
	Start kernel configuration in CLI mode

  Press [Enter] to skip kernel configuration (it is only needed to change device settings when the probe goes wrong) and the FreeBSD installer's main menu appears
  (figure).

---[ ]------------------------------------------------------------


       %image(install-0.png)


----------------------------------------------------------------------

   Choose Standard.

  Here the whole hard disk is given to FreeBSD (if the HDD of the PC holds another
  OS you want to keep, partition it accordingly instead). In the "FDISK Partition
  Editor" press a (= use entire disk) (figure).

---[ ]------------------------------------------------------------


       %image(install-fdisk.png)


----------------------------------------------------------------------

  Press q (= Finish) to leave the FDISK Partition Editor. The installer then asks
  which boot code to write to the disk:

	BootMgr		Install the FreeBSD boot Manager
	Standard	Install a standard MBR (no boot manager)
	None		Leave the Master Boot Record untouched

   Choose BootMgr.

   The FreeBSD Disklabel Editor comes next; it divides the FreeBSD slice into the
  partitions the OS needs (/, swap, /var, /usr ...).
   Press a (= Auto Defaults) to accept the default layout
  (figure).

---[ ]------------------------------------------------------------


       %image(install-disklabel.png)


----------------------------------------------------------------------

----   Partition sizes and OS upgrades ------------------------

Auto Defaults in the FreeBSD Disklabel Editor gives the rest of the disk to /usr
(the other partitions get fixed sizes).
How large /usr is decides how comfortable later OS upgrades are.

An OS upgrade is either a fresh install (newfs and reinstall everything), or
an upgrade of FreeBSD from source: with the source tree in /usr/src, run

	# cd /usr/src
	# make world

To follow RELEASEs that way, /usr has to hold /usr/src and the build products
under /usr/obj, so do not make it small (or keep the source elsewhere).

-------------------------------------------------------------------------

  Press q in the Disklabel Editor to get to "Choose Distributions". For a router
  PC that does not run X, User is enough; choose X-User if you want X as well.
  Because the kernel source is needed later (to rebuild the ipfw module or the
  kernel), also select Kern-Developer (or X-Kern-Developer when X is wanted),
  which includes it, then Exit.
  
---[ ]------------------------------------------------------------


       %image(install-choosedist.png)


----------------------------------------------------------------------

  The installation media used here (December 2001) is the FreeBSD 4.4-RELEASE
  CD-ROM; with a network connection an FTP install works as well.

  When the files have been copied the installer asks a series of YES/NO
  questions.

	Would you like to configure any SLIP/PPP or network interfaces?
	 YES, and configure the LAN-side NIC (fxp0 here) with its IP address.
	 (The ADSL-side NIC gets no address of its own; ppp brings it up for PPPoE later.)

	Do you want this machine to function as a network gateway?
  For a router the answer is YES (figure).
  This writes gateway_enable="YES" into /etc/rc.conf, which turns on IP forwarding
  at boot; on a running system the same is done with

	# sysctl -w net.inet.ip.forwarding=1

  (figure)
  Without IP forwarding the PC only talks for itself and does not pass packets
  between the LAN and the ADSL side, so the LAN PCs would get nowhere.

---[ ]------------------------------------------------------------


       %image(install-gateway.png)


----------------------------------------------------------------------

  

   Do you want to allow anonymous FTP access?
    The router has no business being an anonymous FTP server:
    answer NO (an anonymous FTP service exposed to the Internet
    is an attack surface you do not need on a router).

  Do you want to configure this machine as an NFS server / client?
    Neither is needed on a router:
  NO to both.

  Would you like to set this machine's time zone now?
    YES; in the region menu choose 5 (Asia), then
    Tokyo.

  When the questions are done, remove the floppy (and CD-ROM) and reboot;
  FreeBSD comes up from the hard disk.

PPPoE

  FreeBSD has two ways of speaking PPPoE:

	* ppp (user-ppp)
	* rp-pppoe

  rp-pppoe was written for Linux and has been ported to FreeBSD, so if you
  already use it on Linux it is an option on FreeBSD too.

  Here the user-ppp that comes with FreeBSD is used.

  Making user-ppp speak PPPoE

    user-ppp drives PPPoE through netgraph, so the kernel must provide it, either
    built in with

	options NETGRAPH

    or as modules. With FreeBSD 4.4-RELEASE no kernel rebuild is needed: the
    GENERIC kernel of 4.4-RELEASE does not contain NETGRAPH, but ppp(8) loads
    the netgraph, ng_ether, ng_pppoe and ng_socket modules itself when it starts
    a PPPoE link.

    The ADSL/PPPoE parameters used in the example:

	IP address (assigned by provider)	192.168.1.12
	PPPoE account				PPPoEaccount@provider
	PPPoE password				PPPoEpassword
	LAN network				10.0.1.0/24
	LAN-side NIC				fxp0 (Intel EtherExpress PRO+)
	ADSL-side NIC				xl0 (3Com Fast Etherlink)
	host name				venus

---[ note ]------------------------------------------------------------
 The IP address 192.168.1.12 above is only a stand-in for the global
 address the provider assigns. It is learned from the provider when the
 link comes up and is not written into ppp.conf.
----------------------------------------------------------------------

    Write /etc/ppp/ppp.conf as follows:

default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device PPPoE:xl0
 set speed sync
 set mru 1454
 set mtu 1454
 set ctsrts off
 set openmode active

pppoe:
 accept chap
 accept pap
 set authname PPPoEaccount@provider
 set authkey PPPoEpassword
 set filter dial 0 deny icmp
 set filter dial 1 permit 0/0 0/0
 set filter alive 0 deny icmp
 set filter alive 1 permit 0/0 0/0
 add default HISADDR

    

    * set log
	which events ppp writes to /var/log/ppp.log
    * ident
	identification string sent to the peer (optional)
    * set device
	the device PPP runs over. For PPPoE it is not a serial port but
		PPPoE:<NIC connected to the ADSL modem>
	(xl0 here)
    * set speed
	the line speed; for PPPoE it is always sync
    * set mru, set mtu
	the largest packet received (MRU) and sent (MTU) on the link. On PPPoE
	the upper limit is 1492 (1500-byte Ethernet payload minus the 8-byte
	PPPoE/PPP header); the ADSL service used here works with 1454, so check
	what your provider specifies
    * set ctsrts
	hardware flow control; meaningless on PPPoE, so off
    * set openmode
	whether ppp opens LCP itself (active) or waits for the peer (passive)
    * accept
	the authentication protocols (chap, pap) ppp accepts from the peer
    * set authname
	the account name the provider gave you
    * set authkey
	its password
    * set filter dial
	packets that bring the link up when it is down (dial-on-demand)
    * set filter alive
	packets that count as activity and keep an idle link from being dropped;
	both filters exclude icmp here, so a ping alone neither dials nor keeps
	the link alive. dial/alive matter for on-demand links; see
	/usr/share/examples/ppp/ppp.conf.sample
	for the details
    * add default
	adds the default route through HISADDR, the peer's IP address, which
	ppp fills in when the link comes up

    With ppp.conf written, start ppp with the pppoe label (the section name in
    ppp.conf):
    

	# ppp pppoe
	  ~~~~~~~~~
    ppp comes up in interactive mode; at its prompt, type dial:

	ppp on venus> dial
		      ~~~~
    As the link comes up the letters of the prompt change from lower to upper
    case, one per phase (p becomes P):

	ppp on venus>
	Ppp on venus>
	PPp on venus>
	PPP on venus>

    At "PPP on venus>" the link is up and the tun0 interface carries the addresses:

	# ifconfig tun0
	tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1454
	        inet6 fe80::250:56ff:fed9:a2db%tun0 prefixlen 64 scopeid 0x6 
		inet 192.168.1.12 --> 192.168.1.1 netmask 0xffffff00 
		Opened by PID 886

    

	* the ADSL modem (power, line sync, the ADSL link indicator)
	* the cable between the ADSL modem and the PC's ADSL-side NIC
	* the interface name in set device (xl0 here)
	* typos in ppp.conf, in particular the account name and password
	* /var/log/ppp.log, which records what ppp did in each phase

    Once user-ppp connects by hand, have the PPPoE link come up at boot by
    adding to /etc/rc.conf:
    

	---[ /etc/rc.conf ]---
	  :
	  :(other settings)
	  :
	ppp_enable=YES
	ppp_mode=dedicated
	ppp_profile=pppoe

    meaning

	* ppp_enable: start ppp at boot
	* ppp_mode: dedicated keeps the link up permanently (no dial-on-demand, no idle timeout)
	* ppp_profile: the label in ppp.conf to use (pppoe above)
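The check a practitioner runs when the prompt says PPP but nothing works, as an added example that is not part of the original article: it parses ifconfig(8) and netstat(8) output (passed in as strings, so it works on the constructed samples below as well as on a live box with `link_ok "$(ifconfig tun0)" "$(netstat -rn)"`) and confirms that tun0 has its addresses and that the default route really points at the PPPoE peer. The tun0 sample mirrors the article's output; the routing table sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies the two things that
# "add default HISADDR" and a successful dial should have produced.

# Constructed samples (the tun0 one mirrors the article's ifconfig output).
SAMPLE_IFCONFIG='tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1454
	inet6 fe80::250:56ff:fed9:a2db%tun0 prefixlen 64 scopeid 0x6
	inet 192.168.1.12 --> 192.168.1.1 netmask 0xffffff00
	Opened by PID 886'
SAMPLE_NETSTAT='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expires
default            192.168.1.1        UGSc        3      120   tun0
10.0.1/24          link#1             UC          0        0   fxp0
127.0.0.1          127.0.0.1          UH          0        0    lo0
192.168.1.1        192.168.1.12       UH          1        0   tun0'

# tun_addrs IFCONFIG_OUTPUT: print "<local> <peer>" from the inet line of a
# point-to-point interface; exit 1 when there is no IPv4 address yet.
tun_addrs() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && $3 == "-->" { print $2, $4; found = 1 }
        END { exit found ? 0 : 1 }'
}

# default_gw NETSTAT_OUTPUT: print the gateway of the IPv4 default route.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" { print $2; exit }'
}

# link_ok IFCONFIG_OUTPUT NETSTAT_OUTPUT
#   0: tun0 is up with addresses and the default route goes to the peer
#   1: tun0 carries no IPv4 address (link not negotiated)
#   2: the default route points somewhere else (add default HISADDR missing,
#      or a static default route on the LAN NIC shadows it)
link_ok() {
    addrs=$(tun_addrs "$1") || return 1
    peer=${addrs#* }
    gw=$(default_gw "$2")
    [ "$gw" = "$peer" ] || return 2
    return 0
}

# run on a live router:  link_ok "$(ifconfig tun0)" "$(netstat -rn)"
```

On a router the LAN NIC was configured by the installer, so a leftover `defaultrouter` line in /etc/rc.conf is the usual reason for return code 2: the static route wins over the one ppp adds.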

    
    

Connecting the LAN

  With the PPPoE link up, the router PC itself can reach the Internet,
  but the PCs on the LAN still cannot. The ADSL line comes with a single
  IP address, so the LAN PCs, which have private addresses, can only get
  out by sharing that one address: NAT.

  NAT on FreeBSD

    FreeBSD offers three ways to do NAT:

	1. ppp -nat (the NAT built into user-ppp)
	2. ipfw (IP Firewall) plus natd
	3. ipnat (IP Filter)

    Since the link is already run by user-ppp, method 1 is the least work
    and is what is used here.

  ppp -nat

    Started with -nat, user-ppp translates addresses between the LAN and
    the WAN itself. Putting

	ppp_nat=YES

    into /etc/rc.conf makes the boot scripts start ppp with -nat. Alternatively
    add

	nat enable yes

    to the profile in /etc/ppp/ppp.conf. Either way, the LAN PCs can now reach
    the Internet through the router.

---[ note ]----------------------------------------------------------
In 4.4-RELEASE, /etc/defaults/rc.conf already contains ppp_nat=YES. If you use
IP Filter (ipnat) or IP Firewall (ipfw+natd) for NAT instead, set ppp_nat=NO in
/etc/rc.conf so that user-ppp's own NAT does not run alongside it.
----------------------------------------------------------------------

()

  
  
  
  
  

  
  
  
  
  
  
  
  

	* Web
	* 
	* 

  /
  
  ()
  
  

  
  
  
  
   apache 
  httpd.conf  .htaccess 
  
  

  IP Firewall

    IP Firewall (ipfw) is FreeBSD's packet filter. It is turned on in
    /etc/rc.conf with

	firewall_enable=YES
	
    ipfw compares every packet entering or leaving the router with a list of
    rules you write and passes or drops it accordingly. Because all traffic
    between the LAN and the ADSL line goes through the router, the same
    rule set serves two purposes:

	* keeping unwanted packets away from the router itself
	* keeping them away from the PCs on the LAN

    The rest of this section first shows how ipfw behaves, then builds the
    rule set for the router PC step by step.

  Getting IP Firewall to log

    To see what the firewall drops, ipfw must be built with logging. In
    FreeBSD 4.4-RELEASE the ipfw module that firewall_enable=YES loads is
    built without it, so one of the following is needed:

	* rebuild /modules/ipfw.ko with logging (no kernel rebuild)

	  In /usr/src/sys/modules/ipfw/Makefile the lines

	  #If you want it verbose
	  #CFLAGS+= -DIPFIREWALL_VERBOSE

	  are changed to

	  #If you want it verbose
	  CFLAGS+= -DIPFIREWALL_VERBOSE

	  and the module is rebuilt and installed:

		# cd /usr/src/sys/modules/ipfw
		# make && make install

	  The new ipfw.ko takes effect the next time the module is loaded,
	  i.e. after a reboot.

	* build IPFIREWALL into the kernel

	  Add IPFIREWALL_VERBOSE together with IPFIREWALL to the kernel
	  configuration and rebuild the kernel:

	  options      IPFIREWALL              #firewall
	  options      IPFIREWALL_VERBOSE      #print information about
	                                       # dropped packets

	  (A kernel with IPFIREWALL built in drops everything until rules are
	  loaded, unless IPFIREWALL_DEFAULT_TO_ACCEPT is set as well.)

    Either way, packets matched by rules carrying the log keyword are recorded
    by syslog in /var/log/security, which can be watched with

	# tail -f /var/log/security


    

  ipfw basics

    To see how ipfw behaves before writing any rules, put in
    /etc/rc.conf

	firewall_enable=YES
	firewall_type=closed

    and reboot. firewall_type=closed loads only the loopback rules, so the rule list (ipfw l) looks like this (figure):

---[ ]----------------------------------------------------------
# ipfw l
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65535 deny ip from any to any
----------------------------------------------------------------------

    An ipfw rule set is a list of numbered rules. A packet is compared with
    the rules in ascending number order, and the first rule that matches
    decides what happens to it (allow or deny). Rule 65535 is ipfw's built-in
    default and cannot be deleted; with the module or kernel built as shipped
    it denies every IP packet, so anything no earlier rule has allowed is
    dropped.

    When ipfw add is given no rule number, the new rule gets the number of
    the last rule plus 100 (the first rule becomes 100, the next 200, and
    so on).

    In the list above, rule 100 allows everything on the loopback interface
    (lo0); rules 200 and 300 then deny packets to or from the loopback network
    127.0.0.0/8 that try to enter or leave by any other interface (such
    packets can only be forged). firewall_type=closed adds nothing else, so
    rule 65535 drops all remaining traffic: the router talks to nobody, which
    is the safe starting point.

    A rule is written as

    ipfw add [<number>] [prob <probability>] <action> [log [logamount <number>]] \
	 <proto> from <src> to <dst> \
	  [<interface-spec>] [<options>]

    Items in square brackets are optional. "prob" makes the rule match only
    with the given probability (0 to 1); it is rarely needed and is left out
    below.


    <action> is one of:

	allow		pass the packet (also written pass, permit, accept)
	deny		drop the packet silently (also drop)
	unreach <code>	drop the packet and send an ICMP unreachable notice
			with the given code to the sender
	reset		(TCP only) drop the packet and send a TCP reset notice;
			typically used for the ident (113) lookups SMTP servers
			make, so they get an answer at once instead of waiting
			for a timeout
	count		count the packet and go on with the next rule
			(no decision is made)
	check-state	check the packet against the dynamic rules created by
			keep-state; if one matches the packet is passed,
			otherwise matching continues with the next rule
	divert <port>	hand the packet to the divert(4) socket bound to <port>;
			this is how natd gets its packets
	tee <port>	like divert, but a copy goes to the socket and the
			original continues through the rules
	fwd <address>[,<port>]
			forward the packet to <address> (and <port>); needs
			IPFIREWALL_FORWARD in the kernel, see ipfw(8)
	pipe <number>	pass the packet through dummynet(4) pipe <number>
			(bandwidth and delay shaping)
	queue <number>	pass the packet through dummynet(4) queue <number> (WF2Q)
	skipto <number>	continue matching at rule <number>

    <proto> is a protocol name from /etc/protocols (tcp, udp, icmp ...) or a
    protocol number; ip or all matches any protocol.

    <src> and <dst> are each one of:

	any				any address
	me				any address configured on this host
	[not] <address>			the given host or network; with not,
					everything except it

      where <address> is written as
    
	x.y.z.w			a single IP address (host)
	x.y.z.w/<bits>		a network: the first <bits> bits of the address
				are compared (CIDR notation)
	x.y.z.w:a.b.c.d		the network x.y.z.w with netmask a.b.c.d

     For tcp and udp, <src> and <dst> may be followed by a port, a
     comma-separated list of ports, or a range written a-b.

     <interface-spec> restricts the rule to a direction and/or an interface:

	in		incoming packets only
	out		outgoing packets only
	via <ifname>	packets going through interface <ifname>, in or out
	via <prefix>*	packets going through any interface whose name begins
			with <prefix> (e.g. via fxp*)
	via any		packets going through any interface
	via <ipaddr>	packets going through the interface that has the
			address <ipaddr>

    "via" matches the interface the packet is received on as well as the one
    it is sent out of; to check only one of them use "recv" or "xmit" in its
    place, see ipfw(8).

     <options> is zero or more of:

	keep-state	on a match, create a dynamic rule that passes the rest
			of this flow (same protocol, IP addresses and ports) in
			both directions; dynamic rules are consulted at the
			first keep-state or check-state rule encountered
	bridged		only packets being bridged
	frag		only fragments other than the first (they carry no
			port numbers)
	ipoptions <spec>
			IP options present in the packet: ssrr, lsrr, rr, ts
			(comma-separated; prefix ! to require absence)
	tcpoptions <spec>
			TCP options present: mss, window, sack, ts, cc
			(same syntax, prefix ! to require absence)
	established	(TCP) packets with RST or ACK set, i.e. belonging to
			an existing connection
	setup		(TCP) packets with SYN set and ACK clear, i.e.
			connection requests
	tcpflags <spec>	(TCP) TCP flags fin, syn, rst, psh, ack, urg
			(comma-separated, prefix ! to require absence)
	icmptypes <types>
			(ICMP) only the listed ICMP types (comma-separated)
	uid <user>	packets sent or received by a socket owned by <user>
			(name or numeric ID)
	gid <group>	likewise for group <group>
    
    For the full syntax see ipfw(8) and the Firewalls chapter of the FreeBSD
    Handbook:
    http://docs.freebsd.org/handbook/ja/4.3R/firewalls.html
    

    * the LAN

      Packets between the LAN (fxp0, 10.0.1.0/24) and the router itself are
      passed without further conditions:

      ipfw add allow ip from 10.0.1.0/24 to me via fxp0
      ipfw add allow ip from me to 10.0.1.0/24 via fxp0

      (Every rule needs an action; without allow these two lines are a syntax
      error.) The LAN is trusted here; if it is not, be more selective.

    * established TCP connections

      Packets belonging to TCP connections that already exist are passed,
      whichever side opened them; fragments other than the first are passed
      too, because they carry no port numbers to check:

      ipfw add allow tcp from any to any established
      ipfw add allow ip  from any to any frag

    * TCP connections from the LAN to the outside

      Connection requests (setup) from the LAN, and from the router itself, may go anywhere:

      ipfw add allow tcp from 10.0.1.0/24 to any setup
      ipfw add allow tcp from me to any setup

    * UDP

      Only DNS (53) and NTP (123) are needed; keep-state lets the replies back in:

      ipfw add allow udp from 10.0.1.0/24 to any 53 keep-state
      ipfw add allow udp from me to any 53 keep-state
      ipfw add allow udp from 10.0.1.0/24 to any 123 keep-state
      ipfw add allow udp from me to any 123 keep-state

    * services offered to the outside

      The services the router itself runs for the Internet, here SSH (22), SMTP (25),
      HTTP (80) and POP3 (110). Open only the ports of services you really run;
      SMTP and POP3 carry passwords and mail in the clear.

      ipfw add allow tcp from any to me 22
      ipfw add allow tcp from any to me 25
      ipfw add allow tcp from any to me 80
      ipfw add allow tcp from any to me 110

    * ICMP

      So that ping and error reports work, ICMP is passed in both directions:

      ipfw add allow icmp from any to any

    * everything else

      Finally everything not matched above is denied with logging. Rule
      65535 would drop it anyway, but with an explicit rule the dropped
      packets appear in /var/log/security (add logamount to cap the number
      of log lines if a port scan floods the log):

      ipfw add deny log ip from any to any

	-	-	-

    Collected into /etc/rc.firewall.local the rules look like this. The rc
    scripts run this file as a shell script, so every line must be a complete
    ipfw command:

---[  /etc/rc.firewall.local]---------------------------------
# IP Firewall rule definition
#
# start from an empty rule table so this file can be re-run by hand
ipfw -f flush
# packets from/to lo0
ipfw add allow ip from any to any via lo0
ipfw add deny ip from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any
# LAN
ipfw add allow ip from 10.0.1.0/24 to me via fxp0
ipfw add allow ip from me to 10.0.1.0/24 via fxp0
# established tcp connection
ipfw add allow tcp from any to any established
# fragments
ipfw add allow ip from any to any frag
# from LAN to outside
ipfw add allow tcp from 10.0.1.0/24 to any setup
ipfw add allow tcp from me to any setup
# essential UDP's
ipfw add allow udp from 10.0.1.0/24 to any 53 keep-state
ipfw add allow udp from me to any 53 keep-state
ipfw add allow udp from 10.0.1.0/24 to any 123 keep-state
ipfw add allow udp from me to any 123 keep-state
# pass SSH, SMTP, HTTP, POP3
ipfw add allow tcp from any to me 22
ipfw add allow tcp from any to me 25
ipfw add allow tcp from any to me 80
ipfw add allow tcp from any to me 110
# allow ICMP
ipfw add allow icmp from any to any
#
# Then, deny all with logging
ipfw add deny log ip from any to any
----------------------------------------------------------------------

    
    To have it loaded at boot instead of the firewall_type rule sets, point
    /etc/rc.conf at the file:

    firewall_enable="YES"
    firewall_script="/etc/rc.firewall.local"
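The same rule set written the way I would deploy it, as an added example that is not part of the original article: a shell function with explicit rule numbers, a flush so the script is safe to re-run, a cap on the catch-all log rule, and anti-spoofing rules on the PPPoE side that the article's list lacks. Interface names and networks follow the article (fxp0 = LAN, 10.0.1.0/24; tun0 = the user-ppp interface); the rule numbers, the `rule` helper and the `IPFW=echo` dry-run switch are my own.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the router's ipfw rule
# set; run with IPFW=echo to print the commands instead of loading them.

IPFW=${IPFW:-/sbin/ipfw}
LAN_IF=fxp0
LAN_NET=10.0.1.0/24
WAN_IF=tun0

# rule NUMBER RULE...: add one rule at an explicit number (several rules may
# share a number; they are tried in the order they were added)
rule() { "$IPFW" add "$@"; }

# build_rules [ports]: load the complete rule set; the optional argument is
# the list of TCP ports the router serves to the Internet
build_rules() {
    serve="${1:-22 25 80 110}"

    "$IPFW" -f flush               # only the default rule 65535 remains

    # loopback
    rule 100 allow ip from any to any via lo0
    rule 200 deny ip from any to 127.0.0.0/8
    rule 300 deny ip from 127.0.0.0/8 to any

    # anti-spoofing on the ADSL side: private source addresses, including
    # our own LAN prefix, never legitimately arrive from the Internet.
    # Outbound packets are deliberately not checked here: user-ppp
    # translates them only after they have left tun0, so ipfw still sees
    # the 10.0.1.x source on the way out.
    # (The article's 192.168.1.12 stands in for a global address; if your
    # provider really hands out RFC 1918 addresses, drop rule 412.)
    rule 410 deny log ip from 10.0.0.0/8 to any in via $WAN_IF
    rule 411 deny log ip from 172.16.0.0/12 to any in via $WAN_IF
    rule 412 deny log ip from 192.168.0.0/16 to any in via $WAN_IF

    # LAN <-> router
    rule 500 allow ip from $LAN_NET to me via $LAN_IF
    rule 510 allow ip from me to $LAN_NET via $LAN_IF

    # established TCP connections and non-first fragments
    rule 600 allow tcp from any to any established
    rule 610 allow ip from any to any frag

    # connections from the LAN and from the router to the outside
    rule 700 allow tcp from $LAN_NET to any setup
    rule 710 allow tcp from me to any setup

    # DNS and NTP, with dynamic rules for the replies
    for p in 53 123; do
        rule 800 allow udp from $LAN_NET to any $p keep-state
        rule 810 allow udp from me to any $p keep-state
    done

    # services the router offers to the Internet
    for p in $serve; do
        rule 900 allow tcp from any to me $p
    done

    rule 1000 allow icmp from any to any

    # everything else: deny and log, but cap the log lines per rule so a
    # port scan cannot fill /var/log/security
    rule 65000 deny log logamount 500 ip from any to any
}

# dry run:  IPFW=echo sh rules.sh apply      real load:  sh rules.sh apply
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```

Because the numbers are explicit, `ipfw show` output stays readable after the script has been re-run, and a single rule can be replaced with `ipfw delete N` followed by a new `ipfw add N ...` without touching the rest.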

DHCP server

With the LAN connected, giving every PC a fixed address by hand is tedious;
a DHCP server on the router hands out IP addresses to the PCs automatically.
ISC-DHCP3 is used as the DHCP server here.

  Installing ISC-DHCP3

  ISC-DHCP3 is in the FreeBSD Packages Collection. Fetch the package, e.g.
  from
  ftp://ftp.jp.freebsd.org/pub/FreeBSD/ports/i386/packages-4.4-release/net/
  (isc-dhcp3-3.0.r11.tgz at the time of writing), and install it with

	# pkg_add isc-dhcp3-3.0.r11.tgz

  which puts everything under /usr/local. To build from source instead, get
  the tarball from ftp://ftp.isc.org/isc/dhcp/ and build it like this:

	(for dhcp-3.0.1rc6.tar.gz)
	# tar vzxpf dhcp-3.0.1rc6.tar.gz
	# cd dhcp-3.0.1rc6
	# less README		(read the README first)
	# ./configure && make && make install

  A source build installs under /usr (the prefix can be changed in
  Makefile.conf). The server program is called dhcpd, and it reads
  its configuration from dhcpd.conf: the package version expects it in
  /usr/local/etc, a source build in /etc.

  The LAN used here:

	network			10.0.1.0
	netmask			255.255.255.0
	router (this PC)	10.0.1.1
	name server		ns.example.com

  The client PCs get their addresses from a pool; the dhcpd.conf below uses
  10.0.1.200 to 10.0.1.253 (adjust the range, e.g. to 10.0.1.100 to
  10.0.1.120, to suit the LAN):

----------------------------------------------------------------------
#
# dhcpd.conf
#

# domain and name server handed to the clients (a host name here is
# resolved once when dhcpd starts; an IP address avoids depending on DNS)
option domain-name "example.com";
option domain-name-servers ns.example.com;
# no dynamic DNS updates (required setting in dhcp 3)
ddns-update-style none;

# lease times in seconds
default-lease-time 600;
max-lease-time 7200;

# syslog facility for dhcpd's messages
log-facility local7;

# the LAN
subnet 10.0.1.0 netmask 255.255.255.0 {
	# default gateway for the clients: this router
        option routers 10.0.1.1;
        # Unknown clients get this pool.
        pool {
		# IP addresses handed out
                range 10.0.1.200 10.0.1.253;
		# any PC may ask, not only ones listed with a host entry
                allow unknown clients;
        }
}
----------------------------------------------------------------------

  Starting dhcpd

  The package installs
  /usr/local/etc/rc.d/isc-dhcpd.sh.sample; copy it to isc-dhcpd.sh
  (without .sample) and dhcpd is started at boot. For a source build,
  where dhcpd lands in /usr/sbin, put a script like the following into
  /usr/local/etc/rc.d instead:
---[ /usr/local/etc/rc.d/dhcpd.sh ]-----------------------------------
#!/bin/sh
# start/stop script for a source-built dhcpd (installed in /usr/sbin)

OPTIONS=""
# interfaces dhcpd listens on: restrict it to the LAN NIC (fxp0 here) so
# it never answers requests on the ADSL side
IFACES="fxp0"

case "$1" in
start)  
        /usr/sbin/dhcpd $OPTIONS $IFACES > /dev/null 2>&1
        echo -n ' dhcpd'
        ;;
stop)   
        killall dhcpd
        ;;
restart)
        $0 stop
        $0 start
        ;;
status) 
        # show the running dhcpd (not conserver, which the sample this
        # was copied from looked for)
        ps -auxww | egrep 'dhcpd' | egrep -v "($0|egrep)"
        ;;
*)
        echo "usage: ${0##*/} {start|stop|restart|status}" >&2
        ;;
esac

exit 0
----------------------------------------------------------------------

   dhcpd refuses to start when its lease database does not exist, so create an empty one first:

	# touch /var/db/dhcpd.leases

  Then start dhcpd in the foreground to check dhcpd.conf:

	# dhcpd -d

  With -d, dhcpd stays in the foreground and logs to the terminal, so errors in
  dhcpd.conf and the requests from the PCs can be watched; once it works, start
  it through the rc.d script.

yuuji@gentei.org
Fingerprint16 = FF F9 FF CC E0 FE 5C F7 19 97 28 24 EC 5D 39 BA
HIROSE Yuuji