Building a powerful FreeBSD firewall based on PF and IPFW
Create a FreeBSD firewall appliance with PF, IPFW, DUMMYNET, OpenVPN, DHCPD Server, BIND, NTOP, PFTOP, WEBMIN, Apache and NAGIOS.
Published by: Ian on Feb 08, 2009
Copyright: Public Domain
Building a FreeBSD OpenVPN Firewall Appliance
PF, IPFW Dummynet, OpenVPN w/ Active Directory Authentication, Nagios and NTOP
By: Ian Evans
Version 5

Document History

Version  Description                                  Date      Author
1        Draft Preliminary                            01/01/08  Ian Evans
2        Core Production                              02/01/08  Ian Evans
3        Mods, Illustrations and Additional Material  05/01/09  Ian Evans
4        Additional Illustrations                     11/01/09  Ian Evans
5        Major revisions, added FreeBSD 8 support     03/16/10  Ian Evans

Document Contributors and Authors

Author: Ian Evans
Disclaimer: Use this guide at your own risk! I accept no responsibility for damages that may occur.

This guide comes after many painful hours getting everything set up just right. The most challenging part of this process will most likely be the problems encountered with missing or broken packages in the ports system. I found that using a combination of ports and pkg_add seemed to do the trick. Be patient, because you will find the end product to be one of the most stable, secure and reliable firewalls you will ever use.
Recommended hardware
Server systems.
I always had good luck with the Compaq/HP DL380 or DL360 systems. FreeBSD supports all of the components and installs very easily on these systems.
Try to use a dual-core or higher. You can buy one for under $100.00 now, so there is no reason to go cheap on the processor. As services are added to the appliance, you will be glad you invested in a decent CPU.
Try to use registered memory if possible. This type of memory has better recovery mechanisms built in and is designed for 24x7 environments. A good 2-4GB of DDR2 or DDR3 registered dual-channel memory will do the trick.
Motherboard and Chipset.
SuperMicro makes some great server boards for those who want to build their own. Cheap desktop boards will work, but may not live up to the requirements of a 24x7 operation. FreeBSD works well with pretty much any Intel, AMD or Nvidia chipset. I personally had very good luck with the Nforce series chipsets. Pay very close attention to the integrated NICs on the motherboards... some of them are not supported, especially if they are new.
Network Card.
You will need three Gigabit network cards (the WAN port can be 100Mbps). Intel Pro/1000s (e1000 driver) are good network cards and are widely supported. I have also used Syskonnect and Nvidia Nforce network cards with great success. Most systems have two integrated Gigabit NICs, so one add-on card may be all that is required.
There are many options out there (software vs hardware, etc). I always recommend true hardware RAID. The card is a dedicated resource and does not require any software on the O/S to build or maintain the RAID set. Get a decent card that has at least 256MB of cache, a battery backup unit (BBU) and runs on at least a PCI-X 133 or PCIe 8x bus. Most decent cards you can buy now will run on a PCIe bus, which will give a significant performance boost over legacy PCI buses.
Hard Disks.
SATA is getting much better, but I still recommend 10-15K SAS for most 24x7 environments. You get a substantial performance boost and these drives have a higher MTBF rating/warranty. Try to get at least 4 drives so you can create a RAID 1+0 array. This will give you the best blend of performance and reliability without costing too much. If you must go with SATA drives, make sure they are enterprise grade (examples: WD RE3, WD Raptor, Seagate ES.2).
Preconfiguration Steps
FreeBSD can be a little picky about ACPI at times, so make sure your BIOS is up to the latest revision. If you have updated and you experience problems during the beginning of the installation, try to start the installation without ACPI enabled (there will be an option for this at the initial boot menu).
RAID Controller.
When creating your hardware RAID set, it may be a good idea to add a hot-swap spare. You also want to make sure you have enabled write-back cache and the battery backup unit (BBU) prior to completing the RAID configuration.
Download and install FreeBSD 8.0
Berend de Boer added this note
Hi Ian, I don't get your bidirectional pipes. I'm guessing you're trying to traffic-shape incoming traffic with ipfw, right? But why is the rule then: "ipfw add 10 pipe 1 all from any to any xmit bge1"? Shouldn't that be recv instead of xmit?
Cesare Esposito added this note
Very nice document