FreeBSD Firewall on a Nokia IP330 Mini-Howto

on 17.11.2004 14:10:42 by xenophon+usenet

How to install FreeBSD onto a Nokia IP330 via CD-ROM, and how to
quickly install and configure the PF firewall software using fwbuilder
2.0 on the same. I will eventually post this to my web site,
http://web.irtnog.org/.

This document assumes a passing familiarity with the Nokia IP330, with
PC hardware in general, and with FreeBSD. It skips mentioning
important things like how to jumper hard drives and CD-ROMs to set
master/slave, how to connect to the IP330's serial console
(9600-8-N-1), etc.

Hardware

The Nokia IP330 is a PC-compatible computer with an AMD K6 CPU, a PCI
bus, multiple Ethernet interfaces based on the Intel EtherExpress Pro
100 chipset, a serial console, and on-board IDE. My IP330, labeled a
VPN210 externally and an IP2330 internally, has a 266-MHz K6-2, 64-MB
RAM, the Intel PIIX4 chipset (including UDMA33 EIDE and, strangely
enough, USB 1.0), an 8-GB EIDE hard disk drive, an Aries V.34 serial
card, and an Award BIOS. Some systems came with a hardware option to
offload cryptographic functions.

Preparation

Boot into IPSO and record each Ethernet device's Ethernet station ID
(also known as the Ethernet MAC address) prior to installation.
Neither the FreeBSD fxp driver nor the Linux e100 driver can read the
MAC address from the device ROM, so the interfaces will not pass
traffic until the address is set by hand. If the system does not have
IPSO installed or if the original hard drive failed, you should try
manually assigning an arbitrarily chosen MAC address to each Ethernet
device within FreeBSD, after the operating system installation is
complete; pick unicast addresses with the locally administered bit set
(a first octet of 02, for example) so they cannot collide with a
vendor-assigned address. I chose to write the MAC addresses in
indelible ink on the interior side of the IP330's cover.

Back up IPSO prior to installation, e.g. with Symantec Ghost or dd.
Verify that the image is bootable, e.g. by restoring the image to a
similarly sized hard disk.

Because there is no easy alternative to booting the FreeBSD
installer, and because the network devices as detected and
initialized by FreeBSD won't work properly without manual
intervention, this document instructs you to accomplish the
installation using CD-based media. Obtain an IDE CD-ROM, a
Molex-style "Y" splitter cable, and a standard two-port IDE ribbon
cable. The IP330 contains only one Molex-style power connector and
only a single-port IDE cable for the interior hard drive, so
different IDE and power cables are temporarily necessary for the
duration of the operating system installation.

You may need to re-configure the BIOS to detect and boot from the
CD-ROM.

Also download and burn to CD the latest FreeBSD production release;
verify that you can boot from the media prior to beginning your
installation. I used the FreeBSD 5.3 mini-install CD and installed
ports over the network after the operating system was installed and
configured, but feel free to obtain the standard installation and
packages CDs and use those instead.

Operating System Installation

Boot the FreeBSD installation CD. No special settings are required
to use the serial console, though the BTX loader and the initial
"Beastie" boot menu will not display properly. Prior to running
sysinstall, FreeBSD will prompt you for your terminal type. Those of
us who use Tera Term should choose the 'VT100' option (with the
terminal set to 80 columns, 24 rows).

Install the operating system as you would normally. I chose to do a
full installation, including sources and ports. Because I used the
mini-install CD, I did not install any packages (e.g. X, perl) at
this time.

**DO NOT** skip through the post-install configuration screens and
immediately reboot! You will be unable to log in to the system as
FreeBSD does not spawn a getty on the serial console port by default.

Post-Install Configuration

After the installer finishes unpacking the distribution files, when
prompted, configure the network interface and enable routing (the
gateway option). Note that you will be unable to actually use these
interfaces or get a DHCP lease until their MAC addresses are set (see
below).

Don't forget to configure a default route.

Once the installation completes, enter the configuration menu (choose
'Configure' from the main menu) and choose 'TTYs' to enable logins on
the serial console and disable logins on the VGA console. For each
of the standard terminals **ttyv0**, **ttyv1**, et seq., change the
fourth column (labelled **status**) from 'on' to 'off'. For the
serial console device **ttyd0**, change the status to 'on' and the
terminal type in the third column from 'dialup' to 'vt100'. If you
forget to do this step, boot the system into single user mode (option
4 at the "Beastie" boot menu) to edit the file.

Reboot the system, seed the pseudo-random number generator, log in
for the first time, and perform other customary post-installation
configuration, e.g. enabling accounting, setting the host name, etc.

To fix the EtherExpress Pro interfaces, create a file for each
interface named '/etc/start_if.fxpN' (replacing N with the interface
instance number, e.g. 'fxp0') that contains the following command::

/sbin/ifconfig $1 link ETHERNET-STATION-ID

replacing 'ETHERNET-STATION-ID' with the MAC address of that
interface. Leave the '$1' as written: the rc.d/netif script sources
this file with '$1' set to the interface name before it assigns IP
addresses. Reboot the system or run the command '/etc/rc.d/netif
stop && /etc/rc.d/netif start' to re-initialize networking, then
confirm with 'ifconfig fxpN' that the 'ether' line shows the address
you recorded.
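The following script is an added example, not part of the original post: it writes the start_if.fxpN files from a table of recorded station IDs after checking that each address is well-formed and unicast, and it shows how to derive a safe locally administered address for the case where the IPSO-recorded ones are lost. The MACS table is constructed sample data, and the target directory is a parameter so the script can be dry-run somewhere other than /etc.

```shell
#!/bin/sh
# Added example, not from the original post: generate the
# /etc/start_if.fxpN files from a table of interface/MAC pairs after
# sanity-checking each address. The MACS table below is constructed
# sample data; the target directory is a parameter so the script can
# be dry-run somewhere other than /etc.

# mac_valid ADDR: succeed if ADDR is six colon-separated hex octets and
# is unicast (multicast bit 0x01 of the first octet clear). A multicast
# station address would never receive unicast frames or ARP replies.
mac_valid() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$addr" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    [ $(( 0x${addr%%:*} & 1 )) -eq 0 ]
}

# mac_make_local ADDR: for the case where the IPSO-recorded addresses
# are lost and arbitrary ones must be chosen, return ADDR with the
# locally administered bit (0x02) set and the multicast bit (0x01)
# cleared in the first octet, so it cannot collide with a
# vendor-assigned address.
mac_make_local() {
    addr=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%02x:%s\n' "$(( (0x${addr%%:*} | 2) & 254 ))" "${addr#*:}"
}

# write_start_if IFACE ADDR DIR: write DIR/start_if.IFACE. rc.d/netif
# sources this file with $1 set to the interface name, which is why the
# literal "$1" is written into it rather than the name itself.
write_start_if() {
    ifn=$1 addr=$2 dir=$3
    mac_valid "$addr" || { echo "bad MAC for $ifn: $addr" >&2; return 1; }
    printf '/sbin/ifconfig $1 link %s\n' "$addr" > "$dir/start_if.$ifn"
}

# Constructed sample table: interface name and the station ID recorded
# from IPSO before the reinstall (these are not real addresses).
MACS='fxp0 00:a0:8e:01:02:03
fxp1 00:a0:8e:01:02:04
fxp2 00:a0:8e:01:02:05'

# install_start_if_files DIR: one start_if file per table entry; stops
# at the first invalid address without writing a file for it.
install_start_if_files() {
    dir=${1:-/etc}
    printf '%s\n' "$MACS" | while read -r ifn addr; do
        [ -n "$ifn" ] || continue
        write_start_if "$ifn" "$addr" "$dir" || return 1
    done
}

# Usage on the firewall (as root):
#   install_start_if_files /etc && /etc/rc.d/netif restart
#   ifconfig fxp0 | grep ether      # confirm the address took
```

The validation matters because a typo that sets the multicast bit produces an interface that looks configured but never receives an ARP reply, which is hard to tell apart from the original "driver cannot read the ROM" symptom.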

Additional Software Installation

You do not need to recompile the kernel in order to use the PF
firewall. FreeBSD 5.3 includes this firewall as a kernel loadable
module, and the initialization scripts know to load the module at
boot if necessary. Add the following two lines to **/etc/rc.conf**
to start PF on boot::

pf_enable="YES"
pflogd_enable="YES"

I use the excellent "Firewall Builder":http://www.fwbuilder.org/ tool
to create and manage my firewall configuration files. If you wish to
build it and its dependencies entirely from source, download the most
recent version of the ports tree, switch to the
**ports/security/fwbuilder** directory, and run the command 'make
install'. If you prefer to avoid building the dependencies, install
the following binary packages first, e.g. via 'pkg_add -r' (I set
**FTP_PASSIVE_MODE** and **PACKAGEROOT** in my environment to
customize how and where pkg_add retrieved its packages):

- xorg

- qt

- qmake

- net-snmp

- libxml2

- libxslt

- libgpg-error

- libgcrypt

- gmake

Policy Creation

Create your firewall policy with Firewall Builder. When you create
the firewall object, make certain to select the 'PF' firewall type
and the 'FreeBSD' operating system type. Define your objects, create
your filtering and NAT rules, and when finished, compile the policy
and save the **.conf** file to **/etc/pf.conf** on the firewall.
Check the file with 'pfctl -nf /etc/pf.conf' before loading it; this
parses the ruleset without activating it. Reboot to activate this
configuration or run the command '/etc/rc.d/pf reload' (use
'/etc/rc.d/pf start' if you are starting PF for the first time). If
you administer the firewall over the network, make sure the policy
passes SSH from your administrative host before you load it, or a
mistake in the rules will lock you out of the serial console's
remote equivalent. I run Firewall Builder directly on the firewall
over an SSH-tunneled X connection.

Caveat: FTP Proxy for Clients

PF does not include an in-kernel FTP proxy and Firewall Builder does
not currently have an option to automatically generate the relevant
rules for clients or servers, so you must configure these on the
firewall itself. Edit **/etc/pf.conf** on the firewall after
compiling the policy:

1. Add a line similar to the following immediately after the NAT
definitions, where the interface or interfaces between the curly
brackets are the firewall's internal interfaces, i.e. where the
FTP clients are::

rdr on { fxp1 fxp2 } proto tcp from any to any port 21 -> 127.0.0.1 port 8021

2. Add a line similar to the following immediately after the table
definitions, where the interface or interfaces mentioned are on
the opposite side of the firewall from the FTP clients::

pass in quick on fxp0 inet proto tcp from port 20 to (fxp0) user proxy flags S/SA keep state
pass in quick on fxp2 inet proto tcp from port 20 to (fxp2) user proxy flags S/SA keep state

3. Enable the inetd service, e.g. via sysinstall's configuration menu
or by adding the line 'inetd_enable="YES"' to **/etc/rc.conf**. I
prefer to bind inetd to only the loopback interface, by adding
another line 'inetd_flags="${inetd_flags} -a 127.0.0.1"' to
**/etc/rc.conf**.

4. In **/etc/inetd.conf**, enable the ftp-proxy service by
uncommenting the appropriate line. Add the '-n' flag to the end
of the line in order to enable the FTP proxy's NAT mode, if you
are using NAT, so it doesn't try to proxy passive FTP transfers.

5. It should go without saying that you need to reload the firewall
rules and start inetd to make this work. Run 'pfctl -nf
/etc/pf.conf' first: pf.conf enforces the section order options,
normalization, queueing, translation, filtering, so a 'pass' rule
that ends up above a 'nat' or 'rdr' rule is rejected and the old
ruleset stays loaded.
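Because Firewall Builder regenerates **/etc/pf.conf** on every compile, the hand edits in steps 1 through 4 have to be repeated each time. The script below is an added example, not part of the original post or of Firewall Builder, that automates the whole procedure. It assumes the interface names in INT_IFS and EXT_IFS (constructed sample values) and that the stock inetd.conf line begins with '#ftp-proxy' followed by whitespace; rather than relying on where fwbuilder places its table definitions, it puts the rdr rule after the last translation rule and the pass rules immediately before the first filter rule, which satisfies pf.conf's section order in either layout.

```shell
#!/bin/sh
# Added example, not from the original post: re-apply the FTP proxy
# rules to a pf.conf that Firewall Builder has just regenerated, and
# turn on the inetd-based ftp-proxy. Assumptions (mine, not the post's):
# INT_IFS/EXT_IFS are constructed sample values; the stock inetd.conf
# line begins "#ftp-proxy" followed by whitespace; the rdr rule goes
# after the last translation rule (nat/rdr/binat) and the pass rules
# immediately before the first filter rule, which satisfies pf.conf's
# mandatory section order (translation before filtering) no matter
# where fwbuilder puts its table definitions.

INT_IFS='fxp1 fxp2'   # interfaces facing the FTP clients
EXT_IFS='fxp0'        # interfaces facing the FTP servers
PROXY_PORT=8021       # ftp-proxy's port from /etc/services

# ftp_proxy_rules FILE: print FILE with the proxy rules inserted. Copies
# the file unchanged if the rdr to the proxy is already present, so it
# is safe to run after every compile.
ftp_proxy_rules() {
    if grep -q "127.0.0.1 port $PROXY_PORT" "$1"; then
        cat "$1"
        return 0
    fi
    awk -v ints="$INT_IFS" -v exts="$EXT_IFS" -v pp="$PROXY_PORT" '
        function emit_rdr() {
            printf "rdr on { %s } proto tcp from any to any port 21 -> 127.0.0.1 port %s\n", ints, pp
        }
        function emit_pass(   n, e, i) {
            n = split(exts, e, " ")
            for (i = 1; i <= n; i++)
                printf "pass in quick on %s inet proto tcp from port 20 to (%s) user proxy flags S/SA keep state\n", e[i], e[i]
        }
        # first read of the file: locate the last translation rule and
        # the first filter rule
        FNR == NR {
            if ($1 ~ /^(nat|rdr|binat)$/) lasttrans = FNR
            if (!firstfilt && $1 ~ /^(pass|block)$/) firstfilt = FNR
            next
        }
        # second read: copy through, inserting at the recorded lines;
        # with no translation rules the rdr goes just above the filters
        FNR == firstfilt { if (!lasttrans) emit_rdr(); emit_pass() }
        { print }
        FNR == lasttrans { emit_rdr() }
        END { if (!firstfilt) { if (!lasttrans) emit_rdr(); emit_pass() } }
    ' "$1" "$1"
}

# enable_ftp_proxy_inetd INETD_CONF RC_CONF: uncomment the ftp-proxy
# line and append -n (NAT mode); make inetd start at boot bound to
# loopback only. Both edits are no-ops when already applied.
enable_ftp_proxy_inetd() {
    inetd_conf=$1 rc_conf=$2
    sed -e 's/^#\(ftp-proxy[[:space:]].*\)$/\1 -n/' "$inetd_conf" > "$inetd_conf.tmp" &&
        mv "$inetd_conf.tmp" "$inetd_conf" || return 1
    if ! grep -q '^inetd_enable=' "$rc_conf"; then
        printf 'inetd_enable="YES"\n' >> "$rc_conf"
        printf 'inetd_flags="${inetd_flags} -a 127.0.0.1"\n' >> "$rc_conf"
    fi
}

# apply_ftp_proxy: the whole procedure on a live firewall (as root).
# pfctl -nf parses the new file without loading it, so a misplaced
# rule is caught before the running ruleset is touched.
apply_ftp_proxy() {
    ftp_proxy_rules /etc/pf.conf > /etc/pf.conf.new &&
        pfctl -nf /etc/pf.conf.new &&
        mv /etc/pf.conf.new /etc/pf.conf &&
        enable_ftp_proxy_inetd /etc/inetd.conf /etc/rc.conf &&
        /etc/rc.d/pf reload &&
        /etc/rc.d/inetd restart
}
```

Run 'apply_ftp_proxy' after each compile. The pass rules are inserted ahead of every other filter rule and carry 'quick', so a 'block in' that fwbuilder generates higher in its own policy cannot shadow the active-mode data connections back to the proxy.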

See the PF documentation and manual pages for additional details.

Firewall Configuration

There isn't much to do beyond enabling PF (and PF logging) in
**/etc/rc.conf** as described above. Unless you want ALTQ or IPSEC
support, you do not need to recompile the kernel.

Software Updates

I installed both net/cvsup and security/freebsd-update, using the
binary packages. Current sources and ports are sometimes useful
(especially since you can only get version 2.0 of Firewall Builder in
the current ports tree). Since my firewall is a slower system, I
prefer to use the freebsd-update mechanism for binary updates, but
your mileage may vary.