ALIAS_SCTP VERSION 0.2.2 INSTALL.TXT

INSTALLING PATCH

1) Copy the patch file to your source directory (usually /usr/src)

2) patch -p0 < alias_sctp_0.2.x_patch8.x

3) (i) Go to src/sys/modules/libalias/libalias
        a) make KERNCONF=YOUR_KERNEL_CONF
        b) make install     # this will install the libalias module

   (ii) Go to src/sys/modules/ipfw_nat
        a) make KERNCONF=YOUR_KERNEL_CONF
        b) make install     # this will install the ip_fw_nat module

   (iii) Go to src/sbin/ipfw
        a) make
        b) make install     # this will install the ipfw command-line utility

   (iv) Go to share/man/man8
        a) make all-man
        b) make maninstall

   (v) After IPFW is enabled
        a) kldload ipfw_nat     # this will load ipfw_nat and libalias

        NOTE: If you already have ipfw_nat loaded you should:
            /etc/rc.d/ipfw stop
            kldunload ipfw_nat
            /etc/rc.d/ipfw start
            kldload ipfw_nat    # if it hasn't been loaded by your start

4) Add the ipfw nat and firewall rules (see below)

EXAMPLE IPFW SETUP:

1. In /etc/rc.conf:
        gateway_enable="YES"    # or net.inet.ip.forwarding=1 in sysctl.conf
        firewall_enable="YES"
        firewall_type="open"    # if different, may need to adjust rules accordingly
        firewall_logging="YES"

2. In /etc/sysctl.conf:
        net.inet.ip.fw.one_pass=0

3. ipfw nat 100 config if em0 log redirect_addr 192.168.0.65 0.0.0.0

4. ipfw add 2000 nat 100 sctp from any to any via em0

The above sets up NAT instance 100, taking the outside IP address from interface em0, with logging enabled and any incoming packets redirected to the (local inside) address 192.168.0.65. It then adds ipfw rule 2000, which passes SCTP packets from any to any via the em0 interface through NAT instance 100.

CONFIGURATION OPTIONS:

Most alias_sctp configuration can be done in real time through the sysctl interface. All values may be changed dynamically, though the hash table size will only change for new NAT instances. Default values are also listed below.

net.inet.ip.alias.sctp.hashtable_size (Default = 2003)
    Size of the hash tables used for NAT lookups (100 < prime_number < 1000001).
    This value sets the hash table size for any _future_ created NAT instance and
    therefore must be set prior to creating a NAT instance (i.e. ipfw nat 100
    config ...). The table sizes may be changed to suit specific needs. If there
    will be few concurrent associations, and memory is scarce, you may make these
    smaller. If there will be many thousands (or millions) of concurrent
    associations, you should make these larger. A prime number is best for the
    table size. The sysctl update function will adjust your input value to the
    next highest prime number.

net.inet.ip.alias.sctp.error_on_ootb (Default = 1)
    Defines when the NAT responds to Out-of-the-Blue (OOTB) packets with ErrorM
    packets. An OOTB packet is a packet that arrives with no existing association
    registered in the NAT AND is not an INIT or ASCONF-AddIP packet:
        0 - ErrorM is never sent in response to OOTB packets
        1 - ErrorM is only sent to OOTB packets received on the local side
        2 - ErrorM is sent to the local side and on the global side ONLY if there
            is a partial match (ports and vtags match but the source global IP
            does not). This value is only useful if the NAT is tracking global
            IP addresses
        3 - ErrorM is sent in response to all OOTB packets on both the local and
            global side (DoS risk)
    We recommend setting this value to 1 to allow multi-homed local hosts to
    function with the NAT. If the SCTP stacks on the local side hosts do not
    support this feature, this value should be set to 0. If tracking global
    addresses we recommend setting this value to 2 to allow global hosts to be
    informed when they need to (re)send an ASCONF-AddIP. Value 3 should never be
    chosen (except for debugging) as the NAT will respond to all OOTB global
    packets, a DoS risk.

net.inet.ip.alias.sctp.accept_global_ootb_addip (Default = 0)
    Defines how the NAT responds to receipt of a global OOTB ASCONF-AddIP:
        0 - No response (unless a partially matching association exists: ports
            and vtags match but the global address does not)
        1 - NAT will accept and process all OOTB global AddIP messages
    Option 1 should never be selected as this forms a security risk. An attacker
    can establish multiple fake associations by sending AddIP messages.

net.inet.ip.alias.sctp.initialising_chunk_proc_limit (Default = 2)
    Defines the maximum number of chunks in an SCTP packet that will be parsed
    when no existing association matches that packet. Ideally this packet will
    only be an INIT or ASCONF-AddIP packet. A higher value may become a DoS risk
    as malformed packets can consume processing resources.

net.inet.ip.alias.sctp.chunk_proc_limit (Default = 5)
    Defines the maximum number of chunks in an SCTP packet that will be parsed
    for a packet that matches an existing association. This value is enforced to
    be >= initialising_chunk_proc_limit. As for the previous parameter, a high
    value is a DoS risk, yet setting too low a value may result in important
    control chunks in the packet not being located and parsed.

net.inet.ip.alias.sctp.param_proc_limit (Default = 25)
    Defines the maximum number of parameters within a chunk that will be parsed
    in a packet. As for the other similar sysctl variables, larger values pose a
    DoS risk.

net.inet.ip.alias.sctp.track_global_addresses (Default = 0)
    Enables/disables global IP address tracking within the NAT and places an
    upper limit on the number of addresses tracked for each association:
        0  - Global tracking is disabled
        >1 - Enables tracking; the maximum number of addresses tracked for each
             association is limited to this value
    This variable is fully dynamic: the new value will be adopted for all newly
    arriving associations, while existing associations are treated as they were
    previously.

    Global tracking will decrease the number of collisions within the NAT at a
    cost of increased processing load, memory usage, complexity, and possible
    NAT state problems in complex networks with multiple NATs. We recommend not
    tracking global IP addresses; this will still result in a fully functional
    NAT.

net.inet.ip.alias.sctp.init_timer (Default = 15)
    Timeout value (s) while waiting for (INIT-ACK|AddIP-ACK). This value cannot
    be 0.

net.inet.ip.alias.sctp.up_timer (Default = 300)
    Timeout value (s) to keep an association up with no traffic. This value
    cannot be 0.

net.inet.ip.alias.sctp.shutdown_time (Default = 15)
    Timeout value (s) while waiting for SHUTDOWN-COMPLETE. This value cannot
    be 0.

net.inet.ip.alias.sctp.holddown_time (Default = 0)
    Hold the association in the table for this many seconds after receiving a
    SHUTDOWN-COMPLETE. This allows endpoints to complete the shutdown gracefully
    if a SHUTDOWN-COMPLETE is lost and retransmissions are required. This may be
    a good option in high-loss environments.

net.inet.ip.alias.sctp.log_level (Default = 0)
    Level of detail in the system log messages (0 - minimal, 1 - event,
    2 - info, 3 - detail, 4 - debug, 5 - max debug)
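Because several of the sysctls above have values the text warns against (error_on_ootb=3, accept_global_ootb_addip=1, zero timers, chunk_proc_limit below initialising_chunk_proc_limit), it is worth checking a sysctl.conf fragment before loading it. The following script is an added example, not part of alias_sctp or FreeBSD; it assumes the fragment uses plain key=value lines and only applies the range and consistency rules documented in this file.

```shell
#!/bin/sh
# Added example (not alias_sctp code): check the alias_sctp entries of a
# sysctl.conf-style file against the rules documented in INSTALL.TXT.
# Keys not present keep their documented defaults. Returns 0 when every
# check passes, 1 otherwise (each violation is reported on stderr).
fail() { echo "alias_sctp check: $1" >&2; rc=1; }

check_alias_sctp_conf() {
    file=$1; rc=0
    # documented defaults
    hs=2003 eo=1 ag=0 icl=2 cl=5 pl=25 tg=0 it=15 ut=300 st=15 hd=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "${line%%#*}" | tr -d ' \t')   # drop comments/blanks
        case "$line" in net.inet.ip.alias.sctp.*=*) ;; *) continue ;; esac
        key=${line%%=*}; key=${key##*.}; val=${line#*=}
        case "$val" in ''|*[!0-9]*)
            fail "$key: value '$val' is not a non-negative integer"; continue ;;
        esac
        case "$key" in
            hashtable_size) hs=$val ;;
            error_on_ootb) eo=$val ;;
            accept_global_ootb_addip) ag=$val ;;
            initialising_chunk_proc_limit) icl=$val ;;
            chunk_proc_limit) cl=$val ;;
            param_proc_limit) pl=$val ;;
            track_global_addresses) tg=$val ;;
            init_timer) it=$val ;;
            up_timer) ut=$val ;;
            shutdown_time) st=$val ;;
            holddown_time) hd=$val ;;
            log_level) ;;
            *) fail "unknown alias_sctp sysctl: $key" ;;
        esac
    done < "$file"
    # range and consistency rules from CONFIGURATION OPTIONS
    [ "$hs" -gt 100 ] && [ "$hs" -lt 1000001 ] ||
        fail "hashtable_size must lie between 100 and 1000001 (rounded up to a prime)"
    [ "$eo" -le 2 ] || fail "error_on_ootb=3 answers every OOTB packet (DoS risk)"
    [ "$ag" -eq 0 ] || fail "accept_global_ootb_addip=1 lets forged AddIP create associations"
    [ "$cl" -ge "$icl" ] || fail "chunk_proc_limit must be >= initialising_chunk_proc_limit"
    [ "$it" -gt 0 ] && [ "$ut" -gt 0 ] && [ "$st" -gt 0 ] ||
        fail "init_timer, up_timer and shutdown_time cannot be 0"
    return $rc
}
```

Run it as `check_alias_sctp_conf /etc/sysctl.conf` before `sysctl -f`; unrelated keys such as net.inet.ip.fw.one_pass are ignored.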