Opengate Installation Procedure



A Outline

A.1 System Configuration

In this document, we use the system configuration as follows. The network connecting terminals is called "lower-side network" and the network having servers is called "upper-side network".

upper-side network:192.168.0.0/24, 2001:db8:1:2:3/64
Gateway to upper-side network:fxp1, 192.168.0.124, 2001:db8:1:2:3::4
Gateway to lower-side network:fxp0, 192.168.1.1, 2001:db8:5:6:7::1
lower-side network:192.168.1.0/24, 2001:db8:5:6:7/64

Opengate recognizes both IPv4 and IPv6 addresses, and controls both firewalls. It can be used for IPv4 control only if the FreeBSD environment is not set up for IPv6.

A.2 Installation Procedure

The following steps are necessary to complete the installation of Opengate.
Items marked with '*' are mandatory.

A.2 Support Page

The Opengate support page can be consulted at: 

 http://www.cc.saga-u.ac.jp/opengate/index-e.html

back top

B FreeBSD Installation

B.1 Basic Installation

Use FreeBSD4.x or later. FreeBSD6.1 or later is preferred.
Choose distribution "Developer (Full sources, binaries and doc)" or "all" because we have to compile a custom kernel.

Add the following line to "/etc/rc.conf", to enable the gateway function:

gateway_enable="YES"

back top

B.2 Adding NAT and Firewall

Preparing the kernel to include IPFW functionality.

*As the recent kernel includes ipfw in default, reconstruction is not needed.  Skip following reconstruction and start from setting of /etc/rc.conf.

Make a new kernel configuration file:MYKERNEL

# cd /usr/src/sys/i386/conf
# vi MYKERNEL

Following is the content of the file: MYKERNEL

include GENERIC

ident MYKERNEL

options IPDIVERT

options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100

options IPSEC
device crypto

Compile and install the new kernel (incl. added support for IPFW and IP6FW).

#cd /usr/src
#make buildkernel KERNCONF=MYKERNEL
#make installkernel KERNCONF=MYKERNEL

It might be failed in old FreeBSD.  In the case, execute the following.

# config MYKERNEL
# cd ../compile/MYKERNEL
# make depend
# make
# make install

"make clean" might be requested before "make depend".

Add the following lines to "/etc/rc.conf":

a. FreeBSD6.0 or earlier

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

ipv6_firewall_enable="YES"
ipv6_firewall_script="/etc/rc.firewall6"
ipv6_firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"

b. FreeBSD6.1 or later

firewall_enable="YES"
firewall_script="/etc/rc.firewall"
firewall_type="open"

natd_enable="YES"
natd_interface="fxp1"

When enabling IPFW (and IP6FW), make sure to also set the firewall_type to 'OPEN', to prevent unpredictable system behavior during installation.
To enable NAT, set natd_enable to 'YES' and define the natd interface (Upper-side interface).

Connect a client pc to the lower-side network and check the IPv4 behavior.
Since DHCP is not yet set up, the client's network settings must be configured manually.

back top

B.3 Setting up IPv6(Optional)

If you need IPv4 only, this section can be skipped.
Though explanation is omitted, many parameters, like the ones used in the following sample, can be set in /etc/rc.conf.
It is advised to read up on IPv6 and carefully set up its parameters. 

##ENABLE IPv6
ipv6_enable="YES"
ipv6_network_interfaces="gif0 fxp0"

##TUNNELLING INTERFACE
gif_interfaces="gif0"
gifconfig_gif0="192.168.0.124 192.168.0.126"

##IPv6 ADDRESS 
ipv6_prefix_fxp0="2001:db8:5:6:7"
ipv6_ifconfig_fxp0="2001:db8:5:6:7::1 prefixlen 64"

##ADVERTISE
rtadvd_enable="YES"
rtadvd_interfaces="fxp0"

##DEFAULT GATEWAY
ipv6_default_interface="gif0"
ipv6_defaultrouter="fe80::a:b:c:d%gif0"

##ROUTING(RIPv6)
ipv6_gateway_enable="YES"
ipv6_router_enable="YES"
ipv6_router="/usr/sbin/route6d"
ipv6_router_flags="-O 2001:db8:5:6:7::/64,gif0"

Connect a client pc to the lower-side network and check the behavior of IPv6.
On a Windows pc, the command "ipv6 install" might be needed to activate IPv6.

back top

C BIND9 Install(Optional)

C.1 Ports Install

You can ignore DNS settings, if you control with IP address base or use existing DNS servers.

* Instead of BIND, it is recommended to use Unbound included in the recent FreeBSD versions.

Installing BIND9 from ports:
Note: The "sysinstall" command can also be used. If /usr/sbin/named exists, configure files in /etc/namedb.

# cd /usr/ports/dns/bind9/
# make clean
# make install clean ; rehash

During installation the directory "/etc/namedb (/var/named/etc/namedb)" is created.

back top

C.2 Making RNDC key

Use the "rndc" command to further secure BIND9.

Create the rndc key as follows:

# cd /etc/namebd/
# rndc-confgen -b 512 > rndc.conf

This will generate the "rndc.conf" file.

# Start of rndc.conf
key "rndc-key" {
 algorithm hmac-md5;
 secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

options {
 default-key "rndc-key";
 default-server 127.0.0.1;
 default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
# };
# 
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

back top

C.3 Setting up named.conf

After installation, look for the "/etc/namedb/named.conf" file and copy the last half of the "rndc.conf" file to it, making sure to remove comments, and add IPv6 configuration where/if required.

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
 algorithm hmac-md5;
 secret "wMpASEmnRVnD602MtEb+RqtMee5+n0RVgpaUrlAHvPpgH3SoK7f2nRZBUH7a0urvmyBuAg0dwtk/Otg9Ker3gA==";
};

controls {
 inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
 inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

For security reasons, it is better to write the "key" directive in the other file.

Edit the "options" directive in "named.conf":

options {
 directory "/etc/namedb";
 pid-file "/var/run/named/pid";
 auth-nxdomain yes;
 listen-on-v6 { any; };
};

Create the corresponding "pid" directory.

back top

C.4 Creating a Zone file

Edit the "zone" directives in "named.conf".

 zone "og.saga-u.ac.jp" {
 type master;
 file "og.saga-u.ac.jp";
 };


Make a "zone" file for the domain "og.saga-u.ac.jp".
The domain name and IPv4/6 addresses should be modified properly. If you don't need IPv6, remove the line containing "AAAA ....".

$TTL 3600
$ORIGIN og.saga-u.ac.jp.

@ IN SOA ns.og.saga-u.ac.jp. postmaster (
   2005051702 ;
   3600
   1200
   2419200
   86400 )
  IN NS ns.og.saga-u.ac.jp.
  IN A 192.168.1.1
  IN MX 10 opengate.og.saga-u.ac.jp.

ns IN A 192.168.1.1

opengate IN A 192.168.1.1
  IN AAAA 2001:db8:5:6:7::1

back top

C.5 Checking Behavior

Confirm starting of "named" after completings its configuration.

# /usr/local/sbin/named -u bind -c /etc/namedb/named.conf

If "named" starts without problems, add the following lines to "/etc/rc.conf" to allow it to automatically start on boot up.

named_enable="YES"
named_program="/usr/local/sbin/named"
named_flags="-u bind -c /etc/namedb/named.conf"

Because the management of a DNS server can be complicated, it is strongly advised to carefully read the BIND9 manual, and/or consult other documentation.

back top

D isc-dhcp3 Installation (Optional)

D.1 Ports Install

If many client PCs are going to be connected, using the DHCP service might be a desirable solution for assigning IP addresses to these clients.

Installing isc-dhcp3 from ports:
Note: the "sysinstall" command can also be used.

# cd /usr/ports/net/isc-dhcp3-server
# make clean
# make install clean ; rehash

back top

D.2 Setting up DHCP

The"/usr/local/etc/dhcpd.conf.sample" configuration file is created during installation.
Copy "dhcpd.conf.sample" to "dhcpd.conf" and edit the file.

The following is an example setup:
The lease time must be greater than the maximum usage duration (Duration/Max in opengatesrv.conf).
The domain name and IP addresses should be modified. 

option domain-name "og.saga-u.ac.jp";
option domain-name-servers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;

default-lease-time 86400;
max-lease-time 604800;
ddns-update-style none;
log-facility local7;

subnet 192.168.1.0 netmask 255.255.255.0 {
 range 192.168.1.10 192.168.1.250;
}

Add the following lines to "/etc/rc.conf" to allow it to automatically start on boot up.

dhcpd_enable="YES"
dhcpd_ifaces="fxp0"
dhcpd_conf="/usr/local/etc/dhcpd.conf"

In this example, the value of "dhcpd_ifaces" is the interface providing the DHCP service
(to the lower-side network).

back top

E Apache2 Installation

E.1 Ports Install

When using IPv6, Opengate needs Apache2 to support IPv6.
By default, Apache2 supports SSL which is preferred for secure authentication.

Installing Apache2 from ports:
Note: The "sysinstall" command can also be used.

# cd /usr/ports/www/apache22
# make clean
# make install clean ; rehash

back top

E.2 Making Certificates

It is better to obtain a formal key from some CA. But we will show you how to create a self-signed private key and certificate.

Creating a private key:

# cd /usr/local/etc/apache22
# mkdir ssl.key ssl.crt
# chmod 700 ssl.key ssl.crt

# /usr/bin/openssl genrsa -out /usr/local/etc/apache22/server.key 1024


Making a certificate from the created key:

# /usr/bin/openssl req -new -x509 -days 365 \
 -key /usr/local/etc/apache22/server.key \
 -out /usr/local/etc/apache22/server.crt

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Saga
Locality Name (eg, city) []:Saga-city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Saga-university
Organizational Unit Name (eg, subsection) []:Opengate Management
Common Name (eg, YOUR name) []:opengate.og.saga-u.ac.jp
Email Address []:administrator@opengate.og.saga-u.ac.jp

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

back top

E.3  Setting up SSL

Edit "/usr/local/etc/apache22/extra/httpd-ssl.conf" as shown in the following example:

ssl.conf 

<VirtualHost _default_:443>
 DocumentRoot "/usr/local/www/apache22/data"
 ServerName opengate.og.saga-u.ac.jp:443
 ServerAdmin administrator@opengate.og.saga-u.ac.jp
 ErrorLog "|/usr/bin/logger -p local6.info"
 CustomLog "|/usr/bin/logger -p local5.info" combined

 SSLEngine on
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 SSLCertificateFile /usr/local/etc/apache22/server.crt
 SSLCertificateKeyFile /usr/local/etc/apache22/server.key
</VirtualHost>

Since Apache2 has many settings, familiarize yourself with the Apache2 configuration options for adequate control.

back top

E.4 Other Settings and Checking the Installation

Edit "/usr/local/etc/apache22/httpd.conf" as follows:

Opengate should send back the authentication page in response to any kind of HTTP request.
To do so, add the following line to httpd.conf:
(the top page will be sent back on an HTTP_ERROR 404 [file not found] error).

ErrorDocument 404 /


Add "ExecCGI" to allow executing CGI programs in the cgi-bin directory.

<Directory "/usr/local/www/cgi-bin">
 ...
 Options ExecCGI
 ...
</Directory>

Remove the comment mark ("#") to enable the following setting: 

AddHandler cgi-script .cgi
AddHandler type-map .var

Add "index.html.var" to DirectoryIndex: 

DirectoryIndex index.html.var index.html

Include ssl conf file:

Include etc/apache22/extra/httpd-ssl.conf

Set ServerName: 

ServerName opengate.og.saga-u.ac.jp

Start Apache2 with "apachectl start" and check for errors.
If no errors are displayed, add the following lines to "/etc/rc.conf" to allow Apache to start on boot up:

apache22_enable="YES"
apache22ssl_enable="YES"

If the system shows "Failed to enable the 'httpready' Accept Filter", add the following to /boot/loader.conf :

accf_http_load="YES"

Should the certificate require a PASSPHRASE, Apache will ask for it during boot up.
If you do not enter the passphrase (reboot due to power outage, remote reboot, ,...), this will prevent
the server from starting Apache normally, i.e. leaving you with a possible "crippled" server.

Easy fix:
1. create a simple script containing the following:
#!/bin/sh
echo "<passphrase goes here>"

2. add the following to httpd.conf:
SSLPassPhraseDialog exec:/path/to/above/script

back top

F SQLite3 Installation

F.1 Installation

Download archive file from SQLite site(www.sqlite.org). Install it as follows. Note: The "sysinstall" command and ports can also be used.

# tar xzvf sqlite-amalgamation-3.xx.xx.tar.gz
# cd sqlite-3.xx.xx
# ./configure
# make
# make install
back top

F.2 Checking

Check the normal execution. 
# sqlite3
SQLite version 3.xx.xx
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .quit
#

back top

G Opengate Installation

G.1 Opengate Package

Unpack the Opengate compressed file: 

# tar xzvf opengatexxxx.tar.gz

It contains the following directories:

doc: Documentation
conf: Configuration files and firewall control Perl script sample
javahtml: Client Programs and HTML files
opengatesrv: Server CGI programs
tools: Some related tools
ezxml: XML parser (Copyright Aaron Voisine)

back top

G.2 Installation

Check the settings in "opengatesrv/Makefile" and modify if needed:

HTMLTOP = /usr/local/www/apache22
DOCDIR = /data
CGIDIR = /cgi-bin
OPENGATEDIR = /opengate
CONFIGPATH = /etc/opengate

Compile and Install in opengatesrv directory:

# make clean
# make install

back top

G.3 Setting up Config File

Copy the sample configuration file "/etc/opengate/opengatesrv.conf.sample" to "/etc/opengate/opengatesrv.conf" and modify it. 

cd /etc/opengate
cp opengatesrv.conf.sample opengatesrv.conf
vi opengatesrv.conf

The following settings must be changed:

 <OpengateServerName>opengate.og.saga-u.ac.jp</OpengateServerName>

 <AuthServer>
 <Protocol>pop3s</Protocol>
 <Address>192.168.0.2</Address>
 </AuthServer>

In <OpengateServerName>, set the HOSTNAME(FQDN) or IP address of the opengate gateway server. If you want to use IPv6, you need to set the FQDN corresponding to both IPv4 and IPv6 addresses.

In <AuthServer>, set the information for the authentication server. Opengate supports various authentication protocols. See the config file for details.
To differentiate between erorrs caused by authentication server or those caused by the opengate server, try the following setting first. This means that any userid and password combination is accepted.

 ****Do not use this setting in real service****
 <AuthServer>
 <Protocol>accept</Protocol> 
 <AuthServer>

The config file is XML. "#" marks in the file do not represent the start of a comment.
Use XML-formatted comments like <!-- Comment String --> to disable a description.

Opengate can pass authentication settings in the form of "userid@extid".
See the config file for more details.
By using this function, you can use different authentication servers for many sections or guests.

When the primary authentication server does not reply, Opengate can resend the request to other authentication servers. See the config file for more details.

Caution: Do not delete the IPv6 related settings in the config file!
The IPv6 access is executed when the FQDN for IPv6 is prepared.

back top

G.4 Setting up IPFW

Write IPFW rules for Opengate.

Both IPv4 and IPv6 packets are controlled by IPFW.

A sample rule set for IPFW can be found in "/etc/opengate/rc.firewall.sample"

Copy the script and modify to fit your needs.
If you are not familiar with Ipv6, set IPv6 addresses as localhost (*net6="0", *ip6="::1").

# cd /etc/opengate
# cp rc.firewall.sample rc.firewall
# vi rc.firewall

Modify the firewall settings in /etc/rc.conf as follows:
Be careful not to lock yourself out of the system after reloading the firewall.

firewall_enable="YES"
firewall_script="/etc/opengate/rc.firewall"

Familiarise yourself with the "ipfw" command.
The Opengate software sends out ipfw add/delete commands.

The directory /etc/opengate includes another file: 'ipfwctrl.pl.sample'.  The file is an ipfw control perl script but is not used in default setting.

back top

G.5 Setting up syslog

Edit /etc/syslog.conf to save log entries for Opengate.

        | * Separated by TAB code
        V
local1.* /var/log/opengate.log

Make the log file as follows:
Consider using log rotation to control the size of this log file.

# touch /var/log/opengate.log

back top

G.6 Checking Behavior

Reboot the PC to enable setting and connect a PC to the lower-side network and try to access a site in the upper-side network.
If it does not work properly, consult doc/progflow.html and doc/protocol.txt to better understand the procedure. Also check the log files for Opengate, httpd, system and others. To dump more information from Opengate, set the <Debug> switch to "2" in opengatesrv.conf. Also check the functions of related software. The error checking document (errcheck.html) and Q&A documents (qa.html, recentqa.html on the web) can be used for problem solving.

back top

G.7 Modifying Pages

If you want to modify the contents of the web pages, edit the html files in the Opengate directories. The relative path cannot be used in httpkeep.html. Use the full URL description. The descriptions such as %%XXX%% are variables replaced by their proper values during CGI runtime.

back top

G.8 Setting up SQLite3

Opengate uses the SQLite3 database to hold session information. The path of the database file is indicated with <SqliteDb> in opengatesrv.conf. It is recommended to change the default value to the proper directory. WWW sholud have write permission for the directory. 

Example:
-- opengatesrv.conf --
<SqliteDb>/home/sqlitedb/opengate.db</SqliteDb>

-- shell commands --
# mkdir /home/sqlitedb
# chown www /home/sqlitedb

The file and database table are created automatically.

As the file size incleases steadily, you should periodically trim or remove the file with cron (or manually). Following is a sample script to delete 3 day old records. 

#!/bin/sh
echo "delete from session where closeTime < datetime('now','localtime','-3days');" | sqlite3 /tmp/opengate.db
exit 0
back top

H MRTG Installion (Optional)

H.1 Ports Installation

This section is optional.
If you want to graphically monitor the state of Opengate, MRTG can be used but is not required.

MRTG (Multi Router Traffic Grapher) is a system to monitor network traffic. MRTG produces graphic images and HTML files.

You can install MRTG on the gateway server or another server. If you need to monitor multiple Opengate systems, it is advised to install MRTG on a separate server.

# cd /usr/ports/net-mgmt/mrtg/
# make clean
# make install clean ; rehash

back top

H.2 Setting up MRTG

MRTG creates "/usr/local/etc/mrtg/mrtg.cfg.sample" as the sample configuration file during installation. Copy mrtg.cfg.sample to opengate.cfg and edit the file:

##################################################
# opengate user counter

WorkDir: /usr/home/user/public_html/mrtg/opengate/

##### Options
Options[^]: growright,gauge,nopercent,integer

Target[opengate]:`/usr/home/user/bin/input.sh`
Title[opengate]: Opengate user counter

PageTop[opengate]: <h1>Opengate user counter</h1>
 <p>Show the number of people using Opengate</p>

# Max Number
MaxBytes[opengate]: 200

# Title of Y axis
YLegend[opengate]: Opengate User
# unit
ShortLegend[opengate]: s
# Title of graph LegendI: first line LegendO: second line
LegendI[opengate]: IPv6 Users
LegendO[opengate]: Total Users

Be sure to actually create the directory which you appointed in "WorkDir". MRTG creates its graphic images and HTML files in "WorkDir"

"Target[opengate]" contains the path to the program that hands its data to MRTG.
(details explained below)

H.2.1 Scenario 1: Running MRTG on the gateway server

Create the shell script "/usr/home/user/bin/input.sh" with the following contents:

#!/bin/sh

#######################################
##
## show opengate status for MRTG
##
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
##
#######################################

LANG=C
COLUMNS=256

export LANG
export COLUMNS

### IPv6 prefix
prefix="2001:db8:5:6:7:"
###opengateprocessname
process="opengatesrv.cgi" 

###tmp file name
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
psax | grep $process > $tmp_all
COUNT = `wc-l $tmp_all | awk '{print $1}'` 
grep $prefix $tmp_all > $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`

rm $tmp_all
rm $tmp_6

echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"

Run this shell script as standalone and confirm that you can acquire the following data:

5
48
10days
Opengate User Counter
H.2.2 Scenario 2: Running MRTG on a separate server

Create the shell script "/usr/home/user/bin/input.sh" on a separate server.

#!/bin/sh

#######################################
##
## input data for MRTG
##
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
##
#######################################

# tmp file name
file="/tmp/opengate.tmp"

# URL of output.sh at opengate
url="http://opengate.saga-u.ac.jp/cgi-bin/output.sh"

fetch -o $file $url &> /dev/null

more $file

Create the shell script "/usr/local/apache2/cgi-bin/output.sh" on the Opengate (gateway) server, and set the URL to $url, as explained above.

#!/bin/sh

#######################################
##
## show opengate status for MRTG
##
## 1 line : IPv6 Users
## 2 line : Total Users
## 3 line : uptime
## 4 line : comment for data
##
#######################################

LANG=C
COLUMNS=256

export LANG
export COLUMNS

### IPv6 prefix
prefix="2001:db8:5:6:7:"
###opengateprocessname
process="opengatesrv.cgi" 

###tmp file name
tmp_all="/tmp/og_count_all.tmp"
tmp_6="/tmp/og_count_6.tmp"

######################################################
psax | grep $process > $tmp_all 
COUNT = `wc-l $tmp_all | awk '{print $1}'` 
grep $prefix $tmp_all > $tmp_6
COUNT6=`wc -l $tmp_6 | awk '{print $1}'`
UPTIME=`uptime | awk '{print $3$4}' | sed -e "s/,//g"`
rm $tmp_all
rm $tmp_6

echo "Content-type: text/plain; charset=iso-8859-1"
echo

echo "$COUNT6"
echo "$COUNT"
echo "$UPTIME"
echo "Opengate User Counter"

Run "input.sh" on another server and confirm that you can acquire the following data:

5
48
10days
Opengate User Counter

back top

H.3 Confirming MRTG Startup Operation:

Use the following command to confirm MRTG is working with your config:

# /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg

Various WARNING messages are output the first and second time, this is normal behavior
(as explained in the MRTG documentation)!
Some files are created in "WorkDir".

> ls -l
-rw-r--r-- 1 root wheel 538 12 14 04:40 mrtg-l.png
-rw-r--r-- 1 root wheel 414 12 14 04:40 mrtg-m.png
-rw-r--r-- 1 root wheel 1759 12 14 04:40 mrtg-r.png
-rw-r--r-- 1 root wheel 2941 12 20 15:15 opengate-day.png
-rw-r--r-- 1 root wheel 2146 12 20 14:35 opengate-month.png
-rw-r--r-- 1 root wheel 2867 12 20 14:55 opengate-week.png
-rw-r--r-- 1 root wheel 1897 12 20 05:00 opengate-year.png
-rw-r--r-- 1 root wheel 5961 12 20 15:15 opengate.html
-rw-r--r-- 1 root wheel 48786 12 20 15:15 opengate.log
-rw-r--r-- 1 root wheel 48784 12 20 15:10 opengate.old

back top

H.4 Registering to Crontab

Add the following line to "/etc/crontab":

*/5 * * * * root /usr/local/bin/mrtg /usr/local/etc/mrtg/opengate.cfg

back top

I rulechk Installation (Optional)

This section is optional.
When the Opengate process is not exited normally, superfluous rules might be left behind.
Though it is very rare, the tools/rulechk script is made to handle such situations. This script compares the Opengate process list and the firewall rule list, and deletes the obsolete rules.
This script is compatible with Opengate Ver1.3.1 or above.

back top