
Building a Proxy Server with PF on FreeBSD 6

    [IT168 Server Academy] This example has been tested and works.
    The test covered two cases: an internal network consisting of one subnet, and an internal network consisting of two different subnets; the external link is a metropolitan-area network (MAN) connection.
    Requirements: proxy Internet access for internal users; when there are two internal subnets, bandwidth must be allocated between them.
    Below is the test procedure for the case of a single internal subnet.

1. System installation and upgrade
    The operating system chosen is FreeBSD 6. After a minimal install, upgrade the system:
    # pkg_add -r cvsup-without-gui
    # cd /usr/share/examples/cvsup
    # cvsup -g -L 2 standard-supfile -h ftp.freebsdchina.org
    # cd /usr/src
    # make buildworld
    # make installworld

2. Kernel tuning and compilation
    Compile a kernel with PF support built in:
    # cd /usr/src/sys/i386/conf
    # cp GENERIC my_pro
    # ee my_pro
    Add the following to the configuration file:
    device pf
    device pflog
    device pfsync
    Then:
      # config my_pro
      # cd ../compile/my_pro
      # make depend
      # make
      # make install
    Reboot the system.

3. Add to /etc/sysctl.conf
     net.inet.ip.forwarding=1 # enable IP forwarding.

4. Change /etc/rc.conf as follows:
      defaultrouter="218.5.5.1" # upstream gateway on the external network. Placeholder address (the article used a hypothetical one); it must be the ISP's gateway, not this host's own bge0 address

    gateway_enable="YES"
    hostname="abc.xyz.com"
    network_interfaces="bge0 xl1"   # must list every interface that has an ifconfig_ line below
    ifconfig_xl1="inet 192.168.1.1  netmask 255.255.255.0"
    ifconfig_bge0="inet 218.5.5.5  netmask 255.255.255.224"
    inetd_enable="YES"
    linux_enable="YES"
    usbd_enable="YES"
    pf_enable="YES"
    pf_rules="/etc/pf.conf"
    pf_flags=""
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    pflog_flags=""
    arp_enable="YES"
    During debugging I made a very basic mistake: I plugged a network cable into the wrong port, so once the addresses were bound, all I saw at boot was the screen endlessly scrolling with messages that the MAC address could not pass through the interface :)
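The rc.conf above is easy to get subtly wrong by hand (an interface named in an ifconfig_ line but missing from network_interfaces, or an address with a dropped octet), and the result is a gateway that comes up unreachable after reboot. The following script is an added example, not code from the article: a pre-reboot sanity check for those two slips. The rc.conf fragments inside it are constructed for the example, and check_rc_conf is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not from the article: a pre-reboot sanity check for the
# /etc/rc.conf network settings of a gateway. It catches an ifconfig_<if> line
# whose interface is not listed in network_interfaces (rc only configures the
# listed interfaces) and an inet address that is not four valid octets.
# The rc.conf fragments below are constructed for this example.

BAD_RC_CONF='defaultrouter="218.5.5.1"
gateway_enable="YES"
network_interfaces="bge0 rl0 rl1"
ifconfig_xl1="inet 192.168..1  netmask 255.255.255.0"
ifconfig_bge0="inet 218.5.5.5  netmask 255.255.255.224"
pf_enable="YES"'

GOOD_RC_CONF='defaultrouter="218.5.5.1"
gateway_enable="YES"
network_interfaces="bge0 xl1"
ifconfig_xl1="inet 192.168.1.1  netmask 255.255.255.0"
ifconfig_bge0="inet 218.5.5.5  netmask 255.255.255.224"
pf_enable="YES"'

# check_rc_conf: reads rc.conf text on stdin, prints one problem per line,
# returns 0 when clean and 1 when anything is wrong.
check_rc_conf() {
    awk '
    function unquote(s) { sub(/^"/, "", s); sub(/"$/, "", s); return s }
    # four dotted-decimal octets, each 0-255
    function valid_ip(a,    o, n, i) {
        n = split(a, o, ".")
        if (n != 4) return 0
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
        return 1
    }
    BEGIN { bad = 0; have_list = 0 }
    /^network_interfaces=/ {
        n = split(unquote(substr($0, index($0, "=") + 1)), list, " ")
        for (i = 1; i <= n; i++) listed[list[i]] = 1
        have_list = 1
    }
    /^ifconfig_[A-Za-z0-9]+=/ {
        eq = index($0, "=")
        ifname = substr($0, 10, eq - 10)        # the part after "ifconfig_"
        value = unquote(substr($0, eq + 1))
        n = split(value, w, " ")
        addr = ""
        for (i = 1; i < n; i++) if (w[i] == "inet") addr = w[i + 1]
        if (addr != "" && !valid_ip(addr)) {
            printf("bad inet address on %s: %s\n", ifname, addr); bad = 1
        }
        iface[ifname] = 1
    }
    END {
        if (have_list) {
            for (name in iface) {
                if (!(name in listed)) {
                    printf("ifconfig_%s set but %s is not in network_interfaces\n", name, name)
                    bad = 1
                }
            }
        }
        exit bad
    }'
}

# Usage on the gateway itself:  check_rc_conf < /etc/rc.conf
# Against the constructed samples:
printf '%s\n' "$BAD_RC_CONF" | check_rc_conf
printf '%s\n' "$GOOD_RC_CONF" | check_rc_conf && echo "GOOD_RC_CONF: ok"
```

Run it against /etc/rc.conf before every reboot of the gateway; on the first constructed fragment it reports both the malformed 192.168..1 address and the xl1 interface that network_interfaces never mentions.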

5. Writing the proxy rules (/etc/pf.conf)

#----------------------------------------------
# Macros: define common values, so they can be referenced and changed easily
ext_if="bge0"   # external interface
int_if="xl1"    # internal interface (single-subnet test)
internal_net="192.168.1.0/24"
www="192.168.1.5"
priv_nets="{127.0.0.0/8,192.168.0.0/16,172.16.0.0/12,10.0.0.0/8}"
Admin="{192.168.1.8/29}"
icmp_types="echoreq"
ports = "{ 20, 21, 22, 25, 53, 80, 110 }"
#----------------------------------------------
# Options: tune the behavior of pf, default values are given
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface bge0
set optimization high-latency
set block-policy return
#----------------------------------------------
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
#------------------Network Address Trans-------
# Translation: specify how addresses are to be mapped or redirected.
nat on $ext_if from $int_if:network to any -> ($ext_if)
#----------------------------------------------
# rdr outgoing FTP requests to the ftp-proxy
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# rdr: packets coming in on $ext_if with destination $ext_if:8080 will
# be redirected to $www:80.
rdr on $ext_if proto tcp from any to $ext_if port 8080 -> $www port 80
#-----------------------Filter-----------------
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
#----------------------------------------------
pass in on $ext_if proto tcp from any to any port 21 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
# filtering sees the translated destination, so the rdr to $www above needs this pass rule
pass in on $ext_if proto tcp from any to $www port 80 keep state
pass out on $ext_if all keep state
#----------------------------------------------
antispoof quick for $int_if inet
# antispoof quick for $int_if2 inet   # second internal interface, two-subnet test only
#----------------------------------------------
pass in on $int_if from $internal_net to any keep state
pass out on $int_if from any to $internal_net keep state
#----------------------------------------------
pass quick on lo0 all
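Two mistakes make pfctl reject an entire pf.conf, and with pf_enable="YES" that leaves the gateway with no rules at all after boot: a $macro that is referenced but never defined (for instance using $int_if when only int_if1 was defined), and a nat/rdr rule placed after the first filter rule, which pf on FreeBSD 6 does not accept. The authoritative check is `pfctl -nf /etc/pf.conf` on the gateway; the script below is an added example, not code from the article, that catches both mistakes on any machine with awk before the file is copied over. The pf.conf fragments are constructed for the example and check_pf_conf is a hypothetical helper name.

```sh
#!/bin/sh
# Added example, not from the article: a small lint for pf.conf that reports
# macros used but never defined, and translation rules (nat/rdr/binat) that
# appear after the first filter rule (block/pass/antispoof). Both cause pfctl
# to reject the whole ruleset. The fragments below are constructed.

BAD_PF_CONF='ext_if="bge0"
int_if1="xl1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
block all
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
antispoof quick for $int_if1 inet
antispoof quick for $int_if2 inet
pass quick on lo0 all'

GOOD_PF_CONF='ext_if="bge0"
int_if="xl1"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
block all
antispoof quick for $int_if inet
pass quick on lo0 all'

# check_pf_conf: reads pf.conf text on stdin, prints one problem per line,
# returns 0 when clean and 1 when anything is wrong.
check_pf_conf() {
    awk '
    BEGIN { bad = 0; seen_filter = 0 }
    { line = $0; sub(/#.*/, "", line) }              # ignore comments
    # macro definition:  name = "value"
    line ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
        name = line; sub(/[ \t]*=.*/, "", name); defined[name] = 1
    }
    # record every $macro reference on the line (stops at ":" in $int_if:network)
    {
        rest = line
        while (match(rest, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
            used[substr(rest, RSTART + 1, RLENGTH - 1)] = NR
            rest = substr(rest, RSTART + RLENGTH)
        }
    }
    line ~ /^(block|pass|antispoof)[ \t]/ { seen_filter = 1 }
    line ~ /^(nat|rdr|binat)[ \t]/ && seen_filter {
        printf("line %d: translation rule after filter rules: %s\n", NR, line)
        bad = 1
    }
    END {
        for (m in used) {
            if (!(m in defined)) {
                printf("line %d: macro $%s used but never defined\n", used[m], m)
                bad = 1
            }
        }
        exit bad
    }'
}

# Usage on a workstation:  check_pf_conf < pf.conf   (then pfctl -nf on the gateway)
printf '%s\n' "$BAD_PF_CONF" | check_pf_conf
printf '%s\n' "$GOOD_PF_CONF" | check_pf_conf && echo "GOOD_PF_CONF: ok"
```

On the first fragment it reports the rdr rule that follows "block all" and the two macros ($int_if and $int_if2) that are referenced without a definition; the second fragment, with a single int_if macro and translation rules ahead of the filter rules, passes cleanly.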

6. About FTP
    To let FTP through, use ftp-proxy. Edit /etc/inetd.conf
    and remove the # at the start of the line: #ftp-proxy  stream  tcp nowait root  /usr/libexec/ftp-proxy  ftp-proxy

7. pf-related commands
    You can also enable and disable pf with the pfctl program:
    # pfctl -e
    # pfctl -d
    Note that this only enables and disables PF; it does not load a ruleset. The ruleset is loaded either at system boot, or separately by command after PF has been enabled:
    pfctl -f /etc/pf.conf     load the pf.conf file
    pfctl -Nf /etc/pf.conf    load only the NAT rules from the file
    pfctl -Rf /etc/pf.conf    load only the filter rules from the file
    pfctl -sn                 show the current NAT rules
    pfctl -sr                 show the currently loaded filter rules
    pfctl -ss                 show the current state table
    pfctl -si                 show filter status and counters
    pfctl -sa                 show everything that can be shown
    pfctl -sq                 show the queues
    Now connect the machine to the network and it basically works. To make the system work better, the system and the PF rules need further tuning.
