ADSL and firewall configuration on OpenBSD
What follows was done on OpenBSD 3.6.

Configuring ADSL:

# vi /etc/ppp/ppp.conf
========================ppp.conf=======================
default:
set log Phase Chat IPCP CCP tun command
set redial 15 0
set reconnect 15 10000

pppoe:
set device "!/usr/sbin/pppoe -i rl1"
disable acfcomp protocomp
deny acfcomp
set mtu max 1492
set crtscts off
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname "sjz681a0156@adsl2"
set authkey 123456
add! default HISADDR
enable mssfixup
========================ppp.conf=======================

Creating the firewall/NAT configuration:

# vi /etc/pf.conf
=========================pf.conf=======================
ext_if = "tun0"
int_if = "{ dc0, rl0 }"
int_net = "{ 192.168.0.0/24, 192.168.10.0/24 }"
loop = "lo0"
tcp_services = "{ www, ftp }"
boss_ip = "{ 192.168.10.10, 192.168.10.11, 192.168.10.12, 192.168.10.13, 192.168.10.14, 192.168.10.15 }"
noroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
web_server = "{ 192.168.10.5, 192.168.100.16 }"
set block-policy return
set loginterface $ext_if

set optimization aggressive

scrub in all

altq on $int_if cbq bandwidth 1200Kb queue { dflt, boss }
queue dflt bandwidth 300Kb cbq(default)
queue boss bandwidth 900Kb cbq(borrow)

nat on $ext_if from $int_net to any -> $ext_if

block all

block return
block in quick on $ext_if os NMAP
block in quick on $ext_if from $noroute to any
block out quick on $ext_if from any to $noroute

pass in quick on $ext_if inet proto tcp from any to any port > 60000 keep state
#pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state

pass quick on $loop all
pass in on $int_if from $int_net
pass out on $int_if from any to $int_net
pass out on $int_if from any to $boss_ip queue boss
pass out on $ext_if all keep state

pass in on $ext_if inet proto tcp from any to $web_server port = 80 flags S/SAFR keep state (max 200, source-track rule, max-src-nodes 200, max-src-states 2) queue boss
=========================pf.conf=======================

Disable the system's own PF startup (the ruleset is loaded by the ppp link-up hook instead, see below):

# vi /etc/rc.conf
pf=NO

Enable IP forwarding:

# vi /etc/sysctl.conf
net.inet.ip.forwarding=1

Setting up ADSL dial-up at boot:

# mkdir /etc/rc.d
# vi /etc/rc.d/adsl.sh
--------------+----------------+---------------+-------------
#!/bin/sh
# /etc/rc.d/adsl.sh
# 7-11-2004
# llzqq@126.com

# Print whether tun0 currently has an address (i.e. the PPPoE link is up).
pppoe_status () {

IP=$(/sbin/ifconfig tun0 | awk '/netmask/{print $2}')

if [ ! -z "$IP" ]; then
echo "pppoe link is up, ip: " $IP
else
echo "pppoe link is down"
fi
}

# Dial in the background and wait up to about 40 seconds for tun0 to get an address.
pppoe_start () {

echo -n "starting pppoe "; ppp -ddial pppoe > /dev/null

for i in 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0; do
sleep 2; echo -n "."
IP=$(/sbin/ifconfig tun0 | awk '/netmask/{print $2}')
if [ ! -z "$IP" ]; then
break
fi
done
echo "."
pppoe_status
}

# Kill the ppp daemon. The [p] in the pattern keeps awk's own command line
# (which also contains the string "ppp -ddial") from matching itself.
pppoe_stop () {

PID=$(ps aux | awk '/[p]pp -ddial/{print $2}')
if [ ! -z "$PID" ]; then
kill $PID
fi
echo "pppoe link is down"
}

case "$1" in
'start')
pppoe_start
;;
'stop')
pppoe_stop
;;
'status')
pppoe_status
;;
*)
echo "Usage: $0 {start|stop|status}"
exit 1
esac
--------------+----------------+---------------+-------------
# chmod 555 /etc/rc.d/adsl.sh

Dialing ADSL automatically at boot:

# vi /etc/rc.local

if [ -f /etc/ppp/ppp.conf ]; then
. /etc/rc.d/adsl.sh start
fi

# vi /etc/rc.shutdown
/etc/rc.d/adsl.sh stop

Enabling a caching name server (optional):

# vi /var/named/named.boot
options forward-only
forwarders 202.99.160.68 202.99.168.8

Loading and unloading the firewall as the link comes up and goes down:

# vi /etc/ppp/ppp.linkup
MYADDR:
! sh -c "/sbin/ifconfig pflog0 up"
! sh -c "/sbin/pflogd"
! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"

# vi /etc/ppp/ppp.linkdown
MYADDR:
! sh -c "/sbin/pfctl -d -F all"
! sh -c "kill `cat /var/run/pflogd.pid`"
! sh -c "/sbin/ifconfig pflog0 down"
! sh -c "/sbin/route delete default"

Configuring dynamic DNS updates:

# tar zxvf ez-ipupdate-3.0.10.tgz
# cd ez-ipupdate-3.0.10
# vi conf_file.c
Add one line:
#include <errno.h>

# vi ez-ipupdate.c
Comment out the following lines (around line 4515):
//else
// {
// fprintf(stderr, "no update needed at this time\n");
// }

# ./configure
# make
# make install

Running it automatically after the link comes up:

# vi /etc/ppp/ppp.linkup
MYADDR:
! sh -c "/sbin/ifconfig pflog0 up"
! sh -c "/sbin/pflogd"
! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
!bg /usr/local/bin/ez-ipupdate -i tun0 -h nero.3322.org -S qdns -w wildcard -u user:pwd

Making active-mode FTP connections to external FTP servers work through the PF firewall:

# vi /etc/pf.conf
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# vi /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

# reboot

Setting up a transparent SQUID proxy:

# vi /etc/squid/squid.conf
http_port 127.0.0.1:3128

# vi /etc/pf.conf
rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128
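To make the behaviour of the ruleset above concrete, here is an added example (not part of the original post, and not pf's own code) that models how pf evaluates the inbound rules on tun0 and the two rdr rules on the internal interfaces: the last matching filter rule wins unless a matching rule is marked quick, while for rdr the first matching rule wins. The packets and the public addresses (198.51.100.7, 203.0.113.1) are constructed for the example.

```python
import ipaddress

# Macros from the pf.conf above, as Python values.
NOROUTE = [ipaddress.ip_network(n, strict=False) for n in (
    "127.0.0.1/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "255.255.255.255/32")]
INT_NET = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("192.168.10.0/24")]
TCP_SERVICES = {80, 21}            # www, ftp

def in_any(addr, nets):
    return any(addr in n for n in nets)

# Inbound filter rules on tun0, in pf.conf order: (action, quick, predicate).
# pf keeps the LAST matching rule, except that a matching 'quick' rule ends evaluation.
EXT_IN_RULES = [
    ("block", False, lambda p: True),                                        # block all
    ("block", True,  lambda p: in_any(p["src"], NOROUTE)),                   # anti-spoof
    ("pass",  True,  lambda p: p["proto"] == "tcp" and p["dport"] > 60000),
    ("pass",  True,  lambda p: p["proto"] == "tcp" and p["dport"] in TCP_SERVICES),
]

# rdr rules on the internal interfaces: (predicate, new destination). First match wins.
INT_RDR_RULES = [
    (lambda p: p["proto"] == "tcp" and p["dport"] == 21, ("127.0.0.1", 8021)),   # ftp-proxy
    (lambda p: p["proto"] == "tcp" and p["dport"] == 80 and in_any(p["src"], INT_NET),
     ("127.0.0.1", 3128)),                                                        # squid
]

def packet(src, dst, dport, proto="tcp"):
    """Constructed packet for the simulation (not a real capture)."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": dport, "proto": proto}

def filter_ext_in(pkt):
    """Decision ('pass' or 'block') for a packet arriving on tun0 from the Internet."""
    decision = "block"
    for action, quick, match in EXT_IN_RULES:
        if match(pkt):
            decision = action
            if quick:
                break
    return decision

def redirect_int_in(pkt):
    """(addr, port) the packet is sent to after rdr on an internal interface;
    the original destination is kept when no rdr rule matches."""
    for match, (addr, port) in INT_RDR_RULES:
        if match(pkt):
            return (addr, port)
    return (str(pkt["dst"]), pkt["dport"])
```

Running filter_ext_in on a packet to port 22 gives "block", while ports 80, 21 and anything above 60000 give "pass"; a packet with an RFC 1918 source hits the quick block before any pass rule is reached.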