• By means of this server, internal users can access the Internet normally. Here we use the BIND that ships with FreeBSD to do DNS resolution; in fact a large share of the DNS servers on the Internet run this software. The basic steps are as follows:

    The parent DNS domain (edu.cn) gave me the following information:
    Domain -> wxicab.edu.cn
    Primary DNS server -> 58.193.128.55 [dns1.wxicab.edu.cn]
    Secondary DNS server -> 58.193.128.56 [dns2.wxicab.edu.cn]
    (These notes cover only the configuration of the primary server.)

    Network interfaces:
    xl0: 3Com external-network interface

    DNS information planned in advance:
    Domain: wxicab.edu.cn
    DNS servers: dns1.wxicab.edu.cn (58.193.128.55), dns2.wxicab.edu.cn (58.193.128.56)
    58.193.128.55 -> dns1.wxicab.edu.cn (primary DNS server)
    58.193.128.56 -> dns2.wxicab.edu.cn (secondary DNS server)
    58.193.128.53 -> wxicab.edu.cn (web server)
    58.193.128.53 -> www.wxicab.edu.cn (web server)
    58.193.128.52 -> mail.wxicab.edu.cn (mail server)
    58.193.128.51 -> ftp.wxicab.edu.cn (file server)
    58.193.128.50 -> windowsupdate.wxicab.edu.cn (Windows Update server)
    58.193.128.49 -> virus.wxicab.edu.cn (anti-virus server)


    Installation:

    1. Download and install FreeBSD 6.1-RELEASE
    Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to CD, set the server to boot from the CD-ROM drive and start the installation. I chose the minimal installation and enabled ftp and ssh; everything else can stay at the defaults. See this article for details. Reboot the machine after installation.

    2. Basic configuration
    Configure /etc/rc.conf:
    # cd /etc
    # ee rc.conf
    Contents:
    hostname="dns1.wxicab.edu.cn"
    defaultrouter="58.193.128.254"
    ifconfig_xl1="inet 58.193.128.55 netmask 255.255.248.0"
    inetd_enable="YES"
    linux_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"

    3. Configure DNS

    (1) Create and configure /etc/namedb/db.wxicab.edu.cn (forward mapping, hostname to IP)
    # cd /etc/namedb
    # ee db.wxicab.edu.cn
    Contents:
    $TTL 3d
    @ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
                2006626    ; serial
                3h         ; refresh
                1h         ; retry
                1w         ; expire
                1h )       ; negative-caching TTL

              IN NS dns1
              IN NS dns2

              IN A 58.193.128.53
              IN MX 10 mail.wxicab.edu.cn.
    dns1 IN A 58.193.128.55
    dns2 IN A 58.193.128.56
    mail IN A 58.193.128.52
    ftp IN A 58.193.128.51
    windowsupdate IN A 58.193.128.50
    virus IN A 58.193.128.49

    www IN CNAME wxicab.edu.cn.

    (2) Create and configure /etc/namedb/db.58.193.128 (reverse mapping, IP to hostname)
    # cd /etc/namedb
    # ee db.58.193.128
    Contents:
    $TTL 3d
    @ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
                2006626    ; serial
                3h         ; refresh
                1h         ; retry
                1w         ; expire
                1h )       ; negative-caching TTL

              IN NS dns1.wxicab.edu.cn.
              IN NS dns2.wxicab.edu.cn.
    55 IN PTR dns1.wxicab.edu.cn.
    56 IN PTR dns2.wxicab.edu.cn.
    53 IN PTR wxicab.edu.cn.
    52 IN PTR mail.wxicab.edu.cn.
    51 IN PTR ftp.wxicab.edu.cn.
    50 IN PTR windowsupdate.wxicab.edu.cn.
    49 IN PTR virus.wxicab.edu.cn.
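
    The forward and reverse files are maintained by hand, so the PTR for one address can easily end up naming a different host than its A record. As an added example (not from the original notes), the following Python script cross-checks the A records of a forward zone against the PTR records of the reverse zone. The zone text inside is constructed in the same style as the two files above, with the dns1/dns2 PTR pair deliberately swapped; the parser handles only the single-line record syntax these files use.

```python
"""Cross-check a forward zone's A records against the reverse zone's PTR records.
Added example, not part of the original notes. The zone text below is constructed
in the same style as the two files above, with one PTR pair deliberately swapped,
and the parser handles only the single-line record syntax those files use."""
import ipaddress

FORWARD_ZONE = """\
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. ( 2006626 3h 1h 1w 1h )
          IN NS dns1
          IN NS dns2
          IN A 58.193.128.53
          IN MX 10 mail.wxicab.edu.cn.
dns1 IN A 58.193.128.55
dns2 IN A 58.193.128.56
mail IN A 58.193.128.52
www IN CNAME wxicab.edu.cn.
"""
# Constructed reverse zone with the dns1/dns2 PTRs swapped.
REVERSE_ZONE = """\
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. ( 2006626 3h 1h 1w 1h )
          IN NS dns1.wxicab.edu.cn.
56 IN PTR dns1.wxicab.edu.cn.
55 IN PTR dns2.wxicab.edu.cn.
53 IN PTR wxicab.edu.cn.
52 IN PTR mail.wxicab.edu.cn.
"""


def fqdn(name, origin):
    """Qualify an owner or target name against the zone origin (trailing dot)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(zone_text, origin, rtype):
    """Yield (owner_fqdn, rdata) for single-line records of one type.

    A line starting with whitespace inherits the owner of the previous record,
    exactly as BIND reads it; $-directives and comments are skipped. The
    multi-line SOA form is not needed because the samples keep SOA on one line.
    """
    owner = origin
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line or line.startswith("$"):
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            owner, line = parts[0], parts[1] if len(parts) > 1 else ""
        fields = line.split()
        if fields and fields[0].upper() == "IN":
            fields = fields[1:]
        if len(fields) >= 2 and fields[0].upper() == rtype:
            yield fqdn(owner, origin), fields[-1]


def check_forward_reverse(forward_text, fwd_origin, reverse_text, rev_origin):
    """Return human-readable mismatches between A records and PTR records.

    Several names may legitimately share one address (here the apex and www via
    CNAME), so a PTR is accepted if it names any of the forward owners.
    """
    forward = {}
    for name, ip in parse_records(forward_text, fwd_origin, "A"):
        forward.setdefault(ip, set()).add(name)
    # "128.193.58.in-addr.arpa." -> network prefix "58.193.128"
    prefix = ".".join(reversed(rev_origin.replace(".in-addr.arpa.", "").split(".")))
    ptr = {f"{prefix}.{owner.split('.')[0]}": target
           for owner, target in parse_records(reverse_text, rev_origin, "PTR")}
    problems = []
    for ip in sorted(forward, key=ipaddress.ip_address):
        names = ", ".join(sorted(forward[ip]))
        if ip not in ptr:
            problems.append(f"{ip}: no PTR for {names}")
        elif ptr[ip] not in forward[ip]:
            problems.append(f"{ip}: PTR says {ptr[ip]} but A records say {names}")
    return problems


if __name__ == "__main__":
    for problem in check_forward_reverse(FORWARD_ZONE, "wxicab.edu.cn.",
                                         REVERSE_ZONE, "128.193.58.in-addr.arpa."):
        print(problem)
```

    Run as-is it reports the two swapped addresses; with the PTRs corrected it prints nothing. On the server itself, named-checkzone from BIND validates each file's syntax, but it does not compare the two zones against each other, which is what this check adds.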

    (3) Configure the localhost.rev file:
    # cd /etc/namedb
    # chmod 755 make-localhost
    # ./make-localhost
    After it runs, two files, localhost.rev and localhost-v6.rev, are generated automatically in /etc/namedb/master; localhost-v6.rev is for the next-generation IP protocol (IPv6) and is not needed for now. The contents of my localhost.rev are:

    $TTL 3600
    @ IN SOA dns1.wxicab.edu.cn. root.dns1.wxicab.edu.cn. (
    20060627 ; Serial
    3600 ; Refresh
    900 ; Retry
    3600000 ; Expire
    3600 ) ; Minimum
              IN NS dns1.wxicab.edu.cn.
    1 IN PTR localhost.wxicab.edu.cn.

    (4) Configure the /etc/namedb/named.conf file:
    # cd /etc/namedb
    # ee named.conf
    Contents:
    options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
    };
    zone "." {
        type hint;
        file "named.root";
    };
    zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
    };
    zone "wxicab.edu.cn" {
        type master;
        file "db.wxicab.edu.cn";
    };
    zone "128.193.58.in-addr.arpa" {
        type master;
        file "db.58.193.128";
    };

    (5) Start the named server and have it start with the system
    Add the following line to /etc/rc.conf:

    named_enable="YES"

    Save and exit after editing.

    Reboot the server and check with the top command; if a named process is present, it started normally. Then take a client machine, set its DNS server to this machine's IP, 58.193.128.55, and ping edu.cn; if the ping succeeds, resolution is working. The nslookup tool can also be used for testing.

    Author: 老管 (funpower)  email: funpower@gmail.com  2006-7-1
    References: 25.6 Domain Name System (DNS); DNS and BIND (4th edition)

  • This server is set up so that internal users communicate with the outside world through it. The basic principle: internal users reach the external network through FreeBSD's built-in gateway and routing function (route), while the server's security and virus-protection controls are handled by FreeBSD's ipfilter. The initial setup procedure is as follows:

    Network interfaces:
    vr0: external-network interface
    vr1: internal-network interface

    1. Minimal installation of FreeBSD 6.1-RELEASE
    Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to CD, set the server to boot from the CD-ROM drive and start the installation. I chose the minimal installation and enabled ftp and ssh; everything else can stay at the defaults. See this article for details. Reboot the machine after installation.

    2. Install the kernel source
    Put the installation CD in the drive, then:

    # /usr/sbin/sysinstall

    Then choose Configure --> Distributions -> src -> sys, click Install, and reboot the machine after installation completes.

    3. Basic configuration
    Configure /etc/rc.conf

    # cd /etc
    # ee rc.conf

    Contents:
    hostname="gatewall.wxic.edu.cn"
    defaultrouter="172.16.252.17"
    ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
    ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
    inetd_enable="YES"
    linux_enable="YES"
    sshd_enable="YES"
    usbd_enable="YES"
    sendmail_enable="NONE"

     
    Configure /etc/resolv.conf

    # ee /etc/resolv.conf

    Contents:
    nameserver 58.193.112.1

    4. Configure the kernel with ipfilter support

    # cd /usr/src/sys/i386/conf
    # cp GENERIC funpower
    # ee funpower

    Then edit the kernel configuration file. It differs from machine to machine and from one application to another; since we need ipfilter, add support for it by putting the following into the kernel configuration:
    options   IPFILTER
    options   IPFILTER_LOG
    options   IPFILTER_DEFAULT_BLOCK

    For the other options see this article and customize as needed. Save and exit when done, then:

    # /usr/sbin/config funpower
    # cd ../compile/funpower
    # make cleandepend
    # make depend
    # make
    # make install

    After compiling, reboot the server (because ipfilter blocks all traffic by default, make sure you are at the server console).

    5. Add routing options to /etc/rc.conf

    # cd /etc
    # ee rc.conf

    Append the following lines:
    gateway_enable="YES"
    static_routes="static1"
    route_static1="-net 58.193.11x.0/21 172.16.252.x/30"
    Note: the first address is the internal network range; the second is the gateway address on the external interface.

    6. Configure ipfilter
    Add to /etc/rc.conf:

    ipfilter_enable="YES"
    ipfilter_rules="/etc/ipf.conf"

    Then edit the /etc/ipf.conf file

    # cd /etc/
    # ee ipf.conf

    Contents:
    # loopback interface lo0
    # out and in: pass everything

    pass in quick on lo0 all
    pass out quick on lo0 all

    # external interface vr0
    # out: only let the enabled IPs communicate

    block out quick on vr0 from any to 192.168.0.0/16
    block out quick on vr0 from any to 0.0.0.0/8
    block out quick on vr0 from any to 169.254.0.0/16
    block out quick on vr0 from any to 10.0.0.0/8
    block out quick on vr0 from any to 172.16.0.0/12
    block out quick on vr0 from any to 127.0.0.0/8
    block out quick on vr0 from any to 192.0.2.0/24
    block out quick on vr0 from any to 204.152.64.0/23
    block out quick on vr0 from any to 224.0.0.0/3

    # enable 58.193.112.1
    pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
    pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

    # enable 58.193.112.3
    pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
    pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

    # enable 58.193.113.1
    pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
    pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

    # enable 58.193.113.2
    pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
    pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

    block out on vr0 all

    # in: block some addresses (e.g. private ranges) and some virus-attack ports (138/139/445)
    block in quick on vr0 from 192.168.0.0/16 to any
    block in quick on vr0 from 172.16.0.0/12 to any
    block in quick on vr0 from 10.0.0.0/8 to any
    block in quick on vr0 from 127.0.0.0/8 to any
    block in quick on vr0 from 0.0.0.0/8 to any
    block in quick on vr0 from 169.254.0.0/16 to any
    block in quick on vr0 from 192.0.2.0/24 to any
    block in quick on vr0 from 204.152.64.0/23 to any
    block in quick on vr0 from 224.0.0.0/3 to any
    block in quick on vr0 from 58.193.112.0/21 to any

    block in quick on vr0 proto udp from any to any port = 69
    block in quick on vr0 proto tcp/udp from any to any port = 135
    block in quick on vr0 proto udp from any to any port = 137
    block in quick on vr0 proto udp from any to any port = 138
    block in quick on vr0 proto tcp/udp from any to any port = 139
    block in quick on vr0 proto tcp/udp from any to any port = 445
    block in quick on vr0 proto tcp/udp from any to any port = 593
    block in quick on vr0 proto tcp from any to any port = 1022
    block in quick on vr0 proto tcp from any to any port = 1023
    block in quick on vr0 proto tcp from any to any port = 1025
    block in quick on vr0 proto tcp from any port = 1034 to any port = 80
    block in quick on vr0 proto tcp from any to any port = 1068
    block in quick on vr0 proto tcp from any to any port = 1433
    block in quick on vr0 proto udp from any to any port = 1434
    block in quick on vr0 proto tcp from any to any port = 1871
    block in quick on vr0 proto tcp from any to any port = 2745
    block in quick on vr0 proto tcp from any to any port = 3208
    block in quick on vr0 proto tcp from any to any port = 3127
    block in quick on vr0 proto tcp from any to any port = 4331
    block in quick on vr0 proto tcp from any to any port = 4334
    block in quick on vr0 proto tcp from any to any port = 4444
    block in quick on vr0 proto tcp from any port = 4444 to any
    block in quick on vr0 proto tcp from any to any port = 4510
    block in quick on vr0 proto tcp from any to any port = 4557
    block in quick on vr0 proto tcp from any to any port = 5554
    block in quick on vr0 proto tcp from any to any port = 5800
    block in quick on vr0 proto tcp from any to any port = 5900
    block in quick on vr0 proto tcp from any to any port = 6129
    block in quick on vr0 proto tcp from any to any port = 6667
    block in quick on vr0 proto tcp from any to any port = 9995
    block in quick on vr0 proto tcp from any to any port = 9996
    block in quick on vr0 proto tcp from any to any port = 10080

    block in quick on vr0 all with frags
    block in quick on vr0 proto tcp all with short
    block in quick on vr0 all with opt lsrr
    block in quick on vr0 all with opt ssrr
    block in log first quick on vr0 proto tcp from any to any flags FUP
    block in quick on vr0 all with ipopts

    pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
    pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
    pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
    pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
    pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
    pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

    pass in quick on vr0 proto icmp from any to any icmp-type 0
    pass in quick on vr0 proto icmp from any to any icmp-type 11
    block in log quick on vr0 proto icmp from any to any

    block in log on vr0 all


    # internal interface vr1
    # out: pass everything

    pass out on vr1 all
    # in: pass everything
    pass in on vr1 all


    Reboot the server after configuration.

    Test from a client machine: first use one of the IPs enabled in ipf.conf and ping edu.cn; if the ping succeeds, the external network is reachable.
    Then set the client to an IP that is not in the enabled list; if the ping fails, the ipf.conf settings have taken effect.
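
    Because the reboot in step 4 leaves the box unreachable if the rules are wrong, it helps to check the policy offline first. As an added example (not part of the original notes), the following Python model reproduces ipfilter's evaluation order: a matching quick rule decides immediately, otherwise the last matching rule wins, and with no match at all IPFILTER_DEFAULT_BLOCK gives block. It runs a constructed excerpt in the same style as the ipf.conf above against sample packets: an enabled internal host passes out, an unlisted one is caught by "block out on vr0 all", and a packet with an internal source address arriving on vr0 is dropped by the anti-spoofing rule. The keep state, flags and with qualifiers are skipped, so stateful replies and header checks are not modelled.

```python
"""Evaluate ipfilter rules written in the style of the ipf.conf above against
sample packets. Added example, not part of the original notes. It handles the
subset of rule syntax the file uses (block/pass, in/out, log [first], quick,
on <iface>, proto, from/to with CIDR or 'any', 'port = N' on either side) and
skips 'keep state', 'flags' and 'with' qualifiers. Rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass

RULES_TEXT = """\
block out quick on vr0 from any to 10.0.0.0/8
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
block out on vr0 all
block in quick on vr0 from 58.193.112.0/21 to any
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
block in log on vr0 all
pass in on vr1 all
"""
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Packet:
    iface: str
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    sport: int = 0


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    iface: str
    protos: set             # empty set = any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: int              # 0 = any port
    dport: int
    text: str

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and (not self.protos or pkt.proto in self.protos)
                and ipaddress.ip_address(pkt.src) in self.src
                and ipaddress.ip_address(pkt.dst) in self.dst
                and self.sport in (0, pkt.sport) and self.dport in (0, pkt.dport))


def parse_rule(line):
    """Parse one rule line; qualifiers this model does not handle are skipped."""
    t = line.split()
    action, direction, i = t[0], t[1], 2
    while t[i] in ("log", "first"):         # 'log' / 'log first' only affect logging
        i += 1
    quick = t[i] == "quick"
    iface, i = t[i + 1 + quick], i + 2 + quick   # skip optional 'quick', then 'on <iface>'
    protos, src, dst, sport, dport, side = set(), ANY, ANY, 0, 0, "from"
    if i < len(t) and t[i] == "proto":
        protos, i = set(t[i + 1].split("/")), i + 2
    while i < len(t):
        if t[i] in ("from", "to"):
            side = t[i]
            net = ANY if t[i + 1] == "any" else ipaddress.ip_network(t[i + 1], strict=False)
            src, dst = (net, dst) if side == "from" else (src, net)
            i += 2
        elif t[i] == "port" and t[i + 1] == "=":
            sport, dport = (int(t[i + 2]), dport) if side == "from" else (sport, int(t[i + 2]))
            i += 3
        else:
            i += 1                          # all, keep state, flags ..., with ...
    return Rule(action, direction, quick, iface, protos, src, dst, sport, dport, line)


def evaluate(rules, pkt, default="block"):
    """A matching 'quick' rule decides at once; otherwise the LAST matching rule
    wins. With no match at all, IPFILTER_DEFAULT_BLOCK gives 'block'."""
    verdict = (default, None)
    for rule in rules:
        if rule.matches(pkt):
            verdict = (rule.action, rule.text)
            if rule.quick:
                break
    return verdict


RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip() and not l.startswith("#")]

if __name__ == "__main__":
    for pkt in (Packet("vr0", "out", "tcp", "58.193.112.1", "1.2.3.4", 80),       # enabled host
                Packet("vr0", "out", "tcp", "58.193.112.9", "1.2.3.4", 80),       # not enabled
                Packet("vr0", "in", "tcp", "58.193.113.7", "58.193.112.1", 22)):  # spoofed source
        print(pkt.direction, "on", pkt.iface, pkt.src, "->", pkt.dst, evaluate(RULES, pkt))
```

    The returned pair names the rule that decided, which is the piece of information the real firewall only gives you through the log rules; it also makes visible why the anti-spoofing "block in quick on vr0 from 58.193.112.0/21" must precede the pass rules.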

    Author: 老管 (funpower)  email: funpower@gmail.com  2006-6-30
    References: IP Filter Based Firewalls HOWTO; 26.5 IPFILTER (IPF) Firewall (FreeBSD Handbook); 27.2 Gateways and Routes


  • Late last year I wrote "FreeBSD 6.0-RELEASE + Squid + Socks5 server setup notes", but I had not yet placed further restrictions on some users' Internet access. Today that work is done.

    The following restricts Internet users through Squid acl statements:

    1. First, the schedule table:

    --------------  Monday       Tuesday      Wednesday    Thursday     Friday       Saturday     Sunday
    Special users   00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00
    User group 1    8:30-23:00   8:30-23:00   12:00-23:00  8:30-23:00   8:30-23:00   8:00-21:30   8:00-21:30
    User group 2    14:30-23:00  14:30-23:00  12:00-23:00  14:30-23:00  14:30-23:00  8:00-21:30   8:00-21:30
    User group 3    16:00-23:00  16:00-23:00  12:00-23:00  16:00-23:00  16:00-23:00  8:00-21:30   8:00-21:30
    User group 4    16:30-23:00  16:30-23:00  12:00-23:00  16:30-23:00  16:30-23:00  8:00-21:30   8:00-21:30

    2. Edit the /usr/local/squid/etc/squid.conf file and, starting at line 1475, add the following:

    acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32 192.168.121.212/32
    acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
    acl yonghu2 src 192.168.120.53-192.168.120.104/255.255.255.255
    acl yonghu3 src 192.168.120.105-192.168.120.157/255.255.255.255
    acl yonghu4 src 192.168.120.158-192.168.120.208/255.255.255.255
    acl 8:30-23:00 time MTHF 8:30-23:00
    acl 14:30-23:00 time MTHF 14:30-23:00
    acl 16:00-23:00 time MTHF 16:00-23:00
    acl 16:30-23:00 time MTHF 16:30-23:00
    acl shan time W 12:00-23:00
    acl zm time AS 8:00-21:30
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_access allow tieshuyonghu
    http_access allow yonghu1 8:30-23:00
    http_access allow yonghu1 shan
    http_access allow yonghu1 zm
    http_access allow yonghu2 14:30-23:00
    http_access allow yonghu2 shan
    http_access allow yonghu2 zm
    http_access allow yonghu3 16:00-23:00
    http_access allow yonghu3 shan
    http_access allow yonghu3 zm
    http_access allow yonghu4 16:30-23:00
    http_access allow yonghu4 shan
    http_access allow yonghu4 zm
    http_access deny all

    This uses the src and time tags of Squid's acl. In a time acl the days of the week are written S-Sunday, M-Monday, T-Tuesday, W-Wednesday, H-Thursday, F-Friday, A-Saturday; see here for more information on acl.
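
    As an added example (not part of the original post), the following Python model shows how Squid applies lines like these: each http_access line is tried in order, a line matches only when all of its ACLs match, and the first matching line decides. The src forms used above (single address, CIDR, dotted mask, and the a.b.c.d-a.b.c.e/mask range) and the time form (day letters followed by HH:MM-HH:MM) are implemented; negation (!) and other ACL types are not. The configuration text inside is a constructed excerpt in the same style, and the dates in the tests are chosen so that 2006-07-03 is a Monday.

```python
"""Model of Squid's http_access evaluation for the src/time ACL scheme above.
Added example, not part of the original post: src ACLs (single address, CIDR,
dotted mask or a.b.c.d-a.b.c.e range) and time ACLs (day letters S M T W H F A,
then HH:MM-HH:MM) are supported; negation (!) and other ACL types are not.
The configuration text is a constructed excerpt in the same style."""
import ipaddress
from datetime import datetime

CONF = """\
acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32
acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
acl yonghu4 src 192.168.120.158-192.168.120.208/255.255.255.255
acl 8:30-23:00 time MTHF 8:30-23:00
acl 16:30-23:00 time MTHF 16:30-23:00
acl shan time W 12:00-23:00
acl zm time AS 8:00-21:30
acl all src 0.0.0.0/0.0.0.0
http_access allow tieshuyonghu
http_access allow yonghu1 8:30-23:00
http_access allow yonghu1 shan
http_access allow yonghu1 zm
http_access allow yonghu4 16:30-23:00
http_access allow yonghu4 shan
http_access allow yonghu4 zm
http_access deny all
"""
# Squid's day letters mapped to Python's weekday() numbering (Monday=0 ... Sunday=6).
DAY_LETTERS = {"M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5, "S": 6}


def parse_src(spec):
    """Return (first, last) address ints for one src specification."""
    addr, _, mask = spec.partition("/")
    if "-" in addr:                          # a.b.c.d-a.b.c.e[/mask]: inclusive range
        lo, hi = addr.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    if not mask:
        mask = "32"
    elif "." in mask:                        # dotted netmask -> prefix length
        mask = str(bin(int(ipaddress.ip_address(mask))).count("1"))
    net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return int(net.network_address), int(net.broadcast_address)


def parse_time(args):
    """Return (weekday set, start minute, end minute); no letters means every day."""
    days = set(range(7))
    if not args[0][0].isdigit():
        days, args = {DAY_LETTERS[c] for c in args[0]}, args[1:]
    start, end = (int(h) * 60 + int(m) for h, m in (p.split(":") for p in args[0].split("-")))
    return days, start, end


def parse_conf(text):
    """Collect acl definitions and http_access lines in file order."""
    acls, rules = {}, []
    for line in text.splitlines():
        t = line.split("#", 1)[0].split()
        if t[:1] == ["acl"] and t[2] == "src":
            acls.setdefault(t[1], ("src", []))[1].extend(parse_src(a) for a in t[3:])
        elif t[:1] == ["acl"] and t[2] == "time":
            acls[t[1]] = ("time", parse_time(t[3:]))
        elif t[:1] == ["http_access"]:
            rules.append((t[1], t[2:]))
    return acls, rules


def acl_matches(acl, client_ip, when):
    kind, data = acl
    if kind == "src":
        ip = int(ipaddress.ip_address(client_ip))
        return any(lo <= ip <= hi for lo, hi in data)
    days, start, end = data                  # time ACL: inclusive minute range
    return when.weekday() in days and start <= when.hour * 60 + when.minute <= end


def decide(acls, rules, client_ip, when):
    """First http_access line whose ACLs all match decides. If nothing matched,
    Squid would apply the opposite of the last line's action; a trailing
    'deny all' matches everything, so that case never arises here."""
    for action, names in rules:
        if all(acl_matches(acls[n], client_ip, when) for n in names):
            return action
    return "deny"


ACLS, RULES = parse_conf(CONF)


def decide_at(client_ip, timestamp):
    """Convenience wrapper over the parsed CONF; timestamp is 'YYYY-MM-DD HH:MM'."""
    return decide(ACLS, RULES, client_ip, datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for ip, ts in (("192.168.120.10", "2006-07-03 09:00"), ("192.168.120.10", "2006-07-08 22:00")):
        print(ip, ts, decide_at(ip, ts))
```

    A reference to an acl name that was never defined raises KeyError here, which mirrors Squid refusing to start on such a configuration; that is exactly the failure a missing time acl definition would cause in the list above.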

  • 2006-04-07

    panorama of nyc (photo, originally uploaded by joshua)

  • Lately my MS Windows 2000 has had constant virus outbreaks, and I wanted to switch to the Solaris 10 I installed a while ago, but there is really too little usable software for it, so I decided to add a FreeBSD + Gnome system. The steps basically follow my earlier "FreeBSD 5.4-RELEASE Chinese workstation installation notes (FreeBSD 5.4R + Gnome 2.10.0)", except that the FreeBSD version is now FreeBSD 6.1_beta2.

    Also, I used to log in to the character-mode system first and then run the startx command to start Gnome. This time I intend to log in through GDM. GDM is normally already on your system once GNOME is installed, but it is disabled by default; adding gdm_enable="YES" to /etc/rc.conf enables it. For Chinese input, GDM appearance settings and so on, see "Installing GDM under FreeBSD 5.x" by OneZ on Freebsdchina.org. When changing the GDM theme (normally done by running gdmsetup from /usr/X11R6/bin) I followed OneZ's article, but I could not find the gdmsetup program in /usr/X11R6/bin as he described. Was the article wrong? The GNOME China site says you only need to run gdmsetup as root, but that did not work for me either. Then it occurred to me that the files might be in different places because of the version difference, and finally I found gdmsetup in /usr/X11R6/sbin; after running ./gdmsetup, the GUI program for changing GDM themes at last "showed itself".

  • 2006-03-01

  • 2006-01-16

    Linux is Not Windows

    Contributor: Source: http://linux.oneandoneis2.org/LNW.htm, Chinese: http://www.ubuntu.org.cn/lnw, translation: laborer

    laborer's Chinese translation is somewhat hard to open, so I am reposting it here for the convenience of later readers. If you feel this infringes your copyright, write to me (funpower at gmail.com) and I will remove it immediately.
  • 2006-01-13

    Address: http://cnsnap.cn.freebsd.org/zh_CN/
  • 2006-01-11

    My PRRReciouss...... (photo, originally uploaded by MartWard)

  • Since I finished "FreeBSD 6.0-RELEASE + Squid + Socks5 server setup notes", the server has been running basically fine, but today I found the socks5 service unusable. Thinking the socks5 process had died, I ran stopsocks -KILL to stop socks5 and then restarted the service with the socks5 command. Before long, though, socks5 was unusable again. I immediately checked the network connections with netstat -nat and found one IP, 172.16.1.199, opening countless connections to port 1080 on the server. For the greater good I decided to block this IP's connections for now. I had never blocked an IP in socks5 before, so at first I did not manage it; only after reading "How to set up a socks5 proxy on Solaris 9" did I understand how.

    It is actually very simple: in socks5.conf an IP range is enabled with a permit line, and changing permit to deny does it. The method is as follows:

    Change /usr/local/etc/socks5.conf from:

    auth - - -
    permit - - 172.16. - - -
    set SOCKS5_NOIDENT
    set SOCKS5_V4SUPPORT

    to the following:

    deny - - 172.16.1.199/255.255.255.255 - - -
    auth - - -
    permit - - 172.16. - - -
    set SOCKS5_NOIDENT
    set SOCKS5_V4SUPPORT

  • This server is set up so that clients browse the web through the proxy server's squid and use QQ, MSN, stock-trading and other services through its socks5. Below is a brief account of the setup.

    I. Install FreeBSD 6.0-RELEASE

    Download the latest FreeBSD 6.0-RELEASE from ftp://ftp.freebsd.org/pub/FreeBSD/torrents/6.0-RELEASE, burn it to CD and choose the minimal installation (enable the ftp and ssh services during installation).

    Network information:
    Subnet -> 192.168.10.0/24
    fxp0 -> internal interface, 192.168.10.254
    em0 -> external interface, 218.104.52.x/32

    1. When choosing packages, choose the minimal installation.

    2. When editing inetd.conf, enable the ftp and telnet services.
    Leave everything else at the defaults; see here for details. Reboot the machine after installation.

    II. Configure FreeBSD

    1. Configure /etc/rc.conf:
    hostname="jifangproxy.jscpu.com"
    defaultrouter="218.104.52.x"
    ifconfig_em0="inet 218.104.52.x netmask 255.255.255.248"
    ifconfig_fxp0="inet 192.168.10.254 netmask 255.255.255.0"
    inetd_enable="YES"
    kern_securelevel_enable="NO"
    linux_enable="YES"
    nfs_reserved_port_only="YES"
    sendmail_enable="NONE"
    sshd_enable="YES"
    usbd_enable="NO"

    2. Configure /etc/resolv.conf:
    domain jscpu.com
    nameserver 218.104.48.106
    nameserver 221.***.66

    3. Put the CD in the drive and install ports and src
    # /usr/sbin/sysinstall
    Then choose Configure-->Distributions, select src and ports with the space bar, click Install, and reboot the machine after installation completes.

    III. Configure the kernel

    # cd /usr/src/sys/i386/conf
    # cp GENERIC funpower
    # ee funpower
    Configure the kernel according to the particular server.
    After editing funpower, compile and install the kernel:
    # /usr/sbin/config funpower
    # cd ../compile/funpower
    # make cleandepend
    # make depend
    # make
    # make install
    Reboot the machine after compiling and installing.

    IV. Install the squid service

    1. Install perl (from FreeBSD 5.4 on, perl must be installed before squid)

    Download perl-5.6.2.tar.gz from http://www.cpan.org/authors/id/R/RG/RGARCIA/, copy it into /usr/ports/distfiles, then:

    # cd /usr/ports/lang/perl5
    # make install

    2. Download and install squid

    Download the latest squid, squid-2.5.STABLE12.tar.gz, from http://www.squid-cache.org/Versions/v2/2.5/ and upload it by ftp to a directory on the server.

    <Install>
    # cd /home/funpower
    # tar zxvf squid-2.5.STABLE12.tar.gz
    # cd squid-2.5.STABLE12
    # ./configure --prefix=/usr/local/squid
    # make
    # make install

    <Edit the squid configuration file>
    # cd /usr/local/squid/etc
    # ee squid.conf
    Change the following items in the configuration file:
    http_port 3128          // line 56
    cache_mem 128 MB     // line 490
    cache_dir ufs /usr/local/squid/cache 1024 16 256      // line 705
    cache_access_log /dev/null              // line 712
    cache_log /dev/null                    // line 720
    cache_store_log none                  // line 730
    Add the following to the configuration file:
    acl web src 192.168.10.254             // insert before the line "acl all src 0.0.0.0/0.0.0.0", around line 1830
    http_access allow web               // insert before the line "http_access deny all", around line 1890
    Add these four lines at the beginning of the configuration file:
    visible_hostname jifangproxy.jscpu.com
    cache_mgr admin@jifangproxy.jscpu.com
    cache_effective_user squid
    cache_effective_group squid

    <Add the user and group and adjust directory permissions>
    # pw groupadd squid
    # pw adduser squid -g squid -s /nonexistent
    # mkdir /usr/local/squid/cache
    # chown -R squid /usr/local/squid/cache
    # chgrp -R squid /usr/local/squid/cache
    # chown -R squid /usr/local/squid/var/logs
    # chgrp -R squid /usr/local/squid/var/logs

    <Create the initial cache directories>
    # /usr/local/squid/sbin/squid -Z
    Run squid as a test; if no errors appear and the top command shows a squid process, the installation succeeded:
    # cd /usr/local/squid/sbin
    # ./squid

    <Create a squid startup script (start with the system)>
    # ee /etc/rc.local
    Add the following line, then save and exit:
    /usr/local/squid/sbin/squid

    Reboot the server.

    V. Install the socks5 service

    1. Download and install socks5

    Download socks5-v1.0r11.tar.gz (401.093 KB; the one I provide is this) from 北大天网 (Peking University Tianwang), copy it to the server by FTP, then:

    # cd /home/funpower
    # cp socks5-v1.0r11.tar.gz /usr/ports/distfiles

    <Check distinfo>
    # cd /usr/ports/net/socks5
    # more distinfo
    It shows:
    MD5 (socks5-v1.0r11.tar.gz) = 9d6db7d3c425bbafb8c8d67e128eedfe
    SIZE (socks5-v1.0r11.tar.gz) = 401093
    Check that SIZE matches the size of the file just downloaded (401.093 KB)
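
    Comparing the size alone catches a truncated download but not a different or modified file; the MD5 line in distinfo is what actually checks the content (and the ports system verifies it during make install). As an added example (not from the original notes), the following Python function verifies a file against a distinfo text for both SIZE and digest. The distinfo lines and file bytes inside are constructed (the MD5 of "abc"), and SHA256 lines, which newer ports trees record instead of MD5, are accepted as well.

```python
"""Verify a distfile against its ports distinfo entry. Added example, not part of
the original notes: the check above compares only the SIZE, which catches a
truncated download but not a different or tampered file, so this also checks the
recorded digest. The distinfo lines and file bytes are constructed (MD5 of
b"abc"); SHA256 lines, which newer ports trees record, are accepted as well."""
import hashlib
import re

DISTINFO = """\
MD5 (example-1.0.tar.gz) = 900150983cd24fb0d6963f7d28e17f72
SIZE (example-1.0.tar.gz) = 3
"""
SAMPLE_FILE = b"abc"            # stand-in for the downloaded tarball

LINE_RE = re.compile(r"^(\w+)\s+\((\S+)\)\s+=\s+(\S+)$")   # "ALG (file) = value"


def parse_distinfo(text):
    """Return {filename: {"SIZE": int, "MD5": hex, "SHA256": hex, ...}}."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, name, value = m.group(1).upper(), m.group(2), m.group(3)
        entries.setdefault(name, {})[key] = int(value) if key == "SIZE" else value.lower()
    return entries


def verify_distfile(data, name, distinfo_text):
    """Return a list of mismatches; an empty list means the file checks out."""
    entry = parse_distinfo(distinfo_text).get(name)
    if entry is None:
        return [f"{name}: no distinfo entry"]
    problems = []
    if "SIZE" in entry and entry["SIZE"] != len(data):
        problems.append(f"SIZE: distinfo {entry['SIZE']}, file {len(data)}")
    digests = [alg for alg in ("SHA256", "MD5") if alg in entry]
    if not digests:
        problems.append("no digest recorded; SIZE alone cannot detect a modified file")
    for alg in digests:
        got = hashlib.new(alg.lower(), data).hexdigest()
        if got != entry[alg]:
            problems.append(f"{alg}: distinfo {entry[alg]}, file {got}")
    return problems


if __name__ == "__main__":
    print(verify_distfile(SAMPLE_FILE, "example-1.0.tar.gz", DISTINFO))   # []
    print(verify_distfile(b"abd", "example-1.0.tar.gz", DISTINFO))        # MD5 mismatch
```

    For a real distfile, read the tarball with open(path, "rb").read() and the distinfo with open("distinfo").read(); a single-byte change in the archive changes the digest while leaving SIZE identical, which is why the size check on its own is not enough.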

    <Install>
    # cd /usr/ports/net/socks5
    # make install

    2. Configure socks5

    # cd /usr/local/etc
    # ee socks5.conf
    <Contents>
    auth - - -
    permit - - 192.168. - - -
    set SOCKS5_NOIDENT
    set SOCKS5_V4SUPPORT

    Save and exit, then reboot the server.

    Then use QQ's connection test to test the server's HTTP port 3128 and SOCKS5 port 1080.

    Author: 老管  email: funpower@gmail.com
    References: Configuring and implementing SOCKS v5 on Linux; Installing Squid on FreeBSD
  • 2005-12-23

    freebsd-desktop (photo, originally uploaded by 老管): My FreeBSD desktop :)
  • For the past few days the school network kept dropping in and out. I kept assuming it was the newly set up gateway server, so a few days ago I tuned it (mainly /etc/sysctl.conf and the ip_state.h file), but in the end the cause turned out to be viruses on internal machines plus growing network traffic (nothing limits it), nothing to do with the gateway server. So I finally decided to give up ipfilter and use squid instead; the simpler the better, and that saying is quite right. I used ipfilter this time so that clients would be easy to set up, never expecting the side effects on the server to be this severe (mainly viruses hammering the internal interface, plus P2P software downloading without limit). Today I am removing ipfilter from the kernel:

    # cd /usr/src/sys/i386/conf
    # cp funpower2 funpower3   // create a new kernel configuration file by copying
    # ee funpower3

    Comment out the following three lines (add a # sign):
    #options         IPFILTER
    #options         IPFILTER_LOG
    #options         IPFILTER_DEFAULT_BLOCK

    # /usr/sbin/config funpower3
    # cd ../compile/funpower3
    # make cleandepend
    # make depend
    # make
    # make install

    When compilation reached the make command, the following error appeared:

    In file included from /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/mlfk_ipl.c:26:
    /usr/src/sys/modules/ipfilter/../../contrib/ipfilter/netinet/ip_state.h:24: error: syntax error before "IPSTATE_SIZE"
    *** Error code 1

    Stop in /usr/src/sys/modules/ipfilter.
    *** Error code 1

    Stop in /usr/src/sys/modules.
    *** Error code 1

    Stop in /usr/src/sys/i386/compile/funpower2.

    Seeing the ip_state.h file that I had changed during tuning in the error message, I knew it must be related to that tuning, and immediately restored the original settings, changing the tuned contents:

    #ifndef IPSTATE_SIZE
    define IPSTATE_SIZE    64997
    #endif
    #ifndef IPSTATE_MAX
    define IPSTATE_MAX     45497    /* Maximum number of states held */
    #endif

    to (adding two # signs):

    #ifndef IPSTATE_SIZE
    #define IPSTATE_SIZE    5737
    #endif
    #ifndef IPSTATE_MAX
    #define IPSTATE_MAX     4013    /* Maximum number of states held */
    #endif

    Then go back into the compile directory and rebuild (the steps completed earlier do not need repeating; just run make):

    # cd /usr/src/sys/i386/compile/funpower2
    # make   // make cleandepend, make depend, etc. completed earlier do not need repeating; just make
    # make install

    Then edit /etc/rc.conf and remove the startup options:

    # cd /etc
    # ee rc.conf
    Remove the following four lines (add a # sign):
    #ipfilter_enable="YES"
    #ipfilter_rules="/etc/ipf.conf"
    #ipnat_enable="YES"
    #ipnat_rules="/etc/ipnat.conf"

    Reboot the server; the removal of ipfilter is complete.