FreeBSD笔记.bak http://funpower.blogbus.com ]]> by blogbus.com Mon, 30 Nov 2009 00:38:11 +0800 http://public.blogbus.com/profile/3/9/5/28593/avatar_28593_96.jpg FreeBSD笔记.bak http://funpower.blogbus.com FreeBSD6.1Release下利用BIND架设DNS服务器 通过此服务器,使内网用户能正常访问INTERNET,这里我们使用FreeBSD自带的BIND来实现DNS的解析,事实上INTERNET上很多DNS都使用了这个软件。基本的操作步骤如下:

DNS父域(edu.cn)给我的信息如下:
域 -> wxicab.edu.cn
DNS主服务器 -> 58.193.128.55 [dns1.wxicab.edu.cn]
DNS辅服务器 -> 58.193.128.56 [dns2.wxicab.edu.cn]
(本笔记中只架设主服务器的配置过程)

网卡接口说明:
xl0:3com外网网卡接口

预先想好的DNS信息表:
Domain:wxicab.edu.cn
DNS Server:dns1.wxicab.edu.cn(58.193.128.55) dns2.wxicab.edu.cn(58.193.128.56)
58.193.128.55 -> dns1.wxicab.edu.cn (DNS主服务器)
58.193.128.56 -> dns2.wxicab.edu.cn (DNS辅服务器)
58.193.128.53 -> wxicab.edu.cn (WEB服务器)
58.193.128.53 -> www.wxicab.edu.cn (WEB服务器)
58.193.128.52 -> mail.wxicab.edu.cn (邮件服务器)
58.193.128.51 -> ftp.wxicab.edu.cn (文件服务器)
58.193.128.50 -> windowsupdate.wxicab.edu.cn (Windows升级服务器)
58.193.128.49 -> virus.wxicab.edu.cn (防病毒服务器)


开始安装:

1、下载并安装FreeBSD6.1Release
从ftp: //ftp.FreeBSD.org/pub/FreeBSD/下载FreeBSD6.1Release镜像文件,然后刻成光盘,将服务器设置成从光驱启动,开始安装,安装时我选择最小化安装,开通ftp及ssh。其它的默认安装就可以。具体可参考这篇文章。安装完后重启机器。

2、基本的配置
配置/etc/rc.conf
# cd /etc
# ee rc.conf
内容如下:
hostname="dns1.wxicab.edu.cn"
defaultrouter="58.193.128.254"
ifconfig_xl1="inet 58.193.128.55 netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"

3、 配置DNS

(1)新建并配置/etc/named/db.wxicab.edu.cn(从主机名到IP的映射)
# cd /etc/namedb
# ee db.wxicab.edu.cn
内容如下:
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
2006626
3h
1h
1w
1h )

          IN NS dns1
          IN NS dns2

          IN A 58.193.128.53
          IN MX 10 mail.wxicab.edu.cn.
dns1 IN A 58.193.128.55
dns2 IN A 58.193.128.56
mail IN A 58.193.128.52
ftp IN A 58.193.128.51
windowsupdate IN A 58.193.128.50
virus IN A 58.193.128.49

www IN CNAME wxicab.edu.cn.

(2)新建并配置/etc/named/db.58.193.128(从IP到主机名的映射)
# cd /etc/namedb
# ee db.58.193.128
内容如下:
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
2006626
3h
1h
1w
1h )

          IN NS dns1.wxicab.edu.cn.
          IN NS dns2.wxicab.edu.cn.
56 IN PTR dns1.wxicab.edu.cn.
55 IN PTR dns2.wxicab.edu.cn.
53 IN PTR wxicab.edu.cn.
52 IN PTR mail.wxicab.edu.cn.
51 IN PTR ftp.wxicab.edu.cn.
50 IN PTR windowsupdate.wxicab.edu.cn.
49 IN PTR virus.wxicab.edu.cn.

(3)配置locahost.rev文件:
# cd /etc/namedb
# chmod 755 make-localhost
# ./make-localhost
运行后在/etc/namedb/master目录下会自动生成localhost.rev和localhost-v6.rev两个文件;localhost-v6.rev是针对下一代IP,暂时用不到,我的localhost.rev文件的内容为:

$TTL 3600
@ IN SOA dns1.wxicab.edu.cn. root.dns1.wxicab.edu.cn. (
20060627 ; Serial
3600 ; Refresh
900 ; Retry
3600000 ; Expire
3600 ) ; Minimum
          IN NS dns1.wxiabc.edu.cn.
1 IN PTR localhost.wxicab.edu.cn.

(4)配置/etc/namedb/named.conf文件:
# cd /etc/namedb
# ee named.conf
内容如下:
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
};
zone "." {
type hint;
file "named.root";
};
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "master/localhost.rev";
};
zone "wxicab.edu.cn" {
type master;
file "db.wxicab.edu.cn";
};
zone "128.193.58.in-addr.arpa" {
type master;
file "db.58.193.128";
};

(5)开启named服务器,并使其和系统一起启动
在/etc/rc.conf中加入如下一行:

named_enable="YES"

编辑后保存退出。

重启服务器,利用top命令查看,如果有named进程,说明启动正常。然后找一台客户机,将DNS设置成本机IP:58.193.128.55,然后ping edu.cn测试,如果能ping通,说明解析正常。也可以使用nslookup工具测试。

作者:老管(funpower) email:funpower@gmail.com 2006-7-1
参考文章:25.6 域名系统 (DNS) 《DNS与BIND(第四版)》

随机文章:


收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2733362.html funpower Sat, 01 Jul 2006 14:26:00 +0800 FreeBSD6.1Release下利用route和ipfilter架设路由 架设此服务器,使内网用户通过本服务器与外界通讯;基本原理为内网用户通过FreeBSD内自带的网关路由功能(route与外网进行通讯,服务器的安全性及病毒的防护控制通过FreeBSDipfilter来完成。初步架设过程如下:

网卡接口说明:
vr0:外网网卡接口
vr1:内网网卡接口

1    最小化安装FreeBSD6.1Release
ftp://ftp.FreeBSD.org/pub/FreeBSD/下载FreeBSD6.1Release镜像文件,然后刻成光盘,将服务器设置成从光驱启动,开始安装,安装时我选择最小化安装,开通ftpssh。其它的默认安装就可以。具体可参考这篇文章。安装完后重启机器。

2    安装内核
将安装光盘放入光驱,然后:

# /usr/sbin/sysinstall

然后选择Configure --> Distributions -> src -> sys,点install,安装完成后重启机器。

3    基本的配置
配置/etc/rc.conf

# cd /etc
# ee rc.conf

内容如下:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"
 
配置/etc/resolv.conf

# ee /etc/rc.conf

内容如下:
nameserver 58.193.112.1

4    配置内核,加入对ipfilter的支持

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

然后开始编辑内核文件,机器和应用方面的不同会有不同的内核文件,因为需要用到ipfilter,我们加入对ipfilter的支持。在内核中加入如下内容:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
其它选项可以参考这篇文章,然后自己定制。编辑完后保存退出。然后进行如下操作:

# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install

编译完后重启服务器(因为ipfilter默认是阻止所有通讯,所以确保你是在服务器前操作)

5    /etc/rc.conf中加入路由选项

# cd /etc
# ee rc.conf

在最后加入如下几行:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30" //说明第一个IP为内网IP范围;第二个IP为外网网卡的网关地址

6    配置ipfilter
/etc/rc.conf中加入:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
然后编辑/etc/ipf.conf文件

# cd /etc/
# ee ipf.conf

内容如下:
#环路网卡lo0 
#out in 全部通过
pass in quick on lo0 all
pass out quick on lo0 all

#外网网卡vr0
#out 只让开通的IP通讯
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/8
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 127.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3

#开通58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

#开通58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

#开通58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

#开通58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

block out on vr0 all

#in 阻止一些IP(比如私有IP)和一些病毒攻击端口(138139445)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

block in log on vr0 all


#内网网卡vr1
#out 全部通过
pass out on vr1 all
#in 全部通过
pass in on vr1 all

配置完后重启服务器。

找一台客户机测试,首先使用ipf.conf中开通的IP,然后ping edu.cn,可以ping通,说明可以连接外网了。
然后将IP设置为不是开通列表中的IP,如果ping不通,则说明ipf.conf的设置生效了。

作者:老管(funpower     emailfunpower@gmail.com  2006-6-30
参考文章:IP Filter Based Firewalls HOWTO 26.5 IPFILTER (IPF) 防火墙(freebsd handbook) 27.2 网关和路由



随机文章:


收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2733360.html funpower Sat, 01 Jul 2006 14:25:00 +0800 FreeBSD6.0下通过squid的acl语句对上网用户作进一步设置 去年末写过<FreeBSD6.0Release+Squid+Socks5服务器架设笔记>, 但对某些用户的上网还没作进一步的限制. 今天完成这项工作.

以下为通过squid的acl语句对上网用户进行限制:

1. 先列出表格:

--------星期一星期二星期三星期四星期五星期六星期天
特殊用户
00:00-24:0000:00-24:0000:00-24:0000:00-24:0000:00-24:0000:00-24:00
00:00-24:00
 用户18:30-23:008:30-23:0012:00-23:008:30-23:008:30-23:008:00-21:308:00-21:30
 用户214:30-23:0014:30-23:0012:00-23:0014:30-23:0014:30-23:008:00-21:308:00-21:30
 用户316:00-23:0016:00-23:0012:00-23:0016:00-23:0016:00-23:008:00-21:308:00-21:30
 用户416:30-23:0016:30-23:0012:00-23:0016:30-23:0016:30-23:008:00-21:308:00-21:30


2. 编辑/usr/local/squid/etc/squid.conf文件, 从1475行开始, 加入如下内容:

acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32 192.168.121.212/32
acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
acl yonghu2 src 192.168.120.53-192.168.120.104/255.255.255.255
acl yonghu3 src 192.168.120.105-192.168.120.157/255.255.255.255
acl yonghu4 src 192.168.120.158-192.168.120.208/255.255.255.255
acl 8:30-23:00 time MTHF 8:30-23:00
acl 14:30-23:00 time MTHF 14:30-23:00
acl 16:00-23:00 time MTHF 16:00-23:00
acl shan time W 12:00-23:00
acl zm time AS 8:00-21:30
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tieshuyonghu
http_access allow yonghu1 8:30-23:00
http_access allow yonghu1 shan
http_access allow yonghu2 14:30-23:00
http_access allow yonghu2 shan
http_access allow yonghu3 16:00-23:00
http_access allow yonghu3 shan
http_access allow yonghu3 zm
http_access allow yonghu4 16:30-23:00
http_access allow yonghu4 shan
http_access allow yonghu4 zm
http_access deny all

这里利用了squid的acl中的src和time两个标签, time对星期的表示为 S-Sunday(星期天)  M-Monday(星期一) T-Tuesday(星期二)  W-Wednesday(星期三) H-Thursday(星期四)  F-Friday(星期五)  A-Saturday(星期六), 对acl更多的信息可看这里.

随机文章:


收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2733348.html funpower Sat, 01 Jul 2006 14:19:00 +0800 FreeBSD6.1Release下利用route和ipfilter架设路由 架设此服务器,使内网用户通过本服务器与外界通讯;基本原理为内网用户通过FreeBSD内自带的网关路由功能(route与外网进行通讯,服务器的安全性及病毒的防护控制通过FreeBSDipfilter来完成。初步架设过程如下:

网卡接口说明:
vr0:外网网卡接口
vr1:内网网卡接口

1    最小化安装FreeBSD6.1Release
ftp://ftp.FreeBSD.org/pub/FreeBSD/下载FreeBSD6.1Release镜像文件,然后刻成光盘,将服务器设置成从光驱启动,开始安装,安装时我选择最小化安装,开通ftpssh。其它的默认安装就可以。具体可参考这篇文章。安装完后重启机器。

2    安装内核
将安装光盘放入光驱,然后:

# /usr/sbin/sysinstall

然后选择Configure --> Distributions -> src -> sys,点install,安装完成后重启机器。

3    基本的配置
配置/etc/rc.conf

# cd /etc
# ee rc.conf

内容如下:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"
 
配置/etc/resolv.conf

# ee /etc/rc.conf

内容如下:
nameserver 58.193.112.1

4    配置内核,加入对ipfilter的支持

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

然后开始编辑内核文件,机器和应用方面的不同会有不同的内核文件,因为需要用到ipfilter,我们加入对ipfilter的支持。在内核中加入如下内容:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
其它选项可以参考这篇文章,然后自己定制。编辑完后保存退出。然后进行如下操作:

# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install

编译完后重启服务器(因为ipfilter默认是阻止所有通讯,所以确保你是在服务器前操作)

5    /etc/rc.conf中加入路由选项

# cd /etc
# ee rc.conf

在最后加入如下几行:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30" //说明第一个IP为内网IP范围;第二个IP为外网网卡的网关地址

6    配置ipfilter
/etc/rc.conf中加入:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
然后编辑/etc/ipf.conf文件

# cd /etc/
# ee ipf.conf

内容如下:
#环路网卡lo0 
#out in 全部通过
pass in quick on lo0 all
pass out quick on lo0 all

#外网网卡vr0
#out 只让开通的IP通讯
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/8
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 127.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3

#开通58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

#开通58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

#开通58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

#开通58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

block out on vr0 all

#in 阻止一些IP(比如私有IP)和一些病毒攻击端口(138\139\445)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

block in log on vr0 all


#内网网卡vr1
#out 全部通过
pass out on vr1 all
#in 全部通过
pass in on vr1 all

配置完后重启服务器。

找一台客户机测试,首先使用ipf.conf中开通的IP,然后ping edu.cn,可以ping通,说明可以连接外网了。
然后将IP设置为不是开通列表中的IP,如果ping不通,则说明ipf.conf的设置生效了。

作者:老管(funpower     emailfunpower@gmail.com  2006-6-30
参考文章:IP Filter Based Firewalls HOWTO \ 26.5 IPFILTER (IPF) 防火墙(freebsd handbook) \ 27.2 网关和路由


随机文章:

2006-01-11 2006-01-11
2005-11-08 2005-11-08
测试php方法 2005-10-28

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2728727.html funpower Fri, 30 Jun 2006 19:23:33 +0800 FreeBSD6.0下通过squid的acl语句对上网用户作进一步设置 去年末写过<FreeBSD6.0Release+Squid+Socks5服务器架设笔记>, 但对某些用户的上网还没作进一步的限制. 今天完成这项工作.

以下为通过squid的acl语句对上网用户进行限制:

1. 先列出表格:

--------星期一星期二星期三星期四星期五星期六星期天
特殊用户
00:00-24:0000:00-24:0000:00-24:0000:00-24:0000:00-24:0000:00-24:00
00:00-24:00
 用户18:30-23:008:30-23:0012:00-23:008:30-23:008:30-23:008:00-21:308:00-21:30
 用户214:30-23:0014:30-23:0012:00-23:0014:30-23:0014:30-23:008:00-21:308:00-21:30
 用户316:00-23:0016:00-23:0012:00-23:0016:00-23:0016:00-23:008:00-21:308:00-21:30
 用户416:30-23:0016:30-23:0012:00-23:0016:30-23:0016:30-23:008:00-21:308:00-21:30


2. 编辑/usr/local/squid/etc/squid.conf文件, 从1475行开始, 加入如下内容:

acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32 192.168.121.212/32
acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
acl yonghu2 src 192.168.120.53-192.168.120.104/255.255.255.255
acl yonghu3 src 192.168.120.105-192.168.120.157/255.255.255.255
acl yonghu4 src 192.168.120.158-192.168.120.208/255.255.255.255
acl 8:30-23:00 time MTHF 8:30-23:00
acl 14:30-23:00 time MTHF 14:30-23:00
acl 16:00-23:00 time MTHF 16:00-23:00
acl shan time W 12:00-23:00
acl zm time AS 8:00-21:30
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tieshuyonghu
http_access allow yonghu1 8:30-23:00
http_access allow yonghu1 shan
http_access allow yonghu2 14:30-23:00
http_access allow yonghu2 shan
http_access allow yonghu3 16:00-23:00
http_access allow yonghu3 shan
http_access allow yonghu3 zm
http_access allow yonghu4 16:30-23:00
http_access allow yonghu4 shan
http_access allow yonghu4 zm
http_access deny all

这里利用了squid的acl中的src和time两个标签, time对星期的表示为 S-Sunday(星期天)  M-Monday(星期一) T-Tuesday(星期二)  W-Wednesday(星期三) H-Thursday(星期四)  F-Friday(星期五)  A-Saturday(星期六), 对acl更多的信息可看这里.

随机文章:

2005-12-15 2005-12-15
cnfug.org改版 2005-10-09

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2728719.html funpower Fri, 30 Jun 2006 19:21:10 +0800 2006-04-07
panorama of nyc
Originally uploaded byjoshua.

随机文章:

2006-03-01 2006-03-01
2006-01-13 2006-01-13
2006-01-11 2006-01-11
2005-12-23 2005-12-23

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/2219549.html funpower Fri, 07 Apr 2006 15:32:42 +0800 Windows2000中毒,重新架设FreeBSD桌面系统(FreeBSD6.1_beta2 + Gnome-2.12.3) aaa

aaa

最近MS的windows2000一直病毒发作,想换到前段时间安装的Solaris10上,但可用软件实在太少,于是决定加一个FreeBSD + Gnome系统,步骤基本上按以前写的《FreeBSD5.4Release中文工作站安装笔记 (Freebsd5.4R+Gnome2.10.0) 》安装笔记进行安装,只是FreeBSD版本换成FreeBSD6.1_beta2

另外,以前登陆系统都是先登陆字符界面系统,然后运行startx命令来启动Gnome。这次准备利用GDM来登陆系统,一般安装完GNOME后GDM已经在你的系统中,但默认是禁用的。通过在/etc/rc.conf中加入gdm_enable="YES"就可以启用了。还有一些中文输入及GDM外观设置等具体可参考Freebsdchina.org上OneZ写的FreeBSD 5.x下GDM的安装我在更换GDM的主题(一般是运行/usr/X11R6/bin下的gdmsetup来更换)时参考OneZ文章,但我在他所说的/usr/X11R6/bin下没有找到gdmsetup程序,难道是文章有问题,在GNOME中国站中说只需用root帐号运行gdmsetup即可,但我也不成功。于是就想到会不会是版本原因一些文件放的位置不一样,最后,终于在/usr/X11R6/sbin中找到了gdmsetup,运行./gdmsetup命令,GDM的更换主题GUI程序终于"现身"。


随机文章:


收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/1998084.html funpower Fri, 03 Mar 2006 10:28:26 +0800 2006-03-01
FreeBSD6.1-beta2 + Gnome-2.12.3
Originally uploaded by老管&aposs photo.

随机文章:

2006-04-07 2006-04-07
2006-01-13 2006-01-13
2006-01-11 2006-01-11
2005-12-23 2005-12-23

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/1989727.html funpower Wed, 01 Mar 2006 11:07:04 +0800 Linux不是Windows 贡献人: 来源:http://linux.oneandoneis2.org/LNW.htm, 中文:http://www.ubuntu.org.cn/lnw, 翻译:laborer

laborer翻译的中文版有些难打开,所以转载过来,方便后来人查询。如您觉得侵害了您的版权,请来信(funpower at gmail.com)告知,我立即删除。

随机文章:

2006-04-07 2006-04-07
2006-03-01 2006-03-01
2006-01-13 2006-01-13
2006-01-11 2006-01-11
2005-12-23 2005-12-23

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/1826972.html funpower Mon, 16 Jan 2006 12:01:46 +0800 2006-01-13
freebsd官方中文网
Originally uploaded by老管&aposs photo.地址: http://cnsnap.cn.freebsd.org/zh_CN/

随机文章:

2006-04-07 2006-04-07
2006-03-01 2006-03-01
2006-01-11 2006-01-11
2005-12-23 2005-12-23

收藏到:Del.icio.us


博客大巴,你的个人传媒早班车


]]> http://funpower.blogbus.com/logs/1816565.html funpower Fri, 13 Jan 2006 08:36:32 +0800