xzjt1982 posted on 2005-4-28 19:19:16

Starting with FreeBSD 5.3-RELEASE, OpenBSD's packet filter (pf) firewall has been pulled in. IPF has no traffic control, and IPFW is inefficient. PF also includes ALTQ (random fair mechanism) and can support multiple lines in and out.

Hardware configuration: CY 2.1GHz, DDR 400/256MB, Intel 845GL, ST 7200.7 40GB, 2 x Intel 82559 NICs. Single line: 4Mbps China Telecom fiber.
fxp0       public network (WAN)
fxp1       internal network (LAN)
Web server 192.168.0.200 (ASP + streaming media), port 8080.

1. Download FreeBSD 5.3R (ftp.freebsd.org.cn) and install the full source tree.

2. Build the kernel.
A. Edit GENERIC (best to keep a copy of GENERIC as a backup). On i386 the file lives in the architecture directory, not in /usr/src/sys/conf:
#cd /usr/src/sys/i386/conf
#cp GENERIC GENERIC.orig
#vi GENERIC
----------------------------------------------------------
machine         i386                    # keep from GENERIC: config(8) needs machine/cpu/ident
cpu             I686_CPU
ident           GENERIC

device          pf
device          pflog
device          pfsync
options         ALTQ
options         ALTQ_CBQ                # Class Based Queueing (CBQ)
options         ALTQ_RED                # Random Early Detection (RED)
options         ALTQ_RIO                # RED In/Out
options         ALTQ_HFSC               # Hierarchical Packet Scheduler (HFSC)
options         ALTQ_PRIQ               # Priority Queueing (PRIQ)
options         PANIC_REBOOT_WAIT_TIME=0 # reboot immediately on a kernel panic
options         DEVICE_POLLING          # enable NIC polling, improves network response time
options         HZ=2000                 # man 4 polling
options         IPSTEALTH               # stealth IP forwarding (no TTL decrement)
options         TCP_DROP_SYNFIN         # drop SYN+FIN packets, defeats fingerprinting of the server
options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         MD_ROOT                 # MD is a potential root device
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
device          apic                    # I/O APIC

# Bus support. Do not remove isa, even if you have no isa slots
device          isa
device          pci

# Floating point support - do not disable on i386
device          npx

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          vga                     # VGA video card driver
device          splash                  # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices - keep these from GENERIC: a firewall needs all of them
device          random                  # Entropy device
device          loop                    # Network loopback (lo0, used by the ftp-proxy rdr to 127.0.0.1)
device          ether                   # Ethernet support
device          bpf                     # Berkeley packet filter (required by pflogd and tcpdump)
device          vlan                    # IEEE 802.1Q VLAN Support
----------------------------------------------------------------------
Comment out (#) everything else.
#config GENERIC
#cd ../compile/GENERIC
#make depend all install
#shutdown -r now

3. #vi /etc/sysctl.conf   # enable IP forwarding (NAT), tune parameters, DDoS mitigation
net.inet.ip.forwarding=1                # forward packets between fxp0 and fxp1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
net.inet.udp.sendspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=100               # rate-limit ICMP error replies
net.inet.icmp.icmplim_output=0          # do not log when the limit is hit
net.inet.tcp.drop_synfin=1              # needs TCP_DROP_SYNFIN in the kernel (above)
net.inet.tcp.msl=7500
net.inet.tcp.syncookies=1               # survive SYN floods
net.inet.tcp.blackhole=2                # no RST for closed TCP ports
net.inet.udp.blackhole=1                # no ICMP unreachable for closed UDP ports
net.inet.raw.maxdgram=65536
net.inet.raw.recvspace=65536

4. #vi /etc/inetd.conf   Remove the # on the last line to enable the FTP proxy, for compatibility with active FTP.
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

5. #vi /etc/resolv.conf   Create the DNS resolver file; change these to your own.
nameserver 202.96.128.143
nameserver 61.144.56.100

6. #vi /etc/rc.conf
gateway_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
inetd_enable="YES"                                        # inetd is off by default in 5.x; needed for the ftp-proxy line in step 4
defaultrouter="xxx.xxx.xxx.xxx"                           # China Telecom gateway
hostname="www.csf.com"
ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0"  # WAN IP
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.0"      # LAN IP of the gateway itself (a host address; 192.168.0.0 is the network address and cannot be assigned)
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile

7. #vi /etc/pf.conf
wan_if="xxx.xxx.xxx.xxx"        # WAN IP
web_if="192.168.0.200"          # web server
lan_if="192.168.0.0/24"         # internal network segment

scrub in all

nat on fxp0 from fxp1:network to any -> fxp0                              # translate LAN addresses to the WAN IP
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021      # (not sure whether this line fixes the FTP compatibility problem? LIST comes back empty on some FTP sites)
rdr on fxp0 proto tcp from any to $wan_if port 80 -> $web_if port 8080    # map WAN port 80 to the streaming server at 192.168.0.200
rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 -> $web_if port 8080  # reflection: LAN users reaching the streaming server through the WAN IP
nat on fxp1 proto tcp from $lan_if to $web_if port 8080 -> fxp1           # required by the reflection rdr: otherwise the server answers the LAN client directly from 192.168.0.200:8080 and the client resets the connection
block in quick proto icmp from any to $wan_if
block in quick proto { tcp, udp } from any to any port { 135
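A complete pf.conf for the same fxp0 (WAN) / fxp1 (LAN) gateway, added here as an example and not the poster's file. It shows the section order pfctl enforces (options, scrub, translation, filter), the second nat rule that makes the port-80 reflection actually work, the ftp-proxy data-channel rule for active FTP, and a default-deny filter with synproxy on the one published port. Assumed values: 203.0.113.10 stands in for the real WAN address (the post writes xxx.xxx.xxx.xxx), 192.168.0.1 is the gateway's LAN address, and the Windows port list is my own choice since the post's list is cut off.

```pf
# /etc/pf.conf - added example for the gateway described above (not the poster's config).
# Assumptions: WAN address 203.0.113.10, gateway LAN address 192.168.0.1, ftp-proxy from inetd
# on 127.0.0.1:8021 dropping privileges to user "proxy" (its default).
ext_if   = "fxp0"
int_if   = "fxp1"
wan_ip   = "203.0.113.10"
lan_net  = "192.168.0.0/24"
web_srv  = "192.168.0.200"
web_port = "8080"
win_ports = "{ 135, 137, 138, 139, 445 }"   # assumed list of Windows RPC/NetBIOS/SMB ports

# --- options ---
set block-policy drop            # silently drop, do not send RST/unreachable
set loginterface $ext_if         # pfctl -si shows WAN counters

# --- normalization ---
scrub in all                     # reassemble fragments before filtering

# --- translation (nat/rdr run before the filter; the filter sees translated addresses) ---
nat on $ext_if from $lan_net to any -> $wan_ip

# active FTP from the LAN goes through ftp-proxy(8) listening on loopback
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021

# published web/streaming service on the WAN address
rdr on $ext_if proto tcp from any to $wan_ip port 80 -> $web_srv port $web_port

# reflection: LAN clients use the public name/address.  The rdr alone is not enough,
# because the server would reply straight to the client from 192.168.0.200:8080 while the
# client expects 203.0.113.10:80; nat the reflected flow to the gateway's LAN address so
# the reply comes back through pf and both translations are undone.
rdr on $int_if proto tcp from $lan_net to $wan_ip port 80 -> $web_srv port $web_port
nat on $int_if proto tcp from $lan_net to $web_srv port $web_port -> $int_if

# --- filter: default deny, everything blocked is logged to pflog0 ---
block log all
pass quick on lo0 all

# packets claiming a LAN source on the wrong interface are dropped before anything else
antispoof quick for $int_if inet

# Windows noise from the Internet, dropped early
block in quick on $ext_if proto { tcp, udp } from any to any port $win_ports

# let the outside ping us; ICMP errors for existing states pass via the state table
pass in on $ext_if inet proto icmp all icmp-type echoreq keep state

# the one published service: synproxy completes the handshake on the gateway, so
# a SYN flood never reaches the streaming server (destination is post-rdr)
pass in on $ext_if proto tcp from any to $web_srv port $web_port flags S/SA synproxy state

# active-FTP data channel: the remote server connects back to ftp-proxy's listening socket
pass in on $ext_if inet proto tcp from any port 20 to $wan_ip user proxy flags S/SA keep state

# LAN is trusted outbound; the gateway may talk out on both sides
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
pass out on $ext_if keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before it is ever loaded: with `kern_securelevel="2"` as in the rc.conf above, pf accepts only read-only ioctls once the securelevel is raised, so a later `pfctl -f /etc/pf.conf` fails with "Operation not permitted" and a syntax error in the file means the box comes up with no rules until the next reboot. Keep securelevel at 1 while testing, then inspect what is actually loaded with `pfctl -sn` (translation), `pfctl -sr` (filter), `pfctl -ss` (states) and `tcpdump -n -e -ttt -r /var/log/pflog` for the blocked traffic.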

xzjt1982 posted on 2005-4-28 19:22:13

Sorry, this is a repost; I forgot to say so.
View full version: freebsd5.3r+pf firewall