Starting with FreeBSD 5.3-RELEASE, FreeBSD has adopted OpenBSD's packet filter (pf) firewall. IPF has no traffic control and IPFW is inefficient. PF also includes ALTQ (stochastic fair queueing), which can support multiple inbound/outbound lines.

Hardware: CY 2.1GHz, DDR400 256MB, Intel 845GL, Seagate ST 7200.7 40GB, 2× Intel 82559 NICs.
Single line: 4Mbps China Telecom fibre. fxp0: public (WAN). fxp1: internal (LAN).
Web server 192.168.0.200 (ASP + streaming media), port 8080.

1. Download FreeBSD 5.3-RELEASE (ftp.freebsd.org.cn) and install the full source tree.

2. Build the kernel.
A. # vi /usr/src/sys/conf/GENERIC (best to cp a backup of GENERIC first)
----------------------------------------------------------
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options PANIC_REBOOT_WAIT_TIME=0 # reboot immediately on a kernel panic
options DEVICE_POLLING # enable NIC polling to improve network response time
options HZ=2000 # man 4 polling
options IPSTEALTH # support stealth IP forwarding
options TCP_DROP_SYNFIN # drop SYN+FIN packets, blocks probes of the server
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options MD_ROOT # MD is a potential root device
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
device apic # I/O APIC
# Bus support. Do not remove isa, even if you have no isa slots
device isa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
options ATA_STATIC_ID # Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device vga # VGA video card driver
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
device vlan # IEEE 802.1Q VLAN Support
----------------------------------------------------------------------
Comment out (#) everything else...
# config GENERIC
# cd ../compile/GENERIC
# make depend all install
# shutdown -r now

3. # vi /etc/sysctl.conf
# enable NAT address translation, tune parameters, guard against DDoS attacks
net.inet.ip.forwarding=1
net.inet.tcp.sendspace=65536
net.inet.tcp.recvspace=65536
net.inet.udp.sendspace=65535
net.inet.udp.maxdgram=65535
net.local.stream.sendspace=65535
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.rfc3042=1
net.inet.tcp.rfc3390=1
kern.ipc.maxsockbuf=2097152
kern.maxfiles=65536
kern.maxfilesperproc=32768
net.inet.tcp.delayed_ack=0
net.inet.icmp.icmplim=100
net.inet.icmp.icmplim_output=0
net.inet.tcp.drop_synfin=1
net.inet.tcp.msl=7500
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.raw.maxdgram=65536
net.inet.raw.recvspace=65536

4. # vi /etc/inetd.conf
Remove the # (on the last line) to enable the FTP proxy, for compatibility with active FTP.
ftp-proxy stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy

5. # vi /etc/resolv.conf
Create the DNS resolver file; change these to your own.
nameserver 202.96.128.143
nameserver 61.144.56.100

6. # vi /etc/rc.conf
gateway_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="2"
defaultrouter="xxx.xxx.xxx.xxx" # China Telecom gateway
hostname="www.csf.com"
ifconfig_fxp0="inet xxx.xxx.xxx.xxx netmask 255.255.255.0" # WAN IP
ifconfig_fxp1="inet 192.168.0.xxx netmask 255.255.255.0" # LAN IP (a host address in 192.168.0.0/24, not the network address itself)
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile

7. # vi /etc/pf.conf
wan_if="xxx.xxx.xxx.xxx" # WAN IP
web_if="192.168.0.200" # web
lan_if="192.168.0.0/24" # LAN segment
scrub in all
nat on fxp0 from fxp1:network to any -> fxp0 # translate LAN addresses to the WAN IP
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021 # (not sure whether this line fixes the FTP compatibility problem: LIST comes back empty on some FTP sites)
rdr on fxp0 proto tcp from any to $wan_if port 80 -> $web_if port 8080 # map WAN port 80 to the streaming server at 192.168.0.200
rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 -> $web_if port 8080 # reflection: LAN users reach the streaming server via the WAN IP
block in quick proto icmp from any to $wan_if
block in quick proto {tcp,udp} from any to any port {135
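The sysctl step above is a hardening baseline (SYN cookies, TCP/UDP blackholing, SYN+FIN drop, ICMP rate limiting) that is easy to lose during later edits of /etc/sysctl.conf. The script below is an added example, not code from the original post: it audits a sysctl.conf file against the post's baseline values and reports every key that is missing or set to a different value, honouring sysctl(8)'s last-assignment-wins semantics. The file name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a sysctl.conf
# against the hardening/forwarding baseline the post sets, and report every
# key that is missing or set to a value other than the baseline.
# The baseline values are the post's; file paths and sample data are constructed.

# Baseline: the anti-DDoS and forwarding keys from the post's sysctl.conf step.
BASELINE='net.inet.ip.forwarding=1
net.inet.tcp.syncookies=1
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.tcp.drop_synfin=1
net.inet.icmp.icmplim=100
net.inet.tcp.delayed_ack=0'

# get_value FILE KEY: print the effective value of KEY in FILE.
# Comments and whitespace are stripped; the last assignment wins, which is
# how sysctl(8) applies the file at boot. Prints an empty line if KEY is absent.
get_value() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1" |
        awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# audit_sysctl FILE: print one line per deviation as
#   KEY expected=BASELINE found=VALUE   (VALUE is <missing> when unset)
# and return 0 only when FILE matches the baseline exactly.
audit_sysctl() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    out=$(printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        have=$(get_value "$f" "$key")
        if [ -z "$have" ]; then
            echo "$key expected=$want found=<missing>"
        elif [ "$have" != "$want" ]; then
            echo "$key expected=$want found=$have"
        fi
    done)
    [ -n "$out" ] && printf '%s\n' "$out"
    [ -z "$out" ]
}

# Usage: sh audit_sysctl.sh /etc/sysctl.conf   (script name is a placeholder)
if [ $# -gt 0 ]; then
    audit_sysctl "$1"
fi
```

Run it against the live file after every edit (or from cron); a non-zero exit means at least one baseline key has drifted. Note that this checks the file, not the running kernel: compare with `sysctl -a` output if the file was edited without a reboot.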