OPENBSD上的ADSL和防火墙设置配置

下面我用的是OPENBSD 3.6
    配置ADSL:
    # vi /etc/ppp/ppp.conf
    ========================ppp.conf=======================
    # "default" is read by ppp(8) before any other label, so the logging and
    # redial settings below apply to the "pppoe" profile as well.
    default:
    # Log phases, chat, IPCP/CCP negotiation, tunnel events and commands to
    # /var/log/ppp.log.
    set log Phase Chat IPCP CCP tun command
    # Wait 15 s between redial attempts; retry without limit.
    set redial 15 0
    set reconnect 15 10000
    # Profile selected by "ppp -ddial pppoe" from the rc script.
    pppoe:
    # The PPPoE session runs over Ethernet interface rl1 (the ADSL modem side).
    set device "!/usr/sbin/pppoe -i rl1"
    disable acfcomp protocomp
    deny acfcomp
    # 1492 = 1500 (Ethernet) minus the 8-byte PPPoE header.
    set mtu max 1492
    set crtscts off
    set speed sync
    # Link-quality reports every 5 s so a dead session is noticed and redialed.
    enable lqr
    set lqrperiod 5
    set cd 5
    set dial
    set login
    # No idle timeout: the link is meant to stay up permanently.
    set timeout 0
    # NOTE(review): the ISP account password is stored here in cleartext.  The
    # value 123456 is clearly a placeholder; keep this file root-owned and not
    # readable by group/other (ppp(8) checks its config file permissions —
    # confirm the exact requirement for the 3.6 release).
    set authname "sjz681a0156@adsl2"
    set authkey 123456
    # Replace any existing default route with one via the peer's address.
    add! default HISADDR
    # Clamp TCP MSS to fit the 1492-byte MTU and avoid PMTU black holes.
    enable mssfixup
    ========================ppp.conf=======================
    建立防火墙代理配置:
    # vi /etc/pf.conf
    =========================pf.conf=======================
    # Interfaces and networks.  tun0 is the PPPoE link brought up by ppp(8);
    # dc0/rl0 are the two LAN segments.
    ext_if = "tun0"
    int_if = "{ dc0, rl0 }"
    int_net = "{ 192.168.0.0/24, 192.168.10.0/24 }"
    loop = "lo0"
    # TCP services exposed to the Internet on any address.
    tcp_services = "{ www, ftp }"
    # LAN hosts that get the higher-bandwidth "boss" queue.
    boss_ip = "{ 192.168.10.10, 192.168.10.11, 192.168.10.12, 192.168.10.13, 192.168.10.14, 192.168.10.15 }"
    # Address ranges that must never appear on the external link (anti-spoofing).
    noroute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
    # NOTE(review): 192.168.100.16 lies outside both $int_net subnets, so none of
    # the $int_net pass/nat rules below cover it — confirm this address is
    # intended and reachable through this box.
    web_server = "{ 192.168.10.5, 192.168.100.16 }"
    # Blocked packets get a TCP RST / ICMP unreachable instead of being dropped.
    set block-policy return
    set loginterface $ext_if
    set optimization aggressive
    # Normalise/defragment all inbound traffic; also required for the "os NMAP"
    # fingerprint match below.
    scrub in all
    # Traffic shaping on the LAN side: 900Kb for boss hosts, 300Kb for the rest.
    altq on $int_if cbq bandwidth 1200Kb queue { dflt, boss }
    queue dflt bandwidth 300Kb cbq(default)
    queue boss bandwidth 900Kb cbq(borrow)
    # Masquerade the LAN behind the dynamic PPPoE address.
    nat on $ext_if from $int_net to any -> $ext_if
    # Default deny.  pf applies the LAST matching rule unless the rule says
    # "quick", so everything below refines these two lines.
    block all
    block return
    # Drop packets whose TCP fingerprint matches NMAP, and spoofed private or
    # loopback source/destination addresses on the external link.
    block in quick on $ext_if os NMAP
    block in quick on $ext_if from $noroute to any
    block out quick on $ext_if from any to $noroute
    # NOTE(review): this is the widest opening in the set — every TCP port above
    # 60000 is reachable from anywhere, with no flags S/SA check, presumably for
    # passive-mode data connections.  Narrow it to the hosts and port range that
    # actually need it and add "flags S/SAFR" as the rules below do.
    pass in quick on $ext_if inet proto tcp from any to any port > 60000 keep state
    #pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
    # Public services: only SYN-initiated connections create state.
    pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state
    pass quick on $loop all
    # LAN side: unrestricted, without state tracking (pf 3.6 is not stateful by
    # default).
    pass in on $int_if from $int_net
    pass out on $int_if from any to $int_net
    pass out on $int_if from any to $boss_ip queue boss
    # All outbound traffic from this box and the NATed LAN.
    pass out on $ext_if all keep state
    # Web servers: at most 200 states overall, 200 tracked sources and 2
    # concurrent states per source, which limits connection floods from one host.
    pass in on $ext_if inet proto tcp from any to $web_server port = 80 flags S/SAFR keep state (max 200, source-track rule, max-src-nodes 200, max-src-states 2) queue boss
    =========================pf.conf=======================
    禁用系统自定义的PF规则
    # vi /etc/rc.conf
    pf=NO
    启用IP转发:
    # vi /etc/sysctl.conf
    net.inet.ip.forwarding=1
    设置开机启动ADSL拨号:
    # mkdir /etc/rc.d
    # vi /etc/rc.d/adsl.sh
    --------------+----------------+---------------+-------------
    #!/bin/sh
    # /etc/rc.d/adsl.sh
    # 7-11-2004
    # llzqq@126.com
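    #######################################
    # Print whether the PPPoE link on tun0 has an address.
    # Globals:   IP (written) - address read from ifconfig, empty when down
    # Outputs:   one status line on stdout
    # Returns:   0
    #######################################
    pppoe_status () {
      # ifconfig errors out when tun0 does not exist yet (before the first
      # dial); that case is reported as "down", so its stderr is silenced.
      IP=$(/sbin/ifconfig tun0 2>/dev/null | awk '/netmask/{print $2}')
      if [ -n "$IP" ]; then
        # Quoted, so the address is printed as one word.
        printf 'pppoe link is up, ip: %s\n' "$IP"
      else
        printf '%s\n' "pppoe link is down"
      fi
    }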
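    #######################################
    # Dial the PPPoE link and wait for tun0 to obtain an address.
    # Globals:   PPPOE_TRIES (read) - poll attempts, 2 s apart; default 20
    #            IP (written)       - address found while polling
    # Outputs:   progress dots, then the status line from pppoe_status
    # Returns:   1 if ppp could not be started, else 0
    #######################################
    pppoe_start () {
      printf 'starting pppoe '
      # -ddial: ppp daemonises and redials whenever the link drops.
      if ! ppp -ddial pppoe > /dev/null; then
        printf '\nfailed to start ppp\n' >&2
        return 1
      fi
      tries=${PPPOE_TRIES:-20}
      while [ "$tries" -gt 0 ]; do
        sleep 2
        printf '.'
        IP=$(/sbin/ifconfig tun0 2>/dev/null | awk '/netmask/{print $2}')
        [ -n "$IP" ] && break
        tries=$((tries - 1))
      done
      printf '.\n'
      pppoe_status
    }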
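    #######################################
    # Terminate the ppp daemon started by pppoe_start.
    # Globals:   PID (written) - PID(s) of matching ppp processes
    # Outputs:   one status line on stdout
    # Returns:   0
    #######################################
    pppoe_stop () {
      # "[p]pp" keeps awk itself out of the match: its own argv contains the
      # text "ppp -ddial", so the plain pattern also returned awk's PID and
      # kill then failed on an already-finished process.
      PID=$(ps aux | awk '/[p]pp -ddial/{print $2}')
      if [ -n "$PID" ]; then
        # Unquoted on purpose: several PIDs are passed as separate arguments.
        kill $PID
      fi
      printf '%s\n' "pppoe link is down"
    }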
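    # Entry point: dispatch on the rc-style action given as $1.
    # A usage error goes to stderr and exits 1 so callers can tell it apart
    # from normal status output.
    case "$1" in
      'start')
        pppoe_start
        ;;
      'stop')
        pppoe_stop
        ;;
      'status')
        pppoe_status
        ;;
      *)
        echo "Usage: $0 {start|stop|status}" >&2
        exit 1
        ;;
    esac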
    --------------+----------------+---------------+-------------
    # chmod 555 /etc/rc.d/adsl.sh
    开机时自动进行ADSL拨号
    # vi /etc/rc.local
    # NOTE(review): "." sources adsl.sh into rc.local's own shell, so its
    # functions and the IP/PID variables remain defined afterwards, and the
    # "exit 1" in its usage branch would terminate rc.local itself.  Executing
    # it as "/etc/rc.d/adsl.sh start" (the form rc.shutdown uses) keeps it
    # isolated.
    if [ -f /etc/ppp/ppp.conf ]; then
    . /etc/rc.d/adsl.sh start
    fi
    # vi /etc/rc.shutdown
    /etc/rc.d/adsl.sh stop
    启用named缓存DNS服务器(不是必须的):
    # vi /var/named/named.boot
    options forward-only
    forwarders 202.99.160.68 202.99.168.8
    根据拨号需要加载和关闭防火墙:
    # vi /etc/ppp/ppp.linkup
    MYADDR:
    ! sh -c "/sbin/ifconfig pflog0 up"
    ! sh -c "/sbin/pflogd"
    ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
    # vi /etc/ppp/ppp.linkdown
    MYADDR:
    ! sh -c "/sbin/pfctl -d -F all"
    ! sh -c "kill `cat /var/run/pflogd.pid`"
    ! sh -c "/sbin/ifconfig pflog0 down"
    ! sh -c "/sbin/route delete default"
    配置动态域名更新:
    # tar zxvf ez-ipupdate-3.0.10.tgz
    # cd ez-ipupdate-3.0.10
    # vi conf_file.c
    增加一行:
    #include <errno.h>
    # vi ez-ipupdate.c
    注释掉下面几行(4515行):
    //else
    // {
    // fprintf(stderr, "no update needed at this time\n");
    // }
    # ./configure
    # make
    # make install
    设置拨号后自动运行:
    # vi /etc/ppp/ppp.linkup
    # Run once the link is up and the local address (MYADDR) is known:
    # start pflog, load the firewall, then update the dynamic DNS entry.
    MYADDR:
    ! sh -c "/sbin/ifconfig pflog0 up"
    ! sh -c "/sbin/pflogd"
    ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
    # NOTE(review): the DDNS credentials are passed on the command line, so
    # they are visible in ps(1) output to every local user while the update
    # runs.  ez-ipupdate can read them from a root-only configuration file
    # instead (its -c option) — confirm the option for this 3.0.10 build.
    !bg /usr/local/bin/ez-ipupdate -i tun0 -h nero.3322.org -S qdns -w wildcard -u user:pwd
    解决通过PF防火墙用主动模式连接外网FTP服务器的问题:
    # vi /etc/pf.conf
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    # vi /etc/inetd.conf
    127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
    # reboot
    设置SQUID的透明代理:
    # vi /etc/squid/squid.conf
    http_port 127.0.0.1:3128
    # vi /etc/pf.conf
    rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128