配置ADSL: # vi /etc/ppp/ppp.conf ========================ppp.conf======================= default: set log Phase Chat IPCP CCP tun command set redial 15 0 set reconnect 15 10000
pppoe: set device "!/usr/sbin/pppoe -i rl1" disable acfcomp protocomp deny acfcomp set mtu max 1492 set crtscts off set speed sync enable lqr set lqrperiod 5 set cd 5 set dial set login set timeout 0 set authname "sjz681a0156@adsl2" set authkey 123456 add! default HISADDR enable mssfixup ========================ppp.conf=======================
altq on $int_if cbq bandwidth 1200Kb queue { dflt, boss } queue dflt bandwidth 300Kb cbq(default) queue boss bandwidth 900Kb cbq(borrow)
nat on $ext_if from $int_net to any -> $ext_if
block all
block return block in quick on $ext_if os NMAP block in quick on $ext_if from $noroute to any block out quick on $ext_if from any to $noroute
pass in quick on $ext_if inet proto tcp from any to any port > 60000 keep state #pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SAFR keep state
pass quick on $loop all pass in on $int_if from $int_net pass out on $int_if from any to $int_net pass out on $int_if from any to $boss_ip queue boss pass out on $ext_if all keep state
pass in on $ext_if inet proto tcp from any to $web_server port = 80 flags S/SAFR keep state (max 200, source-track rule, max-src-nodes 200, max-src-states 2) queue boss =========================pf.conf=======================
禁用系统自定义的PF规则
# vi /etc/rc.conf pf=NO
启用IP转发: # vi /etc/sysctl.conf net.inet.ip.forwarding=1
if [ -f /etc/ppp/ppp.conf ]; then . /etc/rc.d/adsl.sh start fi
# vi /etc/rc.shutdown /etc/rc.d/adsl.sh stop
启用NAME缓存服务器(不是必须的): # vi /var/named/named.boot options forward-only forwarders 202.99.160.68 202.99.168.8
根据拨号需要加载和关闭防火墙: # vi /etc/ppp/ppp.linkup MYADDR: ! sh -c "/sbin/ifconfig pflog0 up" ! sh -c "/sbin/pflogd" ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
# vi /etc/ppp/ppp.linkdown MYADDR: ! sh -c "/sbin/pfctl -d -F all" ! sh -c "kill `cat /var/run/pflogd.pid`" ! sh -c "/sbin/ifconfig pflog0 down" ! sh -c "/sbin/route delete default"
配置动态域名更新:
# tar zxvf ez-ipupdate-3.0.10.tgz # cd ez-ipupdate-3.0.10 # vi conf_file.c 增加一行: #include errno.h>
# vi ez-ipupdate.c 注释掉下面几行(4515行): //else // { // fprintf(stderr, "no update needed at this time\n"); // }
# ./configure # make # make install
设置拨号后自动运行:
# vi /etc/ppp/ppp.linkup MYADDR: ! sh -c "/sbin/ifconfig pflog0 up" ! sh -c "/sbin/pflogd" ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf" !bg /usr/local/bin/ez-ipupdate -i tun0 -h nero.3322.org -S qdns -w wildcard -u user:pwd
解决通过PF防火墙用主动模式连接外网FTP服务器的问题:
# vi /etc/pf.conf rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# vi /etc/inetd.conf 127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
# reboot
设置SQUID的透明代理:
# vi /etc/squid/squid.conf http_port 127.0.0.1:3128
# vi /etc/pf.conf rdr on $int_if proto tcp from $int_net to any port 80 -> 127.0.0.1 port 3128