一、 openBSD4.8 做路由及防火墙
1、 openBSD4.8 系统的安装
3、 硬件要求:旧电脑一台、网卡两张、MODEM(ADSL 调制解调器)一台
3、 安装 openBSD4.8 系统成功后,进入/etc 目录下,配置以下文件
4、 #vi /etc/hostname.rl0(连接内网的网卡,也称为网关)
# Inside (LAN) interface: fixed address, no gateway -- this box is itself the
# LAN's default gateway (hence /etc/mygate is removed below).
inet 192.168.0.1 255.255.255.0 NONE
:wq
#注意,此网卡本身为网关地址,因此不需要配置网关地址。系统默认路由由 hostname.pppoe0 中的 route add default 命令建立,因此要把 /etc/mygate 删除,否则开机会装入一条冲突的默认路由: #rm /etc/mygate
5、#vi /etc/hostname.rl1(连接外网的网卡)
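# Outside interface: no address of its own, it only carries the PPPoE session
# (hostname.pppoe0 names it via "pppoedev rl1").
up
# ASCII quotes -- the curly quotes in the original are not quotes to the shell,
# so ifconfig would see two separate words. Check the result with
# "ifconfig rl1" after running sh /etc/netstart.
description "ADSL Port"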
:wq
#此网卡设置为拨号网卡
6、#vi /etc/hostname.pppoe0
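# PPPoE session over rl1. The PAP credentials sit here in clear text, so this
# file must stay readable by root only (keep it 0640 root:wheel; verify with ls -l).
# The whole session definition must be ONE line (or use "\" continuation);
# the original wrapped it in the middle, which netstart would not accept.
inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname '拨号用户名' authkey '拨号密码' up
# Placeholder peer address, as in the pppoe(4) example; the second copy of this
# guide has this line, the first copy had dropped it.
dest 0.0.0.1
# Default route through the PPPoE link (ASCII "-ifp": the original had an en dash).
!/sbin/route add default -ifp pppoe0 0.0.0.1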
:wq
#新建拨号文件,并设置拨号信息
7、#vi /etc/sysctl.conf
# IPv4 forwarding is the only knob the NAT gateway needs; the address
# translation itself is pf's "match ... nat-to" rule, not this sysctl.
net.inet.ip.forwarding=1 #1=Permit forwarding (routing) of IPv4 packets
# NOTE(review): multicast forwarding and GRE are extra attack surface on an
# Internet-facing box. Keep the three lines below only if a GRE tunnel (gre0,
# which pf.conf skips) is really in use; otherwise leave them at their defaults.
net.inet.ip.mforwarding=1 #1=Permit forwarding (routing) of IPv4 multicast packets
net.inet.gre.allow=1
net.inet.gre.wccp=1
:wq
#去掉前面的“#”,开启路由转发功能。注意:这里打开的只是内核的 IP 转发(路由),NAT 本身由后面 pf.conf 中的 match ... nat-to 规则完成。
8、#vi /etc/resolv.conf
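# Keyword must be lower-case: resolv.conf(5) knows "lookup", not "Lookup";
# an unrecognised keyword is skipped and the default order applies instead.
lookup file bind
# Upstream resolvers used by the gateway itself.
nameserver 202.96.134.133
nameserver 202.96.128.86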
:wq
#配置 DNS 服务器
9、#vi /etc/dhcpd.conf
此文件为配置 DHCP 服务器文件,将此文件里面的 IP 改为内网 IP 段 192.168.0.0/24。注意:只修改 dhcpd.conf 并不会启动 dhcpd,还需要在 rc.conf.local 中设置 dhcpd_flags="rl0"(只在内网接口上监听,不要在拨号口上提供 DHCP),否则内网主机拿不到地址。
10、#vi /etc/rc.conf
# Enable pf at boot and point it at the ruleset below.
# NOTE(review): /etc/rc.conf is replaced on OpenBSD upgrades; local overrides
# belong in /etc/rc.conf.local. On 4.8 both values are already the defaults.
pf=YES
pf_rules=/etc/pf.conf
#加载系统开机运行文件,开启防火墙
11、防火墙的配置(pf.conf 文件)
#vi /etc/pf.conf
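###Macros:START
# ASCII quotes -- the curly quotes in the original make pfctl reject the file.
WAN="pppoe0"
LAN="rl0"
###Macros:END
###Options: tune the behavior of pf, default values are given.
set limit { states 100000, frags 50000 }
set skip on lo0
set skip on gre0
# NOTE(review): no logging is configured anywhere in this ruleset, so dropped
# packets leave no trace in pflog; "block in log all" below would give the
# forensic trail a border firewall is expected to keep.
###Tables:START
# Every listed file must exist in /etc/pf (it may be empty) or pfctl refuses
# to load the ruleset.
table <ALLOW_REMOTE_DOMAIN> persist file "/etc/pf/ALLOW_REMOTE_DOMAIN"
table <ALLOW_REMOTE_HOST> persist file "/etc/pf/ALLOW_REMOTE_HOST"
table <BADLIST_HOST> persist file "/etc/pf/BADLIST_HOST"
table <BADLIST_USER> persist file "/etc/pf/BADLIST_USER"
table <BADLIST_DOMAIN> persist file "/etc/pf/BADLIST_DOMAIN"
table <PROXY_USER> persist file "/etc/pf/PROXY_USER"
table <HK_USER> persist file "/etc/pf/HK_USER"
table <ERP_USER> persist file "/etc/pf/ERP_USER"
table <MSN_USER> persist file "/etc/pf/MSN_USER"
table <QQ_USER> persist file "/etc/pf/QQ_USER"
table <TCP_USER> persist file "/etc/pf/TCP_USER"
table <UDP_USER> persist file "/etc/pf/UDP_USER"
table <MSN_SRV> persist file "/etc/pf/MSN_SRV"
# NOTE(review): "websiste" looks like a typo for "website"; check which file
# name actually exists in /etc/pf before loading. Only <direct_website>,
# <MSN_SRV>, <tax_website>, <TCP_USER> and <QQ_USER> are referenced by the
# rules below; the other tables are loaded but unused.
table <tax_website> persist file "/etc/pf/tax_websiste"
table <direct_website> persist file "/etc/pf/direct_website"
###Tables:END
###NAT:START
# Source-NAT everything leaving the PPPoE link to its current address; the
# parentheses make pf re-read the address when the session renegotiates.
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
###NAT:END
###RULES:START
## start system default rules
# Default deny inbound on every interface; everything after this is an exception.
block in all
# Tunnel interfaces are fully trusted in both directions, no port filtering.
pass quick on {gif0,gif1,tun0} inet all
# The gateway itself may originate any outbound connection.
pass out quick inet keep state
#WAN interface: services on the gateway reachable from the Internet.
# ipencap/esp are IPsec-style tunnel traffic; 1194/udp is presumably OpenVPN.
# NOTE(review): 822/tcp is not a well-known port -- document which service
# listens there.
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
# NOTE(review): this admits every ICMP type from the Internet; "icmp-type echoreq"
# is enough for reachability checks (pf still lets through ICMP errors that
# belong to an existing state).
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state
##LAN
# These three omit "keep state"; pass rules keep state by default in this pf
# version, so they behave like the rest.
pass in quick on $LAN inet proto tcp from any to <direct_website>
pass in quick on $LAN inet proto tcp from any to <MSN_SRV>
pass in quick on $LAN inet proto tcp from any to 202.67.155.136
## for Accounting
pass in quick on $LAN inet proto tcp from 192.168.0.165 to <tax_website> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to <tax_website> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port 80 keep state
# 192.168.0.3 is passed unconditionally here, so its port-specific rules above
# and below never take effect; they only matter if this blanket rule is removed.
pass in quick on $LAN inet from 192.168.0.3 to any keep state
# One rule per line: the original wrapped the port list onto the next line,
# which pfctl reads as a syntax error.
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port {82,7001,7002,5678,8001} keep state
##MSN
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to <MSN_SRV> keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {https} keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {1863} keep state
##Secure WEB-site
# Hosts listed in <TCP_USER> get unrestricted outbound TCP.
pass in quick on $LAN inet proto tcp from <TCP_USER> to any keep state
pass in quick on $LAN inet proto udp from <TCP_USER> to any port {8000,8001} keep state
pass in quick on $LAN inet proto udp from <QQ_USER> to any port {8000,8001} keep state
##TO HK Print SERVER
# 192.168.1.223 is not on the LAN subnet; presumably it is reached over one of
# the tunnel interfaces passed above -- confirm a route to it exists.
pass in quick on $LAN inet from 192.168.0.0/24 to 192.168.1.223 keep state
pass in quick on $LAN inet proto tcp from 192.168.0.147 to any port {7001,5678} keep state
##for accounting
# Blanket pass for 192.168.0.165 (its <tax_website> rule above is then redundant).
pass in quick on $LAN inet from 192.168.0.165 to any keep state
##TO mail.saihe.cm
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to 202.82.144.87 port {25,110,443,465,995} keep state
# Everything else from the LAN falls through to "block in all". Note that no
# rule above passes DNS (port 53) for ordinary LAN hosts; if name resolution
# works for them, it must be via a table-based rule or a blanket-passed host.
#RULES:END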
#sh /etc/netstart #启动网络接口
#ifconfig rl0 up #打开 rl0 网卡
#pfctl -nf /etc/pf.conf #先只做语法检查,不加载;有错误时旧规则继续生效
#pfctl -f /etc/pf.conf #重新加载防火墙配置
#pfctl -e
#开启防火墙
#pfctl -d
#关闭防火墙
安装及配置防火墙
一、操作系统:openBSD4.8
二、硬件要求:DELL 电脑一台、网卡两张
三、安装系统及配置防火墙
1、OpenBSD4.8 操作系统的安装(此省略);
2、配置第一张网卡(hostname.rl0)此网卡做内网网关。
#cd /etc/
#vi hostname.rl0
# Inside (LAN) interface: fixed address, no gateway -- this box is the LAN's gateway.
inet 192.168.0.1 255.255.255.0 NONE
:wq
3、配置第二张网卡(hostname.rl1)此网卡用于拨号。
#cd /etc
#vi hostname.rl1
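# Outside interface: no address of its own, it only carries the PPPoE session
# (hostname.pppoe0 names it via "pppoedev rl1").
up
# ASCII quotes -- the curly quotes in the original are not quotes to the shell,
# so ifconfig would see two separate words. Check with "ifconfig rl1" after
# running sh /etc/netstart.
description "ADSL Port"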
:wq
4、配置拨号文件(hostname.pppoe0)。
#cd /etc
#vi hostname.pppoe0
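# PPPoE session over rl1. The PAP credentials sit here in clear text, so this
# file must stay readable by root only (keep it 0640 root:wheel; verify with ls -l).
# The whole session definition must be ONE line (or use "\" continuation);
# the original wrapped it after "authname", which netstart would not accept.
inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname '宽带帐号' authkey '密码' up
# Placeholder peer address, as in the pppoe(4) example.
dest 0.0.0.1
# Default route through the PPPoE link (ASCII "-ifp": the original had an en dash).
!/sbin/route add default -ifp pppoe0 0.0.0.1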
:wq
5、配置 DNS 服务器
#cd /etc
#vi resolv.conf
# Upstream resolvers used by the gateway itself (same two servers as in the
# first copy of this guide, in the opposite order).
nameserver 202.96.128.86
nameserver 202.96.134.133
:wq
6、开启路由转发功能。
#cd /etc
#vi sysctl.conf
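# Uncomment (remove the leading "#") to turn on IPv4 forwarding; the NAT itself
# is done by the "match ... nat-to" rule in pf.conf. The original carried a
# "//..." note on this line -- sysctl.conf only knows "#" comments, so the
# stray text would be handed to sysctl as a bogus name at boot.
net.inet.ip.forwarding=1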
7、开启防火墙功能。
#cd /etc
#vi rc.conf
# Enable pf at boot and point it at the ruleset below.
# NOTE(review): /etc/rc.conf is replaced on OpenBSD upgrades; local overrides
# belong in /etc/rc.conf.local. On 4.8 both values are already the defaults.
pf=YES
pf_rules=/etc/pf.conf
8、配置防火墙 PF
#cd /etc
#vi pf.conf
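##Macros:START
# ASCII quotes -- the curly quotes in the original make pfctl reject the file.
WAN="pppoe0"
LAN="rl0"
##Macros:END
##option:START
set limit { states 100000, frags 50000 }
# "set skip" needs the "on" keyword: "set skip lo0" is a syntax error.
set skip on lo0
set skip on gre0
##option:END
##table:START
# One declaration per table, e.g.:
#   table <NAME> persist file "/etc/pf/NAME"
# The file must exist (it may be empty) or the ruleset will not load. The
# <deny_video_web> table used in the rules below must be declared here before
# it is referenced.
##table:END
##queue:START
##QUEUE:END
# (priority / bandwidth queueing -- nothing is defined in this guide)
##NAT:START
# Source-NAT LAN hosts to the current PPPoE address; the parentheses make pf
# re-read the address when the session renegotiates.
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
##NAT:END
##RULES:START
# Default deny inbound on every interface; later rules are the exceptions.
block in all
# Tunnel interfaces are fully trusted in both directions.
pass quick on {gif0,gif1,tun0} inet all
# The gateway itself may originate any outbound connection.
pass out quick inet keep state
##WAN interfaces: services on the gateway reachable from the Internet.
# NOTE(review): 822/tcp is not a well-known port -- document which service
# listens there; the icmp rule admits every ICMP type, "icmp-type echoreq"
# is enough for reachability checks.
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state
##LAN interfaces
# The deny must come BEFORE the blanket "pass ... quick": in the original it
# followed the pass, so the first matching quick rule won and the block was
# never evaluated.
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to <deny_video_web> port 80
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any keep state
# Unreachable: every LAN TCP packet has already matched the quick pass above,
# and anything not passed is dropped by "block in all" anyway. Kept as in the
# original; move it above the pass only if the intent really is to deny all
# LAN TCP.
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to any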
相关