1、硬件配置
HP NetServer 800，PIII 1000，內存 256M，Intel 82559 網卡兩張（fxp0 接外網，fxp1 接內網）
2、分區情況
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s1a 248M 54M 174M 24% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/da0s1f 4.8G 130M 4.3G 3% /home
/dev/da0s1d 248M 12K 228M 0% /tmp
/dev/da0s1g 4.8G 565M 3.9G 12% /usr
/dev/da0s1e 5.8G 410K 5.3G 0% /var
3、系統安裝情況
采用最小化安裝
並且安裝 src 和 ports（原本打算用 ports 安裝，但不知為何無法用 cvs 取回源碼，也就不能透過 ports 安裝，只好改用源碼編譯）
4、內核編譯
沒有對內核采用優化,這裡只是為了驗證pf和squid結合做反向代理的可行性,在實際的生產應用中應該對服務器內核做一定程度的優化。
# Derive a kernel configuration named "cache" from the stock GENERIC config.
# Both steps run in the i386 configuration directory; stop if it is missing.
cd /usr/src/sys/i386/conf && cp GENERIC cache
編輯內核配置文件 cache，在其中添加如下選項（pf、pflog、pfsync 與 ALTQ）：
device pf          # packet filter; required for pf_enable="YES" in rc.conf
device pflog       # pflog pseudo-interface; required for pflog_enable / /var/log/pflog
device pfsync      # state-table synchronisation; nothing on this page configures it
options ALTQ       # traffic-shaping framework; no queues are defined on this page
options ALTQ_CBQ   # class-based queueing discipline for ALTQ
編譯內核
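# Build and install the "cache" kernel; run from /usr/src/sys/i386/conf.
# config(8) writes its build tree to ../compile/<KERNEL>, not ../config/<KERNEL>,
# so the original "cd ../config/cache" fails and the make would then run in the
# wrong directory. Each step is chained with && so a failure stops the sequence.
/usr/sbin/config cache \
  && cd ../compile/cache \
  && make depend \
  && make \
  && make install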
至此內核編譯並安裝完畢，重啟以載入新內核：
reboot   # load the newly installed "cache" kernel
5、讓系統開機自動加載 pf（在 /etc/rc.conf 中加入以下設置）
# /etc/rc.conf settings for the pf/squid gateway.

# --- Interfaces and routing ---
# fxp0 faces the Internet (its address is masked on the original page),
# fxp1 faces the 192.168.2.0/24 LAN.
ifconfig_fxp0="inet 218.4.xxx.xxx netmask 255.255.255.248"
ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"
defaultrouter="218.4.xxx.xxx"
# Forward packets between the two interfaces (the box acts as a router/NAT gateway).
gateway_enable="YES"

# --- Packet filter ---
pf_enable="YES"
# Extra pfctl(8) flags; none are needed, the rules come from the default /etc/pf.conf.
pf_flags=""
pflog_enable="YES"
# pcap-format log of packets hit by "log" rules; inspect with e.g. tcpdump -r.
pflog_logfile="/var/log/pflog"

# --- Services ---
sshd_enable="YES"
# inetd is presumably what serves ftp-proxy on 127.0.0.1:8021, which the pf.conf
# rdr rule points at -- verify against /etc/inetd.conf and disable anything else there.
inetd_enable="YES"
# USB daemon switched off; nothing on this page needs it.
usbd_enable="NO"
6、打開 IP 轉發（在 /etc/sysctl.conf 中加入）
# Let the kernel forward packets between fxp0 and fxp1.
# gateway_enable="YES" in rc.conf normally switches this on at boot as well,
# so this line is belt-and-braces rather than strictly required.
net.inet.ip.forwarding=1
7、實現共享上網：最簡單的 pf 設置（/etc/pf.conf）
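# /etc/pf.conf -- NAT gateway plus transparent proxying for the 192.168.2.0/24 LAN.

# --- Macros ---
wan_if="fxp0"
lan_if="fxp1"
inter_net="192.168.2.0/24"
web_server="192.168.2.3"
ftp_server="192.168.2.3"
# Ports the original author considered dangerous; left disabled as on the
# original page (redundant under the default-deny policy below).
#Danger_Port="{445 135 139 593 5554 9995 9996}"

# --- Normalisation ---
# Reassemble fragments and drop malformed packets before any other processing.
scrub in all

# --- Translation (nat/rdr) ---
# Masquerade LAN traffic behind the WAN interface. "($wan_if)" names the
# interface's current address via the macro instead of repeating the literal
# "fxp0", and follows the address if it ever changes.
nat on $wan_if from $inter_net to any -> ($wan_if)

# Transparently redirect LAN web traffic to the proxy on this gateway.
# NOTE: the original rule said "from $lan_if". In pf an interface name in an
# address position means "the addresses assigned to that interface", i.e. the
# gateway's own 192.168.2.10, so no client traffic ever matched; "from
# $inter_net" is what was intended. The target port 80 on $lan_if is assumed
# to be where squid listens -- confirm against squid.conf.
rdr on $lan_if proto tcp from $inter_net to any port 80 -> $lan_if port 80

# Hand LAN FTP sessions to ftp-proxy on 127.0.0.1:8021 (served via inetd).
rdr on $lan_if proto tcp from $inter_net to any port 21 -> 127.0.0.1 port 8021

# Alternative kept disabled: publish the internal web server instead of proxying.
#rdr on $wan_if proto tcp from any to ($wan_if) port 80 -> $web_server port 8080
#rdr on $lan_if proto tcp from $inter_net to ($wan_if) port 80 -> $web_server port 8080

# Publish the internal FTP server: control port plus its passive data range.
# Only connections addressed to the gateway's own WAN address are redirected.
rdr on $wan_if proto tcp from any to ($wan_if) port 21 -> $ftp_server port 21
rdr on $wan_if proto tcp from any to ($wan_if) port 49152:65535 -> $ftp_server port 49152:65535

# --- Filtering (last matching rule wins unless marked "quick") ---
# Default policy: drop unsolicited inbound traffic on both interfaces, logging
# the WAN side. The original page ended with "pass in all / pass out all",
# which left every service on the gateway (sshd, inetd, the proxy) reachable
# from the Internet without state tracking.
block in log on $wan_if all
block in on $lan_if all

# Optional explicit drop of the ports listed above (disabled; the default deny
# already covers them).
#block in quick on $wan_if inet proto tcp from any to any port $Danger_Port

# Inbound FTP to the published server, matched after the rdr above.
pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state

# LAN hosts (and only packets sourced from the LAN prefix) may reach the
# gateway and the Internet; replies are admitted by the state entry.
pass in on $lan_if from $inter_net to any keep state

# Everything the gateway sends, including NATed LAN traffic, creates state
# so the reply path works under the default deny above.
pass out all keep state

# Remote administration from the WAN is no longer implicit. If SSH from the
# Internet is required, add an explicit rule restricted to a known source:
#pass in on $wan_if proto tcp from ADMIN_IP to ($wan_if) port 22 flags S/SA keep state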