Archive for June 2006

It has been a long time since I last visited FreeBSDChina.org

Setting up a router on FreeBSD 6.1-RELEASE with route and ipfilter

This server is set up so that users on the internal network communicate with the outside world through it. The basic idea: internal users reach the external network through FreeBSD's built-in gateway routing (route), while the security of the server and protection against virus traffic are handled by FreeBSD's ipfilter. The initial setup went as follows:

Network interfaces:
vr0: external interface
vr1: internal interface

1. Minimal installation of FreeBSD 6.1-RELEASE
Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to a CD, set the server to boot from the CD drive and start the installation. I chose the minimal installation and enabled ftp and ssh; the defaults are fine for everything else. See this article for the details. Reboot the machine after the installation finishes.

2. Install the kernel source (src/sys)
Put the installation CD in the drive, then:

# /usr/sbin/sysinstall

Choose Configure -> Distributions -> src -> sys, select install, and reboot the machine once it finishes.

3. Basic configuration
Configure /etc/rc.conf

# cd /etc
# ee rc.conf

Contents:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"
 
Configure /etc/resolv.conf

# ee /etc/resolv.conf

Contents:
nameserver 58.193.112.1

4. Configure the kernel with ipfilter support

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

Now edit the kernel configuration file. The configuration differs with the hardware and the intended use of the machine; since we need ipfilter, we add support for it by putting the following into the kernel configuration:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
For the other options, refer to this article and tailor them yourself. Save and exit, then run:

# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install

After the build, reboot the server (because ipfilter blocks all traffic by default, make sure you are at the console of the server when you do this).

5. Add the routing options to /etc/rc.conf

# cd /etc
# ee rc.conf

Append the following lines at the end:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30"  # the first address is the internal IP range; the second is the gateway address of the external interface

6. Configure ipfilter
Add to /etc/rc.conf:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
Then edit the /etc/ipf.conf file

# cd /etc/
# ee ipf.conf

Contents:
# loopback interface lo0
# out and in: pass everything
pass in quick on lo0 all
pass out quick on lo0 all

# external interface vr0
# out: only let the enabled IPs communicate
# never send traffic to private (RFC 1918), link-local, loopback, test or multicast destinations
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3

# enable 58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

# enable 58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

# enable 58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

# enable 58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

block out on vr0 all

# in: block some source addresses (such as private ranges) and some ports used by worms (such as 138, 139, 445)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

block in log on vr0 all


# internal interface vr1
# out: pass everything
pass out on vr1 all
# in: pass everything
pass in on vr1 all

Reboot the server after the configuration is done.

Find a client machine to test with. First give it one of the IPs enabled in ipf.conf and ping edu.cn; if the ping succeeds, the external network is reachable.
Then change its IP to one that is not in the enabled list; if the ping now fails, the ipf.conf settings are in effect.
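The client test above relies on how ipfilter orders its rules: a matching "quick" rule ends evaluation, a rule without "quick" only wins if nothing later matches, and with IPFILTER_DEFAULT_BLOCK in the kernel a packet that matches no rule at all is dropped. The following simulator is an added example (not part of the original post) that replays those semantics over a constructed excerpt of the ipf.conf above; it parses only the fields it matches on and ignores "keep state", "flags", "with" and "log".

```python
import ipaddress
import re
# Constructed excerpt of the post's /etc/ipf.conf (addresses as in the post).
RULES = """\
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state
block out on vr0 all
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 proto tcp/udp from any to any port = 445
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
block in log on vr0 all
pass in on vr1 all
""".splitlines()
def parse_rule(line):
    """Extract the fields this simulator matches on (state/flags/with are ignored)."""
    t = line.split()
    r = {"action": t[0], "dir": t[1], "quick": "quick" in t,
         "iface": t[t.index("on") + 1], "proto": None,
         "src": None, "sport": None, "dst": None, "dport": None}
    if "proto" in t:
        r["proto"] = t[t.index("proto") + 1].split("/")   # 'tcp/udp' -> both
    m = re.search(r"from (\S+)(?: port = (\d+))? to (\S+)(?: port = (\d+))?", line)
    if m:                       # no from/to (e.g. 'all') means any -> any
        r["src"], r["sport"], r["dst"], r["dport"] = m.groups()
    return r

def _addr_ok(spec, addr):
    return spec in (None, "any") or \
        ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    return spec is None or (port is not None and int(spec) == port)

def evaluate(rules, direction, iface, proto, src, dst, sport=None, dport=None):
    """Return (verdict, rule) for one packet: a matching 'quick' rule ends evaluation,
    otherwise the last match wins, and no match at all is IPFILTER_DEFAULT_BLOCK."""
    verdict = ("block", "IPFILTER_DEFAULT_BLOCK")
    for line in rules:
        r = parse_rule(line)
        if r["dir"] != direction or r["iface"] != iface:
            continue
        if r["proto"] and proto not in r["proto"]:
            continue
        if not (_addr_ok(r["src"], src) and _addr_ok(r["dst"], dst)
                and _port_ok(r["sport"], sport) and _port_ok(r["dport"], dport)):
            continue
        verdict = (r["action"], line)
        if r["quick"]:
            break
    return verdict
```

For example, evaluate(RULES, "out", "vr0", "icmp", "58.193.112.1", "203.0.113.10") passes on the second rule, while the same ping from the non-enabled 58.193.112.9 falls through to "block out on vr0 all", which is exactly the difference the client test observes.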

Author: 老管 (funpower)    email: funpower@gmail.com    2006-6-30
References: IP Filter Based Firewalls HOWTO; FreeBSD Handbook 26.5 IPFILTER (IPF) Firewall; FreeBSD Handbook 27.2 Gateways and Routes

A loop in the network causes intermittent connectivity

For the past two days people have reported that the LAN keeps dropping in and out. Looking at it with the monitoring software, I found that a group of machines was continuously sending broadcast packets, exhausting the bandwidth of the whole network so that users who were legitimately online could not work. As shown in the figure below:

At first I thought it was a virus, but then it occurred to me that a loop in the network would produce the same symptom. I immediately located the machines sending the broadcasts and found that they were all in the same physical location, which made a loop even more likely. I went there to check and, sure enough, an 8-port hub had both RJ-45 ends of the same twisted-pair cable plugged into it.

I'm speechless -_-!!!


named[] unknown option 'zone' error after setting up DNS

Today, while setting up a DNS server on FreeBSD, named refused to start, giving the following error:

dns1# /usr//sbin/named -gc /etc/namedb/named.conf
Jun 03 11:00:12.193 using 1 CPU
Jun 03 11:00:12.203 loading configuration from '/etc/namedb/named.conf'
Jun 03 11:00:12.204 /usr/local/etc/named.conf:18: unknown option 'zone'
Jun 03 11:00:12.204 /usr/local/etc/named.conf:23: unknown option 'zone'
Jun 03 11:00:12.205 /usr/local/etc/named.conf:56: unknown option 'zone'
Jun 03 11:00:12.205 /usr/local/etc/named.conf:60: unknown option 'zone'
Jun 03 11:00:12.205 /usr/local/etc/named.conf:66: unknown option 'key'
Jun 03 11:00:12.205 /usr/local/etc/named.conf:71: unknown option 'controls'
Jun 03 11:00:12.206 /usr/local/etc/named.conf:75: '}' expected near end of file
Jun 03 11:00:12.206 loading configuration: unexpected token
Jun 03 11:00:12.206 exiting (due to fatal error)

I compared it against many articles and could not find anything wrong; in the end it turned out that a "};" was missing in named.conf. -_-!!!

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
};

zone "wxic.edu.cn" {
        type master;
        file "db.wxic.edu.cn";
};

zone "112.193.58.in-addr.arpa" {
        type master;
        file "db.58.193.112";
};

Google Earth upgrade

I have always hoped Google Earth would "support" more Chinese cities, and this Earth upgrade finally fulfilled that wish. Right after the data upgrade a new version of Earth was released as well: Google Earth (Release 4 - BETA)

Wuxi Institute of Commerce

RelaxBSD 2.0 test release and RelaxBSD 2.0 RC1 released

1. RelaxBSD 2.0 test release

ftp://local-distfiles.freebsd.org.cn/pub/china-ports/hamigua/relaxbsd/RelaxBSD-InstallCD-2.0-test.iso
ftp://xiong:tang123@125.90.202.88:3075/RelaxBSD-InstallCD-2.0-test.iso

MD5: 4f4563e80f55b110af54cccee4cca7ac

Everyone is welcome to test it.
Known bugs:
1. Ordinary users cannot log in through gdm, but root can; this is a file permission problem.
Workaround:
When the gdm login screen appears, do not log in; press Ctrl+Alt+F1 to get to the console.
Log in as root (or log in as an ordinary user and then run su).
Run, in order:
/usr/sbin/mtree -deU -f /etc/mtree/BSD.var.dist -p /var
chmod 1777 /tmp
Then press Ctrl+Alt+F9 and you will be able to log in to gdm as an ordinary user.
2. The last two lines of /root/.cshrc need to be commented out.
3. When RelaxBSD is installed in VMware or in an environment without Windows, Chinese fonts are not displayed in the OpenOffice interface, because the WenQuanYi bitmap font is used and OpenOffice does not seem to support it. The fix is to copy fonts (such as simsun.ttf, fireflyttf.ttf) into /usr/X11R6/lib/X11/fonts/TrueType on the RelaxBSD system and run fc-cache -f -v.

2. RelaxBSD 2.0 RC1 released

Download: Download 1  Download 2

71343eded674456af9bd314d17c61e97  RelaxBSD-InstallCD-2.0RC1.iso

This release fixes the known bugs of the RelaxBSD 2.0 test release and adds the sane (xsane) scanner support software, the Nvu web page editor, CUPS extended printer drivers, the firefly font and more. OpenOffice has been corrected.

——————

I installed RelaxBSD once; compared with installing FreeBSD, then GNOME, then compiling and installing the common software, it really is a lot more convenient, and this version also adds extended driver support for peripherals such as scanners and printers. I have not tried installing the new version yet; the installation process is probably a GUI now. Still, I prefer to install FreeBSD first and then configure the other programs myself to get a FreeBSD graphical desktop.

What is RelaxBSD?

RelaxBSD will be a Chinese desktop system derived from FreeBSD and FreeSBIE that boots and runs directly from the CD drive (a Live CD), that is, an operating system loaded from a bootable CD that needs no installer and not even a hard disk. If you want to preserve the settings of a running session, all you need is a USB stick.