Hardware: Intel D945G + dual-core CPU 850 + 512M RAM + 80G SATA disk + Intel 8254x em NIC x2
Platform: FreeBSD 6.1-RELEASE
Role: gateway + firewall + NAT (serving 300 machines, with per-subnet bandwidth limiting)
Install: Minimal + src > sys, man, ports
Kernel: added IPFIREWALL, IPDIVERT, DUMMYNET and maxusers options
Configuration files:
rc.conf
defaultrouter="x.x.x.x"
# forward packets between em0 (inside) and em1 (outside)
gateway_enable="YES"
hostname="xxx.server.org"
# em1: outside (WAN) interface, em0: inside (LAN) interface
ifconfig_em1="inet x.x.x.x netmask 255.255.255.240"
ifconfig_em0="inet xx.xx.xx.xx netmask 255.255.252.0"
firewall_enable="YES"
firewall_script="/etc/rc.firewall"
# a file name here makes rc.firewall load the rules with "ipfw /etc/ipfw.conf"
firewall_type="/etc/ipfw.conf"
firewall_quiet="YES"
# the rc.conf variable is firewall_logging (not firewall_logging_enable); it sets
# net.inet.ip.fw.verbose=1, which the "log" rules in ipfw.conf need since the
# kernel was built without IPFIREWALL_VERBOSE
firewall_logging="YES"
natd_interface="em1"
natd_enable="YES"
kern_securelevel_enable="NO"
sendmail_enable="NONE"
sshd_enable="YES"
Tip: x.x.x.x is the external address, xx.xx.xx.xx the internal address.
ipfw.conf
# Rules are evaluated in order of rule number, not file order: 00001-00005 run
# before the divert rule 00400 even if the divert line is written first.
add 00001 deny log ip from any to any ipoptions rr
add 00002 deny log ip from any to any ipoptions ts
add 00003 deny log ip from any to any ipoptions ssrr
add 00004 deny log ip from any to any ipoptions lsrr
add 00005 deny tcp from any to any in tcpflags syn,fin
# NAT: everything crossing em1 goes to natd; natd re-injects the translated
# packet at the next rule (00401), with the private address already rewritten
add 00400 divert natd ip from any to any via em1
#######tcp#########
add 10000 allow tcp from any to x.x.x.x 22 in
add 19997 check-state
add 19998 allow tcp from any to any out keep-state setup
add 19999 allow tcp from any to any out
######udp##########
# DNS replies to the gateway and DNS queries to the gateway, outside only
add 20001 allow udp from any 53 to me in recv em1
add 20002 allow udp from any to x.x.x.x 53 in recv em1
add 29999 allow udp from any to any out
######icmp#########
add 30000 allow icmp from any to any icmptypes 3
add 30001 allow icmp from any to any icmptypes 4
add 30002 allow icmp from any to any icmptypes 8 out
add 30003 allow icmp from any to any icmptypes 0 in
add 30004 allow icmp from any to any icmptypes 11 in
#######lan##########
add 40000 allow all from 192.168.1.0/24 to any
add 40001 allow all from any to 192.168.1.0/24
add 40002 allow all from 192.168.2.0/24 to any
add 40003 allow all from any to 192.168.2.0/24
add 40004 allow all from 192.168.0.0/16 to any
add 40005 allow all from any to 192.168.0.0/16
# anything not matched above is dropped by the default rule 65535 (kernel built
# without IPFIREWALL_DEFAULT_TO_ACCEPT)
Tip: from 6.1 on, the keyword ipopt must be written out in full as ipoptions.
With the settings above, the gateway and firewall are working normally. Next, limiting per-subnet traffic with DUMMYNET.
pipe
# Added without a rule number, these rules get a number above 40005, i.e. after
# the LAN allow rules 40000-40005 have already accepted the traffic, so as
# typed here they are never reached.
ipfw add pipe 1 ip from 192.168.1.0/24 to any out
ipfw add pipe 2 ip from any to 192.168.1.0/24 in
# mask on the last address byte: one dynamic pipe of 200 Kbit/s per host
ipfw pipe 1 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
ipfw pipe 2 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
ipfw add pipe 3 ip from 192.168.2.0/24 to any out
ipfw add pipe 4 ip from any to 192.168.2.0/24 in
ipfw pipe 3 config mask src-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
ipfw pipe 4 config mask dst-ip 0x000000ff bw 200Kbit/s queue 20Kbytes
Disclaimer: I am a FreeBSD newbie; please point out anything I got wrong.
Issues:
1. Dual-CPU / dual-core CPU support (solved)
2. SATA disk support (solved)
3. ACPI power-management problem under BTX (solved)
4. Limiting traffic with dummynet (unsolved; I have run into too many questions and hope the experts can guide me)
5. Optimization and security (still learning)
My questions about pipe:
1. Where in my ipfw.conf is the most appropriate place to put the pipe rules above?
2. Can 0x000000ff be changed? If so, what does changing it mean?
3. What determines the 20Kbytes value after queue?
4. Do the bw values of 200Kbit/s in the pipe 1 and pipe 2 statements have to be changed together, and must they be equal? (In my tests the limit only took effect when the two numbers were the same.)
5. I want to limit traffic for the hosts 192.168.1.2-192.168.1.200 and 192.168.2.2-192.168.2.200 while leaving all other IPs unrestricted; how should the pipe statements above be written? (This is the most important one. I have looked through a lot of material and found nothing specific, only this form: addr/masklen{num,num,...}, e.g. 192.168.1.0/24{2,3,4,...200}. Is there no other way? Please help.)
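An added worked example, not part of the post above: a sh script that emits the dummynet configuration for limiting only 192.168.1.2-200 and 192.168.2.2-200, placed correctly relative to the natd divert rule. It assumes the ruleset shown in the post (em1 outside, divert rule 00400, one_pass at its default) and uses two hypothetical variables, FWCMD and SYSCTLCMD, so that the commands can be previewed with `FWCMD=echo SYSCTLCMD=echo sh shape_lan.sh apply` (shape_lan.sh is an assumed file name) before being applied. It relies on two facts about ipfw: natd re-injects translated packets at the rule after the divert rule, so an outbound pipe rule numbered above 400 never sees a 192.168.x.x source (it has already become x.x.x.x) and must be numbered below 400, while the inbound pipe rule must be numbered above 400; and with the default net.inet.ip.fw.one_pass=1 a packet leaving a pipe is not matched against any further rules, which would let shaped outbound traffic bypass the divert rule and leave em1 un-NATed, so the script sets one_pass=0. The `addr/24{n1-n2}` form is the address-set syntax documented in ipfw(8), which accepts ranges as well as comma-separated last octets.

```shell
#!/bin/sh
# Added example (not from the original post): per-host dummynet shaping for
# 192.168.1.2-200 and 192.168.2.2-200 on a gateway whose natd divert rule is 00400.
# Assumed: em1 is the outside interface.  FWCMD and SYSCTLCMD are hypothetical
# override hooks for a dry run:  FWCMD=echo SYSCTLCMD=echo sh shape_lan.sh apply

FWCMD="${FWCMD:-/sbin/ipfw -q}"
SYSCTLCMD="${SYSCTLCMD:-/sbin/sysctl}"
OUTSIDE_IF="${OUTSIDE_IF:-em1}"
PER_HOST_BW="${PER_HOST_BW:-200Kbit/s}"
QUEUE="${QUEUE:-20Kbytes}"

# Outbound pipe rules are numbered below the divert rule (300..): natd rewrites
# the private source address and re-injects the packet at rule 401, so a pipe
# rule numbered above 400 never matches "from 192.168.x.x".  Inbound pipe rules
# are numbered from 401, after natd has restored the private destination.
OUT_BASE=300
IN_BASE=401

# shape_subnet <outbound pipe> <inbound pipe> <net/24> <last-octet range>
shape_subnet() {
    pipe_out=$1; pipe_in=$2; net=$3; hosts=$4
    # mask 0x000000ff keys one dynamic pipe per last octet, so every host gets
    # PER_HOST_BW of its own; mask 0 would give the whole subnet one shared pipe.
    $FWCMD pipe "$pipe_out" config mask src-ip 0x000000ff bw "$PER_HOST_BW" queue "$QUEUE"
    $FWCMD pipe "$pipe_in" config mask dst-ip 0x000000ff bw "$PER_HOST_BW" queue "$QUEUE"
    # net/24{n1-n2}: only hosts whose last octet lies in the range match, so
    # .1 (the gateway side) and .201-.254 stay unshaped.
    $FWCMD add "$OUT_BASE" pipe "$pipe_out" ip from "${net}{${hosts}}" to any out xmit "$OUTSIDE_IF"
    $FWCMD add "$IN_BASE" pipe "$pipe_in" ip from any to "${net}{${hosts}}" in recv "$OUTSIDE_IF"
    OUT_BASE=$((OUT_BASE + 1))
    IN_BASE=$((IN_BASE + 1))
}

shape_all() {
    OUT_BASE=300
    IN_BASE=401
    # one_pass=0: a packet leaving a pipe re-enters the ruleset at the next rule,
    # so shaped outbound traffic still reaches the divert rule and the allow/deny
    # policy after it.  With the default one_pass=1 a pipe match ends processing,
    # and outbound packets matched at rule 300 would skip natd entirely.
    $SYSCTLCMD net.inet.ip.fw.one_pass=0
    shape_subnet 1 2 192.168.1.0/24 2-200
    shape_subnet 3 4 192.168.2.0/24 2-200
}

# Only touch the running firewall when invoked as "sh shape_lan.sh apply";
# otherwise the functions can be sourced or previewed with FWCMD=echo.
if [ "${1:-}" = "apply" ]; then
    shape_all
fi
```

To make the one_pass setting survive a reboot, put `net.inet.ip.fw.one_pass=0` in /etc/sysctl.conf; the four `add` lines can equally go into ipfw.conf with those numbers, in which case the `pipe ... config` lines still have to be issued (rc.firewall does not create pipes for a file-based firewall_type). Because the pipe rules sit below the existing allow rules at 40000-40005, they shape without granting anything: whether a packet is ultimately accepted is still decided by the rest of the policy.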