# options
# NOTE(review): the macros $ext_if / $icmp_types and the tables <master>, <ddos>,
# <gm>, <web> are not defined in this excerpt; they must come earlier in pf.conf.
# Blocked packets are answered (TCP RST / ICMP unreachable) instead of dropped silently.
set block-policy return
set loginterface $ext_if
set limit states 60000
# scrub
# Normalize all inbound packets (reassembly, sanity checks) before filtering.
scrub in all
# filter rules
# pf evaluates top to bottom and the LAST matching rule wins, except that a rule
# marked "quick" stops evaluation immediately.
#pass quick all
# Hosts in <master> are admitted on any port. Because this rule sits before the
# <ddos> block, overload never locks these hosts out.
pass in quick inet from <master>
# Sources that the overload clauses below put into <ddos> are refused on every port.
block in quick from <ddos>
# Default policy: deny inbound. Nothing in this excerpt blocks outbound traffic.
block in all
# Loopback is unrestricted in both directions.
pass quick on lo0 all
# Web ports: only initial SYNs (flags S/SA) create state. Per source address:
# at most 100 concurrent connections and 30 new connections per 5 seconds; exceeding
# either adds the source to <ddos>, and "flush" kills its existing states as well.
pass in quick proto tcp to ($ext_if) port 80 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 30/5, overload <ddos> flush)
pass in quick proto tcp to ($ext_if) port 8080 flags S/SA keep state (max-src-conn 100, max-src-conn-rate 30/5, overload <ddos> flush)
pass quick inet proto icmp all icmp-type $icmp_types
# No direction is given, so this passes UDP/53 both out AND in, from any source.
# NOTE(review): if this host runs a resolver, the inbound half exposes it to the
# Internet; prefer "pass out" (or restrict sources) unless that is intended.
pass quick proto udp to any port 53
# Outbound is already passed by default here; these only matter if "block out"
# rules exist outside this excerpt.
pass out to <gm>
pass out to <web>
1、安装ss5
----------------------------------------
freebsd# cd /usr/ports/net/ss5/
freebsd# make install clean
报错:
===> openldap-client-2.4.19 depends on package: libtool>=2.2 - not found
===> Found libtool-1.5.24, but you need to upgrade to libtool>=2.2.
*** Error code 1
Stop in /usr/ports/net/openldap24-client.
*** Error code 1
解决办法:
freebsd# cd /usr/ports/devel/libtool22/
freebsd# make install clean
freebsd# cd /usr/ports/devel/libltdl22
freebsd# make install clean
然后再继续:
freebsd# cd /usr/ports/net/ss5/
freebsd# make install clean
2、修改配置文件
---------------------------------------
freebsd# vi /usr/local/etc/ss5/ss5.conf
auth 0.0.0.0/0 - u
permit u 0.0.0.0/0 - 0.0.0.0/0 - - - - -
freebsd# vi /usr/local/etc/ss5/ss5.passwd //添加认证用户
king 1q2w3e
freebsd# vi /etc/rc.conf
ss5_enable="YES" //添加ss5启动项
freebsd# /usr/local/etc/rc.d/ss5 start
socks5
1、安装socks5
---------------------------------------
freebsd# cd /usr/ports/net/socks5/
freebsd# make install clean
2、配置socks5
---------------------------------------
freebsd# vi /usr/local/etc/socks5.conf
#指定SOCKS v5绑定的ip地址和监听的端口。假如不指定绑定的IP将使用0.0.0.0
set SOCKS5_BINDINFC 0.0.0.0:1080
#忽略ident请求。当客户机没有运行identd时,使用SOCKS5_NOIDENT将降低超时值
set SOCKS5_NOIDENT
#指定连接停顿最长时间。超过最大值后,socks5断开连接
set SOCKS5_TIMEOUT 15
#socks5将接受SOCKS V4 协议的请求,默认不接受
set SOCKS5_V4SUPPORT
#指定同时存在的最大子进程数,Socks5预设为64
set SOCKS5_MAXCHILD 4
#指定密码文档
set SOCKS5_PWDFILE /usr/local/etc/socks5.passwd
#指定日志文件
set SOCKS5_LOGFILE /var/log/socks5.log
#任何的客户连接都使用username/password用户认证方法
#auth - - u //用户认证方法
auth - - - //允许所有用户
#允许来自192.168.0.X的任何经过用户认证的连接, 这里我没做限制.
permit - - - - - - //允许所有IP
#permit u - - - - - //允许认证用户
#permit u - 192.168.0.X - - -
freebsd# vi /usr/local/etc/socks5.passwd
king 741852
freebsd# vi /etc/rc.conf #添加socks5项
socks5_enable="YES"
socks5_flags="-t -b 222.192.55.99:8080"
#pf开放8080端口
pass in quick proto tcp to $ext_if port 8080
3、开始测试
freebsd# /usr/local/bin/socks5 -f -s
如果出现下面的信息表示测试成功。
18210: Socks5 starting at Mon Dec 14 18:23:45 1998 in normal mode
:编辑/etc/syslog.conf文件
在文件最后加入如下内容:
!ipfw *.* /var/log/ipfw.log
这行的作用是将IPFW的日志写到/var/log/ipfw.log文件里
ee /etc/ipfw.conf
引用
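#!/bin/sh
# /etc/ipfw.conf -- IPFW ruleset loaded at boot.
# Rules are evaluated in ascending number order; the first match decides.
# Every deny/allow rule below carries "log", so matches are reported through
# syslog (routed to /var/log/ipfw.log by the "!ipfw" stanza in syslog.conf).

# Run ipfw(8) quietly (-q), passing each rule word as its own argument.
# A function replaces the unquoted $IPFW expansion so the command line is
# never subject to accidental word-splitting or globbing.
fw() {
  /sbin/ipfw -q "$@"
}

# Start from an empty ruleset; -f skips the interactive confirmation.
fw -f flush

# Loopback: everything on lo* is allowed.
# 'lo*' is quoted so the shell cannot expand it against files in the cwd.
fw add 2000 allow ip from any to any via 'lo*'

# Anti-spoofing: drop inbound packets that carry loopback addresses, and
# inbound traffic to/from the multicast/reserved range 224.0.0.0/3.
fw add 2010 deny log ip from 127.0.0.0/8 to any in
fw add 2020 deny log ip from any to 127.0.0.0/8 in
fw add 2030 deny log ip from 224.0.0.0/3 to any in
fw add 2040 deny log tcp from any to 224.0.0.0/3 in

# TCP: all outbound connections, segments of existing sessions, and inbound
# SSH (22) / HTTP (80). Note that "established" is a TCP-flag check (ACK/RST
# set), not stateful tracking.
fw add 2050 allow log tcp from any to any out
fw add 2060 allow log tcp from any to any established
fw add 2070 allow log tcp from any to any 22 in
fw add 2080 allow log tcp from any to any 80 in

# Catch-all for TCP only. UDP and ICMP (e.g. DNS replies, ping) match nothing
# above and fall through to the kernel's default rule 65535, whose action
# depends on how the kernel was built -- verify with "ipfw list".
fw add 12190 deny log tcp from any to any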
2.4 安装axel提高ports的安装速度
cd /usr/ports/ftp/axel
make install
#修改 /etc/make.conf
ee /etc/make.conf
#加入以下内容
kern.dfldsiz="2147483648" # Set the initial data size limit
kern.maxdsiz="2147483648" # Set the max data size
kern.ipc.nmbclusters="0" # Set the number of mbuf clusters
kern.ipc.nsfbufs="66560" # Set the number of sendfile(2) bufs
cd /usr/ports/lang/php52
#make config ##配置编译参数
[X] CLI Build CLI version
[X] CGI Build CGI version
[ ] APACHE Build Apache module
[ ] DEBUG Enable debug
[X] SUHOSIN Enable Suhosin protection system
[X] MULTIBYTE Enable zend multibyte support
[ ] IPV6 Enable ipv6 support
[X] REDIRECT Enable force-cgi-redirect support (CGI only)
[X] DISCARD Enable discard-path support (CGI only)
[X] FASTCGI Enable fastcgi support (CGI only)
[X] PATHINFO Enable path-info-check support (CGI only)
make install clean
# cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini
3.5 配置php.ini
ee php.ini
找到如下语句
引用
;open_basedir =
disable_functions =
expose_php = On
expose_php = Off
display_errors = On
output_buffering = Off
修改为
引用
open_basedir = /data/www/wwwroot:/tmp
disable_functions =
phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,passthru,stream_socket_server
display_errors = Off
output_buffering = On
3.6 安装php52-extensions
引用
# cd /usr/ports/lang/php52-extensions/
#make config
Options for php52-extensions 1.3
-------------------------------------------------
[X] CURL CURL support
[X] FTP FTP support
[X] GD
[X] GETTEXT
[X] MBSTRING multibyte string support
[X] MCRYPT Encryption support
[X] MYSQL
[X] PCRE Perl Compatible Regular Expression support
[ ] POSIX //去掉
[ ] SQLITE //去掉.
[X] ZIP ZIP support
[X] ZLIB
# make install clean
修改php.ini cgi.fix_pathinfo=1,让SCRIPT_FILENAME有效(注意:开启后需在nginx侧确认请求的脚本文件确实存在,否则非PHP文件也可能被当作脚本执行)
安装Zendoptimizer
cd /usr/ports/devel/ZendOptimizer/
make (不要安装,只需下载下来即可)
cd work/ZendOptimizer-3.3.0a-freebsd6.0-i386
./install-tty 一路按回车,到最后选择no,不使用apache。
zend 将自动在php.ini最后添加参数的。
让nginx和spawn-fcgi开机启动
vi /usr/pgsql/postgresql.conf
listen_addresses = '*'
修改pg_hba.conf文件里的验证方式,这个文件的位置是你数据库所在的目录,也就是rc.conf里配置的那个目录。
修改用户密码加密方式:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
#"local" is for Unix domain socket connections only
local all pgsql md5
# "local" is for Unix domain socket connections only
local all pgsql md5
# IPv4 local connections:
host all pgsql 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 trust
(trust 表示来自该地址的连接不做口令验证,与上面各行的 md5 不同。)
重启服务