[OpenBSD] For fellow Great Wall Broadband (长城宽带) or E家宽 users: using OpenBSD as a transparent gateway

Posted on 2003-04-27 11:14


Haha,
I've been running this setup for a long time.
mygate:
xxx.xxx.xxx.xxx
/etc/dhcpd.conf:
shared-network LOCAL-NET {
        option  domain-name "your.domain";
        option  domain-name-servers 192.168.1.1;

        subnet 192.168.1.0 netmask 255.255.255.0 {
                option routers 192.168.1.254;

                range 192.168.1.32 192.168.1.127;
        }
        host host1 {
                hardware ethernet 52:54:ab:1fxx;
                fixed-address 192.168.1.2;
        }
        host host2 {
                hardware ethernet 00:d0:b7:9dxx;
                fixed-address 192.168.1.3;
        }
        host host3 {
                hardware ethernet 00:04:75:c3xx;
                fixed-address 192.168.1.4;
        }
        host host4 {
                hardware ethernet 00:00:b4:9cxx;
                fixed-address 192.168.1.5;
        }
        host host5 {
                hardware ethernet 00:04:75:c3xx;
                fixed-address 192.168.1.6;
        }
.
.
.
}
/etc/pf.conf:
ext_if ="xl0"
dmzl_if ="rl0"
int_if ="rl1"
noroute ="{10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8,192.0.2.0/24, 204.152.64.0/23, 255.255.255.255/32, 0.0.0.0/8,224.0.0.0/4}"
HdgsNet ="10.232.58.0/24"
LocalNet ="192.168.1.0/24"
PppNet ="10.232.60.0/24"
HnspNet ="10.232.0.0/16"
RouterIP ="192.168.1.1"
myfriend ="{10.232.58.81/32,10.232.58.168/32}"
Loop ="lo0"
InServicesTCP = "{imap, pop3, smtp, www, ftp, https}"
set loginterface $ext_if
set optimization aggressive
scrub in on $ext_if all fragment reassemble
nat on $ext_if from $LocalNet to any -> $ext_if
nat on $ext_if from $PppNet to any -> $ext_if
nat on $ext_if from $HdgsNet to any -> $ext_if
nat on $dmzl_if from $LocalNet to $HnspNet -> $dmzl_if
rdr on $int_if proto tcp from ! $RouterIP to ! $LocalNet port 80 -> 127.0.0.1 port 8080
rdr on $int_if proto {tcp,udp} from ! $RouterIP to ! $LocalNet port 53 -> 192.168.1.1 port 53
rdr on $dmzl_if proto tcp from $PppNet to ! $HnspNet port 80 -> 127.0.0.1 port 8080
rdr on $dmzl_if proto tcp from $HdgsNet to ! $HnspNet port 80 -> 127.0.0.1 port 8080
rdr on $dmzl_if proto {tcp,udp} from $HnspNet to ! $HnspNet port 53 -> 10.232.58.80 port 53
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
pass in quick on $Loop all
pass out quick on $Loop all
block out on $ext_if all      
block in on $ext_if all
block return-rst out log on $ext_if proto tcp all
block return-rst in log on $ext_if proto tcp all
block return-icmp out log on $ext_if proto udp all
block return-icmp in log on $ext_if proto udp all
block in log quick on $ext_if inet from $noroute to any
block in log quick on $ext_if inet from any to $noroute
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state
pass out quick on $ext_if all keep state
pass in  log quick on $dmzl_if inet from $PppNet to any
pass in  log quick on $dmzl_if inet from $myfriend to any
pass in  log quick on $dmzl_if inet from $HnspNet to $HdgsNet
pass in  log quick on $dmzl_if inet proto {tcp,udp} from $PppNet port 53 to any port 53
pass in  log quick on $dmzl_if inet proto {tcp,udp} from $HdgsNet port 53 to any port 53
block in log quick on $dmzl_if inet proto {tcp,udp} from $HnspNet port 53 to ! 10.232.58.80/32 port 53
block in log quick on $dmzl_if inet from $noroute to any
.
.
.
squid.conf:
http_port 8080
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 1024 16 256
cache_access_log /dev/null
cache_log /var/squid/logs/cache.log
cache_store_log none
pid_filename /var/squid/logs/squid.pid
append_domain .xxx.xxx.com
dns_nameservers 127.0.0.1
unlinkd_program /usr/local/libexec/unlinkd
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl allownet src "/etc/squid/allownet"
acl allowip src "/etc/squid/allowip"
acl denyip src "/etc/squid/denyip"
acl morning time 8:00-12:00
acl noon time 12:01-14:00
acl aftnoon time 14:01-17:30
acl everning time 17:51-22:00
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 1025-65535
acl FTP proto FTP
acl CONNECT method CONNECT
acl allow_ip dst "/etc/squid/squid.allowip"
acl badip dst "/etc/squid/squid.badip"
always_direct allow FTP
http_access allow manager localhost
http_access allow manager allownet
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow allownet
http_access deny badip
http_access allow allow_ip
http_access allow allowip
acl myfriend proxy_auth REQUIRED
http_access allow myfriend
http_access deny denyip
http_access deny !allownet
http_access deny all
cache_effective_user squid
cache_effective_group squid
httpd_accel_with_proxy on
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_uses_host_header on
cache_mgr webmaster@mail.xxx.xxx.com
quick_abort_min 4 KB
quick_abort_max 16 KB
quick_abort_pct 95
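Squid evaluates http_access lines top to bottom, ANDs the ACLs on one line, and stops at the first line that matches, so the order of the allow/deny lines above decides the policy. The script below is an added example (not part of the original post) that replays that first-match logic over the exact http_access lines from the squid.conf above. The contents of the quoted ACL files (/etc/squid/allownet, allowip, denyip, squid.allowip, squid.badip) are not in the post, so constructed placeholder networks stand in for them; the time ACLs are left out because no http_access line uses them, and the proxy_auth ACL is modelled as an "authenticated" flag on the request.

```python
"""Replay Squid's first-match http_access evaluation for the policy above.

Added example; the ACL file contents are constructed placeholders, not the
poster's real lists.
"""
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the files Squid would read (the post does not show them).
ACL_FILES = {
    "allownet": ["192.168.1.0/24"],          # acl allownet src
    "allowip": ["10.232.58.81/32"],          # acl allowip src
    "denyip": ["192.168.1.5/32"],            # acl denyip src
    "squid.allowip": ["198.51.100.10/32"],   # acl allow_ip dst
    "squid.badip": ["203.0.113.0/24"],       # acl badip dst
}


def cidrs(name):
    return [ipaddress.ip_network(n) for n in ACL_FILES[name]]


def in_nets(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


@dataclass
class Request:
    src: str
    dst: str
    port: int
    method: str = "GET"
    proto: str = "http"
    authenticated: bool = False   # stands in for "acl myfriend proxy_auth REQUIRED"


# One predicate per "acl ..." line that an http_access line references.
ACLS = {
    "all": lambda r: True,
    "manager": lambda r: r.proto == "cache_object",
    "localhost": lambda r: r.src == "127.0.0.1",
    "allownet": lambda r: in_nets(r.src, cidrs("allownet")),
    "allowip": lambda r: in_nets(r.src, cidrs("allowip")),
    "denyip": lambda r: in_nets(r.src, cidrs("denyip")),
    "SSL_ports": lambda r: r.port == 443,
    "Safe_ports": lambda r: r.port in (80, 21, 443, 70, 210) or 1025 <= r.port <= 65535,
    "CONNECT": lambda r: r.method == "CONNECT",
    "allow_ip": lambda r: in_nets(r.dst, cidrs("squid.allowip")),
    "badip": lambda r: in_nets(r.dst, cidrs("squid.badip")),
    "myfriend": lambda r: r.authenticated,
}

# The http_access lines from the post, in their original order (index 0 = first).
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("allow", ["manager", "allownet"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["allownet"]),
    ("deny", ["badip"]),
    ("allow", ["allow_ip"]),
    ("allow", ["allowip"]),
    ("allow", ["myfriend"]),
    ("deny", ["denyip"]),
    ("deny", ["!allownet"]),
    ("deny", ["all"]),
]


def acl_matches(term, req):
    """A '!' prefix negates the named ACL, as in squid.conf."""
    name = term.lstrip("!")
    result = ACLS[name](req)
    return (not result) if term.startswith("!") else result


def evaluate(req):
    """Return (verdict, index of the http_access line that decided it).

    Squid semantics: all ACLs on a line must match, the first matching line
    wins, and if no line matches the opposite of the last line's action applies.
    """
    for i, (action, terms) in enumerate(HTTP_ACCESS):
        if all(acl_matches(t, req) for t in terms):
            return action, i
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    # A host listed in denyip but sitting inside allownet is allowed by line 6
    # before "deny denyip" (line 11) is ever reached.
    print(evaluate(Request("192.168.1.5", "198.51.100.1", 80)))
    # An authenticated user outside allownet gets through via "allow myfriend".
    print(evaluate(Request("10.232.60.5", "198.51.100.1", 80, authenticated=True)))
```

Running the two cases in the block shows the practical consequence of the ordering: with this squid.conf, "deny denyip" only ever affects clients that are not already in allownet, so a LAN address placed in /etc/squid/denyip is still allowed by "http_access allow allownet". Moving the deny above the allow changes that outcome, and the simulator lets you check such a reordering before reloading Squid. Note also that "cache_access_log /dev/null" in the same file means no request log is kept, so there is nothing to reconstruct later if a client on the LAN misbehaves.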

Posted on 2003-04-28 11:50


I have never used Windows as a gateway, so I haven't compared which is faster.
But I find using BSD as a gateway works really well, so I've stuck with it!