Chinaunix

[FreeBSD] Advice wanted: using FreeBSD as a multi-function gateway

#1
Posted 2008-03-10 16:15
I want to set up FreeBSD with the functions below. What software do I need to install for each?
1. Bandwidth management
2. Gateway anti-virus (detecting and removing viruses and trojans embedded in web pages)
3. Restricting BT, eMule and other P2P software
4. Allowing or denying clients Internet access based on MAC address
Friends who know, please advise.
Thanks

#2
Posted 2008-03-10 21:09
First, "2. Gateway anti-virus (detecting and removing viruses and trojans embedded in web pages)": you must be joking.
Second, "Friends who know, please advise" is obviously what someone says who has not read "How To Ask Questions The Smart Way" carefully. Be careful.

Now to answer your question.
Basic approach: ipfw + dummynet is recommended.
1. Add to the kernel configuration:
options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
options IPDIVERT
options IPFIREWALL_FORWARD
options DUMMYNET
2. Rebuild the kernel.
3. Add the following to /etc/rc.conf:
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
firewall_quiet="YES"
tcp_extensions="YES"
4. A recommended /etc/rc.firewall; adjust it to your actual situation:
#!/bin/sh
# ================
/sbin/ipfw -f flush
# ================
/sbin/ipfw add divert natd all from any to any via em0
#/sbin/ipfw add allow all from any to me 80 in
#/sbin/ipfw add allow all from any to 192.168.1.254 80 in
#/sbin/ipfw add allow all from any to me 80 out
#/sbin/ipfw add allow all from 192.168.1.254 to any 80 out
#/sbin/ipfw add forward 192.168.1.254,80 all from 192.168.0.0/16 to 125.74.120.94,80 via em1
/sbin/ipfw add forward 61.178.0.93 ip from 192.168.0.0/16 to 202.100.64.68 via em1 log
/sbin/ipfw add allow udp from any 53 to me in recv em0
ipfw pipe 1 config bw 10240kbit/s
ipfw pipe 2 config bw 50000kbit/s
ipfw add pipe 1 ip from 192.168.0.0/16 to any out
ipfw add pipe 2 ip from any to 192.168.0.0/16 in
#ipfw pipe 1 config bw 10MBytes/s
#ipfw pipe 2 config bw 10MBytes/s
#ipfw add deny all from any to 192.168.2.214
#ipfw add deny all from 192.168.2.214 to any
# ================
#Security Settings:
/sbin/ipfw add deny all from 59.163.36.66 to me in via em0 #India Hacker.
/sbin/ipfw add deny all from any to 59.163.36.66 out via em0 #same as above
/sbin/ipfw add deny all from any to 59.163.36.66 #same
/sbin/ipfw add deny all from any to me 3306
/sbin/ipfw add deny all from me 3306 to any
# ================

/sbin/ipfw add deny all from any to 218.201.45.106 #vagaa web
/sbin/ipfw add deny all from any to 218.201.45.145 #vagaa login1
/sbin/ipfw add deny all from any to 221.192.133.39 #vagaa login2
/sbin/ipfw add deny all from any to 62.241.53.2    #vagaa login3
/sbin/ipfw add deny all from any to 58.17.4.34 #pp365 web
/sbin/ipfw add deny all from any to 218.201.44.209 #vagaa sou
#/sbin/ipfw add deny all from any to 121.20.1.15 #pp365 login1
#/sbin/ipfw add deny all from any to 218.85.180.155 #pp365 login2
#/sbin/ipfw add deny all from any to 218.15.202.192 #pp365 login3
#/sbin/ipfw add deny all from any to 60.187.161.197 #pp365 login4
#/sbin/ipfw add deny all from any to 60.163.42.167 #pp365 login5
#/sbin/ipfw add deny all from any to 222.85.99.142 #pp365 login6
#/sbin/ipfw add deny all from any to 58.213.209.89 #pp365 login7
#/sbin/ipfw add deny all from any to 125.109.131.148 #pp365 login8
#/sbin/ipfw add deny all from any to 124.71.152.137 #pp365 login9
#/sbin/ipfw add deny all from any to 58.223.140.38 #pp365 login10
#/sbin/ipfw add deny all from any to 125.120.214.196 #pp365 login11
#/sbin/ipfw add deny all from any to 58.51.15.180 #pp365 login12
#/sbin/ipfw add deny all from any to 59.34.242.192 #pp365 login13
#/sbin/ipfw add deny all from any to 222.241.121.251 #pp365 login14
#/sbin/ipfw add deny all from any to 220.250.6.119 #pp365 login15
#/sbin/ipfw add deny all from any to 60.187.215.21 #pp365 login16
#/sbin/ipfw add deny all from any to 125.109.166.10 #pp354 login17
#/sbin/ipfw add deny all from any to 222.182.234.170 #pp365 login18
#/sbin/ipfw add deny all from any to 124.115.80.19 #pp365 login19
#/sbin/ipfw add deny all from any to 125.109.40.3 #pp365 login20
#/sbin/ipfw add deny all from any to 221.1.88.125 #pp365 login21
#/sbin/ipfw add deny all from any to 58.52.54.16 #pp365 login22
#/sbin/ipfw add deny all from any to 222.75.86.100 #pp365 login23
#/sbin/ipfw add deny all from any to 125.108.240.34 #pp365 login24
#/sbin/ipfw add deny all from any to 123.249.181.166 #pp365 login25
#/sbin/ipfw add deny all from any to 124.226.117.88 #pp365 login26
#/sbin/ipfw add deny all from any to 124.72.44.27 #pp365 login27
#/sbin/ipfw add deny all from any to 125.115.49.101 #pp365 login28
#/sbin/ipfw add deny all from any to 121.29.112.250 #pp365 login29
#/sbin/ipfw add deny all from any to 221.10.177.24 #pp365 login30
#/sbin/ipfw add deny all from any to 125.109.31.34 #pp365 login31
#/sbin/ipfw add deny all from any to 59.60.199.186 #pp365 login32
#/sbin/ipfw add deny all from any to 123.154.80.246 #pp365 login33
#/sbin/ipfw add deny all from any to 218.23.215.9 #pp365 login34
#/sbin/ipfw add deny all from any to 58.52.93.6 #pp365 login35
#/sbin/ipfw add deny all from any to 61.140.115.76 #pp365 login36
#/sbin/ipfw add deny all from any to 220.168.192.35 #pp365 login37
#/sbin/ipfw add deny all from any to 211.150.64.183 #pp365 login38
#/sbin/ipfw add deny all from any to 60.211.39.218 #pp365 login39
#/sbin/ipfw add deny all from any to 221.13.183.132 #pp365 login40
#/sbin/ipfw add deny all from any to 221.1.13.128 #pp365 login41
#/sbin/ipfw add deny all from any to 121.63.55.69 #pp365 login42
#/sbin/ipfw add deny all from any to 222.209.234.72 #pp365 login43
#/sbin/ipfw add deny all from any to 125.115.202.103 #pp365 login44
/sbin/ipfw add deny all from any to any 5354 out log #pp365 login port
/sbin/ipfw add deny all from any to any 5354 in #pp365 login port-in
/sbin/ipfw add deny all from any to any 8093 out log #poco
/sbin/ipfw add deny all from any to any 8093 in #poco
/sbin/ipfw add deny all from any to 61.145.118.224 #poco
/sbin/ipfw add deny all from any to 61.153.0.0/16 #poco
/sbin/ipfw add deny all from any to 61.143.156.37 #poco
/sbin/ipfw add deny all from any to 60.190.58.139 #poco
/sbin/ipfw add deny all from any to 60.190.138.100 #poco
/sbin/ipfw add deny all from any to 61.143.156.37 #poco
/sbin/ipfw add deny all from any to 61.175.235.196 #poco
/sbin/ipfw add deny all from any to 220.165.143.67 #poco
/sbin/ipfw add deny all from any to 218.0.0.187 #poco
/sbin/ipfw add deny all from any to 61.143.156.136 #poco
/sbin/ipfw add deny all from any to 218.0.7.134 #poco
/sbin/ipfw add deny all from any to 202.101.167.152 #poco
/sbin/ipfw add deny all from any to 61.174.62.142 #poco
/sbin/ipfw add deny all from any to 121.11.69.145 #poco
/sbin/ipfw add deny all from any to 218.0.7.158 #poco
/sbin/ipfw add deny all from any to 218.16.229.163 #poco
/sbin/ipfw add deny all from any to 60.190.58.119 #poco
/sbin/ipfw add deny all from any to 218.0.7.157 #poco
#/sbin/ipfw add deny all from any to any 6646 out #emule login port1
#/sbin/ipfw add deny all from any to any 6646 in #emule login port1-in
#/sbin/ipfw add deny all from any to any 6656 out #emule login port2
#/sbin/ipfw add deny all from any to any 6656 in #emule login port2-in
#/sbin/ipfw add deny all from any to 194.213.0.20 #emule data port
#/sbin/ipfw add deny all from any to 218.88.96.153 #emule port
#/sbin/ipfw add deny all from any to 62.241.53.16 #emule mohu
#/sbin/ipfw add deny all from any to 62.241.53.2 #emule 443 4242
#/sbin/ipfw add deny all from any to 58.44.131.68 #emule 80
#/sbin/ipfw add deny all from any to 62.241.53.17 #emule 443 mohu
#/sbin/ipfw add deny all from any to 62.241.53.4 #emule mohu
/sbin/ipfw add deny all from any to 62.241.53.0/24 #emule mohu
#/sbin/ipfw add deny all from any to 83.149.102.0/16 #emule mohu
#/sbin/ipfw add deny all from any to 83.149.123.189 #emule mohu
/sbin/ipfw add deny all from any to 83.149.0.0/16 #emule mohu
/sbin/ipfw add deny all from any to 80.239.0.0/16 #emule mohu
/sbin/ipfw add deny all from any to 193.138.0.0/16 #emule mohu
/sbin/ipfw add deny all from any to 85.17.0.0/16 #emule mohu
/sbin/ipfw add deny all from any to 66.135.0.0/16 #emule mohu
/sbin/ipfw add deny all from any to 72.8.136.158 #11sss
/sbin/ipfw add deny all from any to 221.130.191.207 #36XP
/sbin/ipfw add deny all from any to 72.8.130.58 #a.36xp
/sbin/ipfw add deny all from any to 58.22.101.138 #44xp
/sbin/ipfw add deny all from any to 219.153.43.80 #11mmm
/sbin/ipfw add deny all from any to 208.98.47.141 #&9.11xp
/sbin/ipfw add deny all from any to 60.190.217.227 #22kao.com
/sbin/ipfw add deny all from any to 204.16.198.3 #22kao.com
/sbin/ipfw add deny all from any to 74.52.47.4 #22kao.com
/sbin/ipfw add deny all from any to 222.73.207.234 #11se.com
/sbin/ipfw add deny all from any to 204.13.67.195 #z.11se.com
/sbin/ipfw add deny all from any to 219.90.112.205 #10086mm.com
/sbin/ipfw add deny all from any to 218.85.134.136 #a.sexzzz.com
/sbin/ipfw add deny all from any to 72.8.136.159 #1.55sss.com
/sbin/ipfw add deny all from any to 221.122.65.245 #www.55sss.com
/sbin/ipfw add deny all from any to 72.8.130.59 #e.36xp.com
# ================
/sbin/ipfw add pass all from any to any

5. Add the relevant network segments to /etc/rc.conf; adjust them to your actual situation:
ifconfig_em1_alias0="inet 192.168.0.249  netmask 255.255.255.0"
ifconfig_em1_alias1="inet 192.168.1.249  netmask 255.255.255.0"
ifconfig_em1_alias2="inet 192.168.2.249  netmask 255.255.255.0"
ifconfig_em1_alias3="inet 192.168.3.249  netmask 255.255.255.0"
ifconfig_em1_alias4="inet 192.168.12.249  netmask 255.255.255.0"
ifconfig_em1_alias5="inet 192.168.13.249  netmask 255.255.255.0"
ifconfig_em0="inet 125.74.120.94  netmask 255.255.255.252"
natd_interface="em0"
natd_enable="YES"
natd_flags="-config /etc/natd.conf"

6. Reboot.

This basically covers your points 1 and 3.

Now for MAC binding:
1. cd /usr/ports/ipguard
2. make install clean
3. Put the IP/MAC pairs into /etc/ethers, one per line in the form IP MAC, according to your actual situation.
4. Add ipguard_enable="YES" to /etc/rc.conf

Second approach:
1. Do step 3 of the approach above.
2. Add /usr/sbin/arp -f /etc/ethers to /etc/rc.conf

Done; that's a wrap.

A few suggestions for you:
1. Read "How To Ask Questions The Smart Way".
2. If anything I described above cannot be found in the FreeBSD Handbook online, go ahead and gouge out my eyes, throw them on the ground and stomp on them to hear the pop. When you hit a problem: man first, then the Handbook, then Google.

Otherwise this thread will become yet more of what someone called clear proof of FreeBSD's decline, and you may well get no answer.
Good Luck
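As an added example (not code from the original post, nor from the ipguard project), the script below turns the IP MAC list the post keeps in /etc/ethers into the LAN-side part of an rc.firewall: the arp -f call from the second scheme backed by an ipfw source allowlist (static ARP alone pins an IP to a MAC but blocks nobody), followed by dummynet shaping attached to the LAN interface with a per-host mask, so the rules still see private addresses (after the divert natd rule an outbound packet already carries the WAN address) and one P2P host gets only its share of the total instead of the whole pipe. Listed hosts skipto the shaper section and, with the default net.inet.ip.fw.one_pass=1, are accepted as they leave the queue, while everything else arriving from the LAN hits the deny. The interface name em1, the 192.168.0.0/16 range, the rule numbers and the rates are assumptions taken over from or added to the post's configuration.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints the LAN-side part of
# an rc.firewall from the "IP MAC" list the post keeps in /etc/ethers: static
# ARP via arp -f (the post's second scheme) plus an ipfw source allowlist,
# since arp -f alone pins IP to MAC but blocks nobody, then dummynet shaping
# on the LAN interface with a per-host mask, so rules still see private
# addresses (after "divert natd" outbound packets carry the WAN address) and
# no single P2P host can take the whole pipe. Interface, rule numbers, rates
# and LAN range are assumptions.
LAN_IF="${LAN_IF:-em1}"; LAN_NET="${LAN_NET:-192.168.0.0/16}"
UP_BW="${UP_BW:-10Mbit/s}"; DOWN_BW="${DOWN_BW:-50Mbit/s}"

# IPv4 dotted quad (four octets 0-255) and six hex pairs as arp -f expects.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}
valid_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in $h:$h:$h:$h:$h:$h) return 0 ;; esac; return 1
}

# lan_rules FILE: print the commands. Listed hosts skipto the shaper at 2000,
# the rest hit the deny at 1999; any malformed line prints nothing, returns 1.
lan_rules() {
    file="$1"; n=1000; bad=0; acl=""
    while read -r ip mac rest; do
        case "$ip" in ''|'#'*) continue ;; esac       # blank line or comment
        if valid_ipv4 "$ip" && valid_mac "$mac"; then
            acl="$acl
ipfw add $n skipto 2000 ip from $ip to any in recv $LAN_IF"
            n=$((n + 1))
        else
            echo "malformed entry: $ip $mac" >&2; bad=1
        fi
    done < "$file"
    [ "$bad" -eq 0 ] && [ -n "$acl" ] || return 1
    printf '%s\n' "arp -f $file" "${acl#?}" \
        "ipfw add 1999 deny ip from any to any in recv $LAN_IF" \
        "ipfw pipe 1 config bw $UP_BW" "ipfw pipe 2 config bw $DOWN_BW" \
        "ipfw queue 1 config pipe 1 weight 10 mask src-ip 0xffffffff" \
        "ipfw queue 2 config pipe 2 weight 10 mask dst-ip 0xffffffff" \
        "ipfw add 2000 queue 1 ip from $LAN_NET to any in recv $LAN_IF" \
        "ipfw add 2010 queue 2 ip from any to $LAN_NET out xmit $LAN_IF"
}
```

The generated lines belong before the post's final pass rule; the post's deny rules without an interface qualifier still apply to the shaped traffic on the WAN-side pass.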

#3
Posted 2008-03-10 21:10
Forgot something. Since I'm being the good guy all the way, here is a document for you.

When a host on the LAN downloads with P2P, the P2P software takes up a large share of the bandwidth on the LAN's link to the Internet, and other users see slow or stalling connections. BT and similar programs also act as seeds, serving downloads to others while they download. Because ADSL upstream bandwidth is at most 512K, P2P software is particularly likely to congest the LAN's upstream link; and since every Internet operation needs traffic in both the upstream and downstream directions, once upstream is saturated every user is affected. Default ports of common P2P software:

Software      Protocol/port
BT            tcp:6881-6889
eMule         tcp:4661-4662
Xunlei        tcp:3077
poco          udp:9000 udp:5356 tcp:5354

But most P2P software lets the user change its ports by hand, so the most effective measure against P2P is still to limit bandwidth.
Active Wall can enforce precise upstream, downstream and total bandwidth limits (in kilobytes per second) in gateway, bridge and single-host modes.

QQ Live is now a very serious problem and a lot of network admins are troubled by it. I found out by chance!
Blocking the QQ Live ports solves it. This thing is even worse than BT..
Block UDP ports 13000-14000.
-------------------------------------------------------------------
2005-10-09 update: ports and IPs of several common programs

Xunlei
Port: 3077 3076
IP: 202.96.155.91, 210.22.12.53 61.128.198.97

NetFairy 2004
Port: 7777, 7778, 11300
IP: 61.134.33.5, 61.233.75.13, 61.138.213.251,
222.240.210.68, 61.177.95.140, 61.177.95.137

eMule
Port: 4662, 4661, 4242
IP: 62.241.53.15

KuGou
Port: 7000, 3318
IP: 218.16.125.227 61.143.210.56 218.16.125.226
61.129.115.206 61.145.114.33

BitSpirit
Port: 16881

Baoku
Port: 6346
IP: 61.172.197.196 218.1.14.3 218.1.14.4 218.1.14.9
61.172.197.209 61.172.197.197 218.1.14.5 218.5.72.118
61.172.197.196

Baishitong download tool
Port:
IP: 61.145.126.150

Baidu MP3 download
Port:
IP: 202.108.156.206

PTC download tool
Port: 50007
IP:

eDonkey2000 download tool
Port: 4371 4662
IP: 62.241.53.15 62.241.53.17

Poco2005
Port: 8094 2881 5354
IP: 61.145.118.224 210.192.122.147 207.46.196.108

Kameng
Port: 3751 3753 4772 4774
IP: 211.155.224.67

Weiyu RealLink
Port:
IP: 211.91.135.114 221.233.18.180 61.145.119.55 221.3.132.99

Baibao
Port: 3468
IP: 219.136.251.56 61.149.124.173

Baihua PP
Port: 5093
IP: 221.229.241.243

Kuaiditong
Port:
IP: 202.96.137.56

Kule
Port: 6801 6800 7003
IP: 218.244.45.67 220.169.192.145

Baidu Xiaba
Port: 11000
IP: 202.108.249.171

Baizhao P2P
Port: 9000
IP: 221.233.19.30

Shitou (OPENEXT)
Port: 5467 2500 4173 10002 10003
IP: 66.197.13.166 210.22.12.245 69.93.222.56

iLink 1.1
Port: 5000
IP:

DDS
Port: 11608
IP: 210.51.168.13 211.157.105.252 212.179.66.17

iMesh 5
Port: 4662
IP: 212.179.66.17 212.179.66.24 38.117.175.23

winmx
Port: 5690
IP: 64.246.15.43

Wangku
Port: 2122
IP: 211.152.22.9 211.152.22.101 221.192.132.29

PPLive Internet TV
Port: UDP 4004
Port: TCP 8008

Where no protocol is given, the port is TCP.

#4
Posted 2008-03-11 10:20
Nice solution.
Learned something.

#5
Posted 2008-03-11 10:35
Originally posted by ahlai on 2008-3-10 16:15:
    I want to set up FreeBSD with the functions below. What software do I need to install for each?
    1. Bandwidth management
    2. Gateway anti-virus (detecting and removing viruses and trojans embedded in web pages)
    3. Restricting BT, eMule and other P2P software
    4. Allowing or denying clients Internet access based on MAC address
    Friends who know, please advise.
    Thanks

2. Gateway anti-virus (detecting and removing viruses and trojans embedded in web pages)
This seems to need squid combined with clamav.
Or just use Endian Firewall directly;
most of this is already done for you there.