This post was last edited by cnllww on 2012-02-23 15:58.
I often need to put some limits on the web activity of users on the internal network, so I installed the Squid proxy on the firewall machine (running OpenBSD) to do some simple filtering of the internal users' web access.

OpenBSD 5.0; em0 is connected to the internal network, em1 to the external network.
Enable packet forwarding:

```
$ cat /etc/sysctl.conf
net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.mforwarding=1       # 1=Permit forwarding (routing) of IPv4 multicast packets
```
Daemon switches:

```
$ cat /etc/rc.conf.local
#Enable or Disable System Daemon
ntpd_flags=                     # enabled during install
ftpproxy_flags=                 # enabled by pf.conf; allow FTP-PROXY
pkg_scripts="squid"             # start squid at boot
```
PF filter file:

```
$ cat /etc/pf.conf
#Macros
int_if="em0"
open_tcp_services="{ 2200,80 }"                 # ports of services opened to the outside
icmp_types="echoreq"
allow_tcp_ports="{ 80,443,701,800,7002,8001,8002,8080,8089,8601,9002 }" # ports the internal network may reach
tencent_udp_ports="8000"                        # open the QQ service port
table <badhosts> persist { 172.20.6.40,172.20.6.41 }                    # blacklisted addresses
table <manager_ip> persist { 172.20.6.1,172.20.6.2,172.20.6.13,172.20.6.15 } # privileged addresses
#Options
set block-policy drop
set optimization aggressive
set loginterface none
set skip on lo0
set limit { states 65535, frags 200, src-nodes 65536, tables 65536, table-entries 1048576 }
#Firewall Rules
####### default
block quick from <badhosts>
block in all
block out all
antispoof quick for { lo0 $int_if }
###### ftp client
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port 21 divert-to 127.0.0.1 port 8021
###### squid: redirect web traffic to the squid port
# only plain HTTP (port 80) is diverted to squid; port 443 leaves through the NAT rule below and is not seen by squid's ACLs
pass in quick on $int_if inet proto tcp to any port 80 divert-to 127.0.0.1 port 3128
###### nat
match out on egress inet proto tcp from !(egress:network) to any port $allow_tcp_ports nat-to (egress)
match out on egress inet proto udp from !(egress:network) to any port $tencent_udp_ports nat-to (egress)
match out on egress inet from <manager_ip> to any nat-to (egress)
####### pass out
pass out quick on egress inet from (egress) to any flags S/SA keep state
pass out quick on $int_if
####### Pass in for EXT_IF _egress
pass in on egress inet proto tcp from any to (egress) port $open_tcp_services
####### enable icmp
pass in quick inet proto icmp all icmp-type $icmp_types
####### Pass in for int_if
pass in on $int_if
```
Squid proxy filtering:

```
$ cat /etc/squid/squid.conf
http_port 127.0.0.1:3128 transparent            # transparent proxy
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 172.20.6.0/24                  # assumed LAN range behind em0 (not shown in the post); without this line squid refuses to start because 'localnet' is used below
acl manager_ip src "/etc/squid/ip_manager.txt"  # privileged addresses
acl badhosts_ip src "/etc/squid/ip_badhosts.txt" # blacklisted addresses
acl OverConnLimit maxconn 200
# define working hours: a time acl takes a single range, so the two ranges go on
# two lines with the same name and are ORed
acl work_time time S M T W H F A 7:00-11:00
acl work_time time S M T W H F A 13:00-17:00
acl filter_flash urlpath_regex -i "/etc/squid/filter_flash.txt"  # filter Flash
acl filter_files urlpath_regex -i "/etc/squid/filter_files.txt"  # filter download file extensions
acl filter_sites dstdom_regex "/etc/squid/filter_sites.txt"      # filter specific sites
acl filter_keys url_regex -i "/etc/squid/filter_keys.txt"        # filter specific keywords
acl nocache_sites dstdom_regex "/etc/squid/nocache_sites.txt"    # sites not to cache
acl nocache_files urlpath_regex -i "/etc/squid/nocache_files.txt" # file extensions not to cache
http_access deny badhosts_ip
http_access deny filter_flash work_time !manager_ip   # block non-privileged addresses from viewing Flash animations during working hours
http_access deny filter_files work_time !manager_ip   # block non-privileged addresses from downloading files during working hours
http_access deny filter_keys work_time !manager_ip
http_access deny filter_sites work_time !manager_ip
http_access deny OverConnLimit
no_cache deny nocache_sites
no_cache deny nocache_files
http_access allow localnet                      # anything not matched above is denied (opposite of the last rule)
```
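The blacklist and the privileged-address list each live in two places: as PF tables in /etc/pf.conf and as files read by Squid ACLs. If the two drift apart, a host that PF blocks may still be allowed by Squid, or a privileged host may lose its exemption in one layer only. The following is an added example (not part of the original post): a small Python check that parses the `table` lines and a Squid `src "file"` list and reports the differences. The inputs are constructed here from the post; on the firewall you would read the real files.

```python
"""Cross-check the PF tables against the Squid IP list files.

Added example, not from the original post.  Inputs below are constructed:
the two 'table' lines from the post's pf.conf and two list files that
have drifted from them.
"""
import re

# Constructed input: the table lines from the post's pf.conf.
PF_CONF = """
table <badhosts> persist { 172.20.6.40,172.20.6.41 }
table <manager_ip> persist { 172.20.6.1,172.20.6.2,172.20.6.13,172.20.6.15 }
"""

# Constructed input: /etc/squid/ip_badhosts.txt and /etc/squid/ip_manager.txt
# after someone edited only the Squid side.
SQUID_LISTS = {
    "badhosts": "172.20.6.40\n172.20.6.41\n172.20.6.42\n",   # one host added here only
    "manager_ip": "172.20.6.1\n172.20.6.2\n172.20.6.13\n",   # 172.20.6.15 missing here
}

# 'table <name> [flags] { a, b, c }' on one line
TABLE_RE = re.compile(r'^\s*table\s+<(\w+)>[^{]*\{([^}]*)\}', re.M)


def parse_pf_tables(text):
    """Return {table_name: set(addresses)} from the 'table' lines of a pf.conf."""
    tables = {}
    for name, body in TABLE_RE.findall(text):
        tables[name] = {a for a in re.split(r'[,\s]+', body) if a}
    return tables


def parse_squid_list(text):
    """Return the addresses of a Squid 'src "file"' list: one per line, '#' starts a comment."""
    addrs = set()
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            addrs.add(line)
    return addrs


def compare(pf_text, squid_lists):
    """Return {table_name: (only_in_pf, only_in_squid)} for every PF table."""
    result = {}
    for name, pf_set in parse_pf_tables(pf_text).items():
        sq_set = parse_squid_list(squid_lists.get(name, ""))
        result[name] = (sorted(pf_set - sq_set), sorted(sq_set - pf_set))
    return result


if __name__ == "__main__":
    for name, (only_pf, only_squid) in compare(PF_CONF, SQUID_LISTS).items():
        print(f"{name}: only in pf.conf {only_pf}; only in squid list {only_squid}")
```

The check maps the PF table name to the Squid list of the same name (`badhosts`, `manager_ip`); it only parses single-line `table` definitions, which is all the post uses.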
Block Flash:

```
$ cat /etc/squid/filter_flash.txt
\.swf
\.flash
\.flv
```

Block file downloads:

```
$ cat /etc/squid/filter_files.txt
\.rar
\.zip
\.exe
\.msi
\.cab
```

Block specific sites:

```
$ cat /etc/squid/filter_sites.txt
v.ifeng.com
v.sohu.com
```

With the settings above, the filtering requirements are basically met.
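Before putting a policy like the one above into service it helps to check how Squid will decide a given request, since the outcome depends on rule order, on ANDing the ACLs within a line, and on ORing repeated `acl` lines of the same name. The following is an added example (neither Squid code nor part of the original post) that re-implements those evaluation rules in Python over the post's ACLs and filter files, so sample requests can be checked offline. It assumes the LAN is 172.20.6.0/24, treats the time-range boundaries as inclusive, and leaves out `OverConnLimit` (needs live connection counts) and `filter_keys` (its file is not shown in the post).

```python
"""Offline evaluator for the Squid http_access policy from the post.

Added example, not Squid code.  Evaluation rules implemented:
  1. http_access lines are tried top to bottom; the first line whose
     ACLs all match decides.
  2. Within one line the ACLs are ANDed; a leading '!' negates an ACL.
  3. Several 'acl' lines with the same name are ORed (this is how the
     work_time ACL gets a morning and an afternoon range).
  4. If no line matches, the opposite of the last line's action applies.
Address lists, filter patterns and requests are constructed from the post.
"""
import re
from datetime import datetime

MANAGER_IP = {"172.20.6.1", "172.20.6.2", "172.20.6.13", "172.20.6.15"}
BADHOSTS_IP = {"172.20.6.40", "172.20.6.41"}
LOCALNET_PREFIX = "172.20.6."      # assumption: the LAN behind em0 is 172.20.6.0/24
FILTER_FLASH = [r"\.swf", r"\.flash", r"\.flv"]                    # urlpath_regex -i
FILTER_FILES = [r"\.rar", r"\.zip", r"\.exe", r"\.msi", r"\.cab"]  # urlpath_regex -i
FILTER_SITES = [r"v\.ifeng\.com", r"v\.sohu\.com"]                 # dstdom_regex (case-sensitive)

# Squid day letters S M T W H F A, indexed by datetime.weekday() (Mon=0 .. Sun=6).
DAY_LETTERS = "MTWHFAS"


def time_acl(days, h1, m1, h2, m2):
    """One 'acl NAME time DAYS h1:m1-h2:m2' line; both ends treated as inclusive."""
    start, stop = h1 * 60 + m1, h2 * 60 + m2

    def match(req):
        t = req["time"]
        return DAY_LETTERS[t.weekday()] in days and start <= t.hour * 60 + t.minute <= stop
    return match


def regex_acl(patterns, part, flags=0):
    """urlpath_regex / dstdom_regex: any pattern found in the given request part."""
    compiled = [re.compile(p, flags) for p in patterns]
    return lambda req: any(r.search(req[part]) for r in compiled)


# name -> list of alternatives (ORed, like repeated 'acl' lines with one name)
ACLS = {
    "badhosts_ip": [lambda r: r["src"] in BADHOSTS_IP],
    "manager_ip": [lambda r: r["src"] in MANAGER_IP],
    "localnet": [lambda r: r["src"].startswith(LOCALNET_PREFIX)],
    "work_time": [time_acl("SMTWHFA", 7, 0, 11, 0),     # morning range
                  time_acl("SMTWHFA", 13, 0, 17, 0)],   # afternoon range
    "filter_flash": [regex_acl(FILTER_FLASH, "path", re.I)],
    "filter_files": [regex_acl(FILTER_FILES, "path", re.I)],
    "filter_sites": [regex_acl(FILTER_SITES, "host")],
}

# The http_access lines from the post, in order (OverConnLimit and filter_keys omitted).
HTTP_ACCESS = [
    ("deny", ["badhosts_ip"]),
    ("deny", ["filter_flash", "work_time", "!manager_ip"]),
    ("deny", ["filter_files", "work_time", "!manager_ip"]),
    ("deny", ["filter_sites", "work_time", "!manager_ip"]),
    ("allow", ["localnet"]),
]


def acl_matches(name, req):
    negated = name.startswith("!")
    hit = any(alt(req) for alt in ACLS[name.lstrip("!")])
    return hit != negated


def decide(req, rules=HTTP_ACCESS):
    """Return 'allow' or 'deny' for one request, following the rules above."""
    for action, acls in rules:
        if all(acl_matches(a, req) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"   # no match: opposite of last line


def request(src, host, path, when):
    return {"src": src, "host": host, "path": path, "time": when}


def at(hour, minute=0, day="2012-02-23"):
    """Constructed timestamp; 2012-02-23 is a Thursday (Squid day letter H)."""
    return datetime.strptime(f"{day} {hour:02d}:{minute:02d}", "%Y-%m-%d %H:%M")


if __name__ == "__main__":
    samples = [
        ("172.20.6.50", "www.example.com", "/banner.swf", at(10)),   # staff, working hours
        ("172.20.6.50", "www.example.com", "/banner.swf", at(12)),   # staff, lunch break
        ("172.20.6.1", "www.example.com", "/setup.exe", at(10)),     # privileged, working hours
        ("172.20.6.40", "www.example.com", "/index.html", at(10)),   # blacklisted host
        ("10.0.0.5", "www.example.com", "/index.html", at(10)),      # not on the LAN
    ]
    for src, host, path, when in samples:
        print(src, host + path, when.strftime("%a %H:%M"), "->", decide(request(src, host, path, when)))
```

Running it shows the effect of the lunch-break gap (a `.swf` request at 12:00 is allowed, at 10:00 it is denied), the privileged-address exemption, and that a client outside the LAN is denied by the implicit fallback rather than by any explicit line.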