Build a high-performance enterprise-level gateway and proxy server under FreeBSD: FreeBSD + PF + Squid
1. Kernel compilation
To make FreeBSD a shared Internet gateway, we first need to compile a new kernel.
(1) Edit the kernel configuration file
First, we edit the kernel configuration file so that the kernel supports PF and bandwidth control (ALTQ). After logging on to the system as root, use ee to edit the FreeBSD kernel configuration file:
nat# ee /usr/src/sys/i386/conf/GENERIC
Move the cursor to the last line, add the following content, then save and exit (Figure 2).
# Kernel-level PF support
device pf
device pflog
device pfsync
# Bandwidth control (ALTQ with the CBQ scheduler)
options ALTQ
options ALTQ_CBQ
(2) Compile the kernel
Run the following commands to compile and install the kernel:
nat# cd /usr/src
nat# make kernel KERNCONF=GENERIC
Rebuilding the operating system kernel is a long process. Now you can have a cup of coffee...
After the system returns to the prompt, restart it:
nat# reboot
(3) Load PF automatically at boot
After logging on to the system as root again, run the following command to edit rc.conf with ee so that the system loads PF automatically after it starts:
nat# ee /etc/rc.conf
The following is the relevant part of the author's rc.conf. Decide what to keep based on your own needs (Figure 3).
# First, set the server host name
hostname="nat.scetc.net"
# Then set the default gateway for the server
defaultrouter="218.6.165.1"
# Allow the server to act as a gateway (forward packets between its interfaces)
gateway_enable="YES"
# The two network cards on the server:
# bge0 is a Broadcom Gigabit NIC connected to the external network
# em0 is an Intel Gigabit NIC connected to the internal network
ifconfig_bge0="inet 218.6.165.6 netmask 255.255.255.192"
ifconfig_em0="inet 192.168.0.254 netmask 255.255.0.0"
# Load PF at boot and read its rules from /etc/pf.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"
# Allow the system to run BIND to provide DNS services
named_enable="YES"
# Allow the system to run Squid as the proxy server
squid_enable="YES"
squid_user="squid"
Internet sharing: the simplest PF configuration
All PF functions are implemented by editing its configuration file, /etc/pf.conf. First, we write a simple configuration file so that intranet machines can connect to the Internet without any restrictions.
# Define network cards, IP addresses and other values as macros for later use
ext_if="bge0"   # Internet NIC
int_if="em0"    # intranet NIC
# Addresses that should never be routed over the Internet (used later to detect IP spoofing)
noroute="{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
routerip="192.168.0.254"        # server intranet IP address
internal_net="192.168.0.0/16"   # intranet IP address range
ext_addr="218.6.165.6"          # server Internet IP address
loop="lo0"                      # loopback device
# The following statement achieves transparent Internet access:
# all internal requests go out through the external NIC, translated to its address
nat on $ext_if from $internal_net to any -> ($ext_if)
# Allow all traffic through the gateway
pass in all
pass out all
PF control commands
After we change the PF configuration, do we have to restart the server for the new rules to take effect? No. The pfctl control command reloads the rules, and it also lets administrators see how PF is running at any time.
1. Enable or disable PF
PF provides the pfctl command to control its operation:
pfctl -e    # enable PF
pfctl -d    # disable PF
Note, however, that pfctl -e only enables PF; it does not load any rules.
2. Reload the PF configuration
After modifying the PF configuration file pf.conf, run the following command to use the new configuration without restarting PF:
pfctl -f /etc/pf.conf
If we only want to check the configuration file for syntax errors without loading it:
pfctl -nf /etc/pf.conf
We can also reload only the NAT rules in the configuration file:
pfctl -Nf /etc/pf.conf
or only the filter rules:
pfctl -Rf /etc/pf.conf
3. View the server's status
To give administrators a better understanding of how PF is running, pfctl also provides the following useful options.
View the NAT rules: pfctl -sn
View the filter rules: pfctl -sr | more
In addition, we can use the following commands to view the server's state table and statistics (Figure 4):
View the PF state table: pfctl -ss
View PF filter information and statistics: pfctl -si
View everything: pfctl -sa
TIPS: Make the gateway work more efficiently: optimizing PF
To improve the performance and stability of PF, we also need to fine-tune it.
PF tuning mainly involves the set timeout, set limit, set optimization and set block-policy options. The following is the author's optimization configuration:
set timeout { interval 10, frag 30 }
set limit { states 10000, frags 5000 }
set optimization aggressive
set block-policy drop
scrub in all
Advanced PF skills
The above are the most basic settings and monitoring commands for PF. Different enterprises will of course develop different gateway configurations according to their own requirements.
1. Blocking QQ
Some organizations do not want certain computers to use QQ. This is easily implemented with PF filter rules.
(1) Define the QQ servers
We first define the IP addresses of the QQ servers as a macro (we recommend keeping all definitions together in the same part of the configuration file so they are easy to reference and modify).
# Define the IP addresses of the QQ servers
qqserverips="{ 202.103.149.40, 202.103.190.61, ..., 218.17.114.0/24 }"
Due to space limitations, the IP addresses of the QQ servers are not fully listed in this article. If you need them, download them from online.cniti.com.
(2) Define the users prohibited from using QQ
Now we define the IP address ranges of the computers that are not allowed to use QQ and name the macro "book_lib".
# Define the IP address ranges of the library's multimedia reading room
book_lib="{ 192.168.0.184/29, 192.168.0.192/27, 192.168.0.20./28, 192.168.200.128/25 }"
(3) Define the PF filter rules
Add the following to pf.conf to prevent multimedia reading room users from using QQ.
# Do not allow the library's multimedia reading room to use QQ
block quick on $ext_if from $qqserverips to $book_lib
block quick on $int_if from $book_lib to $qqserverips
After all rules are written, run "pfctl -f /etc/pf.conf" to make the new rules take effect. Now the restricted users cannot use QQ.
Note: Some users may still use QQ through the proxy provided by Squid. How to prevent QQ from being used through the Squid proxy is described in a later section.
Restricting an address range from online games such as Lianzhong, Chinagames or Paopaotang works the same way as the QQ restriction; please configure it yourself.
2. Blocking the 3721 plug-in
Our users here are disgusted with 3721, which also consumes a lot of network bandwidth. Therefore one of my main tasks was to prohibit downloading the 3721 plug-in.
Add the following to pf.conf so that no user can access the 3721 websites.
# Define the IP address ranges of 3721
damn_3721="{ 218.244.45.0/24, ..., 218.224.44.5/32, 202.165.102.158/32 }"
# Do not allow any computer to access 3721
block quick on $ext_if from $damn_3721 to any
block quick on $int_if from any to $damn_3721
3. Publishing intranet websites
For security reasons, administrators generally place web servers in the intranet. To let computers on the Internet access a web server behind PF, the corresponding settings must be made in PF.
Assume the intranet web server has the IP address 192.168.0.10 and listens on port 80. We can redirect port 80 on the PF server to port 80 on the intranet web server. Note that filter rules are applied after translation, so under the default-deny ruleset shown later a pass rule for traffic to 192.168.0.10 port 80 is also required.
# Forward access to port 80 of the PF server's Internet IP address to port 80 of the internal machine 192.168.0.10
rdr on $ext_if proto tcp from any to $ext_addr port 80 -> 192.168.0.10 port 80
4. Blocking high-risk ports
As an enterprise gateway, it will certainly be scanned and attacked by bored people. In addition, worms such as Blaster can also attack the gateway. How to prevent these attacks and scans is a security issue that every PF administrator must consider.
We can define some high-risk ports and then place special restrictions on access to them.
# Define the high-risk ports
danger_port="{ 445, 135, 139, 593, 5554, 9995, 9996 }"
# Prohibit machines on both the internal and the external network from accessing high-risk ports such as 135 and 139
block quick on $int_if inet proto tcp from any to any port $danger_port
block quick on $ext_if inet proto tcp from any to any port $danger_port
In these rules we use "from any to any" to state that nobody may access the defined ports, whether from the internal or the external network. Some readers may ask why internal access is disabled as well. As you know, for an enterprise gateway the biggest threat may not be the external network but the internal one. The reason is simple: internal bandwidth is far greater than external bandwidth, and everyone inside can send packets to the server at high speed (such as 100 Mb/s), so two machines inside can do as much as dozens of computers outside.
In addition, this also prevents worms such as Blaster from interacting with the gateway at all, which is especially important for a VLAN-based network: when Blaster is raging, the gateway and the computers in other VLANs can still use the network normally, and only the VLAN containing the infected computer is affected. In this way the damage is kept to a minimum.
5. Preventing scans
Likewise, the gateway is always subject to many scans, and one of the most popular and powerful scanning tools, Nmap (available for both UNIX and Windows), is an extremely experienced enemy of the gateway. We must make scanning harder for Nmap. Although this cannot prevent the gateway from being scanned, it can at least reject some of Nmap's scan types.
# Reject common Nmap port-scan probes against the server
block log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block quick on $ext_if inet proto tcp from any to any flags /SFRA
# The three rules above drop Xmas (FIN+URG+PSH), SYN/FIN and NULL-flag probes, the signatures of Nmap's stealth scans
6. Preventing IP spoofing
IP spoofing is also a dangerous intrusion technique. Especially for companies with a VPN, it is necessary to prevent IP spoofing. The following definitions and rules solve some IP spoofing problems.
# Define addresses that must never appear on the Internet interface
noroute="{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"
# Prevent IP spoofing: antispoof drops packets arriving on other interfaces with a source address from $int_if's network
antispoof quick for $int_if inet
block quick on $ext_if inet from $noroute to any
block quick on $ext_if inet from any to $noroute
Many bored people also use dictionary tools to attack servers. In this case we must block their IP addresses. How? The following rules solve the problem easily; all you need to do is maintain the "hack_ips" address list.
# Define the IP addresses of scanners and intruders
hack_ips="{ 220.166.11.92/32 }"
# Do not exchange any traffic with malicious scanning or intrusion IP addresses
block quick on $ext_if from $hack_ips to any
block quick on $ext_if from any to $hack_ips
7. Safer Internet sharing
So far the filter rules are almost complete, but do you still remember the two dangerous rules we set at the beginning: "pass in all" and "pass out all"? For security, we must remove these two rules and instead open only what the intranet needs to access the Internet safely.
# Enterprise-level security gateway practice
# First block all traffic entering or leaving the gateway
block in all
block out all
# Then open the required permissions one by one
# Allow inbound and outbound traffic on the loopback interface
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state
# Allow intranet machines to send traffic into the gateway; it is then NATed out through $ext_if
# (without this rule the default deny above would also stop forwarded traffic)
pass in on $int_if from $internal_net to any keep state
# Allow machines on our network to ping any host,
# but do not allow Internet machines to ping the server's external NIC
block in on $ext_if inet proto icmp all icmp-type 8 code 0
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
pass in quick on $int_if inet proto icmp all icmp-type 8 code 0
# Allow all UDP connections to go out through the gateway and keep state
pass out on $ext_if proto udp all keep state
# Allow external DNS requests to enter the gateway, which provides DNS services
pass in on $ext_if proto udp from any to any port = domain keep state
# Allow all TCP connections to go out through the gateway and modulate state
# (modulate state randomizes the initial sequence numbers of outgoing connections)
pass out on $ext_if proto tcp all modulate state
# Allow external access to the TCP service ports defined in the "tcp_services" macro and keep state
# ($tcp_services must be defined with the other macros at the top of pf.conf; its list is not shown in this article)
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
# Only TCP SYN packets (flags S/SA) may create state for outgoing connections through the gateway
pass out on $ext_if proto tcp all modulate state flags S/SA
# Allow Internet and intranet computers to connect to port 22 of the gateway, giving administrators SSH2 access
pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
pass in on $int_if proto tcp from any to $int_if port 22 keep state
# Allow intranet machines to access port 8080 (the Squid proxy port) on the gateway's internal IP address
pass in on $int_if inet proto tcp from any to $routerip port 8080 keep state
In PF, each packet is checked against the rules from top to bottom, and the last matching rule wins: it has the final say! However, the quick keyword stops further rule processing at that match. So if you want to block an access, do not write:
block in on fxp0 proto tcp from any to any port ssh
pass in all
because the last line will allow all traffic to pass. It should instead be:
block in quick on fxp0 proto tcp from any to any port ssh
pass in all
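As an added illustration (not code from the article), the following Python model of PF's rule evaluation shows the difference between the two rulesets above and also checks a default-deny ruleset in the style of section 7; the interface names fxp0, em0 and bge0 are the ones used on this page, and only direction, interface, protocol, destination port and quick are modelled.

```python
"""Toy model of PF filter-rule evaluation, added as an illustration (not code from
the article): the LAST matching rule decides unless a matching rule says 'quick',
which ends evaluation at once.  Only direction, interface, protocol, destination
port and 'quick' are modelled; macros such as $int_if are written out as the
interface names the article uses (em0, bge0)."""
from dataclasses import dataclass
from typing import List, Optional

PORTS = {"ssh": 22, "www": 80, "domain": 53}  # service names a rule may use

@dataclass
class Rule:
    action: str                  # "block" or "pass"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None: any interface
    proto: Optional[str] = None  # None: any protocol
    dport: Optional[int] = None  # None: any destination port
    quick: bool = False

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int

def parse(line: str) -> Rule:
    """Parse the pf.conf subset the article uses, e.g.
    'block in quick on fxp0 proto tcp from any to any port ssh'.
    Tokens that add no constraint here (all, from, to, any, keep, state) are skipped."""
    tok = line.split()
    rule = Rule(action=tok[0], direction=tok[1])
    i = 2
    while i < len(tok):
        if tok[i] == "quick":
            rule.quick = True
        elif tok[i] == "on":
            i += 1
            rule.iface = tok[i]
        elif tok[i] == "proto":
            i += 1
            rule.proto = tok[i]
        elif tok[i] == "port":
            i += 1
            rule.dport = PORTS[tok[i]] if tok[i] in PORTS else int(tok[i])
        i += 1
    return rule

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every field it specifies agrees with the packet."""
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))

def verdict(lines: List[str], pkt: Packet) -> str:
    """Walk the ruleset top to bottom like PF: remember the last match, but stop
    at once when the matching rule carries 'quick'.  With no matching rule at all,
    PF's default is to pass the packet."""
    result = "pass"
    for rule in (parse(line) for line in lines):
        if matches(rule, pkt):
            result = rule.action
            if rule.quick:
                break
    return result

# The two rulesets from the article, plus a default-deny ruleset in the style of
# the "safer Internet sharing" section (block all first, then open what is needed).
WRONG = ["block in on fxp0 proto tcp from any to any port ssh", "pass in all"]
RIGHT = ["block in quick on fxp0 proto tcp from any to any port ssh", "pass in all"]
DEFAULT_DENY = [
    "block in all",
    "block out all",
    "pass in quick on lo0 all keep state",
    "pass in on em0 proto tcp from any to em0 port 22 keep state",
]

if __name__ == "__main__":
    ssh_in = Packet("in", "fxp0", "tcp", 22)
    print(verdict(WRONG, ssh_in))  # pass: "pass in all" is the last match
    print(verdict(RIGHT, ssh_in))  # block: quick stops at the block rule
    print(verdict(DEFAULT_DENY, Packet("in", "bge0", "tcp", 22)))  # block
```

In the default-deny ruleset the later "pass in on em0" rule overrides "block in all" for SSH from the intranet only, which is exactly the ordering the article relies on in section 7.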
That covers the general rules of PF. By combining these rules, you will be able to write a PF configuration file suitable for your enterprise.
If you want to combine PF with Squid to build a gateway + proxy server with more powerful caching, please read on.
The first part of this article showed how to share the Internet with FreeBSD through PF. However, sharing through PF alone is not very efficient because there is no cache (proxy mechanism). In this part, we combine Squid with PF to achieve more efficient Internet sharing.
King of open source proxy servers: Squid
Squid is the most popular proxy server software on Linux. It is powerful and supports proxying HTTP, FTP, Gopher, SSL, WAIS and other protocols. Its configuration is also very simple: you only need to slightly modify the configuration file to run a proxy server. Squid also provides page caching: it receives a user's download request and handles the download itself. That is, when a user wants to fetch a page, the request goes to Squid, which fetches the page on the user's behalf, sends it to the user and keeps a copy at the same time. When other users later need the same page, Squid immediately serves the saved copy instead of fetching it again from the Internet server, which speeds up access and saves limited bandwidth.
When sharing the Internet through Squid, content such as a credit-card purchase or the output of a remote script is not appropriate to cache. Squid chooses intelligently what to cache, and the administrator can also configure Squid so that it does not cache such content.
Squid runs on a wide range of operating systems, such as AIX, Digital UNIX, FreeBSD, HP-UX, IRIX, Linux, NetBSD, NeXTSTEP, SCO, Solaris and OS/2, and many people have compiled and run Squid on other operating systems.
Install Squid
Now we install Squid on FreeBSD. Anyone familiar with FreeBSD knows that it has a very convenient software installation method: the ports system.
TIPS: Squid
Under FreeBSD, we can also compile Squid, an open-source proxy server, directly from source. The latest version of Squid is 2.5.STABLE9; its official website is http://www.squid-cache.org/.
If you deployed FreeBSD with a full installation, follow along to quickly install Squid (the version installed from ports is 2.5.STABLE9).
Before using ports, we should update the FreeBSD ports tree with CVSup to ensure a proper installation. Due to space limitations we cannot describe CVSup in detail here; please refer to the relevant articles on updating the ports tree.
nat# cd /usr/ports/www/squid
nat# make install clean
The Squid installation options configuration interface (Figure 1) is then displayed. With the default options Squid works well, but readers can also select options based on their own needs; the options enable support for more proxy protocols, authentication and management through SNMP.
The following are my options, for your reference only:
[ ] SQUID_LDAP_AUTH
[X] SQUID_DELAY_POOLS
[X] SQUID_SNMP
[ ] SQUID_CARP
[X] SQUID_SSL
[ ] SQUID_PINGER
[X] SQUID_DNS_HELPER
[ ] SQUID_HTCP
[X] SQUID_VIA_DB
[X] SQUID_CACHE_DIGESTS
[X] SQUID_WCCP
[X] SQUID_UNDERSCORES
[X] SQUID_CHECK_HOSTNAME
[ ] SQUID_STRICT_HTTP
[X] SQUID_IDENT
[ ] SQUID_USERAGENT_LOG
[X] SQUID_ARP_ACL
[X] SQUID_PF
[ ] SQUID_FOLLOW_XFF
[ ] SQUID_AUFS
[ ] SQUID_COSS
[ ] SQUID_STACKTRACES
[X] SQUID_RCNG
Depending on your network conditions, the server automatically downloads the Squid source package from the Internet and then compiles and installs it (Figure 2).
Configure Squid
Now we configure Squid:
nat# ee /usr/local/etc/squid.conf
The following configuration file is my own instance; trim it as needed.
Configuration files vary with the server configuration, network conditions and connection conditions. I have commented the important statements to help you modify them for your own situation.
# Squid listening IP address and port (intranet side)
http_port 192.168.0.254:8080
# Additional memory for caching objects; set according to your system memory, generally 1/3 of the physical memory
cache_mem 256 MB
# Low-water mark for disk cache usage (percent)
cache_swap_low 80
# High-water mark (percent): above it, old objects are removed until usage drops back to the low-water mark
cache_swap_high 95
# Do not cache a single object larger than 100 MB
maximum_object_size 100 MB
# Maximum size of a single object kept in memory
maximum_object_size_in_memory 512 KB
#
# The cache directory, the disk space (in MB) it may use, and its layout: the first number is how many first-level directories are created under the cache directory, the second how many second-level directories are created under each of them
cache_dir ufs /cache/squid 512 128 256
# Log file locations
# If no access log is required, set it to /dev/null
cache_access_log /data/log/squid/access.log
cache_store_log none
# DNS helper processes; if clients fail to resolve domain names, increase this
dns_children 60
# Redirector processes; comment out if SquidGuard is not used
# redirect_children 10
# If there is no response within 5 minutes, the connection attempt is abandoned
connect_timeout 5 minutes
# Timeout for connecting to an upstream (peer) proxy
peer_connect_timeout 30 seconds
# Request timeout
request_timeout 2 minutes
# Persistent-connection and read timeouts
persistent_request_timeout 1 minute
read_timeout 5 minutes
half_closed_clients off
pconn_timeout 300 seconds
# Access control lists
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
# Encrypted ports
acl SSL_ports port 443 563
# Ports that may be requested through the proxy
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
# Define the HTTP CONNECT method
acl CONNECT method CONNECT
# Define the internal network IP addresses
acl our_networks src 192.168.0.0/16
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to any port not listed in Safe_ports above
http_access deny !Safe_ports
# Deny CONNECT to any port other than the encrypted ports
http_access deny CONNECT !SSL_ports
# Allow all machines in the LAN to use Squid
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
# Administrator email address
cache_mgr webmaster@scetc.net
# Run Squid as user and group squid
cache_effective_user squid
cache_effective_group squid
# Proxy server name
visible_hostname nat.scetc.net
# Transparent proxy settings (Squid 2.5 httpd_accel mode)
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# Average cached object size
store_avg_object_size 64 KB
# Language of the error pages
error_directory /usr/local/etc/squid/errors/Simplify_Chinese
# Directory for core dumps when Squid crashes (none disables them)
coredump_dir none
ignore_unknown_nameservers off
Initialize Squid
After the configuration is complete, check that the directory permissions are correct; otherwise Squid cannot start.
1. Directory permissions
First, check whether the owner and group of the Squid directory are squid. If unsure, run the following command, which assigns the Squid directory and all its subdirectories to squid:
nat# chown -R squid:squid /usr/local/etc/squid
Then check whether the owner and group of the cache and log directories are squid, or directly run the following commands to set them:
nat# chown -R squid:squid /cache/squid
nat# chown -R squid:squid /data/log/squid
Next, initialize the Squid cache directory. Since the cache directory structure we set is "cache_dir ufs /cache/squid 512 128 256", the system creates 128*256 = 32768 directories in the cache partition (or cache directory). This takes about 30-40 seconds, during which you will see the hard disk light stay on.
nat# squid -z
After the command completes, Squid can be used normally.
Squid advanced configuration
The configuration above contains only the most basic functions without any optimization. We optimize it below.
1. Accelerating DNS resolution
Set a DNS cache to store the results of forward and reverse DNS lookups and speed up resolution:
ipcache_size 65535
ipcache_low 80
ipcache_high 95
fqdncache_size 32768
2. Disabling caching for some content
We mentioned earlier that caching credit-card transactions, executable scripts, frequently changing home pages and so on is not safe. If we do not want to rely on Squid's automatic handling alone, we use "no-cache rules".
The following rules prevent Squid from caching HTTPS sites and scripts such as CGI, ASP, PHP and JSP:
hierarchy_stoplist cgi-bin ?
hierarchy_stoplist https://
acl QUERY urlpath_regex -i cgi-bin \? \.asp \.php \.jsp \.cgi
no_cache deny QUERY
# url_regex (not urlpath_regex) is needed here, because the scheme is not part of the URL path
acl denyssl url_regex -i ^https://
no_cache deny denyssl
For websites we do not want cached, we can create a nocache file containing the list of sites that should not be cached, and then tell Squid not to cache the sites listed in it:
acl nocache url_regex -i "/usr/local/etc/squid/nocache"
no_cache deny nocache
In the nocache file, each line holds one site. Do not forget to change the owner of this file to squid:
nat# chown squid:squid /usr/local/etc/squid/nocache
3. Access control
Next, let's look at the most important access control configuration for Squid security. Recall that we blocked QQ in the PF settings, but QQ can still connect through the HTTP proxy provided by Squid. How do we prevent such illegal network access? This is where Squid access control comes in.
First we define the IP address ranges of the restricted computers and the IP addresses of the QQ servers. The former are defined as src, the latter as dst.
# Define the IP address ranges that are not allowed to use QQ
acl book1 src 192.168.0.184/29
acl book2 src 192.168.0.192/27
acl book3 src 192.168.0.20./28
acl book4 src 192.168.200.128/25
# Define the IP addresses of the QQ servers
Note that it is best to write the IP addresses of the QQ servers on one line, or continue the line with the "\" character.
acl qq dst 202.103.149.40 202.103.190.61 ... 219.129.21.0/24 202.94.140.0/24 218.17.114.0/24
# Access restrictions
# Prohibit machines in the multimedia reading room from logging on to QQ via HTTP (supplementing the PF rules)
http_access deny book1 qq
http_access deny book2 qq
http_access deny book3 qq
http_access deny book4 qq
With this setting, it is impossible to reach the QQ server IP ranges through the Squid proxy from those address segments.
In fact, there is a simpler method: define one source and one destination, allow the source to access only that destination, and deny everything else.
# Define the query terminals (they may access only some sites)
acl query_terminal src 192.168.200.96/28
# Define the organization's external web server IP addresses
acl school_ips dst 218.6.165.8 218.6.165.7
# Only allow the query terminals to access the organization's external IP addresses
http_access allow query_terminal school_ips
http_access deny query_terminal all
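How Squid evaluates these http_access lines, as an added illustration (not the article's configuration): a small Python model of Squid's first-match rule, run over the ACLs from the configuration above, which shows why the "deny book1 qq" line must come before "http_access allow our_networks"; the destination addresses 198.51.100.10 and 203.0.113.5 are constructed sample values.

```python
"""Model of Squid's http_access evaluation, added as an illustration (not the
article's code): lines are checked top to bottom, a line matches only when ALL of
its ACL terms match (a '!' term matches when its ACL does not), and the FIRST
matching line decides; with no match, Squid applies the opposite of the last
line's action.  Only src, dst, port, method and proto ACLs are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List

# ACL definitions taken from the squid.conf above (QQ server list shortened)
ACL_LINES = """
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210
acl Safe_ports port 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl our_networks src 192.168.0.0/16
acl book1 src 192.168.0.184/29
acl qq dst 202.103.149.40 202.103.190.61 218.17.114.0/24
"""

# Correct placement: the QQ deny comes BEFORE "allow our_networks".
ACCESS_RIGHT = [
    "http_access allow manager localhost",
    "http_access deny manager",
    "http_access deny !Safe_ports",
    "http_access deny CONNECT !SSL_ports",
    "http_access deny book1 qq",
    "http_access allow our_networks",
    "http_access deny all",
]
# Same lines with the QQ deny AFTER "allow our_networks": it can never fire.
ACCESS_WRONG = ACCESS_RIGHT[:4] + ACCESS_RIGHT[5:6] + ACCESS_RIGHT[4:5] + ACCESS_RIGHT[6:]

@dataclass
class Request:
    src: str
    dst: str
    port: int
    method: str = "GET"
    proto: str = "http"

def parse_acls(text: str) -> dict:
    """Collect 'acl NAME TYPE VALUE...' lines; repeated names extend the list."""
    acls = {}
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
    return acls

def acl_matches(kind: str, values: List[str], req: Request) -> bool:
    """An ACL matches when ANY of its values matches the request."""
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if kind == "src" else req.dst)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":  # single port "80" or range "1025-65535"
        return any(int(v.partition("-")[0]) <= req.port <= int(v.partition("-")[2] or v)
                   for v in values)
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    if kind == "proto":
        return req.proto.lower() in [v.lower() for v in values]
    raise ValueError("unsupported acl type: " + kind)

def decide(acls: dict, access_lines: List[str], req: Request) -> str:
    """Return 'allow' or 'deny' for req under the given http_access lines."""
    last_action = "deny"
    for line in access_lines:
        _, action, *terms = line.split()
        last_action = action
        hit = True
        for term in terms:
            negate = term.startswith("!")
            kind, values = acls[term.lstrip("!")]
            if acl_matches(kind, values, req) == negate:
                hit = False
                break
        if hit:
            return action
    return "deny" if last_action == "allow" else "allow"

ACLS = parse_acls(ACL_LINES)

if __name__ == "__main__":
    reading_room_to_qq = Request("192.168.0.185", "202.103.149.40", 80)
    print(decide(ACLS, ACCESS_RIGHT, reading_room_to_qq))  # deny
    print(decide(ACLS, ACCESS_WRONG, reading_room_to_qq))  # allow: ordering bug
```

The same first-match rule is why the query_terminal pair above works: the allow line for school_ips is checked before the deny line for everything else.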
4. Transparent proxy
To implement a transparent proxy, you need rdr. Assume the proxy server is ready on the gateway and we want all web requests to go out through the proxy server rather than directly through PF's NAT, so that the efficient Squid cache is fully used.
Assuming the web proxy port is 8080, the following rule sends all web access through the proxy server:
rdr on $int_if inet proto tcp from $internal_net to any port www -> 192.168.0.254 port 8080
All access to port 80 is forwarded to the Squid listening port on the gateway (the "pass in on $int_if ... to $routerip port 8080" rule from the ruleset above is what lets the redirected connections through the filter). Clients then only need to use the NAT server's internal IP address as their default gateway instead of configuring a proxy server in IE; in fact they still access the Internet through the Squid proxy.
Adding the PF rules configured earlier to Squid, we have an enterprise gateway + transparent proxy. Now you can publish how to use the gateway to the internal network.