FreeBSD 5.4 + pf + squid reverse proxy practical notes

Source: Internet
Author: User

1. Hardware configuration
HP NetServer 800, Pentium III 1000 MHz, 256 MB RAM, two Intel 82559 NICs (driven by fxp on FreeBSD, hence fxp0/fxp1 below)
2. Partition information
Filesystem    Size   Used   Avail  Capacity  Mounted on
/dev/da0s1a   248M    54M    174M       24%  /
devfs         1.0K   1.0K      0B      100%  /dev
/dev/da0s1f   4.8G   130M    4.3G        3%  /home
/dev/da0s1d   248M    12K    228M        0%  /tmp
/dev/da0s1g   4.8G   565M    3.9G       12%  /usr
/dev/da0s1e   5.8G   410K    5.3G        0%  /var
3. System installation
Minimal installation.
Also install the src and ports distributions. (I had originally intended to install through ports, but did not know how to fetch the tree over CVS; without that source tree ports cannot be used, so everything was compiled from source instead.)
4. Kernel compilation
The kernel is not optimized here; the only goal is to verify that pf and squid can be combined as a reverse proxy. In a production deployment the server kernel should be tuned to some degree.

cd /usr/src/sys/i386/conf
cp GENERIC cache

Edit the kernel configuration file "cache" and add the following options (pf with its logging and state-sync devices, and ALTQ with the CBQ scheduler):
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ

Compile the kernel (the build directory that config(8) creates is ../compile/cache, not ../config/cache):
/usr/sbin/config cache
cd ../compile/cache
make depend
make
make install

At this point the new kernel is installed.
reboot
5. Load pf automatically at boot
Edit /etc/rc.conf (the netmask on fxp0 must have four octets; a /29 is 255.255.255.248):
usbd_enable="NO"
defaultrouter="218.4.xxx.xxx"
hostname="cache.aaa.com"
ifconfig_fxp0="inet 218.4.xxx.xxx netmask 255.255.255.248"
ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"
gateway_enable="YES"
inetd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshd_enable="YES"
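A five-octet netmask like the one that slipped into the fxp0 line is easy to type and is only reported at boot, when the interface fails to come up. The following is my own added check, not code from the article: a POSIX sh function that validates a dotted netmask (four octets, contiguous one bits) and a scanner that runs it over every ifconfig_* line of an rc.conf. The rc.conf fragment it writes is constructed for the demo; 198.51.100.10 is a documentation address and the file layout assumes the usual `ifconfig_X="inet A netmask M"` form.

```shell
#!/bin/sh
# Added example (not from the article): validate the netmask in every
# ifconfig_* line of an rc.conf, catching a five-octet mask such as
# 255.255.255.255.248 or a non-contiguous one such as 255.255.0.255.
# Pure POSIX sh plus sed, so it runs on any host, not only the FreeBSD box.

# valid_netmask MASK: exit 0 if MASK is four decimal octets forming a
# contiguous run of one bits followed by zero bits.
valid_netmask() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    m=0
    for o in "$@"; do
        case "$o" in 0|[1-9]*) ;; *) return 1 ;; esac   # reject leading zeros (octal trap)
        [ "$o" -le 255 ] || return 1
        m=$(( (m << 8) | o ))
    done
    inv=$(( ~m & 0xFFFFFFFF ))        # the zero bits of the mask, as ones
    [ $(( inv & (inv + 1) )) -eq 0 ]  # a contiguous low run satisfies inv & (inv+1) == 0
}

# check_rc_conf_masks FILE: print one line per ifconfig_* entry whose
# "netmask X" fails valid_netmask.  Always exits 0; count the output instead.
check_rc_conf_masks() {
    while IFS= read -r line; do
        case "$line" in
            ifconfig_*netmask*) ;;
            *) continue ;;
        esac
        mask=$(printf '%s\n' "$line" | sed -n 's/.*netmask[[:space:]]*\([^[:space:]"]*\).*/\1/p')
        if ! valid_netmask "$mask"; then
            printf 'bad netmask "%s" in: %s\n' "$mask" "$line"
        fi
    done < "$1"
    return 0
}

rc_bad_mask_count() {
    check_rc_conf_masks "$1" | wc -l | tr -d ' '
}

# write_sample_rc_conf FILE: constructed rc.conf fragment for the demo.
# 198.51.100.10 is a documentation address; the fxp0 mask repeats the
# five-octet typo and fxp2 carries a non-contiguous mask.
write_sample_rc_conf() {
    cat > "$1" <<'EOF'
hostname="cache.example.net"
ifconfig_fxp0="inet 198.51.100.10 netmask 255.255.255.255.248"
ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"
ifconfig_fxp2="inet 10.0.0.1 netmask 255.255.0.255"
gateway_enable="YES"
pf_enable="YES"
EOF
}

sample=$(mktemp)
write_sample_rc_conf "$sample"
check_rc_conf_masks "$sample"     # prints the two bad lines
rm -f "$sample"
```

Run it against the real file with `check_rc_conf_masks /etc/rc.conf` before rebooting; the contiguity test works because a valid mask inverted is 2^k - 1, and such a number ANDed with its successor is zero.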

6. Enable IP forwarding
Add the following line to /etc/sysctl.conf (gateway_enable="YES" in rc.conf already sets this sysctl at boot; the entry just makes it explicit):
net.inet.ip.forwarding=1
7. Shared Internet access with the simplest pf settings
The rules below go in /etc/pf.conf. Macros are referenced as $name with no space after the dollar sign. Note that an interface name in a source address matches only that interface's own address, so LAN clients must be matched with $inter_net rather than $lan_if. The rdr on the LAN side sends client web traffic to port 80 on the LAN address, where squid is expected to listen.
wan_if = "fxp0"
lan_if = "fxp1"
inter_net = "192.168.2.0/24"
web_server = "192.168.2.3"
ftp_server = "192.168.2.3"

scrub in all

# masquerade the LAN behind the WAN address
nat on $wan_if from $inter_net to any -> $wan_if

# transparent proxy: LAN web traffic goes to squid on the LAN address, port 80
rdr on $lan_if proto tcp from $inter_net to any port 80 -> $lan_if port 80

# LAN ftp clients go through ftp-proxy, started by inetd on 127.0.0.1:8021
rdr on $lan_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# reverse proxy for the internal web server (not used in this test)
# rdr on $wan_if proto tcp from any to $wan_if port 80 -> $web_server port 8080
# rdr on $lan_if proto tcp from $inter_net to $wan_if port 80 -> $web_server port 8080

# publish the internal ftp server: control channel plus passive data ports
rdr on $wan_if proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $wan_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535

# in on $wan_if
pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state

# out on $lan_if
pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state

# block dangerous ports (disabled for this test)
# danger_port = "{ 445 135 139 593 5554 9995 9996 }"
# block quick on $wan_if inet proto tcp from any to any port $danger_port

# everything else is allowed: there is no default deny, which is acceptable only for this feasibility test
pass in all
pass out all
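Several of the mistakes that crept into this ruleset (a `>` where `->` was meant, an interface macro used as the source of an rdr, a macro that is never defined, and a `pass in all` with no block rule) are not caught until `pfctl -nf` runs on the firewall, and the last two are not syntax errors at all. The following is my own added example, not code from the article: an awk-based linter that flags those four patterns from any host. The pf.conf it writes is constructed to repeat the page's mistakes; `pfctl -nf /etc/pf.conf` on the firewall remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the article): static sanity checks for a pf.conf
# that need only awk, so they run on any host even without pf or pfctl.
# Findings, one per line, prefixed with the line number:
#   - a $macro referenced before (or without) being defined
#   - a nat/rdr/binat rule with no "->" redirection target (the article had "port 80>")
#   - an interface macro used as the *source* of a translation rule: pf expands
#     an interface name to that interface's own address, not the network behind it
#   - "pass in all" with no block rule anywhere, i.e. no default deny at all

pf_lint() {
    awk '
    { line = $0; sub(/#.*/, "", line); sub(/[ \t]+$/, "", line) }
    line == "" { next }

    # macro definition:  name = "value"
    match(line, /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) {
        name = substr(line, 1, RLENGTH - 1); sub(/[ \t]+$/, "", name)
        defined[name] = 1
        val = substr(line, RLENGTH + 1); gsub(/[ \t"]/, "", val)
        if (val ~ /^[a-z]+[0-9]+$/) ifmacro[name] = 1     # value looks like fxp0, em1, ...
        next
    }

    {
        rest = line
        while (match(rest, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
            ref = substr(rest, RSTART + 1, RLENGTH - 1)
            if (!(ref in defined)) printf("%d: undefined macro $%s\n", NR, ref)
            rest = substr(rest, RSTART + RLENGTH)
        }
        if (line ~ /^(nat|rdr|binat)[ \t]/) {
            if (line !~ /->/)
                printf("%d: translation rule has no \"->\" target\n", NR)
            if (match(line, /from[ \t]+[$][A-Za-z_][A-Za-z0-9_]*/)) {
                src = substr(line, RSTART, RLENGTH); sub(/^from[ \t]+[$]/, "", src)
                if (src in ifmacro)
                    printf("%d: source $%s is an interface name, which matches only that interface address\n", NR, src)
            }
        }
        if (line ~ /^pass[ \t]+in[ \t]+all/) pass_in_all = NR
        if (line ~ /^block[ \t]/) has_block = 1
    }

    END {
        if (pass_in_all && !has_block)
            printf("%d: \"pass in all\" with no block rule leaves every port open\n", pass_in_all)
    }' "$1"
}

pf_issue_count() {
    pf_lint "$1" | wc -l | tr -d ' '
}

# write_sample_pf_conf FILE: constructed pf.conf that repeats the mistakes
# seen on this page, for the demo and the checks below.
write_sample_pf_conf() {
    cat > "$1" <<'EOF'
wan_if = "fxp0"
lan_if = "fxp1"
inter_net = "192.168.2.0/24"
scrub in all
nat on $wan_if from $inter_net to any -> $wan_if
rdr on $lan_if proto tcp from $lan_if to any port 80 -> $lan_if port 80
rdr on $wan_if proto tcp from any to $wan_if port 80 > $web_server port 8080
pass in all
pass out all
EOF
}

sample=$(mktemp)
write_sample_pf_conf "$sample"
pf_lint "$sample"       # prints four findings for the constructed file
rm -f "$sample"
```

The interface-as-source check only looks at nat/rdr/binat rules, because `from $lan_if` in a pass rule can legitimately mean traffic generated by the firewall itself; in a translation rule it almost always means the author wanted the network behind the interface.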
