Set up this server, so that intranet users through the server and external communication; The basic principle for intranet users through the FreeBSD Gateway routing function (route) and external network communication, server security and virus protection control through the FreeBSD IPFilter to complete. The initial erection process is as follows:
Network Card Interface Description:
vr0 : External network network card interface
VR1 : Intranet network Card Interface
1 , minimize the installation of Freebsd6.1release
Download the freebsd6.1release image file from ftp://ftp.FreeBSD.org/pub/FreeBSD/, then carve it into a CD, set the server to boot from the CD drive, start the installation, install when I choose to minimize the installation, open ftp and SSH. The other default installation is OK. Specific reference to this article. Reboot the machine after installation.
2 , install the kernel
Place the installation CD in the optical drive, and then:
Then select Configure--> distributions-> src-> sys, point install, reboot the machine after the installation is complete.
3 , the basic configuration
Configure/etc/rc.conf
The contents are as follows:
Hostname= "gatewall.wxic.edu.cn"
Defaultrouter= "172.16.252.17"
ifconfig_vr0= "inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1= "inet 58.193.11x.25x netmask 255.255.248.0"
Inetd_enable= "YES"
Linux_enable= "YES"
Sshd_enable= "YES"
Usbd_enable= "YES"
Sendmail_enable= "NONE"
Configure/etc/resolv.conf
The contents are as follows:
NameServer 58.193.112.1
4 , the configuration of the kernel, to join the support of the IPFilter
# cd/usr/src/sys/i386/conf
# CP GENERIC Funpower
# EE Funpower
Then start editing the kernel files, the machine and the application will have different kernel files, because the need to use IPFilter, we add to the IPFilter support. Add the following content to the kernel:
Options IPFilter
Options Ipfilter_log
Options Ipfilter_default_block
Other options can refer to this article and then customize it yourself. Save the exit when you are finished editing. Then do the following:
#/usr/sbin/config Funpower
# CD ... /compile/funpower
# Make Cleandepend
# make Depend
# make
# make Install
Reboot the server after compiling (because IPFilter is blocking all traffic by default, so make sure you are working in front of the server).
5 , adding routing options in/etc/rc.conf
Add the following lines at the end:
Gateway_enable= "YES"
Static_routes= "Static1"
route_static1= "-net 58.193.11x.0/21 172.16.252.x/30"// Description The first IP for intranet IP range; The second IP is the gateway address of the external network card
6 , Configuration IPFilter
Add in/etc/rc.conf:
Ipfilter_enable= "YES"
Ipfilter_rules= "/etc/ipf.conf"
Then edit the/etc/ipf.conf file
The contents are as follows:
# Loop Network card Lo0
#out in all through
Pass in quick on lo0 all
Pass out quick on lo0 all
# External Network network card vr0
#out only allow the open IP traffic
Block out quick on vr0 from the to 192.168.0.0/16
Block out quick on vr0 from the to 0.0.0.0/8
Block out quick on vr0 from the to 169.254.0.0/8
Block out quick on vr0 from the to 10.0.0.0/8
Block out quick on vr0 from the to 127.16.0.0/12
Block out quick on vr0 from the to 127.0.0.0/8
Block out quick on vr0 from the to 192.0.2.0/24
Block out quick on vr0 from the to 204.152.64.0/23
Block out quick on vr0 from the to 224.0.0.0/3
# Open 58.193.112.1
Pass out quick on vr0 Proto tcp/udp from 58.193.112.1/32 to no keep state
Pass out quick on vr0 proto ICMP from 58.193.112.1/32 to no keep state
#开通 58.193.112.3
Pass out quick on vr0 Proto tcp/udp from 58.193.112.3/32 to no keep state
Pass out quick on vr0 proto ICMP from 58.193.112.3/32 to no keep state
#开通 58.193.113.1
Pass out quick on vr0 Proto tcp/udp from 58.193.113.1/32 to no keep state
Pass out quick on vr0 proto ICMP from 58.193.113.1/32 to no keep state
#开通 58.193.113.2
Pass out quick on vr0 Proto tcp/udp from 58.193.113.2/32 to no keep state
Pass out quick on vr0 proto ICMP from 58.193.113.2/32 to no keep state
Vr0 All
#in block some IP (such as private IP) and some virus attack ports (such as 138139445 )
Block in quick on vr0 from 192.168.0.0/16 to any
Block in quick on vr0 from 172.16.0.0/12 to any
Block in quick on vr0 from 10.0.0.0/8 to any
Block in quick on vr0 from 127.0.0.0/8 to any
Block in quick on vr0 from 0.0.0.0/8 to any
Block in quick on vr0 from 169.254.0.0/16 to any
Block in quick on vr0 from 192.0.2.0/24 to any
Block in quick on vr0 from 204.152.64.0/23 to any
Block in quick on vr0 from 224.0.0.0/3 to any
Block in quick on vr0 from 58.193.112.0/21 to any
Block in quick on vr0 Proto UDP ' from ' to ' any port = 69
Block in quick on vr0 Proto TCP/UDP-from-to-any port = 135
Block in quick on vr0 Proto UDP ' from ' to ' any port = 137
Block in quick on vr0 Proto UDP ' from ' to ' any port = 138
Block in quick on vr0 Proto TCP/UDP-from-to-any port = 139
Block in quick on vr0 Proto TCP/UDP-from-to-any port = 445
Block in quick on vr0 Proto TCP/UDP-from-to-any port = 593
Block in quick on vr0 Proto TCP-from-to-any port = 1022
Block in quick on vr0 Proto TCP-from-to-any port = 1023
Block in quick on vr0 Proto TCP-from-to-any port = 1025
Block in quick on vr0 Proto TCP from any port = 1034 to any port = 80
Block in quick on vr0 Proto TCP-from-to-any port = 1068
Block in quick on vr0 Proto TCP-from-to-any port = 1433
Block in quick on vr0 Proto UDP ' from ' to ' any port = 1434
Block in quick on vr0 Proto TCP-from-to-any port = 1871
Block in quick on vr0 Proto TCP-from-to-any port = 2745
Block in quick on vr0 Proto TCP-from-to-any port = 3208
Block in quick on vr0 Proto TCP-from-to-any port = 3127
Block in quick on vr0 Proto TCP-from-to-any port = 4331
Block in quick on vr0 Proto TCP-from-to-any port = 4334
Block in quick on vr0 Proto TCP-from-to-any port = 4444
Block in quick on vr0 Proto TCP from any port = 4444 to any
Block in quick on vr0 Proto TCP-from-to-any port = 4510
Block in quick on vr0 Proto TCP-from-to-any port = 4557
Block in quick on vr0 Proto TCP-from-to-any port = 5554
Block in quick on vr0 Proto TCP-from-to-any port = 5800
Block in quick on vr0 Proto TCP-from-to-any port = 5900
Block in quick on vr0 Proto TCP-from-to-any port = 6129
Block in quick on vr0 Proto TCP-from-to-any port = 6667
Block in quick on vr0 Proto TCP-from-to-any port = 9995
Block in quick on vr0 Proto TCP-from-to-any port = 9996
Block in quick on vr0 Proto TCP-from-to-any port = 10080
Block in quick on vr0 all with frags
Block in quick on vr0 proto TCP all and short
Block in quick on vr0 all with opt LSRR
Block in quick on vr0 all with opt SSRR
Block in log the ' vr0 proto TCP from ' to ' any flags FUP
Block in quick on vr0 all with ipopts
Pass in quick on vr0 Proto TCP-from-to-any port = S. Keep state
Pass in quick on vr0 Proto TCP-from-to-any port = The flags S Keep state
Pass in quick on vr0 Proto TCP-from-to-a port = flags S Keep state
Pass in quick on vr0 Proto TCP-from-to-a port = FTP flags S/sa Keep state
Pass in quick on vr0 Proto TCP from the any to any port = Ftp-data flags S/sa Keep state
Pass in quick on vr0 Proto TCP-from-to-a port 30000 >< 50001 flags S/sa Keep state
Pass in quick on vr0 Proto ICMP from the any icmp-type 0
Pass in quick on vr0 Proto ICMP from the any Icmp-type 11
Block in log quick on vr0 proto ICMP from the Any
Block in log on vr0 all
#内网网卡 VR1
#out all through
VR1 All
#in all through
VR1 All
reboot the server after the configuration is complete.
Find a client test, first use the IP in ipf.conf, and then ping edu.cn, you can ping, the description can be connected to the extranet.
IP is then set to not open the IP in the list, if the ping does not pass, then the ipf.conf settings are in effect.
