FreeBSD with Streamyx ADSL + Firewall + Kernel Compile

Posted on 11-5-2006 07:25 PM
Hi everyone,
I only know a little about FreeBSD and my writing isn't great, so here goes, making a fool of myself... hehehe....

I'd like to share a few things with you here.
System requirements:
Pentium 133 and above
RAM 64 MB and above
Hard disk 4 GB

First you have to recompile the kernel. Use sysinstall to install the kernel source.
Then run the following commands:

root# cd /sys/i386/conf
root# cp GENERIC GATEWAY
root# vi GATEWAY

Please add the following options:

options IPFILTER                  # IPFilter firewall support
options IPFILTER_LOG              # IPFilter logging support
options IPFILTER_DEFAULT_BLOCK    # Block all packets by default

options NETGRAPH
options NETGRAPH_ETHER
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET

Save the file, then run the following commands:

root# config GATEWAY
root# cd ../../compile/GATEWAY
root# make depend
root# make

If you are using a really slow machine, say anything below a Pentium 450, I suggest you go to bed... remember to get a full eight hours, it's good for your health.
When you wake up, the kernel will be compiled. Congratulations, congratulations... (If you run into problems, please see the FreeBSD Handbook.)

Install the kernel, then reboot the machine.
root# make install
root# reboot

Check the kernel:
root# uname -a

[This post was last edited by joebabe on 11-5-2006 09:02 PM]

Original poster | Posted on 11-5-2006 09:02 PM
If that went smoothly, you can move on to the basic PPPoE settings.

root# vi /etc/ppp/ppp.conf
###########################
# /etc/ppp/ppp.conf
###########################
# Labels start in column 0 and end with a colon; every command under a label
# must be indented by at least one space, or ppp reports "Bad label ... missing colon".

default:
 set log Phase tun command          # you can add more detailed logging if you wish
 #set ifaddr 219.1.1.1/0 219.1.1.2/0  # if you are using fixed IPs, uncomment this line and set the proper IP address

streamyx:
 set device PPPoE:xl1 # replace xl1 with your ethernet device
 set authname USERNAME@streamyx
 set authkey PASSWORD
 set dial
 set login
 add default HISADDR

Then add these lines to /etc/rc.conf:

network_interfaces="auto"   #Set network interfaces automatically
ifconfig_xl0="inet 192.168.1.1 netmask 255.255.255.0 -arp up"
ifconfig_xl1="up"
ppp_enable="YES"             #This enables PPP on startup (recommended)
ppp_mode="background"
ppp_profile="streamyx"


Check the PPPoE connection:
root# ppp -background streamyx
root# ifconfig -a

If all goes well, you can continue with the firewall setup:

Add the following settings to /etc/sysctl.conf.

root# vi /etc/sysctl.conf

net.inet.ip.forwarding=1    # enable packet forwarding

net.inet.ip.check_interface=1   #verify that an incoming packet arrives on an interface that has an address matching the packet's destination address

net.inet.tcp.blackhole=2    # drop SYN packets destined for non-listening tcp ports (udp below for udp). This creates a blackhole and protects against stealth port scans
net.inet.udp.blackhole=1

If you don't yet know what you need to block, start by putting these two rules in /etc/ipf.rules.

root# vi /etc/ipf.rules
pass in all
pass out all

Here are my /etc/ipf.rules settings:
#################################################################
# Loopback Interface
#################################################################

#----------------------------------------------------------------
# Allow everything to/from your loopback interface so you
# can ping yourself (e.g. ping localhost)
#----------------------------------------------------------------
pass in quick on lo0 all
pass out quick on lo0 all

#################################################################
# Inside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass out quick on xl0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on xl0 proto udp from any to any keep state keep frags
pass out quick on xl0 proto icmp from any to any keep state keep frags

#----------------------------------------------------------------
# Allow in all TCP, UDP, and ICMP traffic & keep state
#----------------------------------------------------------------
pass in quick on xl0 proto tcp from any to any flags S/SAFR keep state keep frags
pass in quick on xl0 proto udp from any to any keep state keep frags
pass in quick on xl0 proto icmp from any to any keep state keep frags
block in quick on xl0 all

#################################################################
# Outside Interface
#################################################################

#----------------------------------------------------------------
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#
# If you wanted to do egress filtering...here's where you'd do it.
# You'd change the lines below so that rather than allowing out any
# arbitrary TCP connection, it would only allow out mail, pop3, and http
# connections (for example). So, the first line, below, would be
# replaced with:
#    pass out quick on tun0 proto tcp from any to any port = 25 keep state
#    pass out quick on tun0 proto tcp from any to any port = 110 keep state
#    pass out quick on tun0 proto tcp from any to any port = 80 keep state
# ...and then do the same for the remaining lines so that you allow
# only specified protocols/ports 'out' of your network
#----------------------------------------------------------------
pass out quick on tun0 proto tcp from any to any flags S/SAFR keep state keep frags
pass out quick on tun0 proto tcp from any to any keep state keep frags
pass out quick on tun0 proto udp from any to any keep state keep frags

#-----------------------------------------------------------------------
# Block all inbound traffic from non-routable or reserved address spaces
#-----------------------------------------------------------------------
block in log quick on tun0 from 192.168.0.0/16 to any  #RFC 1918 private IP
block in log quick on tun0 from 172.16.0.0/12 to any   #RFC 1918 private IP
block in log quick on tun0 from 10.0.0.0/8 to any      #RFC 1918 private IP
block in log quick on tun0 from 127.0.0.0/8 to any     #loopback
block in log quick on tun0 from 0.0.0.0/8 to any       #"this" network (RFC 1122), never a valid source
block in log quick on tun0 from 169.254.0.0/16 to any  #DHCP auto-config
block in log quick on tun0 from 192.0.2.0/24 to any    #reserved for doc's
block in log quick on tun0 from 204.152.64.0/23 to any #Sun cluster interconnect
block in quick on tun0 from 224.0.0.0/3 to any         #Class D & E multicast

#----------------------------------------------------------------
# Allow bootp traffic in from your ISP's DHCP server only.
# (A PPPoE link gets its address from ppp, not DHCP, so this section
# can be dropped. Do not widen it to "from any to any": a quick
# pass-all here would make every block rule below it dead.)
#----------------------------------------------------------------
pass in quick on tun0 proto udp from any port = 67 to any port = 68 keep state

# For Emule/amule port forwarding
pass in quick on tun0 proto tcp from any to 192.168.1.55 port = 4662 keep state
pass in quick on tun0 proto udp from any to 192.168.1.55 port = 4672 keep state

#----------------------------------------------------------------
# Block and log all remaining traffic coming into the firewall
# - Block TCP with a RST (to make it appear as if the service
# isn't listening)
# - Block UDP with an ICMP Port Unreachable (to make it appear
# as if the service isn't listening)
# - Block all remaining traffic the good 'ol fashioned way
#----------------------------------------------------------------
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
# END #

IPNAT /etc/ipnat.rules settings:

root# vi /etc/ipnat.rules

# map/rdr rules name the outside interface; with user ppp that is tun0, not the LAN card xl0
map tun0 192.168.1.0/24 -> 0.0.0.0/32 proxy port ftp ftp/tcp
map tun0 192.168.1.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map tun0 192.168.1.0/24 -> 0.0.0.0/32

If you use amule/emule:
rdr tun0 0.0.0.0/0 port 4662 -> 192.168.1.55 port 4662 tcp
rdr tun0 0.0.0.0/0 port 4672 -> 192.168.1.55 port 4672 udp


Then add to /etc/rc.conf:
ipfilter_enable="YES"       #Stateful firewall
ipfilter_flags=""           #IPFilter is enabled in the kernel and not module
ipnat_enable="YES"          #Network Address Translation
ipmon_enable="YES"          #Firewall logging
ipmon_flags="-Dsn"

Once your firewall is set up, reboot the machine and you're done...

If you want to add more ipf rules, see http://coombs.anu.edu.au/~avalon/ or the FreeBSD Handbook.
Here are some commonly used commands:

root# /sbin/ipf -Fa -f /etc/ipf.rules        # reload /etc/ipf.rules
root# /sbin/ipnat -CF -f /etc/ipnat.rules    # reload /etc/ipnat.rules

root# /sbin/ipnat -l  # list the kernel NAT (map/rdr) table

root# /sbin/ipfstat -hio # list the ipfilter rules

root# man ipfstat
root# man ipnat

Other:
Firewall testing tools:
nmap
xprobe
hping2
firewalk

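In an ipf rule set, a `quick` rule that matches everything ends evaluation, so any more specific rule placed after it on the same interface and direction can never fire. Added example, not part of the original post: a small Python checker that parses the subset of ipf syntax used in the rules above and reports rules shadowed by an earlier `quick` any-to-any rule; the sample rule set is constructed in the style of the post's inbound tun0 section, with a pass-all pair placed before the block rules.

```python
import re

# Constructed sample: a pass-all pair before the block rules, the mistake this reports.
SAMPLE_RULES = """\
block in log quick on tun0 from 192.168.0.0/16 to any
pass in quick on tun0 proto tcp from any to any keep state
pass in quick on tun0 proto udp from any to any keep state
pass in quick on tun0 proto tcp from any to 192.168.1.55 port = 4662 keep state
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
"""

# Subset of ipf syntax used on this page: action [return-*] dir [log] [quick]
# on IFACE [proto P] (from SRC [port = N] to DST [port = N] | all) ...
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)(?:\s+log)?"
    r"(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)(?:\s+port\s*=\s*(?P<sport>\d+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<dport>\d+))?|\s+all)"
)

def parse_rule(line):
    """Return a dict for one rule line; None for blanks, comments and unhandled syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"action": d["action"], "dir": d["dir"], "quick": bool(d["quick"]),
            "iface": d["iface"], "proto": d["proto"] or "any",
            "src": d["src"] or "any", "dst": d["dst"] or "any",
            "sport": d["sport"], "dport": d["dport"], "text": line.strip()}

def covers(earlier, later):
    # True when `earlier` is a quick any-to-any rule matching every packet `later` could match.
    return (earlier["quick"] and earlier["dir"] == later["dir"]
            and earlier["iface"] == later["iface"]
            and earlier["proto"] in ("any", later["proto"])
            and earlier["src"] == "any" and earlier["dst"] == "any"
            and earlier["sport"] is None and earlier["dport"] is None)

def find_shadowed(text):
    """Return (dead_rule, shadowing_rule) pairs in file order."""
    rules = [r for r in (parse_rule(l) for l in text.splitlines()) if r]
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                dead.append((later["text"], earlier["text"]))
                break
    return dead
```

Running `find_shadowed` over the sample flags the emule forward and both `block return-*` rules as dead; the final `block ... all` survives only because the pass-all pair does not cover ICMP.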
anakin81 (this user has been deleted)
Posted on 19-5-2006 04:31 PM
I set this up N years ago, but I've forgotten it. Haven't touched this stuff in too long.
I've even forgotten how to cvs upgrade the ports..
Posted on 21-5-2006 03:59 PM
Nice article...
Thanks ^^
Posted on 13-6-2006 12:32 PM
bsd# ppp -ddial streamyx
Warning: Bad label in /etc/ppp/ppp.conf (line 2) - missing colon
Working in ddial mode
Using interface: tun3
Warning: Bad label in /etc/ppp/ppp.conf (line 2) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 2) - missing colon
Warning: Bad label in /etc/ppp/ppp.conf (line 4) - missing colon
<-- As soon as I dial, I get this message.

#tail /var/log/ppp.log
Jun 13 11:23:11 bsd ppp[508]: Phase: deflink: 0 packets in, 105 packets out
Jun 13 11:23:11 bsd ppp[508]: Phase:  total 15 bytes/sec, peak 21 bytes/sec on Tue Jun 13 11:22:59 2006
Jun 13 11:23:11 bsd ppp[508]: Phase: deflink: hangup -> opening
Jun 13 11:23:11 bsd ppp[508]: Phase: deflink: Enter pause (3) for redialing.
Jun 13 11:23:14 bsd ppp[508]: Phase: deflink: Connected!
Jun 13 11:23:14 bsd ppp[508]: Phase: deflink: opening -> dial
Jun 13 11:23:14 bsd ppp[508]: Phase: deflink: dial -> carrier
Jun 13 11:23:15 bsd ppp[508]: Phase: deflink: /dev/cuad1 doesn't support CD
Jun 13 11:23:15 bsd ppp[508]: Phase: deflink: carrier -> login
Jun 13 11:23:15 bsd ppp[508]: Phase: deflink: login -> lcp

[This post was last edited by hackintosh on 13-6-2006 12:33 PM]
Posted on 13-6-2006 12:37 PM
Afterwards I added this as well, but it was still the same.
ifconfig rl0 10.0.0.2


http://www.security-forums.com/v ... mp;highlight=#83638 <-- I even went back to my post from N years ago. Nothing wrong with it.

[This post was last edited by hackintosh on 13-6-2006 12:39 PM]
Posted on 15-6-2006 10:47 AM
Solved.

The problem was here:
default:
xset log Phase tun command         

streamyx:
xset device PPPoE:xl1 # replace xl1 with your ethernet device
xset authname USERNAME@streamyx
xset authkey PASSWORD
xset dial
xset login
xadd default HISADDR

# The lines marked x need a space in front. Damn. Even that causes problems.
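The failure hackintosh hit is a parsing rule of ppp(8): a line that starts in column 0 is read as a label and must end with a colon, so commands written flush left produce "Bad label ... missing colon". Added example, not part of the original thread: a Python checker that applies that rule to a ppp.conf before you dial, and confirms the profile named by `ppp_profile` in rc.conf actually exists; both sample files are constructed from the thread's streamyx profile.

```python
import re

# Constructed samples: the thread's profile with commands flush left (which
# produced the warnings), and the same profile indented as ppp(8) requires.
BROKEN_CONF = """\
default:
set log Phase tun command
streamyx:
set device PPPoE:xl1   # replace xl1 with your ethernet device
set authname USERNAME@streamyx
set authkey PASSWORD
add default HISADDR
"""
FIXED_CONF = BROKEN_CONF.replace("\nset ", "\n set ").replace("\nadd ", "\n add ")

LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+:\s*$")

def check_ppp_conf(text):
    """Apply ppp(8)'s layout rule: a column-0 line is a label and must end with
    a colon; commands belong indented under a label. Returns (warnings, labels)."""
    warnings, labels = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop trailing comments
        if not line.strip():
            continue                                     # blank or comment-only line
        if line[0].isspace():
            continue                                     # indented: a command, fine
        if LABEL_RE.match(line):
            labels.append(line.rstrip().rstrip(":"))
        else:
            warnings.append(f"Bad label in ppp.conf (line {n}) - missing colon")
    return warnings, labels

def profile_ok(text, profile):
    """True when the file parses cleanly and the rc.conf ppp_profile label exists."""
    warnings, labels = check_ppp_conf(text)
    return not warnings and profile in labels
```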