Building a gateway to the wide area network on FreeBSD is one of the most common uses of this system.
The main advantages of this solution are stability, scalability, resilience under high load and, of course, that all of the software used is free.
This article uses FreeBSD 7.0 RELEASE amd64, IPFW as the firewall, the natd daemon for NAT and squid as the proxy server.
Let's start with installing IPFW.
To do this, recompile the kernel with support for several features.
Change to the directory matching our processor architecture and make a copy of the default kernel configuration as ROUTER:
cd /usr/src/sys/amd64/conf
cp GENERIC ROUTER
Edit our new kernel configuration and add the new options:
cpu         HAMMER
ident       ROUTER
makeoptions DEBUG=-g                    # Build kernel with gdb(1) debug symbols
options     IPFIREWALL                  # firewall
options     IPFIREWALL_VERBOSE          # log packets whose rule carries the "log" keyword
options     IPFIREWALL_VERBOSE_LIMIT=100   # limit repeated log entries
options     IPFIREWALL_DEFAULT_TO_ACCEPT   # default rule is permissive
options     IPDIVERT                    # required for NAT
options     IPFIREWALL_FORWARD          # packet forwarding (fwd action)
options     DUMMYNET                    # bandwidth limiting
Build and install the new kernel:
cd /usr/src
make buildkernel KERNCONF=ROUTER
make installkernel KERNCONF=ROUTER
Add the following lines to rc.conf:
firewall_enable="YES"
firewall_type="Open"
firewall_logging="YES"
natd_enable="YES"
natd_interface="rl0"
Reboot: if all goes well, we should now have an open firewall with NAT.
The next step is installing the proxy server.
cd /usr/ports/www/squid
make install clean
rehash
The squid configuration:

# Port to listen on
http_port 3128
# Port for the transparent proxy
http_port 3129 transparent
# Words that, when found in the URL, cause the request to be processed without caching
hierarchy_stoplist cgi-bin ?
# ACL for requests that bypass the cache; the reply to such a query is not cached
acl QUERY urlpath_regex cgi-bin \?
#no_cache deny QUERY
# Cache memory
cache_mem 256 MB
# Cache directory; the numbers are the cache size in MB, the number of first-level
# directories and the number of second-level directories inside each first-level one
cache_dir ufs /usr/local/squid/cache 50000 64 512
# Access log: path of the log file
access_log /var/log/squid/access.log
# Hosts file, read at startup; domain names from it are appended to incomplete addresses
hosts_file /etc/hosts
# Directory holding the HTML error pages
error_directory /usr/local/etc/squid/errors/Russian-1251
cache_log /var/log/squid/cache.log
# debug_options ALL,5
pid_filename /var/log/squid/squid.pid
# Ports the proxy will open
acl safe_ports port 80    # http
acl safe_ports port 21    # ftp
acl safe_ports port 443   # ssl
acl icq_ports port 5190   # ICQ
# Users who get the internet with some restrictions
acl inet_users src "/usr/local/etc/squid/inet_users"
# Users with full internet access
acl inet_full src "/usr/local/etc/squid/inet_full"
# All networks (every IP)
acl all src 0.0.0.0/0.0.0.0
# localhost
acl localhost src 127.0.0.1/255.255.255.255
# Forbidden expressions in the URL (for any URL)
acl deny_url url_regex "/usr/local/etc/squid/deny_url"
# Forbidden domain names
acl deny_domains dstdomain "/usr/local/etc/squid/deny_domains"
# Users with restricted internet access: only a specific set of resources
acl inet_restrict src "/usr/local/etc/squid/inet_restrict"
# The list of sites for those who have their own particular set
acl domains_for_restrict dstdomain "/usr/local/etc/squid/domains_for_restrict"
# ICQ users
acl inet_icq src "/usr/local/etc/squid/inet_icq"
# Allow access to the whole inet_full group
http_access allow inet_full
# Cut off forbidden URL fragments; chops advertising if necessary
# http_access deny deny_url
# Allow the ICQ port to those who have ICQ
http_access allow inet_icq icq_ports
# Cut off banned domains
http_access deny deny_domains
# Cut off every port not listed in safe_ports
http_access deny !safe_ports
# Allow the internet to ordinary users
http_access allow inet_users
# Allow restricted users the allowed sites only
http_access allow inet_restrict domains_for_restrict
# Block everything else
http_access deny all
chown -R squid:wheel /usr/local/squid
squid -z
/usr/local/etc/rc.d/squid start
ps -waux | grep squid

squid 965 0,0 0,1 7688 2076 ?? Is 21:37 0:00,00 /usr/local/sbin/squid -D
squid 967 0,0 1,0 28168 20008 ?? S 21:37 0:06,00 (squid) -D (squid)
squid 1008 0.0 0.0 2532 844 ?? Is 21:37 0:00,00 (unlinkd) (unlinkd)
root 7943 0,0 0,1 6928 1428 p0 S+ 16:02 0:00,00 grep squid

The firewall rule script (/etc/rules):

#!/bin/sh
# Flush the rule list before we start
ipfw -q -f flush
# Prefix command used to add rules
cmd="ipfw -q add"
skip="skipto 400"
wanip="111.111.111.111"   # external IP
lannet="192.168.0.0/24"   # internal network
eif="rl0"                 # external interface
# No restrictions on the interface facing the local network
$cmd 010 allow all from any to any via re0
# No restrictions on the loopback interface
$cmd 020 allow all from any to any via lo0
# Cut off attempts from lo0 to reach anywhere and from anywhere to reach lo0
$cmd 030 deny ip from any to 127.0.0.0/8
$cmd 040 deny ip from 127.0.0.0/8 to any
# Send everything to the transparent squid
$cmd 050 fwd 127.0.0.1,3129 tcp from $lannet to any 21,80,443,5190 out via $eif
# Incoming NAT
$cmd 060 divert natd ip from any to any in via $eif
# Let a packet through if an earlier one was added to the "dynamic" rule table
# by a keep-state rule
$cmd 070 check-state
############## Outgoing ##############
# Outgoing ping
$cmd 100 $skip icmp from any to any keep-state
# Outgoing NTP
$cmd 105 $skip udp from any to any 123 out via $eif keep-state
# Allow DNS
$cmd 110 $skip udp from any to any 53 out via $eif keep-state
$cmd 111 $skip tcp from any to any 53 out via $eif setup keep-state
# Let users bypass squid on these ports
$cmd 140 $skip all from $lannet to any 4899 out via $eif setup keep-state
$cmd 150 $skip all from $lannet to any 3389 out via $eif setup keep-state
$cmd 160 $skip all from $lannet to any 25 out via $eif setup keep-state
$cmd 170 $skip all from $lannet to any 110 out via $eif setup keep-state
# Allow all outgoing traffic from the server itself
$cmd 190 $skip all from $wanip to any out via $eif setup keep-state
############## Incoming ##############
# Deny all incoming traffic from reserved address spaces
$cmd 200 deny all from 192.168.0.0/16 to any in via $eif    # RFC 1918 private IP
$cmd 201 deny all from 172.16.0.0/12 to any in via $eif     # RFC 1918 private IP
$cmd 202 deny all from 10.0.0.0/8 to any in via $eif        # RFC 1918 private IP
$cmd 203 deny all from 127.0.0.0/8 to any in via $eif       # loopback
$cmd 204 deny all from 0.0.0.0/8 to any in via $eif         # loopback
$cmd 205 deny all from 169.254.0.0/16 to any in via $eif    # DHCP auto-config
$cmd 206 deny all from 192.0.2.0/24 to any in via $eif      # reserved for docs
$cmd 207 deny all from 204.152.64.0/23 to any in via $eif   # Sun cluster
$cmd 208 deny all from 224.0.0.0/3 to any in via $eif       # Class D & E multicast
# Deny ident
$cmd 215 deny tcp from any to any 113 in via $eif
# Deny all NetBIOS services: 137, 138, 139
$cmd 220 deny tcp from any to any 137 in via $eif
$cmd 221 deny tcp from any to any 138 in via $eif
$cmd 222 deny tcp from any to any 139 in via $eif
$cmd 223 deny tcp from any to any 81 in via $eif
# Incoming ping, several types
$cmd 300 allow icmp from any to $wanip in via $eif icmptypes 0,8,11 limit src-addr 2
# Allow incoming www if there is a web server
$cmd 310 allow tcp from any to $wanip 80 in via $eif setup limit src-addr 2
# Allow incoming SSH; better change the port number
$cmd 320 allow tcp from any to $wanip 22 in via $eif setup limit src-addr 2
# Allow incoming mail SMTP if there is a mail server
$cmd 330 allow tcp from any to $wanip 25 in via $eif setup limit src-addr 2
# Allow incoming mail POP3 if there is a mail server
$cmd 340 allow tcp from any to $wanip 110 in via $eif setup limit src-addr 2
# Allow RAdmin; better change the port number
$cmd 350 allow tcp from any to $wanip 4899 in via $eif setup limit src-addr 2
# Allow already established connections
$cmd 360 allow all from any to any established
############## Final ##############
# Cut off everything that did not go through the skip
$cmd 399 deny log all from any to any
# Outgoing NAT
$cmd 400 divert natd ip from any to any out via $eif
# Let the packets that arrived via the skip through
$cmd 410 allow all from any to any
# Cut off everything else and log it
$cmd 999 deny log all from any to any

Start the rule script:

nohup sh /etc/rules
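As an added example that is not part of the original article and is not a FreeBSD or ipfw tool, here is a small POSIX sh checker for rule scripts written in the style above ($cmd NNN ... with a $skip variable). The function name ipfw_lint and the two sample rule files it writes are constructed for this example. It catches the kinds of slip that such a script makes easy and that ipfw itself never reports: rule numbers out of order, a skipto whose target rule does not exist (ipfw then continues at the next higher rule number), a rule line that lost its leading $ (the shell runs a command named cmd and the rule silently never exists), a "$ eif" with a stray space (the shell passes a literal $ and the rule is rejected or misparsed), and a script whose last rule is not a catch-all deny, so that the kernel default (IPFIREWALL_DEFAULT_TO_ACCEPT here) decides what happens to leftovers.

```shell
#!/bin/sh
# Added example, not from the original article: a static sanity check for an
# ipfw rule script in the "$cmd NNN ..." style. ipfw_lint and the sample files
# are assumptions made for this example; nothing here is part of FreeBSD/ipfw.

ipfw_lint() {
    file="$1"
    problems=0

    # Rule numbers the script would actually install ("+ 0" drops leading zeros).
    nums=$(awk '/^[$]cmd[ \t]+[0-9]+/ { print $2 + 0 }' "$file" | tr '\n' ' ')

    # 1. Numbers must strictly increase: skipto relies on that ordering.
    prev=0
    for n in $nums; do
        if [ "$n" -le "$prev" ]; then
            echo "rule $n does not come after rule $prev"
            problems=$((problems + 1))
        fi
        prev=$n
    done

    # 2. Every skipto target must be a rule that exists ($skip is resolved from
    #    the skip="..." definition the way the shell would).
    skipdef=$(sed -n 's/^skip="\([^"]*\)".*/\1/p' "$file" | head -n 1)
    targets=$(awk -v skipdef="$skipdef" '
        /^[$]cmd[ \t]+[0-9]+/ {
            line = $0
            gsub(/[$]skip/, skipdef, line)
            if (match(line, /skipto[ \t]+[0-9]+/)) {
                t = substr(line, RSTART, RLENGTH)
                sub(/skipto[ \t]+/, "", t)
                print t + 0
            }
        }' "$file" | sort -u)
    for t in $targets; do
        case " $nums " in
            *" $t "*) ;;
            *) echo "skipto target $t has no rule"
               problems=$((problems + 1)) ;;
        esac
    done

    # 3. "cmd 040 ..." without the "$" runs a command named cmd; no rule is added.
    n=$(grep -Ec '^cmd[[:space:]]+[0-9]+' "$file" || true)
    if [ "$n" -gt 0 ]; then
        grep -En '^cmd[[:space:]]+[0-9]+' "$file" | sed 's/^/missing $ before cmd at line /'
        problems=$((problems + n))
    fi

    # 4. "$ eif" is not an expansion: ipfw receives a literal "$" token.
    n=$(grep -Ec '[$][[:space:]]' "$file" || true)
    if [ "$n" -gt 0 ]; then
        grep -En '[$][[:space:]]' "$file" | sed 's/^/dangling $ at line /'
        problems=$((problems + n))
    fi

    # 5. The last rule must be a catch-all deny, not the kernel default.
    last=$(grep -E '^[$]cmd[[:space:]]+[0-9]+' "$file" | tail -n 1)
    case "$last" in
        *deny*"from any to any"*) ;;
        *) echo "last rule is not a catch-all deny: $last"
           problems=$((problems + 1)) ;;
    esac

    return "$problems"
}

# Two constructed sample rule files (not the article's script).
good_rules=$(mktemp); bad_rules=$(mktemp)
trap 'rm -f "$good_rules" "$bad_rules"' EXIT
cat >"$good_rules" <<'EOF'
cmd="ipfw -q add"
skip="skipto 400"
eif="rl0"
$cmd 010 allow all from any to any via lo0
$cmd 050 $skip udp from any to any 53 out via $eif keep-state
$cmd 399 deny log all from any to any
$cmd 400 divert natd ip from any to any out via $eif
$cmd 410 allow all from any to any
$cmd 999 deny log all from any to any
EOF
cat >"$bad_rules" <<'EOF'
cmd="ipfw -q add"
skip="skipto 400"
eif="rl0"
$cmd 010 allow all from any to any via lo0
$cmd 030 deny ip from any to 127.0.0.0/8
cmd 040 deny ip from 127.0.0.0/8 to any
$cmd 110 $skip udp from any to any 53 out via $eif keep-state
$cmd 200 deny all from 192.168.0.0/16 to any in via $ eif
$cmd 399 deny log all from any to any
$cmd 410 allow all from any to any
EOF

ipfw_lint "$good_rules" && echo "good sample: no problems found"
ipfw_lint "$bad_rules" || echo "bad sample: $? problem(s) found"
```

Run it on the real script before loading it (ipfw_lint /etc/rules); the exit status is the number of problems found, so zero means the script passed all five checks. The checks are textual, so they cannot tell whether a rule does what was intended, only whether the script installs the rules it appears to.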
