From: zenz.hu (真)
Compiled by: sungang (2004-01-20 20:18:45), on-site mail
You need two network cards; assume the PPPoE dial-up card is rl0 and the LAN card is rl1.
If your cards are not rl0 and rl1, adjust the configuration below to match your device names.
Edit /etc/ppp/ppp.conf (labels start in column one, commands must be indented):
default:
 set log Phase Chat LCP IPCP CCP tun command
pppoe:
 set device "!/usr/sbin/pppoe -i rl0"
 set mtu max 1492
 set mru max 1492
 enable mssfixup
 enable dns # if you will run your own BIND 9 caching resolver, you can drop this
 set speed sync
 disable acfcomp protocomp
 deny acfcomp
 add! default HISADDR
 set authname "your_account"
 set authkey "your_passwd"
Mind this file's permissions, because it contains your password.
Edit /etc/ppp/ppp.linkup (the command line is indented under the label):
MYADDR:
 ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf.pppoe"
Edit /etc/pf.conf.pppoe
ext_if="tun0"
int_if="rl1"
int_addr="192.168.1.0/24" # your LAN address range
router_ip="192.168.1.2" # the IP address of rl1
services="{ ssh, www, domain }"
block_ports="{ 135, 445, 57, 1080, 3128, 6588, 8080, 25, 161, 1433, 67, 2847 }"
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
set loginterface tun0
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
scrub in on $ext_if all fragment reassemble
nat on $ext_if from $int_addr to any -> $ext_if
rdr on $int_if proto tcp from !$router_ip to !$int_addr port ftp -> 127.0.0.1 port 8021
# If you use the default kernel, which has IPv6 support, keep the next two lines; otherwise remove them.
block in quick inet6 all
block out quick inet6 all
pass in quick on lo0 all
pass out quick on lo0 all
block return-rst in on $ext_if proto tcp all
block return-rst out on $ext_if proto tcp all
block return-icmp in on $ext_if proto udp all
block return-icmp out on $ext_if proto udp all
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
pass in quick on $ext_if inet proto icmp from any to any icmp-type { echorep, echoreq, timex, unreach }
block in quick on $ext_if inet proto icmp from any to any
block in log quick on $ext_if inet proto { tcp, udp } from any to $ext_if port $block_ports
pass in quick on $ext_if inet proto udp from any to any port domain
pass in quick on $ext_if inet proto tcp from any to any port $services flags S/SAFR keep state
pass in quick on $ext_if inet proto tcp from any to any port > 30000 user proxy flags S/SAFR keep state
pass out quick on $ext_if all modulate state
block in on $ext_if all
block out on $ext_if all
Edit /etc/pf.conf
pass in all
pass out all
Edit /etc/rc.conf
pf=YES
Edit /etc/hostname.rl0
up
Edit /etc/sysctl.conf
net.inet.ip.forwarding=1
Edit /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
Edit /etc/dhcpd.conf
shared-network LOCAL-NET {
    option domain-name "yourlocaldomainname.com";
    option domain-name-servers 192.168.1.2, 202.96.128.68; # 192.168.1.2 is the IP address of rl1
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.2;
        range 192.168.1.32 192.168.1.127;
    }
}
Edit /etc/dhcpd.interfaces
rl1
After a reboot, dial with ppp -ddial pppoe, then try reaching the outside from a LAN host.
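To make the behaviour of the /etc/pf.conf.pppoe ruleset above concrete, here is a small Python model (an added example written for this page, not code from the post or from OpenBSD) of how pf walks the tun0 rules: the last matching rule decides, unless a matching rule says quick, which ends evaluation at once; and a flags S/SAFR test admits only a bare SYN. It assumes the /etc/services numbers for the $services macro (ssh 22, www 80, domain 53) and leaves out the "user proxy" rule for ftp-proxy, because that one depends on the local socket owner, which a packet-level model cannot see. Packets fed to it are constructed for the demonstration.

```python
"""Toy pf rule evaluator for the ext_if part of the ruleset in this post.

Added example: it models only the pf semantics that matter here
(last match wins unless 'quick'; 'flags set/mask'; icmp-type lists).
"""
from dataclasses import dataclass
from typing import Optional

EXT_IF = "tun0"
SERVICES = frozenset({22, 80, 53})          # $services = { ssh, www, domain } (assumed /etc/services numbers)
BLOCK_PORTS = frozenset({135, 445, 57, 1080, 3128, 6588, 8080, 25, 161, 1433, 67, 2847})
TCP, UDP, ICMP, TCP_UDP = (frozenset({"tcp"}), frozenset({"udp"}),
                           frozenset({"icmp"}), frozenset({"tcp", "udp"}))


@dataclass
class Packet:
    iface: str
    direction: str                  # "in" or "out"
    af: str = "inet"                # "inet" or "inet6"
    proto: str = "tcp"
    dst_port: Optional[int] = None
    flags: str = "S"                # TCP flags present, pf letters S A F R P U
    icmp_type: str = ""             # pf icmp-type name, e.g. "echoreq"


@dataclass
class Rule:
    action: str                     # "pass" or "block"
    label: str                      # short name used in the result
    direction: Optional[str] = None
    iface: Optional[str] = None
    af: Optional[str] = None
    proto: Optional[frozenset] = None
    dst_ports: Optional[frozenset] = None
    icmp_types: Optional[frozenset] = None
    flags: Optional[tuple] = None   # (set, mask) as in pf "S/SAFR"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.af and self.af != p.af:
            return False
        if self.proto and p.proto not in self.proto:
            return False
        if self.dst_ports and p.dst_port not in self.dst_ports:
            return False
        if self.icmp_types and p.icmp_type not in self.icmp_types:
            return False
        if self.flags:
            want, mask = self.flags
            # every flag named in the mask must be set iff it appears in 'want'
            return all((f in want) == (f in p.flags) for f in mask)
        return True


# The tun0 rules from /etc/pf.conf.pppoe, in file order (ftp-proxy 'user proxy' rule omitted).
RULES = [
    Rule("block", "block inet6 in", direction="in", af="inet6", quick=True),
    Rule("block", "block inet6 out", direction="out", af="inet6", quick=True),
    Rule("pass", "lo0 in", direction="in", iface="lo0", quick=True),
    Rule("pass", "lo0 out", direction="out", iface="lo0", quick=True),
    Rule("block", "return-rst in", direction="in", iface=EXT_IF, proto=TCP),
    Rule("block", "return-rst out", direction="out", iface=EXT_IF, proto=TCP),
    Rule("block", "return-icmp in", direction="in", iface=EXT_IF, proto=UDP),
    Rule("block", "return-icmp out", direction="out", iface=EXT_IF, proto=UDP),
    Rule("block", "xmas FUP/FUP", direction="in", iface=EXT_IF, af="inet", proto=TCP, flags=("FUP", "FUP"), quick=True),
    Rule("block", "SF/SFRA", direction="in", iface=EXT_IF, af="inet", proto=TCP, flags=("SF", "SFRA"), quick=True),
    Rule("block", "null /SFRA", direction="in", iface=EXT_IF, af="inet", proto=TCP, flags=("", "SFRA"), quick=True),
    Rule("pass", "icmp allowed types", direction="in", iface=EXT_IF, af="inet", proto=ICMP,
         icmp_types=frozenset({"echorep", "echoreq", "timex", "unreach"}), quick=True),
    Rule("block", "icmp other", direction="in", iface=EXT_IF, af="inet", proto=ICMP, quick=True),
    Rule("block", "block_ports", direction="in", iface=EXT_IF, af="inet", proto=TCP_UDP, dst_ports=BLOCK_PORTS, quick=True),
    Rule("pass", "udp domain", direction="in", iface=EXT_IF, af="inet", proto=UDP, dst_ports=frozenset({53}), quick=True),
    Rule("pass", "services", direction="in", iface=EXT_IF, af="inet", proto=TCP, dst_ports=SERVICES, flags=("S", "SAFR"), quick=True),
    Rule("pass", "out modulate state", direction="out", iface=EXT_IF, quick=True),
    Rule("block", "default block in", direction="in", iface=EXT_IF),
    Rule("block", "default block out", direction="out", iface=EXT_IF),
]


def evaluate(p: Packet, rules=RULES):
    """pf semantics: the last matching rule decides, unless a matching rule is
    'quick', which stops evaluation. With no match at all pf passes the packet."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:
                break
    return (winner.action, winner.label) if winner else ("pass", "no rule matched")


if __name__ == "__main__":
    samples = [                                  # constructed packets arriving on the PPPoE link
        Packet("tun0", "in", dst_port=22),       # new SSH connection: admitted by the services rule
        Packet("tun0", "in", dst_port=135),      # blocked and logged by $block_ports
        Packet("tun0", "in", dst_port=3000),     # nothing quick matches, trailing block wins
        Packet("tun0", "in", dst_port=80, flags="SA"),  # not a bare SYN, so services does not match
        Packet("tun0", "in", dst_port=80, flags=""),    # null scan caught by flags /SFRA
    ]
    for s in samples:
        print(f"{s.direction} {s.proto} port {s.dst_port} flags '{s.flags}' -> {evaluate(s)}")
```

Run it as a script to print the decision for each constructed packet. The point it makes about the ruleset: the trailing "block in on $ext_if all" is the last match only for packets that no earlier quick rule claimed, so the earlier quick passes still win, and a segment that is not a bare SYN (for example an ACK to port 80 with no state) falls through to that block even though port 80 is in $services.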
【 zymh_zy wrote: 】
:【 zenz.hu wrote: 】
::1. Your rules are completely fine, but you should not have /etc/rc.conf load this ruleset at boot, because at boot time the tun0 virtual device is not up yet, let alone has any IP address bound to it, so the statement fails (in "nat on $Ext from $IntNet to any -> $Ext", the trailing $Ext is actually tun0's address, which PF translates automatically). Load the firewall rules from ppp.linkup instead and it will work.
::
::2. If the LAN cannot get out through the gateway, you probably missed editing /etc/sysctl.conf
::net.inet.ip.forwarding=1
:
:......