分类: BSD
2008-04-09 08:40:26
#cp /usr/src/sys/i386/conf/GENERIC/etc/NEWNAT
#cd /usr/src/sys/i386/conf/
#ln -s /etc/NEWNAT
#vi /usr/src/sys/i386/conf/NEWNAT
options IPDIVERT
options IPFIREWALL
options DUMMYNET
#config NEWNAT # config 完成後系統會提醒你記得更換路徑去make
#cd ../../compile/NEWNAT
#make depend all install
#make clean # 清除make後所建的檔案
Setp 2.
設定 rc.conf #vi /etc/rc.conf
defaultrouter="203.107.34.30"
hostname="nat.ntut.idv.tw"
ifconfig_ed1="inet 203.107.34.3 netmask 255.255.255.224"
ifconfig_ed1_alias0="inet 203.107.34.4 netmask 255.255.255.255"
ifconfig_ed1_alias1="inet 203.107.34.5 netmask 255.255.255.255"
ifconfig_ed1_alias2="inet 203.107.34.6 netmask 255.255.255.255"
ifconfig_ed2="inet 10.254.10.254 netmask 255.255.255.0"
ifconfig_ed3="inet 192.168.10.254 netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
sendmail_enable="NONE"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
ed1 為對外的網卡為《 真實 IP 》ed2 和 ed3 是對內的網卡為《 虛擬 IP 》,其實對內一片網卡就夠用了,可是後來考慮到 security 的問題,所以將內網切開為兩段,ed2 的 10.254.10.0/24 這段IP ,是給內部員工使用,也就是我們要做頻寬限制的這一段IP,ed3 的192.168.10.0/24 這段IP,則是給我的所有 Server Group 使用的 IP,加入以上設定後可用 #/etc/netstart 讓 rc.conf 的設定檔重新 run 一次,新加入的設定值就會寫進去系統了。
Setp 3.
設定 natd.conf
#vi /etc/natd.conf 加入設定範例如下 (可將你內部的 Private IP 對應到 Real IP)
redirect_port tcp 192.168.10.1:21:80 203.107.34.4:21:80
redirect_address 192.168.10.2 203.107.34.5 -interface ed1
以上的設定檔可以 #man natd 參考如何設定
Setp 4.
設定 rc.firewall
先將原本的rc.firewall copy 備份下來為rc.firewall.backup
#true > rc.firewall (清掉rc.firewall裡所有的設定檔)
#vi rc.firewall (編輯rc.firewall的rule如下)
#!/bin/sh
#delete all rule
/sbin/ipfw -f flush
#define NAT pass to ed1
/sbin/ipfw add divert natd all from any to any via ed1
#internal transfer
/sbin/ipfw add 1100 pass all from 10.254.10.0/24 to 203.107.34.3/32
/sbin/ipfw add 1101 pass all from 203.107.34.3/32 to 10.254.10.0/24
/sbin/ipfw add 1102 pass all from 203.107.34.3/32 to 203.107.34.3/32
/sbin/ipfw add 1103 pass all from 10.254.10.0/24 to 10.254.10.0/24
#icmp
/sbin/ipfw add 1200 pass icmp from any to any
#dns
/sbin/ipfw add 1300 pass tcp from any to any domain
/sbin/ipfw add 1301 pass tcp from any domain to any
/sbin/ipfw add 1302 pass udp from any to any domain
/sbin/ipfw add 1303 pass udp from any domain to any
#telnet out
/sbin/ipfw add 1400 pass tcp from any to any telnet
#telnet in
/sbin/ipfw add 1500 pass tcp from any telnet to any
#www out
/sbin/ipfw add 1600 pipe 1 tcp from 203.107.34.3/32 to any www
/sbin/ipfw add 1601 pipe 1 tcp from 10.254.10.0/24 to any www
#www in
/sbin/ipfw add 1700 pipe 1 tcp from any www to 10.254.10.0/24
/sbin/ipfw add 1701 pipe 1 tcp from any www to 203.107.34.3/32
#ftp out
/sbin/ipfw add 1800 pipe 1 tcp from 203.107.34.3/32 to any ftp-data-ftp
/sbin/ipfw add 1801 pipe 1 tcp from 10.254.10.0/24 to any ftp-data-ftp
#ftp in
/sbin/ipfw add 1900 pipe 1 tcp from any ftp-data-ftp to 203.107.34.4/32
/sbin/ipfw add 1901 pipe 1 tcp from any ftp-data-ftp to 10.254.10.0/24
#mail
/sbin/ipfw add 2000 pass tcp from any to any 25
/sbin/ipfw add 2001 pass tcp from any 25 to any
/sbin/ipfw add 2002 pass tcp from any to any 995
/sbin/ipfw add 2003 pass tcp from any 995 to any
#bandwidth
/sbin/ipfw pipe 1 config bw 400Kbit/s queue 80Kbytes
#192.168.10.0/24
/sbin/ipfw add 65000 pass all from 192.168.10.0/24 to any
/sbin/ipfw add 65100 pass all from any to 192.168.10.0/24
/sbin/ipfw add 65200 pass all from 203.107.34.4/32 to any
/sbin/ipfw add 65300 pass all from any to 203.107.34.4/32
To Add :
FreeBSD 的 Firewall 預設 rule 有這個 rule --> 65535 deny ip from any to any ,所以會將所有的東西都 DENY 掉因此它是放在最後 65535 。流量控制是透過pipe 控制的,而10.254.10.0/24 這段 IP 的流量進出受限在400kbit ,而192.168.10.0/24 這段Server Group 的 IP則不做任何流量控制。
#ipfw list # 可看firewal的所有rule
#ipfw pipe list # 可看pipe的設定
#ipfw delete "rule編號" # 可殺掉一個rule
