
Published 2024-12-25 (author field: css添加背景图片显示不出来)

OpenBSD 4.8 as a gateway, with firewall configuration

I. OpenBSD 4.8 as router and firewall

1. Install the OpenBSD 4.8 system

2. Hardware: one old PC, two network cards, one modem

3. Once OpenBSD 4.8 is installed, go to /etc and configure the files below. The two cards are assumed to be rl0 (LAN) and rl1 (WAN), the names the PPPoE and pf configuration further down uses.

4. #vi /etc/hostname.rl0 (the card connected to the LAN; its address is the LAN's gateway)

inet 192.168.0.1 255.255.255.0 NONE

:wq

#NONE is the broadcast-address field of hostname.if(5) syntax. This card carries the gateway address itself, so no default gateway is configured on it. Delete the system's default-gateway file with #rm /etc/mygate; the default route is added by the pppoe0 configuration in step 6 instead.

5. #vi /etc/hostname.rl1 (the card connected to the outside)

up

description "ADSL Port"

:wq

#This card is only brought up as the PPPoE carrier; it gets no IP address of its own.

6. #vi /etc/hostname.pppoe0

inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname 'dialup-username' authkey 'dialup-password' up

dest 0.0.0.1

!/sbin/route add default -ifp pppoe0 0.0.0.1

:wq

#Create the dial-up file and fill in the PPPoE account. The `dest 0.0.0.1` line, which the second write-up below and the pppoe(4) example both include, gives the route command a destination to point at. The PPP credentials sit in this file in clear text, so keep it owned by root with mode 0640 as hostname.if files are expected to be.

7. #vi /etc/sysctl.conf

net.inet.ip.forwarding=1    #1=Permit forwarding (routing) of IPv4 packets

net.inet.ip.mforwarding=1   #1=Permit forwarding (routing) of IPv4 multicast packets

=1

=1

:wq

#Remove the leading "#" to enable IP forwarding. (The two lines that read only "=1" lost their sysctl names in extraction; the original listed two further entries.) Forwarding only lets the kernel route packets between rl0 and pppoe0; it is not NAT. Address translation is done by the `match ... nat-to` rule in pf.conf, so both are needed. Multicast forwarding is not required for a NAT gateway and can stay off unless something on the LAN needs it. sysctl.conf is read at boot; to apply the setting at once, run sysctl net.inet.ip.forwarding=1.

8. #vi /etc/resolv.conf

lookup file bind

nameserver 202.96.134.133

nameserver 202.96.128.86

:wq

#Configure the DNS servers used by the gateway itself (`lookup file bind` consults /etc/hosts before DNS).

9. #vi /etc/dhcpd.conf

This is the DHCP server configuration; change the subnet in it to the LAN range 192.168.0.0/24, with 192.168.0.1 as the router for the clients. dhcpd does not start unless it is also enabled, with dhcpd_flags="" in /etc/rc.conf.local.

10. #vi /etc/rc.conf.local

pf=YES

pf_rules=/etc/pf.conf

#Boot-time settings: enable pf and point it at the ruleset file.

11. Firewall configuration (/etc/pf.conf)

#vi /etc/pf.conf

###macros:START
WAN="pppoe0"
LAN="rl0"
###macros:END

###Options: tune the behavior of pf, default values are given.
set limit { states 100000, frags 50000 }
set skip on lo0
set skip on gre0

###Tables:START
# The <name> token of every table line was dropped when this page was extracted;
# the names below are restored on the assumption that each table is named after its file.
table <ALLOW_REMOTE_DOMAIN> persist file "/etc/pf/ALLOW_REMOTE_DOMAIN"
table <ALLOW_REMOTE_HOST> persist file "/etc/pf/ALLOW_REMOTE_HOST"
table <BADLIST_HOST> persist file "/etc/pf/BADLIST_HOST"
table <BADLIST_USER> persist file "/etc/pf/BADLIST_USER"
table <BADLIST_DOMAIN> persist file "/etc/pf/BADLIST_DOMAIN"
table <PROXY_USER> persist file "/etc/pf/PROXY_USER"
table <HK_USER> persist file "/etc/pf/HK_USER"
table <ERP_USER> persist file "/etc/pf/ERP_USER"
table <MSN_USER> persist file "/etc/pf/MSN_USER"
table <QQ_USER> persist file "/etc/pf/QQ_USER"
table <TCP_USER> persist file "/etc/pf/TCP_USER"
table <UDP_USER> persist file "/etc/pf/UDP_USER"
table <MSN_SRV> persist file "/etc/pf/MSN_SRV"
table <tax_websiste> persist file "/etc/pf/tax_websiste"
table <direct_website> persist file "/etc/pf/direct_website"
###Tables:END

#Each file holds one address, network or host name per line; `persist` keeps a table defined even when its file is empty. Host names in these files are resolved once, when the ruleset is loaded, so a table of domains does not follow later DNS changes until pfctl reloads it.

###NAT:START
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
###NAT:END

###RULES:START
## start system default rules
block in all
pass quick on {gif0,gif1,tun0} inet all
pass out quick inet keep state

#WAN interface
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state

##LAN
# The destination of the next two rules (a <table> or a host name) was lost in extraction.
pass in quick on $LAN inet proto tcp from any to
pass in quick on $LAN inet proto tcp from any to
pass in quick on $LAN inet proto tcp from any to 202.67.155.136

## for Accounting
# The destination of the next two rules was lost in extraction.
pass in quick on $LAN inet proto tcp from 192.168.0.165 to keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port 80 keep state
# This rule passes everything from 192.168.0.3; the narrower 192.168.0.3 rules above are
# redundant and the one below it can never match, because `quick` stops evaluation here.
pass in quick on $LAN inet from 192.168.0.3 to any keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port {82,7001,7002,5678,8001} keep state

##MSN
# The destination of the next rule was lost in extraction.
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {https} keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {1863} keep state

##Secure WEB-site
# The source table of the next three rules was lost in extraction.
pass in quick on $LAN inet proto tcp from to any keep state
pass in quick on $LAN inet proto udp from to any port {8000,8001} keep state
pass in quick on $LAN inet proto udp from to any port {8000,8001} keep state

##TO HK Print SERVER
pass in quick on $LAN inet from 192.168.0.0/24 to 192.168.1.223 keep state
pass in quick on $LAN inet proto tcp from 192.168.0.147 to any port {7001,5678} keep state

##for accounting
# Passes everything from 192.168.0.165, so the 192.168.0.165 rule above is redundant.
pass in quick on $LAN inet from 192.168.0.165 to any keep state

##TO (destination name lost in extraction)
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to 202.82.144.87 port {25,110,443,465,995} keep state

#RULES:END

#How this ruleset behaves: pf evaluates rules top to bottom and the last match wins, except that a matching `quick` rule ends evaluation at once. `block in all` is the non-quick fallback, so any inbound packet that no later `pass ... quick` rule matches is dropped. `pass out quick inet keep state` lets the gateway's own traffic and all forwarded traffic leave unconditionally, so the policy for LAN clients is decided entirely by the `pass in ... on $LAN` rules; note that there is no general rule passing UDP from the LAN, so ordinary clients get DNS only through one of the table-based rules. On OpenBSD 4.8 `keep state` and `flags S/SA` are already the defaults for pass rules, so writing them out changes nothing. The WAN rules expose TCP 80, 822 and 443, UDP 1194, ESP, IP-in-IP and every ICMP type to the Internet; keep only the ones for services that actually run on the gateway. `pass quick on {gif0,gif1,tun0} inet all` passes everything on the tunnel interfaces in both directions.

#sh /etc/netstart        #start the network interfaces
#ifconfig rl0 up         #bring up the rl0 card
#pfctl -f /etc/pf.conf   #reload the firewall ruleset
#pfctl -e                #enable the firewall
#pfctl -d                #disable the firewall

Check the ruleset for syntax errors first with pfctl -nf /etc/pf.conf (parse only, load nothing); a file that fails to parse under pfctl -f leaves the previously loaded rules in place.

Installing and configuring the firewall

I. Operating system: OpenBSD 4.8

II. Hardware: one DELL PC, two network cards

III. Installing the system and configuring the firewall

1. Install the OpenBSD 4.8 operating system (omitted here);

2. Configure the first card (hostname.rl0); it is the LAN gateway.

#cd /etc
#vi hostname.rl0
inet 192.168.0.1 255.255.255.0 NONE
:wq

3. Configure the second card (hostname.rl1); it carries the PPPoE dial-up.

#cd /etc
#vi hostname.rl1
up
description "ADSL Port"
:wq

4. Configure the dial-up file (hostname.pppoe0).

#cd /etc
#vi hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE pppoedev rl1 authproto pap authname 'broadband-account' authkey 'password' up
dest 0.0.0.1
!/sbin/route add default -ifp pppoe0 0.0.0.1
:wq

5. Configure the DNS servers

#cd /etc
#vi resolv.conf
nameserver 202.96.128.86
nameserver 202.96.134.133
:wq

6. Enable IP forwarding.

#cd /etc
#vi sysctl.conf
net.inet.ip.forwarding=1    //remove the leading # sign

7. Enable the firewall.

#cd /etc
#vi rc.conf.local
pf=YES
pf_rules=/etc/pf.conf

8. Configure the PF firewall

#cd /etc
#vi pf.conf

##macros:START
WAN="pppoe0"
LAN="rl0"
##macros:END //macro definitions

##option:START
set limit { states 100000, frags 50000 }
set skip on lo0
set skip on gre0
##option:END //options (the keyword is `set skip on <interface>`; `set skip lo0` without `on` does not parse)

##table:START
table <table_name> persist file "path_to_table_file"
##table:END //table definitions

##queue:START
##QUEUE:END //priority and bandwidth settings (none defined here)

##NAT:START
match out on $WAN inet from 192.168.0.0/24 to any nat-to ($WAN)
##NAT:END //translate LAN addresses for Internet access

##RULES:START //filter rules
block in all
pass quick on {gif0,gif1,tun0} inet all
pass out quick inet keep state

##WAN interfaces
pass in quick on $WAN inet proto ipencap from any to ($WAN) keep state
pass in quick on $WAN inet proto esp from any to ($WAN) keep state
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
pass in quick on $WAN inet proto icmp from any to ($WAN) keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state

##LAN interfaces
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any keep state
# The two block rules below can never match: the `pass ... quick ... to any` rule above already
# ends evaluation for every TCP packet from the LAN. Block rules must come before the broad
# pass rule (or the pass rule must lose `quick`, so that last match wins) to take effect.
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to any
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to port 80   # destination lost in extraction
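Both rulesets on this page depend on pf's evaluation order: rules are read top to bottom, the last match wins, and `quick` ends the search at the first match, which is what makes the two `block` rules above and the second 192.168.0.3 rule in the first ruleset unreachable. The following is an added example, not code from the page or from OpenBSD: a small Python model of that order. It parses the subset of pf.conf syntax the page uses, decides constructed packets against a constructed subset of the page's rules, and lists rules that an earlier `quick` rule makes unreachable. The WAN address 203.0.113.10, the packets and the `RULESET` subset are assumptions; table-based rules are left out because their table names did not survive extraction.

```python
"""Model of pf rule evaluation: rules are walked top to bottom, the LAST match wins
unless a matching rule says `quick` (evaluation stops there), and with no match at all
pf passes, which is why `block in all` comes first. State/flags options are ignored."""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the page's rules (table rules omitted: names lost); assumed WAN address.
MACROS = {"WAN": "pppoe0", "LAN": "rl0"}
IFACE_ADDR = {"pppoe0": "203.0.113.10"}
SERVICES = {"http": 80, "https": 443}
RULESET = """
block in all
pass out quick inet keep state
pass in quick on $WAN inet proto tcp from any to ($WAN) port {80,822,443} flags S/SA keep state
pass in quick on $WAN inet proto udp from any to ($WAN) port {1194} keep state
pass in quick on $LAN inet from 192.168.0.3 to any keep state
pass in quick on $LAN inet proto tcp from 192.168.0.3 to any port {82,7001,7002,5678,8001} keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any port {https} keep state
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to any keep state
block in quick on $LAN inet proto tcp from 192.168.0.0/24 to any
"""

Packet = namedtuple("Packet", "iface direction proto src dst dport")

@dataclass
class Rule:                          # None in any field below means "unrestricted" / "any"
    action: str
    text: str
    direction: Optional[str] = None  # "in" or "out"
    quick: bool = False
    ifaces: Optional[set] = None
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    ports: Optional[set] = None

def _expand(tok):                    # "{a,b}" -> ["a", "b"], "$WAN" -> "pppoe0"
    return [MACROS.get(t[1:], t) if t.startswith("$") else t for t in tok.strip("{}").split(",")]

def _addr(tok):
    if tok == "any":
        return None
    if tok.startswith("($") and tok.endswith(")"):   # ($WAN): the interface's own address
        return ipaddress.ip_network(IFACE_ADDR[MACROS[tok[2:-1]]])
    return ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    # collapse "{ a, b }" into "{a,b}" so a plain split yields one token per field
    toks = re.sub(r"\{([^}]*)\}", lambda m: "{" + m.group(1).replace(" ", "") + "}", line).split()
    r, it = Rule(action=toks[0], text=line.strip()), iter(toks[1:])
    for t in it:                     # inet, all, keep, state, flags, S/SA fall through untouched
        if t in ("in", "out"):
            r.direction = t
        elif t == "quick":
            r.quick = True
        elif t == "on":
            r.ifaces = set(_expand(next(it)))
        elif t == "proto":
            r.proto = next(it)
        elif t in ("from", "to"):
            setattr(r, "src" if t == "from" else "dst", _addr(next(it)))
        elif t == "port":
            r.ports = {int(p) if p.isdigit() else SERVICES[p] for p in _expand(next(it))}
    return r

def parse_ruleset(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def matches(r, p):
    return ((r.direction is None or r.direction == p.direction)
            and (r.ifaces is None or p.iface in r.ifaces)
            and (r.proto is None or r.proto == p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in r.src)
            and (r.dst is None or ipaddress.ip_address(p.dst) in r.dst)
            and (r.ports is None or p.dport in r.ports))

def evaluate(rules, p):
    """Return (action, rule index) for packet p, or ("pass", None) if nothing matched."""
    winner = None
    for idx, r in enumerate(rules):
        if matches(r, p):
            winner = (r.action, idx)
            if r.quick:              # quick: later rules are not consulted
                break
    return winner or ("pass", None)

def _covers(a, b):
    """True if every packet that matches rule b also matches rule a (field-wise containment)."""
    def wider(x, y, inside):         # x is unrestricted, or y's set lies inside x's
        return x is None or (y is not None and inside(y, x))
    eq, sub, net = (lambda y, x: y == x), set.issubset, ipaddress.IPv4Network.subnet_of
    return (wider(a.direction, b.direction, eq) and wider(a.proto, b.proto, eq)
            and wider(a.ifaces, b.ifaces, sub) and wider(a.ports, b.ports, sub)
            and wider(a.src, b.src, net) and wider(a.dst, b.dst, net))

def dead_rules(rules):
    """Indexes of rules that can never win because an earlier `quick` rule covers them."""
    return [j for j, r in enumerate(rules) if any(rules[i].quick and _covers(rules[i], r) for i in range(j))]
```

Running `dead_rules(parse_ruleset(RULESET))` reports rule 5 (the 192.168.0.3 port list, covered by the rule passing everything from 192.168.0.3) and rule 8 (the trailing `block`, covered by the broad `pass ... quick ... to any`). On the gateway itself, pfctl -nf /etc/pf.conf catches syntax errors and pfctl -sr shows the loaded rules, but neither reports rules that can never match, which is what this check is for.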


Tags: network card, configuration, file, firewall