2007年9月23日

家裡網路架構之變化-1(MPD+pf設定檔與心得)

FreeBSD PF 心得:

FreeBSD PF 推薦網址如下:
==================================================================
我的pf.conf的主體是參考
http://72.14.235.104/search?q=cache:uLgfqA9R6c4J:fangshen.hwai.edu.tw/%3Fp%3D24+freebsd+pf%E8%AA%AA%E6%98%8E&hl=zh-TW&ct=clnk&cd=3&gl=tw&lr=lang_zh-TW&client=firefox

這裡除了很簡要的設定之外,最下面的指令介紹我到現在還經常上google查
FreeBSD 5.3 Release PF 初體驗

這裡的防掃描偵測不錯,不過我沒用就是了,他的指令更完整....
http://netflow.kmseh.gov.tw/blog/index.php?op=ViewArticle&articleId=6&blogId=1
(失聯)

FreeBSD handbook的PF教學,這一定要看的,他的重點是跟你說kernel怎麼選會支援pf.....ALTQ有哪些~~~
FreeBSD 使用手冊 Chapter 27 防火牆

這篇很容易被查到,我好像看了好幾次了... = =||
他對pf的介紹還不錯
FreeBSD-我的 PF 學習筆記

這是大陸的善心人士,他們把pf的man 給翻譯成簡體了~
pf中文手冊(for openbsd,但同樣適用FREEBSD)
==================================================================

看的順序則建議如下:
==================================================================
先看handbook瞭解pf要怎麼編譯進去~~
FreeBSD 使用手冊 Chapter 27 防火牆

再來看介紹
FreeBSD-我的 PF 學習筆記

之後大致瞭解pf的架構(Macro、Table...等一堆的語法順序),接著需要個樣板,參考主體
http://72.14.235.104/search?q=cache:uLgfqA9R6c4J:fangshen.hwai.edu.tw/%3Fp%3D24+freebsd+pf%E8%AA%AA%E6%98%8E&hl=zh-TW&ct=clnk&cd=3&gl=tw&lr=lang_zh-TW&client=firefox

從主體中可以知道變數的定義方式,然後特別注意,有分單一的變數和多個的變數,接著可以這個,它對NAT、防火牆的定義講解的比較簡單,ALTQ一律先跳過,這東西每個人說得都不同,因為他有好幾種~
http://freebsd.ntut.idv.tw/document/freebsd_pf_nat.html

最後看上面或下面的網址,知道指令怎麼下
http://netflow.kmseh.gov.tw/blog/index.php?op=ViewArticle&articleId=6&blogId=1

而翻成簡體的pf man文件,則可以用來查
pf中文手冊(for openbsd,但同樣適用FREEBSD)
==================================================================

mpd可以先抄我的來改,之後再去看......基本上就是sample改的~

至於ALTQ.....我建議先不要用........
ALTQ很多人寫法差異很大,因為ALTQ是QoS的名稱....它裡面有好幾種演算法,每種演算法的設定參數和方式都不同.........

mpd.conf
startup:
# Configure the mpd management console.
# NOTE(review): the console is bound to 0.0.0.0 (every address on the box) and
# the pf.conf further down this page passes all inbound traffic, so TCP 5005
# and the login below are reachable from the PPPoE side as well as the LAN.
# Binding it to 127.0.0.1 (`set console ip 127.0.0.1`), or blocking 5005/5006
# on $ext_if in pf, limits that exposure.
set console port 5005
set console ip 0.0.0.0
# Console login (user, password) stored in cleartext -- keep this file readable
# by root only.
set console user ycfu sister
set console open
# Configure the built-in web server. It reuses the same credentials; no bind
# address is given here, so its reachability is whatever mpd defaults to
# (a `set web ip` line would pin it -- confirm against the mpd4 manual).
set web port 5006
set web user ycfu sister
set web open

#
# Default configuration is "myisp"

default:
# PPPoE relay: create relay "r1" between the links PPPoE-in and PPPoE-out
# (both defined in mpd.links below: incoming side on ste0, outgoing on ste1).
# Presumably this lets a host on the ste0 segment run its own PPPoE session
# through this box -- any host on that segment can do so; confirm that is intended.
rnew r1 PPPoE-in PPPoE-out
# Load the router's own PPPoE dial-up bundle defined below.
load PPPoE

#
# PPPoE client example (see also mpd.links.sample entry "PPPoE")
#

PPPoE:
# Bundle "PPPoE" with link "PPPoE" (the link itself is defined in mpd.links).
new PPPoE PPPoE
# The PPPoE session becomes the default route.
set iface route default
# Always on: no dial-on-demand and no idle timeout.
set iface disable on-demand
set iface idle 0
# Clamp TCP MSS on the ng interface. pf.conf's "scrub out on $ext_if max-mss
# 1452" below appears to do the same job; the overlap is harmless.
set iface enable tcpmssfix
# Script run when the interface comes up. Its contents are not on this page;
# mpd presumably runs it with its own (root) privileges, so it should be
# root-owned and not writable by other users -- confirm.
set iface up-script /usr/local/etc/mpd4/mpd_init.sh
# Van Jacobson TCP header compression.
set ipcp yes vjcomp
# Redial limit and PPPoE MTU.
set link max-redial 0
set link mtu 1492
# Accept whatever local/remote address pair the ISP assigns.
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
set bundle disable multilink
# ISP login name. No password line is visible here -- presumably it lives in
# mpd.secret; confirm, and keep that file readable by root only.
set auth authname ooxxoox@ip.hinet.net
set link no acfcomp protocomp
# Do not demand PAP/CHAP from the peer ourselves; accept CHAP when the ISP
# asks for it (mpd's disable/accept semantics -- confirm against the manual).
set link disable pap chap
set link accept chap
# Take primary and secondary DNS from the ISP.
set ipcp enable req-pri-dns
set ipcp enable req-sec-dns
# LCP keep-alive: looks like an echo every 10s with a 60s dead-link timeout --
# confirm against the mpd4 manual.
set link keep-alive 10 60
open


mpd.links
#
# For our PPPoE connection, using Ethernet interface "fxp1"
# Often the service is ignored. If yours is required, replace
# the "whatever" string with your PPPoE service string.
#

PPPoE-in:
# Incoming side of relay r1 ("rnew r1 PPPoE-in PPPoE-out" in mpd.conf above):
# accepts PPPoE sessions arriving on ste0, with an empty service string
# (the header comment above notes the service is often ignored).
# NOTE(review): the header comment mentions fxp1, but this link uses ste0.
# "enable incoming" means any host on the ste0 segment may open a session
# through the relay -- confirm that is the intended set of hosts.
set phys type pppoe
set pppoe iface ste0
set pppoe service ""
set pppoe enable incoming

PPPoE-out:
# Outgoing side of relay r1: sessions relayed from PPPoE-in are originated
# on ste1 (the ISP-facing NIC, if ste0 is the LAN side -- confirm). Incoming
# PPPoE on this link is explicitly refused.
set phys type pppoe
set pppoe iface ste1
set pppoe service ""
set pppoe enable originate
set pppoe disable incoming
PPPoE:
# The router's own PPPoE client link, used by bundle "PPPoE" in mpd.conf
# ("new PPPoE PPPoE"). Same NIC as PPPoE-out (ste1), originate only, empty
# service string. Note that pf.conf below names ste1 as $int_if, which
# conflicts with its use as the PPPoE uplink here -- confirm which NIC is which.
set phys type pppoe
set pppoe iface ste1
set pppoe service ""
set pppoe enable originate
set pppoe disable incoming


pf.conf
#===================== Interfaces and macro definitions ================
# ng0: presumably the interface mpd brings up for the "PPPoE" bundle above;
# it is the Internet-facing side of this box.
ext_if = "ng0"
# NOTE(review): mpd.links on this page uses ste1 for the outbound PPPoE links
# and ste0 for the relay's incoming side, so ste1 looks like the WAN NIC, not
# the LAN. Confirm before relying on $int_if (it is only used by the FTP
# redirect further down).
int_if = "ste1"
out_bw = "20Mb" # total upload bandwidth, needed for QoS (20Mb upstream)
in_bw = "100Mb" # download bandwidth (100Mb downstream)
ack_bw = "19.6Mb" # bandwidth for the TCP ACK queue (2% of upstream, 0.4Mb, held back for ACKs)
# Only $ack_bw is used by an active rule below; out_bw/in_bw appear in
# commented-out ALTQ lines only.
internal_net = "192.168.0.0/16"
ycfu_pc = "192.168.1.1" # personal PC, LAN address
file_server = "192.168.1.6" # file server, LAN address
media_server = "192.168.1.7" # MediaCenter, LAN address

# List macros: same idea as above, but each may hold several values. Every
# list used by an active rdr rule below is forwarded from the Internet to the
# named LAN host; ftp_port, windows_emule_port and windows_vnc_port are not
# used by any active rule as shown.
ftp_port="{21,2201,20021}"
# Linux aMule
linux_amule_port = "{4712, 4662, 4665, 4672}"
windows_emule_port = "{4771, 4772, 4775}"
windows_telnet_ssh = "1024"
bittorrent_port = "1045"
windows_vnc_port = "{7800, 7801, 7802, 7803, 7804, 7805, 7900, 7901, 7902, 7903, 7904, 7905}"
file_nx_port = "5901"
media_nx_port = "5902"
web_port = "{1000, 1001}"
bbonline_port = "{2927, 2896, 2897, 2898, 2899}"

# Respond to Echo Request, i.e. icmp type 8, such as ping.
# (icmp_types is not referenced by any rule in this file as shown.)
icmp_types = "echoreq"

#===================== Options ================
# Interface whose packet/byte counters pf keeps (shown by pfctl -si).
set loginterface $ext_if
#set optimization normal #ordinary network environment
#set optimization high-latency #high-latency network
# NOTE(review): block-policy only applies when a rule blocks; the filter
# section below has no active block rule, so this setting currently has no
# effect.
set block-policy return
set limit { states 30000, src-nodes 30000, frags 15000 }

# scrub: packet normalization / reassembly
scrub in all
scrub out on $ext_if max-mss 1452 # MSS (Maximum Segment Size) clamp for PPPoE (mpd's tcpmssfix above appears to do the same)

#===================== ALTQ QoS ================
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%

# TCP ACK setup
#(upload and download are asymmetric: once upload is saturated, downloads suffer too)
#(the reason: a TCP "download" must send ACKs back "upstream"; if upload is
# already full, the ACKs cannot get out)
#(with ALTQ QoS we give TCP ACKs priority over all other packets)
#On TCP ACK see: http://www.chweng.idv.tw/swintro/cfos.php
#On pf ALTQ TCP ACK setup see: http://www.benzedrine.cx/ackpri.html
#(under test)
# priq scheduler on the external interface with two queues. Total bandwidth is
# $ack_bw (19.6Mb), slightly under $out_bw (20Mb). The queues are attached to
# traffic by the two stateful TCP rules in the filter section.
altq on $ext_if priq bandwidth $ack_bw queue { ack_pri, def_pri}
queue ack_pri priority 7
#queue ssh_pri priority 2
queue def_pri priority 1 priq(default)

#altq on $ext_if priq bandwidth $out_bw queue { max_out }
#queue max_out priority 2 priq(default)

#queue file_server_p2p priority 1 priq # File Server default priority lowest (to throttle P2P)
#queue file_server_std priority 2 priq # File Server other ports, normal priority
#queue default_std priority 2 priq

#altq on $ext_if priq bandwidth $in_bw queue { max_in }
#queue max_in priority 1 priq(default)

#===================== NAT ================
# Basic setup: masquerade the whole $internal_net range behind the PPPoE address.
nat on $ext_if from $internal_net to any -> ($ext_if)

# Port forwarding
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# NOTE(review): the filter section below is "pass in all", so each active rdr
# here publishes the LAN service to any source on the Internet with no further
# restriction. If the filter is changed to default-deny, each rdr target needs
# a matching pass rule (ideally scoped to the expected sources).
rdr on $ext_if proto tcp from any to any port $linux_amule_port -> $file_server
rdr on $ext_if proto udp from any to any port $linux_amule_port -> $file_server
rdr on $ext_if proto tcp from any to any port $bittorrent_port -> $file_server
#rdr on $ext_if proto tcp from any to any port $windows_vnc_port -> $ycfu_pc
rdr on $ext_if proto tcp from any to any port $windows_telnet_ssh -> $ycfu_pc
rdr on $ext_if proto tcp from any to any port $bbonline_port -> $ycfu_pc
rdr on $ext_if proto tcp from any to any port $file_nx_port -> $file_server
rdr on $ext_if proto tcp from any to any port $media_nx_port -> $media_server
rdr on $ext_if proto tcp from any to any port $web_port -> $file_server

# 1:1 address mapping
# ref: http://blog.chinaunix.net/u/10047/showart_218183.html
#web_serv_int = "192.168.1.100"
#web_serv_ext = "24.5.0.6"
#binat on tl0 from $web_serv_int to any -> $web_serv_ext

# FTP workaround (ftp-proxy)
# ref: http://www.chinaunix.net/jh/5/879515.html
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Port-21 connections arriving on $int_if are diverted to ftp-proxy on
# 127.0.0.1:8021. This only catches LAN clients if $int_if really is the LAN
# NIC (see the note on int_if above).
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
# NOTE(review): antispoof is left disabled, and with the pass-all filter below
# nothing drops packets arriving on $ext_if that carry an $internal_net source.
# Enabling this line (or an explicit block for such sources) is the usual fix.
#antispoof for $ext_if inet

#===================== Filter rules ================
# NOTE(review): these two rules pass every packet, in both directions, on every
# interface, and no active block rule follows them, so nothing is filtered.
# The forwarded LAN services above and the router's own listeners (for example
# the mpd console/web ports 5005/5006 in mpd.conf on this page, bound to
# 0.0.0.0) are all reachable from $ext_if. A default-deny would be
# `block in on $ext_if` placed before these (pf uses the last matching rule),
# followed by pass rules for the rdr targets, the ftp-proxy anchor and the
# stateful TCP rules below.
pass in all
pass out all

# Firewall rules paired with ALTQ QoS
#block on $ext_if proto tcp from any to any # block all TCP first, then the next two rules do QoS
# Stateful TCP on the external interface. The second queue in
# "queue ( def_pri, ack_pri )" receives the TCP ACKs, everything else goes to
# def_pri; since everything is already passed above, these rules only add the
# queue assignment.
pass out on $ext_if proto tcp from $ext_if to any flags S/SA keep state queue ( def_pri, ack_pri )
pass in on $ext_if proto tcp from any to $ext_if flags S/SA keep state queue ( def_pri, ack_pri )
#pass out on $ext_if proto tcp from any to any port 22 keep state queue ssh_pri #had no effect

#pass out on $ext_if proto tcp from 192.168.1.6 to any port $linux_amule_port keep state queue p2p_pri
#pass out on $ext_if proto tcp from 192.168.1.6 to any port $bittorrent_port keep state queue p2p_pri

#pass out on $ext_if proto { tcp, udp } from $file_server to any queue (file_server_p2p, file_server_std)
#pass in on $ext_if proto { tcp, udp } from any to $file_server queue (file_server_p2p, file_server_std)
#pass out on $ext_if proto { tcp, udp } from $ext_if to any flags S/SA keep state queue ( max_out )
#pass out on $ext_if proto { tcp, udp } from any to $ext_if flags S/SA keep state queue ( max_in )

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
# (This is the sample's default-deny skeleton; it is commented out here.)
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state

# pass incoming packets destined to the addresses given in table .
#pass in on $ext_if proto { tcp, udp } from any to port 80 keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
