home-gate
Operating system version: OpenBSD 4.4
1 Hardware
Three network cards are configured, mapped to /dev/vmnet1, /dev/vmnet3 and /dev/vmnet2 respectively.
2 Initial installation
Install all of the install sets except the games and X Window sets.
Configure the network.
Open the ssh port.
Reference: OpenBSD 4.4 Installation Guide
3 Change the kernel time zone
OpenBSD assumes the machine's hardware clock is in UTC, not local time. Adjust it to UTC+8:
# config -ef /bsd
>>> timezone -480
>>> quit
# config -ef /bsd.mp
>>> timezone -480
>>> quit
# reboot
This changes both kernels (the single-processor bsd and the SMP bsd.mp).
Reference: Why is my clock off by several hours?
4 Switch kernel (optional)
Use the SMP kernel in place of the default single-CPU kernel:
# cd /
# cp bsd bsd.sp
# cp bsd.mp bsd
# reboot
5 Install the source code
Install the kernel and userland source code:
# cd /usr/src
# tar xzvf /root/sys.tar.gz
# tar xzvf /root/src.tar.gz
Reference: Fetching the appropriate source code
6 Apply patches
Download each patch and follow the instructions it contains.
Note: if a patch requires rebuilding the kernel, redo the time-zone setting from step 3 before rebooting.
7 Create an ordinary user
# adduser
User name: duangw; add the user to the wheel group.
Reference: What is the best way to add and delete users?
8 Disable unneeded network services
Edit /etc/inetd.conf and comment out every service that is not needed, such as time, comsat and so on.
Edit /etc/rc.conf.local and add one line:
sendmail_flags=NO
to disable the sendmail service.
Reference: How do I start daemons with the system? (Overview of rc(8))
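Added example (not from the original notes): a small sh script that lists the services still enabled in an inetd.conf and compares them against an allowlist, so the result of step 8 can be verified instead of eyeballed. The sample inetd.conf it reads is constructed inline, and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original notes: audit an inetd.conf and
# report any service that is still enabled but not on an explicit allowlist.
# inetd.conf layout: one service per line, the first field is the service
# name (optionally prefixed "addr:"); a line starting with "#" is disabled.

# Print the names of the services that are enabled in FILE.
inetd_enabled_services() {
    awk '
        /^[ \t]*#/ { next }        # commented out: service is disabled
        /^[ \t]*$/ { next }        # blank line
        {
            svc = $1
            sub(/^.*:/, "", svc)   # strip an optional "host:" prefix
            print svc
        }
    ' "$1"
}

# Return 0 if every enabled service in FILE is in the space-separated
# ALLOWED list; otherwise print the offenders to stderr and return 1.
inetd_check_allowlist() {
    file=$1
    allowed=" $2 "
    rc=0
    for svc in $(inetd_enabled_services "$file"); do
        case "$allowed" in
            *" $svc "*) ;;
            *) echo "unexpected service enabled: $svc" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample, modelled on the layout of a stock OpenBSD inetd.conf.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample inetd.conf for this example
ident           stream  tcp     nowait  _identd /usr/libexec/identd    identd -el
#ident          stream  tcp6    nowait  _identd /usr/libexec/identd    identd -el
127.0.0.1:comsat dgram  udp     wait    root    /usr/libexec/comsat    comsat
#daytime        stream  tcp     nowait  root    internal
#time           stream  tcp     nowait  root    internal
EOF

# With an allowlist of just ident, comsat is reported and the check fails.
inetd_check_allowlist "$SAMPLE_INETD" "ident" || echo "audit failed (expected for the sample)"
rm -f "$SAMPLE_INETD"
```

Run inetd_check_allowlist against /etc/inetd.conf with the list of services you intended to keep; a non-zero exit means something is still being started by inetd that you did not intend.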
9 Configure system parameters
Edit /etc/sysctl.conf to enable IP forwarding:
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
To make this take effect without rebooting, set it with the sysctl command:
# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1
10 Configure named
Here the gateway acts only as a cache-only DNS server.
Because named on OpenBSD chroots into /var/named/ after it starts, the configuration file /etc/named.conf actually lives at /var/named/etc/named.conf.
Edit /var/named/etc/named.conf and add:
options {
	...
	forward only;
	forwarders { 172.18.0.30; };
	...
};
Edit /etc/rc.conf.local and add:
named_flags=""
11 Configure the PF firewall
Edit /etc/rc.conf.local and add:
pf=YES
ftpproxy_flags=""
Internal users are allowed to use ftp, and external hosts are allowed to reach the local ftp server, so two ftp-proxy instances are needed. One is started through rc as above; the other is started from the rc.local script. Edit /etc/rc.local and add:
echo -n 'ftp-proxy'
/usr/sbin/ftp-proxy -R 10.10.20.20 -p 21 -b 172.16.0.10
Here 10.10.20.20 is the address of the ftp server in the local DMZ and 172.16.0.10 is the address of the gateway's external interface.
Start from one of the pf.conf templates; the one used here is the gateway template without VPN, pf.conf-gate-novpn.ref. Copy it to /etc/pf.conf and edit:
# macros:
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
#mng_if="vic3"

int_net=$int_if:network
dmz_net=$dmz_if:network
#mng_net=$mng_if:network

dmz_web_server="10.10.20.20"
dmz_ftp_server="10.10.20.20"

# tables:
table <firewall> const { self }
table <lan_net> const { self, $int_net, $dmz_net }
#table <lan_net> const { self, $int_net, $dmz_net, $mng_net }

# don't filter on the loopback interface
set skip on lo

# scrub incoming packets
scrub in

# nat table begin:
nat pass on $ext_if -> ($ext_if:0)
#nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# in --> out.ftp
rdr pass on $int_if proto tcp to !<lan_net> port ftp -> 127.0.0.1 port 8021
# in --> dmz.ftp
rdr pass on $int_if proto tcp to $dmz_net port ftp -> 127.0.0.1 port 8021

# dmz <-- out
# http(s)
rdr on $ext_if proto tcp to $ext_if port www -> $dmz_web_server
rdr on $ext_if proto tcp to $ext_if port https -> $dmz_web_server
# ftp (see filter section)
# nat table end.

# filter table begin:
anchor "ftp-proxy/*"

# block spoofed packets
antispoof quick for { lo $int_if $dmz_if }
#antispoof quick for { lo $int_if $dmz_if $mng_if }

# setup a default deny policy
block all

# enable my access anywhere (disabled!!!)
#pass out from <firewall> to any

# enable ssh for management on int_if, mng_if
pass in quick on $int_if proto tcp to <firewall> port ssh
#pass in quick on $mng_if proto tcp to <firewall> port ssh

# enable LAN to ping me
pass in quick on $int_if inet proto icmp to <firewall> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <firewall> icmp-type echoreq
#pass in quick on $mng_if inet proto icmp to <firewall> icmp-type echoreq

# enable dns queries on int_if
pass in quick on $int_if proto udp to $int_if port domain

# in --> out
# ping
pass in quick on $int_if inet proto icmp to !<lan_net> icmp-type echoreq
# http(s)
pass in quick on $int_if proto tcp to !<lan_net> port www
pass in quick on $int_if proto tcp to !<lan_net> port https
# ftp (see nat section)

# in --> dmz
# ping
pass in quick on $int_if inet proto icmp to $dmz_net icmp-type echoreq
pass out quick on $dmz_if inet proto icmp from $int_net icmp-type echoreq
# http(s)
pass in quick on $int_if proto tcp to $dmz_net port www
pass out quick on $dmz_if proto tcp from $int_net to port www
pass in quick on $int_if proto tcp to $dmz_net port https
pass out quick on $dmz_if proto tcp from $int_net to port https
# ftp (see nat section and below)
pass out quick on $dmz_if proto tcp from $dmz_if to port ftp

# dmz <-- out
# http(s)
pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port www
pass in quick on $ext_if proto tcp to $dmz_web_server port https synproxy state
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port https
# ftp
pass in quick on $ext_if proto tcp to $ext_if port ftp
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_ftp_server port ftp user proxy
# filter table end.
Reference: PF: The OpenBSD Packet Filter
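Added example, not part of the original notes and not an OpenBSD tool: a sh script with a few static checks for a pf.conf of the shape above (default deny present, the catch-all outbound rule for the firewall still commented out, the ftp-proxy anchors in place wherever ftp is redirected to port 8021, synproxy on the published www/https rules). The sample configurations are constructed inline and the function names are this example's own. It complements, and does not replace, a syntax check with pfctl -nf /etc/pf.conf on the gateway itself.

```sh
#!/bin/sh
# Added example, not part of the original notes: static sanity checks for a
# pf.conf laid out like the one above. They only grep the file, so they run
# on any host; pfctl -nf is still needed for a real syntax check.

# Print FILE with comments and blank lines removed, so commented-out rules
# such as "#pass out from <firewall> to any" disappear, as they should.
pf_active_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 when FILE passes every check; otherwise report each failure on
# stderr and return 1.
pf_check() {
    active=$(pf_active_lines "$1")
    rc=0

    # 1. Default deny: without "block all", anything that no "pass ... quick"
    #    rule mentions is let through.
    printf '%s\n' "$active" | grep -q '^block all$' \
        || { echo "missing default deny (block all)" >&2; rc=1; }

    # 2. The catch-all outbound rule for the firewall host must stay commented out.
    printf '%s\n' "$active" | grep -q '^pass out from <firewall> to any' \
        && { echo "unrestricted 'pass out from <firewall> to any' is active" >&2; rc=1; }

    # 3. Redirecting ftp to 127.0.0.1:8021 only works when ftp-proxy's anchors
    #    are loaded in the nat, rdr and filter sections.
    if printf '%s\n' "$active" | grep -q 'port 8021'; then
        for a in 'nat-anchor "ftp-proxy/\*"' 'rdr-anchor "ftp-proxy/\*"' '^anchor "ftp-proxy/\*"'; do
            printf '%s\n' "$active" | grep -q "$a" \
                || { echo "ftp redirection present but no $a" >&2; rc=1; }
        done
    fi

    # 4. Web services published from the DMZ should use synproxy state on the
    #    external interface so the DMZ host never sees half-open connections.
    printf '%s\n' "$active" \
        | grep '^pass in quick on \$ext_if proto tcp' \
        | grep -e 'port www' -e 'port https' \
        | grep -qv 'synproxy state' \
        && { echo "external www/https rule without synproxy state" >&2; rc=1; }

    return $rc
}

# Constructed sample: the skeleton of the configuration above.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
dmz_web_server="10.10.20.20"
table <firewall> const { self }
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"
block all
# enable my access anywhere (disabled!!!)
#pass out from <firewall> to any
pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
EOF

# Constructed broken variant: default deny dropped, catch-all rule uncommented,
# filter anchor for ftp-proxy missing.
BAD=$(mktemp)
grep -v -e '^block all' -e '^anchor' "$GOOD" | sed 's/^#pass out/pass out/' > "$BAD"

pf_check "$GOOD" && echo "sample pf.conf: OK"
pf_check "$BAD" || echo "broken sample rejected, as expected"
rm -f "$GOOD" "$BAD"
```

Point pf_check at /etc/pf.conf before loading a new ruleset; each failed check is one line on stderr, and the function returns non-zero if any check failed.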