Duangw

home-gate

Operating system version: OpenBSD 4.4

 

1 Hardware

Three network interfaces are configured, mapped to /dev/vmnet1, /dev/vmnet3 and /dev/vmnet2 respectively.

 

2 Initial installation

Install all file sets except games and X Window.

Configure the network.

Enable the ssh port.

Reference: OpenBSD 4.4 Installation Guide

 

3 Changing the kernel time zone

OpenBSD assumes the hardware clock is set to UTC rather than local time. Adjust it to UTC+8 (the argument to timezone is the offset in minutes west of UTC, so UTC+8 is -480):

# config -ef /bsd
>>>timezone -480
>>>quit
# config -ef /bsd.mp
>>>timezone -480
>>>quit
# reboot

Both kernels (bsd and bsd.mp) are modified here.

Reference: Why is my clock off by several hours?

 

4 Switching kernels (optional)

Replace the default single-CPU kernel with the SMP kernel:

# cd /
# cp bsd bsd.sp
# cp bsd.mp bsd
# reboot

 

5 Installing the source code

Install the kernel and userland source code:

# cd /usr/src
# tar xzvf /root/sys.tar.gz
# tar xzvf /root/src.tar.gz

Reference: Fetching the appropriate source code

 

6 Installing patches

Download each patch and follow the instructions it contains.

Note: if a patch requires rebuilding the kernel, redo the time zone setting from step 3 before rebooting.

 

7 Creating a regular user

# adduser

User name: duangw; add the user to the wheel group.

Reference: What is the best way to add and delete users?

 

8 Disabling unneeded network services

Edit /etc/inetd.conf and comment out every service that is not needed, such as time, comsat and so on.

Edit /etc/rc.conf.local and add the line:

sendmail_flags=NO

to disable the sendmail service.

Reference: How do I start daemons with the system? (Overview of rc(8))

 

9 Configuring system parameters

Edit /etc/sysctl.conf and enable IP forwarding:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

To make this take effect without rebooting the machine, set it with the sysctl command:

# sysctl net.inet.ip.forwarding=1
# sysctl net.inet6.ip6.forwarding=1

Reference: IP Forwarding

 

10 Configuring named

Here the gateway acts only as a cache-only DNS server.

Because named on OpenBSD chroots into /var/named/ after starting, the configuration file /etc/named.conf actually lives at /var/named/etc/named.conf.

Edit /var/named/etc/named.conf and add:

options {
...
        forward only;
        forwarders {
                172.18.0.30;
        };
...
};

Edit /etc/rc.conf.local and add:

named_flags=""

 

11 Configuring the PF firewall

Edit /etc/rc.conf.local and add:

pf=YES
ftpproxy_flags=""

Internal users are allowed to use ftp, and external hosts are allowed to reach the local ftp server, so two ftp-proxy instances are needed: one is started through rc as above, the other from the rc.local script. Edit /etc/rc.local and add:

echo -n 'ftp-proxy'
/usr/sbin/ftp-proxy -R 10.10.20.20 -p 21 -b 172.16.0.10

Here 10.10.20.20 is the address of the ftp server in the local DMZ and 172.16.0.10 is the address of the gateway's external interface.

The pf.conf is adapted from a template; the one currently in use is the gateway template without VPN, pf.conf-gate-novpn.ref. Copy it to /etc/pf.conf and edit:

# macros:
int_if="vic0"
ext_if="vic1"
dmz_if="vic2"
#mng_if="vic3"

int_net=$int_if:network
dmz_net=$dmz_if:network
#mng_net=$mng_if:network

dmz_web_server="10.10.20.20"
dmz_ftp_server="10.10.20.20"

# tables:
table <firewall> const { self }
table <lan_net> const { self, $int_net, $dmz_net }
#table <lan_net> const { self, $int_net, $dmz_net, $mng_net }

# don't filter on the loopback interface
set skip on lo

# scrub incoming packets
scrub in

# nat table begin:
nat pass on $ext_if -> ($ext_if:0)
#nat pass on $ext_if from !($ext_if) -> ($ext_if:0)

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# in --> out.ftp
rdr pass on $int_if proto tcp to !<lan_net> port ftp -> 127.0.0.1 port 8021
# in --> dmz.ftp
rdr pass on $int_if proto tcp to $dmz_net port ftp -> 127.0.0.1 port 8021
# dmz <-- out
# http(s)
rdr on $ext_if proto tcp to $ext_if port www -> $dmz_web_server
rdr on $ext_if proto tcp to $ext_if port https -> $dmz_web_server
# ftp (see filter section)
# nat table end.

# filter table begin:
anchor "ftp-proxy/*"

# block spoofed packets
antispoof quick for { lo $int_if $dmz_if }
#antispoof quick for { lo $int_if $dmz_if $mng_if }

# setup a default deny policy
block all

# allow the firewall itself to reach anywhere (disabled!!!)
#pass out from <firewall> to any

# allow ssh for management on int_if, mng_if
pass in quick on $int_if proto tcp to <firewall> port ssh
#pass in quick on $mng_if proto tcp to <firewall> port ssh

# allow LAN hosts to ping me
pass in quick on $int_if inet proto icmp to <firewall> icmp-type echoreq
pass in quick on $dmz_if inet proto icmp to <firewall> icmp-type echoreq
#pass in quick on $mng_if inet proto icmp to <firewall> icmp-type echoreq

# allow DNS queries on int_if
pass in quick on $int_if proto udp to $int_if port domain

# in --> out
# ping
pass in quick on $int_if inet proto icmp to !<lan_net> icmp-type echoreq
# http(s)
pass in quick on $int_if proto tcp to !<lan_net> port www
pass in quick on $int_if proto tcp to !<lan_net> port https
# ftp (see nat section)

# in --> dmz
# ping
pass in quick on $int_if inet proto icmp to $dmz_net icmp-type echoreq
pass out quick on $dmz_if inet proto icmp from $int_net icmp-type echoreq
# http(s)
pass in quick on $int_if proto tcp to $dmz_net port www
pass out quick on $dmz_if proto tcp from $int_net to port www
pass in quick on $int_if proto tcp to $dmz_net port https
pass out quick on $dmz_if proto tcp from $int_net to port https
# ftp (see nat section and below)
pass out quick on $dmz_if proto tcp from $dmz_if to port ftp

# dmz <-- out
# http(s)
pass in quick on $ext_if proto tcp to $dmz_web_server port www synproxy state
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port www
pass in quick on $ext_if proto tcp to $dmz_web_server port https synproxy state
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_web_server port https
# ftp
pass in quick on $ext_if proto tcp to $ext_if port ftp
pass out quick on $dmz_if proto tcp from !<lan_net> to $dmz_ftp_server port ftp user proxy
# filter table end.

Reference: PF: The OpenBSD Packet Filter
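As an added illustration (not part of the original configuration), the following Python model encodes the ingress "pass in quick" rules from the filter section above and evaluates them the way PF does: block all is the default, every pass rule is quick, so the first matching pass wins. Only 172.16.0.10 and 10.10.20.20 come from the page; the vic0 and vic2 address ranges are assumptions, ICMP is treated as echo requests only, and queries for connections from outside use the post-rdr destination, because PF translates before it filters.

```python
import ipaddress

# Constructed address plan: 172.16.0.10 (vic1) and 10.10.20.20 are from the page,
# the vic0 (internal) and vic2 (DMZ) ranges are assumptions for this model.
IFACE = {"vic0": "192.168.1.1/24", "vic1": "172.16.0.10/24", "vic2": "10.10.20.1/24"}

def _ip(i): return ipaddress.ip_interface(IFACE[i])

SELF = {_ip(i).ip for i in IFACE}                      # table <firewall> { self }
GROUPS = {
    "firewall": SELF,
    "int_if": {_ip("vic0").ip}, "ext_if": {_ip("vic1").ip},
    "dmz_net": {_ip("vic2").network},
    "dmz_server": {ipaddress.ip_address("10.10.20.20")},  # web and ftp server
}
GROUPS["lan_net"] = SELF | {_ip("vic0").network} | GROUPS["dmz_net"]

def matches(addr, spec):
    """True when addr is in the macro/table named by spec ('!' negates, as in pf)."""
    if spec == "any":
        return True
    neg = spec.startswith("!")
    hit = any(addr in m if isinstance(m, ipaddress.IPv4Network) else addr == m
              for m in GROUPS[spec.lstrip("!")])
    return hit != neg

# Ingress "pass in quick" rules in page order: (iface, proto, dst spec, dport).
# The icmp rules match echo requests only, modelled here with dport None.
PASS_IN = [
    ("vic0", "tcp", "firewall", 22),      # ssh for management on int_if
    ("vic0", "icmp", "firewall", None),   # LAN and DMZ may ping the gateway
    ("vic2", "icmp", "firewall", None),
    ("vic0", "udp", "int_if", 53),        # DNS to the cache-only named
    ("vic0", "icmp", "!lan_net", None),   # in --> out
    ("vic0", "tcp", "!lan_net", 80),
    ("vic0", "tcp", "!lan_net", 443),
    ("vic0", "icmp", "dmz_net", None),    # in --> dmz
    ("vic0", "tcp", "dmz_net", 80),
    ("vic0", "tcp", "dmz_net", 443),
    ("vic1", "tcp", "dmz_server", 80),    # dmz <-- out (destination is post-rdr)
    ("vic1", "tcp", "dmz_server", 443),
    ("vic1", "tcp", "ext_if", 21),        # handed to the reverse ftp-proxy
]

def admitted(iface, proto, dst, dport=None):
    """'block all' is the default; every pass rule is quick, so the first match wins."""
    dst = ipaddress.ip_address(dst)
    for r_if, r_proto, r_dst, r_port in PASS_IN:
        if (r_if, r_proto, r_port) == (iface, proto, dport) and matches(dst, r_dst):
            return True
    return False
```

The negated table in the "in --> out" rules is what keeps an internal client from using the outbound web rule to reach DMZ or gateway addresses on those ports; the model makes that visible by refusing such queries.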