FreeBSD 5.4 + pf + squid reverse proxy: hands-on notes (2)
Author: Anonymous  Date: 2007-08-25 21:37  Source: 中国IT实验室  Editor: 月夜寒箫
7. Sharing the Internet connection: the simplest pf configuration

    wan_if="fxp0"
    lan_if="fxp1"
    inter_net="192.168.2.0/24"
    web_server="192.168.2.3"
    ftp_server="192.168.2.3"

    # Normalize all inbound packets
    scrub in all

    # NAT: internal hosts share the address of the external interface
    nat on $wan_if from $inter_net to any -> $wan_if

    # Note: an interface name used as an address expands to that interface's
    # own address, so "from $lan_if" matches only the firewall's LAN address
    rdr on fxp1 proto tcp from $lan_if to any port 80 -> $lan_if port 80
    # FTP from the LAN is redirected to a local listener on 127.0.0.1:8021
    rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    #rdr on fxp0 proto tcp from any to $wan_if port 80 -> $web_server port 8080
    #rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 -> $web_server port 8080

    # Publish the internal FTP server (control port and data port range)
    rdr on $wan_if proto tcp from any to any port 21 -> $ftp_server port 21
    rdr on $wan_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535

    # in on $wan_if
    pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
    pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state

    # out on $lan_if
    pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
    pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state

    # Block dangerous ports (disabled)
    #Danger_Port="{445 135 139 593 5554 9995 9996}"
    #block quick on $wan_if inet proto tcp from any to any port $Danger_Port
    #block quick on $wan_if inet proto tcp from any to any port $Danger_Port

    # Everything else is allowed in both directions
    pass in all
    pass out all

(These last two rules should not be relied on in a real deployment: block everything first, then open only the services you actually need.)
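
The note above, carried through as an added example that is not part of the original article: a default-deny filter section that could take the place of the final "pass in all" / "pass out all". It reuses the article's macros. The assumptions are that squid answers on the firewall's external address on port 80, that proxied requests and redirected FTP are the only traffic the firewall sends toward the LAN, and that FTP clients use passive mode.

```pf
# Added example, not part of the original article.
# Place after the nat/rdr rules, instead of "pass in all" / "pass out all".
# Macros ($wan_if, $lan_if, $inter_net, $ftp_server) are the article's.

# Default deny in both directions; dropped packets are logged to pflog0
block log all

# Loopback traffic
pass quick on lo0 all

# LAN side: clients may reach the firewall (squid, FTP redirect) and,
# through NAT, the Internet
pass in on $lan_if from $inter_net to any keep state

# Toward the LAN: squid fetching from the back-end servers, plus FTP
# connections forwarded by the rdr rules (assumption: nothing else)
pass out on $lan_if proto tcp from any to $inter_net flags S/SA keep state

# WAN side, outbound: NATed client traffic and the firewall's own requests
pass out on $wan_if proto tcp all flags S/SA keep state
pass out on $wan_if proto { udp, icmp } all keep state

# WAN side, inbound: only the published services
# Reverse proxy: squid listening on the external address (assumption)
pass in on $wan_if proto tcp from any to $wan_if port 80 flags S/SA keep state
# FTP control and passive data ports, matched after rdr to $ftp_server
pass in on $wan_if proto tcp from any to $ftp_server port 21 flags S/SA keep state
pass in on $wan_if proto tcp from any to $ftp_server port > 49151 flags S/SA keep state
```

Parse the edited ruleset with pfctl -n -f <file> before loading it, so that a syntax error is caught while the old rules are still active.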

That essentially completes the pf setup.

Now for the squid part.

1. Install squid

    ./configure --enable-useragent-log \
                --enable-referer-log \
                --enable-default-err-language=Simplify_Chinese \
                --enable-err-languages="Simplify_Chinese English" \
                --disable-internal-dns \
                --enable-pf-transparent
    make
    make install
    mkdir /home/cache    # create the directory that will hold the cache

2. Add the user and group that squid will run as (I set both to squid)

    chown squid:squid /home/cache
    ee /usr/local/squid/etc/squid.conf

Add the internal name resolution entries to /etc/hosts, for example mine:

    192.168.2.2 www.aaa.com
    192.168.2.3 mail.aaa.com

3. Now configure squid.conf (my configuration file follows)

    visible_hostname cache.example.com
    cache_dir ufs /home/cache 1024 16 256
    cache_mem 100 MB
    cache_effective_user squid
    cache_effective_group squid
    http_port 80
    httpd_accel_host virtual
    httpd_accel_single_host off
    httpd_accel_port 80
    httpd_accel_uses_host_header on
    httpd_accel_with_proxy on
    # accelerate my domain only
    acl acceleratedHostA dstdomain .example1.com
    #acl acceleratedHostB dstdomain .example2.com
    #acl acceleratedHostC dstdomain .example3.com
    # accelerate the HTTP protocol on port 80
    acl acceleratedProtocol protocol HTTP
    acl acceleratedPort port 80
    # access ACLs
    acl all src 0.0.0.0/0.0.0.0
    # Allow requests when they are to the accelerated machine AND to the
    # right port with right protocol
    http_access allow acceleratedProtocol acceleratedPort acceleratedHostA
    #http_access allow acceleratedProtocol acceleratedPort acceleratedHostB
    #http_access allow acceleratedProtocol acceleratedPort acceleratedHostC
    # logging
    emulate_httpd_log on
    cache_store_log none
    # manager
    # Note: "allow manager all" opens the cache manager to every source
    # address, and "pass" is a placeholder password; restrict the ACL to an
    # admin address and set a strong password before going live
    acl manager proto cache_object
    http_access allow manager all
    cachemgr_passwd pass all

The squid.conf configuration is now complete.