FreeBSD5.4 + pf + oops实现透明代理 - Linux 时代

首页 | 博客 | Linux | 论坛 | 人才 | 培训 | 知识库 | 资料 | 读书 | 手册 | 精华 | 下载 | 沙龙 | 搜索

搜索

产品与方案

·中科红旗全面打造现代化邮政体系
·红旗助力“网上审批服务” 推动电子政务
·红旗正版化开创呼和浩特网吧建设新起点
·红旗Linux助信息产业部邮件服务器“快跑”
·中标普华Linux 为电子政务信息化保驾护航
·中标普华Linux助力基金产业
·中标普华Office率先支持UOF标准
·中标普华邮件系统助力西藏政府信息化建设
·红旗Linux助力国库集中支付系统改革
·红旗助中信卫星掀起GIS通信应用风暴
·红旗软件助力烟草总局全面建设“数字烟草”
·红旗助力“信访阳光工程”打造畅通信访渠道
·红帽联合FIS发布下一代实时核心银行平台
·红旗助力金盾打造全无忧出入境信息系统
·红旗Linux全力打造中国邮政总局名址信息库
·爱尔兰证交所从Unix迁移到红帽企业Linux
·一流的意大利银行选择使用红帽企业Linux
·PLUS Finanzservice选择使用红帽企业Linux
·红帽助力TransACT Communications 公司
·法国零售业巨头Lapeyre采用Redhat Linux
·旅游预订网站选择使用红帽企业Linux
·马哈拉施特拉邦政府的红帽解决之道
·美国联邦政府案例
·红帽为慕尼黑展览会提供现代化集群系统
·Yuba郡用开源软件和红帽产品提高了效率
·红帽企业Linux助印度理工建立高性能计算中心
·采用红帽Linux 将系统维护时间缩短了65%
·从UNIX迁移到Linux使PeÃ±oles公司获益非浅
·Hikal公司用红帽企业Linux开展任务关键的ERP项目
·KDE3.5.4新版本发布
·芝加哥商业交易所从Unix向Linux迁移
·南方基金管理有限公司成功案例 Red Hat Linux
·广东北电通讯设备有限公司成功案例
·挪威国家石油公司从UNIX迁移到红帽Linux，成本减半
·中央电视台CCTV动画部案例 Red Hat Linux

图书

鸟哥的Linux私房菜基础学..

Linux程序设计.第3版

Linux设备驱动开发详解

下载

·Endian Firewall
·linux kernel(Linux 内核)
·CentOS
·Fedora Core 6
·Scientific Linux
·Slackware 11.0
·Gentoo Linux
·ubuntu-6.10-i386服务器版本
·ubuntu-6.10-amd64服务器版
·ubuntu-6.10-i386桌面版
·ubuntu-6.10-amd64桌面版
·Engarde Linux

您的位置: Linux时代 > 技术文档 > 网络通讯 >

FreeBSD5.4 + pf + oops实现透明代理

日期：2006-11-16　作者：硬-盘　来自：cnfug

本文基本实现oops＋pf实现透明代理，oops其他认证，带宽管理都没用上，希望能够抛砖引玉，肯请用过oops的大侠指教！谢谢。

安装过程

1, cd /usr/ports/www/oops/
make config 选中
[X] DB4 Berkeley DB v4 storage
make install clean
2, 修改/usr/local/etc/oops/oops.cfg
3，cd /usr/local/sbin/
oops -z -c /usr/local/etc/oops/oops.cfg （创建其磁盘高速缓存）
4，vi /etc/rc.conf加入oops_enable="yes"
5，reboot

配置

more /etc/rc.conf
defaultrouter="218.75.x.x"
gateway_enable="YES"
hostname="firewall.test.com"
ifconfig_fxp0="inet 218.75.y.y netmask 255.255.255.128"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.192"
ifconfig_fxp1_alias0="inet 192.168.1.62 netmask 255.255.255.192"
ifconfig_fxp1_alias1="inet 192.168.2.62 netmask 255.255.255.192"
ifconfig_fxp1_alias2="inet 192.168.3.62 netmask 255.255.255.192"
sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sendmail_enable="NONE"
ntpdate_enable="YES" # Run ntpdate to sync time on boot (or NO).
ntpdate_flags="207.46.232.189" # time.windows.com
oops_enable="yes"

more /etc/pf.conf
#firewall by tds 20050601

#macros
wanif="fxp0"
lanif="fxp1"
oops="127.0.0.1"
tcpsrv="{22,113}"
lan0="{192.168.0.0/26}"
lan1="{192.168.2.0/26}"
lan3="{192.168.3.0/26}"
lan4="{192.168.1.0/26}"
ftpsrv="192.168.0.8"
bt1="192.168.0.38"
bt2="192.168.0.39"
noroute="{127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"

#options
set block-policy return
set loginterface $wanif
set optimization aggressive

#scrub
scrub in all

#nat and rdr
nat on $wanif from $lan0 to any -> $wanif
nat on $wa nif from $lan1 to any -> $wanif
nat on $wanif from $lan3 to any -> $wanif
nat on $wanif from $lan4 to any -> $wanif

rdr on $lanif proto tcp from any to any port 80 -> $oops port 3128
rdr on $wanif proto tcp from any to any port 21 -> $ftpsrv
rdr on $wanif proto tcp from any to any port 18888 -> $bt2
rdr on $wanif proto tcp from any to any port 4662 -> $bt2
rdr on $wanif proto udp from any to any port 4672 -> $bt2
rdr on $wanif proto tcp from any to any port 3389 -> $bt2
rdr on $wanif proto tcp from any to any port 3388 -> $bt1 port 3389

#filter rules
block all
block drop in quick on $wanif from $noroute
block drop out quick on $wanif from any to $noroute
block drop out quick on $wanif from any to 202.103.67.53
pass quick on lo0 all
pass in quick on $lanif from $lanif:network to any keep state
pass out quick on $lanif from any to $lanif:network keep state

pass in quick on $wanif proto tcp from an y to $wanif port $tcpsrv flags S/SA keep state
pass in quick on $wanif proto tcp from any to $ftpsrv port 21 flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt2 port {3389,4662,18888} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt1 port 3389 flags S/SA keep state
pass in quick on $wanif proto udp from any to $bt2 port 4672 keep state
pass out on $wanif proto tcp all flags S/SA keep state
pass out on $wanif proto {udp,icmp} all keep state&n bsp;

more /usr/local/etc/oops/oops.cfg

只记录修改部分

nameserver 127.0.0.1
nameserver 220.168.208.3
nameserver 220.168.208.6

http_port 3128
#icp_port 3130
userid oops

logfile /var/log/oops/oops.log { 3 1m } unbuffered
accesslog /var/log/oops/access.log { 3 1m } unbuffered
pidfile /var/run/oops/oops.pid
statistics /var/run/oops/oops_statfile
mem_max 128m
lo_mark 80m
disk-low-free 3
disk-ok-free 5

force_http11
force_completion 85
maxresident 1m
insert_x_forwarded_for no
insert_via no
always_check_freshness

group mynet {
##
# You can describe group ip adresses here, or using src_ip acl's
# with networks_acl directive.
# networks_acl always have higher preference (checked first) and
# are checked in the order of appearance.
# If host wil not fall in any networks_acl - we check in networks.
# networks are ordered by masklen - longest masks(most specific networks)
# are checked first.
##
networks 192.168/16 127/8 ;
redir_mods transparent;（添加此行实现透明代理）
# networks_acl LOCAL_NETWORKS !BAD_NETWORKS ;
badports [0:79],110,138,139,513,[6000:6010] ;
miss allow;

module&nb sp;transparent { （实现透明代理）
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
myport 3128
# broken_browsers MSIE
}

storage {
path /usr/local/oops/storages/oops_storage ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files

size 200m ; （磁盘高速缓存）

参考文章

高性能、多线程的高速Web代理服务器--OOPS!

原文链接：http://www.cnfug.org/journal/systems/2006/000129.html

本文被浏览次