Building a security gateway with FreeBSD 5.3: ADSL + FreeBSD + IPFILTER + IPNAT

xiaoxiao, 2021-03-06

Recently, because of the rampant viruses, I planned to replace the original Windows 2000 Server gateway. I have used FreeBSD before and found it reliable (as a server it runs for months without any problem), so I decided to build the security gateway on FreeBSD. I spent a long time collecting information on the Internet, and the FreeBSD-based gateway is now up. I share it below.

1. Network environment

ADSL Internet access with a dynamic IP; no services are provided to the outside. There are dozens of computers on the inside that share the connection. The machine runs FreeBSD 5.3 with two NICs: an 8139 (rl0), external, connected to the ADSL modem, and a 530TX (vr0), internal, connected to the switch.

2. System installation

There is plenty of information on installing the system on the Internet, so it is not covered in detail here. For details see http://www.xyinfo.ha.cn/netschool/freebsd/index.htm

3. Compile the kernel

Add IPFilter support and remove the system's default IPFirewall.

    # cd /usr/src/sys/i386/conf
    # cp GENERIC DAFEI
    # ee DAFEI

Modify this line (the part shown in red in the original is the same as the file name):

    ident DAFEI

Add a few lines at the end:

    # Disable IPFirewall
    #options IPFIREWALL
    #options IPFIREWALL_VERBOSE
    #options IPFIREWALL_VERBOSE_LIMIT=90
    #options IPFIREWALL_DEFAULT_TO_ACCEPT
    #options IPDIVERT

    # Support IPFilter
    options BRIDGE
    options IPFILTER
    options ACCEPT_FILTER_DATA
    options ACCEPT_FILTER_HTTP

Since IPFIREWALL and IPFILTER both run in the kernel, the two cannot coexist at the same time, so IPFirewall must be commented out. Other kernel optimization options are not detailed here. Compile the kernel:

    # cd /usr/src
    # make kernel KERNCONF=DAFEI

Restart the computer after compiling.

4. Configure dial-up

Modify the ppp.conf file:

    # cd /etc/ppp
    # cp ppp.conf ppp.conf.bak
    # ee ppp.conf

Modify it as follows:

    default:
     set log Phase Chat LCP IPCP CCP tun command
     ident user-ppp VERSION (built COMPILATIONDATE)
     set redial 15 28800
     set dial "ABORT BUSY ABORT NO\\sCARRIER TIMEOUT 5 \"\" AT OK-AT-OK ATE1Q0 OK \\dATDT\\T TIMEOUT 40 CONNECT"

    adsl:
     set device PPPoE:rl0
     set mru 1492
     set mtu 1492
     set speed sync
     enable lqr
     set lqrperiod 5
     set cd 5
     set dial
     set login
     set timeout 0
     set authname YOURUSERNAME
     set authkey YOURPASSWORD
     set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
     add default HISADDR
     enable dns

Replace YOURUSERNAME and YOURPASSWORD (the parts shown in red in the original) with the username and password used to log in.

5. Firewall rules

    # cd /etc
    # touch ipf.rules
    # ee ipf.rules

Add:

    block in log quick all with short
    block in log quick all with ipopts
    block in log quick all with frag
    block in log quick all with opt lsrr
    block in log quick all with opt ssrr
    pass out on vr0 all
    pass in on vr0 all
    pass out quick on lo0 all
    pass in quick on lo0 all
    block out on rl0 all
    pass out quick on rl0 proto tcp from any to any flags S keep state keep frags
    pass out quick on rl0 proto udp from any to any keep state
    pass out quick on rl0 proto icmp all keep state
    block in quick on rl0 all

Due to space constraints, some rules have been deleted.

6. Configure address translation (NAT)

    # cd /etc
    # touch ipnat.rules
    # ee ipnat.rules

Add:

    map rl0 192.168.0.0/16 -> 0/32 proxy port ftp ftp/tcp
    map rl0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:30000
    map rl0 192.168.0.0/24 -> 0/32

7. Configure the rc.conf file

    # cd /etc
    # ee rc.conf

Modify it as follows:

    gateway_enable="YES"
    hostname="ginifab-gatway.ginifab.com"
    ifconfig_vr0="inet 192.168.1.1 netmask 255.255.255.0"
    kern_securelevel="1"
    kern_securelevel_enable="YES"
    inetd_enable="YES"
    linux_enable="NO"
    sendmail_enable="NO"
    keyrate="fast"
    nisdomainname="NO"
    sshd_enable="YES"
    usbd_enable="NO"
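Added example (not from the original post): a small Python evaluator that applies the ipf.rules set from section 5 to constructed packet summaries, to show how IPFilter reaches a verdict: rules are scanned top to bottom, the last matching rule wins, except that a matching "quick" rule ends the scan immediately, and a packet matching no rule is passed. "keep state" is not modelled, so each packet is judged on the rules alone; the packet() helper and its field names are this example's own.

```python
IPF_RULES = """\
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr
pass out on vr0 all
pass in on vr0 all
pass out quick on lo0 all
pass in quick on lo0 all
block out on rl0 all
pass out quick on rl0 proto tcp from any to any flags S keep state keep frags
pass out quick on rl0 proto udp from any to any keep state
pass out quick on rl0 proto icmp all keep state
block in quick on rl0 all
"""

def parse_rule(line):
    """Extract the fields this ruleset uses from one ipf rule line."""
    w = line.split()
    after = lambda key: w[w.index(key) + 1] if key in w else None
    with_ = after("with")                      # "short", "ipopts", "frag", "opt"
    if with_ == "opt":                         # "with opt lsrr" / "with opt ssrr"
        with_ = "opt " + w[w.index("opt") + 1]
    return {"action": w[0], "dir": w[1], "quick": "quick" in w,
            "iface": after("on"), "proto": after("proto"),
            "syn_only": after("flags") == "S", "with": with_}

RULESET = [parse_rule(l) for l in IPF_RULES.splitlines() if l.strip()]

def matches(rule, pkt):
    """pkt: dict of dir, iface, proto, syn (bool), with (set of ipf attributes)."""
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and (not rule["syn_only"] or pkt["syn"])
            and (rule["with"] is None or rule["with"] in pkt["with"]))

def verdict(pkt, rules=RULESET):
    """Last matching rule wins, except that a matching 'quick' rule ends the scan."""
    decision = "pass"          # IPFilter's default for a packet that matches no rule
    for rule in rules:
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision

def packet(direction, iface, proto, syn=False, with_=()):
    # constructed packet summary, not a real capture
    return {"dir": direction, "iface": iface, "proto": proto, "syn": syn, "with": set(with_)}
```

Running it shows, for instance, that an outbound TCP segment on rl0 without a bare SYN flag is blocked by "block out on rl0 all", because only SYN segments reach the quick pass rule that follows it.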

Please cite the original address when reposting: https://www.9cbs.com/read-86151.html
