Laoguan's Network Log [no longer updated; moved to guanjianfeng.com]

2. FreeBSD application installation notes

FreeBSD enterprise applications
Setting up a DNS server with BIND on FreeBSD 6.1-RELEASE
This server provides name resolution for our domain so that hosts on our network and on the Internet can resolve our names normally. We use the BIND that ships with FreeBSD; a large share of the DNS servers on the Internet run the same software. The basic steps are as follows:

The parent zone (edu.cn) gave me the following delegation:
Domain -> wxicab.edu.cn
Primary DNS server -> 58.193.128.55 [dns1.wxicab.edu.cn]
Secondary DNS server -> 58.193.128.56 [dns2.wxicab.edu.cn]
(These notes only cover configuring the primary server.)

Network interfaces:
xl0: 3Com NIC, external interface

Planned DNS records:
Domain: wxicab.edu.cn
DNS servers: dns1.wxicab.edu.cn (58.193.128.55), dns2.wxicab.edu.cn (58.193.128.56)
58.193.128.55  ->  dns1.wxicab.edu.cn (primary DNS server)
58.193.128.56  ->  dns2.wxicab.edu.cn (secondary DNS server)
58.193.128.53  ->  wxicab.edu.cn (web server)
58.193.128.53  ->  www.wxicab.edu.cn (web server)
58.193.128.52  ->  mail.wxicab.edu.cn (mail server)
58.193.128.51  ->  ftp.wxicab.edu.cn  (file server)
58.193.128.50  ->  windowsupdate.wxicab.edu.cn (Windows Update server)
58.193.128.49  ->  virus.wxicab.edu.cn (anti-virus server)


Installation:

1. Download and install FreeBSD 6.1-RELEASE
Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to CD, set the server to boot from the CD drive and start the installation. I chose the minimal installation and enabled ftp and ssh; everything else can be left at the defaults (see the installation article linked from the original notes). Reboot after the installation finishes.

2. Basic configuration
Edit /etc/rc.conf:
# cd /etc
# ee rc.conf
Contents:
hostname="dns1.wxicab.edu.cn"
defaultrouter="58.193.128.254"
ifconfig_xl0="inet 58.193.128.55 netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
(The original notes wrote ifconfig_xl1 here, but the interface list above calls the 3Com card xl0; the name in rc.conf must match the one ifconfig(8) shows, or the address is never configured. inetd and linux_enable are not needed on a DNS server and can be left off to reduce what is listening.)

3. Configure DNS

(1) Create /etc/namedb/db.wxicab.edu.cn (the forward zone, host name to IP)
# cd /etc/namedb
# ee db.wxicab.edu.cn
Contents:
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
                          2006062601  ; serial, YYYYMMDDnn: must increase on every change
                          3h          ; refresh
                          1h          ; retry
                          1w          ; expire
                          1h )        ; negative-caching TTL

                     IN  NS  dns1
                     IN  NS  dns2

                     IN  A   58.193.128.53
                     IN  MX  10  mail.wxicab.edu.cn.
dns1                 IN  A   58.193.128.55
dns2                 IN  A   58.193.128.56
mail                 IN  A   58.193.128.52
ftp                  IN  A   58.193.128.51
windowsupdate        IN  A   58.193.128.50
virus                IN  A   58.193.128.49

www                  IN  CNAME  wxicab.edu.cn.

(The original used the serial 2006626. Any integer works, but the secondary only transfers the zone when the serial is larger than the one it holds, so the YYYYMMDDnn convention makes it hard to forget to bump it.)

(2) Create /etc/namedb/db.58.193.128 (the reverse zone, IP to host name)
# cd /etc/namedb
# ee db.58.193.128
Contents:
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. (
                          2006062601
                          3h
                          1h
                          1w
                          1h )

                     IN  NS   dns1.wxicab.edu.cn.
                     IN  NS   dns2.wxicab.edu.cn.
55                   IN  PTR  dns1.wxicab.edu.cn.
56                   IN  PTR  dns2.wxicab.edu.cn.
53                   IN  PTR  wxicab.edu.cn.
52                   IN  PTR  mail.wxicab.edu.cn.
51                   IN  PTR  ftp.wxicab.edu.cn.
50                   IN  PTR  windowsupdate.wxicab.edu.cn.
49                   IN  PTR  virus.wxicab.edu.cn.

(The original had the PTR records for 55 and 56 swapped, pointing 56 at dns1 and 55 at dns2. Each PTR must name the host that holds the A record for that address; otherwise forward-confirmed reverse DNS checks, such as those many mail servers perform, fail.)

(3) Generate the localhost.rev file:
# cd /etc/namedb
# chmod 755 make-localhost
# ./make-localhost
This creates localhost.rev and localhost-v6.rev under /etc/namedb/master; localhost-v6.rev is for IPv6, which we do not use yet. My localhost.rev looks like this:

$TTL    3600

@       IN      SOA     dns1.wxicab.edu.cn. root.dns1.wxicab.edu.cn.  (
                                20060627        ; Serial
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      dns1.wxicab.edu.cn.
1       IN      PTR     localhost.wxicab.edu.cn.

(4) Edit /etc/namedb/named.conf:
# cd /etc/namedb
# ee named.conf
Contents:
options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
};

zone "wxicab.edu.cn" {
        type master;
        file "db.wxicab.edu.cn";
};

zone "128.193.58.in-addr.arpa" {
        type master;
        file "db.58.193.128";
};

Two things this file leaves at the BIND defaults matter on a server that is reachable from the Internet. First, it answers recursive queries for anyone, so the authoritative server is also an open resolver that can be abused for cache poisoning and reflection attacks: add "recursion no;" to the options block, or, if campus hosts must use it as their resolver, "allow-recursion { 127.0.0.1; 58.193.128.0/21; };" (the /21 from the netmask above). Second, nothing restricts zone transfers, so anyone can download the whole zone: add "allow-transfer { 58.193.128.56; };" so only dns2 can. Run named-checkconf and named-checkzone on the files before starting named; a syntax error in a zone file leaves that zone unserved.

(5) Start named and have it start with the system
Add the following line to /etc/rc.conf:

named_enable="YES"

Save and exit.

Reboot the server and check with top (or ps) that a named process is running. Then point a client's DNS setting at this server, 58.193.128.55, and ping edu.cn; if the name resolves, resolution works. nslookup (or dig) can be used for the same test, and dig @58.193.128.55 wxicab.edu.cn SOA shows whether the zone itself loaded.
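Added here as an example, not part of the original notes: a small shell script that cross-checks the A records of the forward zone against the PTR records of the reverse zone before the files are loaded into named. It would have caught the swapped 55/56 PTR records in the original. The two zone files embedded at the end are constructed copies of the zones above, in the same one-record-per-line layout; the script assumes records with the owner name omitted belong to the zone apex (as they do above) and that the reverse zone is a /24 with a three-octet prefix.

```shell
#!/bin/sh
# Added example, not part of the original notes: cross-check the A records of
# the forward zone against the PTR records of the reverse zone.
# Assumptions: one record per line as in the notes, owner-less records belong
# to the apex, reverse zone is a /24 (three-octet prefix).

# forward_pairs ZONEFILE ORIGIN -> "ip fqdn." for every A record
forward_pairs() {
    awk -v origin="$2" '
        $1 == "IN" && $2 == "A" { print $3 " " origin "."; next }   # apex, owner omitted
        $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            print $4 " " name
        }' "$1"
}

# reverse_pairs ZONEFILE NETPREFIX -> "ip fqdn." for every PTR record
reverse_pairs() {
    awk -v net="$2" '$2 == "IN" && $3 == "PTR" { print net "." $1 " " $4 }' "$1"
}

# check_rdns FWDZONE ORIGIN REVZONE NETPREFIX
# Prints one line per inconsistency; returns 1 if there were any, else 0.
check_rdns() {
    { forward_pairs "$1" "$2" | sed 's/^/A /'
      reverse_pairs "$3" "$4" | sed 's/^/PTR /'; } |
    awk -v net="$4" '
        $1 == "A" && index($2, net ".") == 1 { a[$2 " " $3] = 1; ips[$2] = 1 }
        $1 == "PTR"                          { ptr[$2] = $3;      ips[$2] = 1 }
        END {
            bad = 0
            for (ip in ips) {
                if (!(ip in ptr)) { print "missing PTR for " ip; bad++ }
                else if (!((ip " " ptr[ip]) in a)) {
                    print "PTR " ip " -> " ptr[ip] " has no matching A record"; bad++
                }
            }
            exit (bad > 0 ? 1 : 0)
        }'
}

# Demo on constructed copies of the zones in the notes (with the swapped 55/56 PTRs).
demo_dir=$(mktemp -d)
cat > "$demo_dir/db.wxicab.edu.cn" <<'EOF'
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. ( 2006062601 3h 1h 1w 1h )
                     IN  NS  dns1
                     IN  NS  dns2
                     IN  A   58.193.128.53
                     IN  MX  10  mail.wxicab.edu.cn.
dns1                 IN  A   58.193.128.55
dns2                 IN  A   58.193.128.56
mail                 IN  A   58.193.128.52
ftp                  IN  A   58.193.128.51
windowsupdate        IN  A   58.193.128.50
virus                IN  A   58.193.128.49
www                  IN  CNAME  wxicab.edu.cn.
EOF
cat > "$demo_dir/db.58.193.128" <<'EOF'
$TTL 3d
@ IN SOA dns1.wxicab.edu.cn. hostmaster.wxicab.edu.cn. ( 2006062601 3h 1h 1w 1h )
                     IN  NS   dns1.wxicab.edu.cn.
                     IN  NS   dns2.wxicab.edu.cn.
56                   IN  PTR  dns1.wxicab.edu.cn.
55                   IN  PTR  dns2.wxicab.edu.cn.
53                   IN  PTR  wxicab.edu.cn.
52                   IN  PTR  mail.wxicab.edu.cn.
51                   IN  PTR  ftp.wxicab.edu.cn.
50                   IN  PTR  windowsupdate.wxicab.edu.cn.
49                   IN  PTR  virus.wxicab.edu.cn.
EOF
if check_rdns "$demo_dir/db.wxicab.edu.cn" wxicab.edu.cn "$demo_dir/db.58.193.128" 58.193.128; then
    echo "forward and reverse zones agree"
else
    echo "fix the records above before loading the zones"
fi
```

Run it against the real files with check_rdns /etc/namedb/db.wxicab.edu.cn wxicab.edu.cn /etc/namedb/db.58.193.128 58.193.128; it complements named-checkzone, which validates syntax but not the agreement between the two zones.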

Author: Laoguan (funpower)     email: funpower@gmail.com  2006-7-1
References: FreeBSD Handbook 25.6 Domain Name System (DNS); DNS and BIND, 4th edition

Posted 2006-07-01 1:50 PM | Comments (0)

Setting up a router with route and ipfilter on FreeBSD 6.1-RELEASE
This server lets internal users communicate with the outside world. The gateway routing built into FreeBSD forwards traffic between the internal and external networks, and ipfilter handles the server's own protection and the blocking of worm traffic. The initial setup goes as follows:

Network interfaces:
vr0: external interface
vr1: internal interface

1. Minimal installation of FreeBSD 6.1-RELEASE
Download the FreeBSD 6.1-RELEASE image from ftp://ftp.FreeBSD.org/pub/FreeBSD/, burn it to CD, boot the server from it and install. I chose the minimal installation and enabled ftp and ssh; the rest can stay at the defaults (see the installation article linked from the original notes). Reboot when done.

2. Install the kernel sources
Put the installation CD in the drive, then:
# /usr/sbin/sysinstall
Choose Configure -> Distributions -> src -> sys, select Install, and reboot when it finishes.

3. Basic configuration
Edit /etc/rc.conf:
# cd /etc
# ee rc.conf
Contents:
hostname="gatewall.wxic.edu.cn"
defaultrouter="172.16.252.17"
ifconfig_vr0="inet 172.16.252.x netmask 255.255.255.252"
ifconfig_vr1="inet 58.193.11x.25x netmask 255.255.248.0"
inetd_enable="YES"
linux_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
sendmail_enable="NONE"

Edit /etc/resolv.conf:
# ee /etc/resolv.conf
Contents:
nameserver 58.193.112.1

4. Build a kernel with ipfilter support
# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower
Now edit the kernel configuration. The details depend on the hardware and the role of the machine; since we need ipfilter, add the following options:
options   IPFILTER
options   IPFILTER_LOG
options   IPFILTER_DEFAULT_BLOCK
The other options are covered in the kernel configuration article linked from the original notes; trim the file to your hardware. Save and exit, then:
# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install
Reboot once the build finishes. With IPFILTER_DEFAULT_BLOCK the firewall blocks everything until a rule set is loaded, so make sure you are at the console and not on an ssh session.

5. Add the routing options to /etc/rc.conf
# cd /etc
# ee rc.conf
Append the following lines:
gateway_enable="YES"
static_routes="static1"
route_static1="-net 58.193.11x.0/21 172.16.252.x/30"
The first argument is the internal network range; the second is the gateway on the external interface. gateway_enable="YES" is what actually turns on packet forwarding (net.inet.ip.forwarding=1). Note that route(8) expects the gateway to be a plain host address, so the "/30" suffix does not belong on it; and since the internal /21 is directly connected on vr1 the kernel already has a route for it, so this static route only matters if your upstream topology requires it.

6. Configure ipfilter
Add to /etc/rc.conf:
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
Then edit /etc/ipf.conf:
# cd /etc/
# ee ipf.conf
Contents:
# loopback interface lo0

# pass everything in and out
pass in quick on lo0 all
pass out quick on lo0 all

# external interface vr0
# out: only the enabled addresses may talk to the outside. First, never send
# traffic to private or otherwise unroutable (bogon) ranges.
# (Two typos in the original list are fixed here: 169.254.0.0/8 should be /16,
# and 127.16.0.0/12 was meant to be the RFC 1918 range 172.16.0.0/12.)
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/16
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 172.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3

# enable 58.193.112.1
pass out quick on vr0 proto tcp/udp from 58.193.112.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.1/32 to any keep state

# enable 58.193.112.3
pass out quick on vr0 proto tcp/udp from 58.193.112.3/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.112.3/32 to any keep state

# enable 58.193.113.1
pass out quick on vr0 proto tcp/udp from 58.193.113.1/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.1/32 to any keep state

# enable 58.193.113.2
pass out quick on vr0 proto tcp/udp from 58.193.113.2/32 to any keep state
pass out quick on vr0 proto icmp from 58.193.113.2/32 to any keep state

block out on vr0 all

# in: drop packets with spoofed sources (private ranges, bogons, and our own
# prefix 58.193.112.0/21, which must never arrive on the external interface)
# and the ports used by worms (135, 138, 139, 445 and so on)
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any

block in quick on vr0 proto udp from any to any port = 69
block in quick on vr0 proto tcp/udp from any to any port = 135
block in quick on vr0 proto udp from any to any port = 137
block in quick on vr0 proto udp from any to any port = 138
block in quick on vr0 proto tcp/udp from any to any port = 139
block in quick on vr0 proto tcp/udp from any to any port = 445
block in quick on vr0 proto tcp/udp from any to any port = 593
block in quick on vr0 proto tcp from any to any port = 1022
block in quick on vr0 proto tcp from any to any port = 1023
block in quick on vr0 proto tcp from any to any port = 1025
block in quick on vr0 proto tcp from any port = 1034 to any port = 80
block in quick on vr0 proto tcp from any to any port = 1068
block in quick on vr0 proto tcp from any to any port = 1433
block in quick on vr0 proto udp from any to any port = 1434
block in quick on vr0 proto tcp from any to any port = 1871
block in quick on vr0 proto tcp from any to any port = 2745
block in quick on vr0 proto tcp from any to any port = 3208
block in quick on vr0 proto tcp from any to any port = 3127
block in quick on vr0 proto tcp from any to any port = 4331
block in quick on vr0 proto tcp from any to any port = 4334
block in quick on vr0 proto tcp from any to any port = 4444
block in quick on vr0 proto tcp from any port = 4444 to any
block in quick on vr0 proto tcp from any to any port = 4510
block in quick on vr0 proto tcp from any to any port = 4557
block in quick on vr0 proto tcp from any to any port = 5554
block in quick on vr0 proto tcp from any to any port = 5800
block in quick on vr0 proto tcp from any to any port = 5900
block in quick on vr0 proto tcp from any to any port = 6129
block in quick on vr0 proto tcp from any to any port = 6667
block in quick on vr0 proto tcp from any to any port = 9995
block in quick on vr0 proto tcp from any to any port = 9996
block in quick on vr0 proto tcp from any to any port = 10080

block in quick on vr0 all with frags
block in quick on vr0 proto tcp all with short
block in quick on vr0 all with opt lsrr
block in quick on vr0 all with opt ssrr
block in log first quick on vr0 proto tcp from any to any flags FUP
block in quick on vr0 all with ipopts

# services reachable from the outside: 80 (web), 23 (telnet), 22 (ssh), ftp and a
# 30000-50000 range (presumably for passive ftp data connections). Telnet sends
# passwords in the clear; drop the port 23 rule unless something really depends
# on it, and consider restricting 22 to known source addresses.
pass in quick on vr0 proto tcp from any to any port = 80 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 23 flags S keep state
pass in quick on vr0 proto tcp from any to any port = 22 flags S keep state
pass in quick on vr0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on vr0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

pass in quick on vr0 proto icmp from any to any icmp-type 0
pass in quick on vr0 proto icmp from any to any icmp-type 11
block in log quick on vr0 proto icmp from any to any

block in log on vr0 all


# internal interface vr1
# out: pass everything
pass out on vr1 all
# in: pass everything
pass in on vr1 all

Reboot after saving.

Test from a client: first use one of the addresses enabled in ipf.conf and ping edu.cn; if it answers, the client can reach the outside.
Then change the client to an address that is not in the enabled list; if the ping fails, the ipf.conf rules are in effect. ipfstat -io lists the loaded rules and ipfstat -hio shows the hit counter of each rule, which is a quicker way to see which rule a packet matched; after editing the file, reload it with ipf -Fa -f /etc/ipf.conf instead of rebooting.
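Added here as an example, not part of the original notes: a shell function that lints the anti-bogon rules of an ipf.conf. Every block rule naming a CIDR prefix is checked for the two mistakes that are easy to make when typing such lists, and that the original list contained: a prefix length that does not fit the network (169.254.0.0/8 instead of /16) and a range that is not one of the reference ranges at all (127.16.0.0/12 instead of 172.16.0.0/12). The reference list is an assumption of this example: RFC 1918 space, loopback, link-local, 0/8, TEST-NET, the 204.152.64.0/23 range from RFC 3330 and class D/E (224.0.0.0/3), i.e. exactly the ranges the notes block. The rule files at the end are constructed copies of the lists above.

```shell
#!/bin/sh
# Added example, not part of the original notes: lint the bogon block rules
# in an ipf.conf for misaligned prefixes and ranges that are not on the
# reference list. Pure sh + awk; no bit operators, so the network address is
# computed with integer division.

# check_bogons RULEFILE [EXTRA]
#   EXTRA: space-separated prefixes that are acceptable but not required, e.g.
#   your own address block in an anti-spoofing rule.
#   Prints one line per finding; returns 1 if there were findings, else 0.
check_bogons() {
    awk -v extra="${2:-}" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function n2ip(n) { return int(n/16777216) "." int(n/65536)%256 "." int(n/256)%256 "." n%256 }
    BEGIN {
        # reference bogon list (assumption of this example, matches the notes)
        nr = split("0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 204.152.64.0/23 224.0.0.0/3", ref, " ")
        for (i = 1; i <= nr; i++) want[ref[i]] = 1
        ne = split(extra, ex, " ")
        for (i = 1; i <= ne; i++) ok[ex[i]] = 1
    }
    $1 == "block" {
        for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) {
            split($i, c, "/"); n = ip2n(c[1]); blk = 2 ^ (32 - c[2])
            net = int(n / blk) * blk                  # clear the host bits
            if (net != n) {
                printf "%s: host bits set, the network is really %s/%s\n", $i, n2ip(net), c[2]; bad++
            } else if (!($i in want) && !($i in ok)) {
                printf "%s: not a reference bogon range, check for a typo\n", $i; bad++
            } else seen[$i] = 1
        }
    }
    END {
        for (r in want) if (!(r in seen)) { printf "%s: reference range is not blocked\n", r; bad++ }
        exit (bad > 0 ? 1 : 0)
    }' "$1"
}

# Demo: the outbound list exactly as it appeared in the original notes.
rules=$(mktemp)
cat > "$rules" <<'EOF'
# outbound bogon list (constructed copy, with the two typos of the original)
block out quick on vr0 from any to 192.168.0.0/16
block out quick on vr0 from any to 0.0.0.0/8
block out quick on vr0 from any to 169.254.0.0/8
block out quick on vr0 from any to 10.0.0.0/8
block out quick on vr0 from any to 127.16.0.0/12
block out quick on vr0 from any to 127.0.0.0/8
block out quick on vr0 from any to 192.0.2.0/24
block out quick on vr0 from any to 204.152.64.0/23
block out quick on vr0 from any to 224.0.0.0/3
EOF
check_bogons "$rules" || echo "-> fix the outbound list before loading it with ipf -Fa -f"

# The inbound anti-spoof list, which also blocks our own prefix 58.193.112.0/21.
inbound=$(mktemp)
cat > "$inbound" <<'EOF'
block in quick on vr0 from 192.168.0.0/16 to any
block in quick on vr0 from 172.16.0.0/12 to any
block in quick on vr0 from 10.0.0.0/8 to any
block in quick on vr0 from 127.0.0.0/8 to any
block in quick on vr0 from 0.0.0.0/8 to any
block in quick on vr0 from 169.254.0.0/16 to any
block in quick on vr0 from 192.0.2.0/24 to any
block in quick on vr0 from 204.152.64.0/23 to any
block in quick on vr0 from 224.0.0.0/3 to any
block in quick on vr0 from 58.193.112.0/21 to any
EOF
check_bogons "$inbound" 58.193.112.0/21 && echo "inbound anti-spoof list is complete"
```

On the outbound list the function reports four findings: the misaligned 169.254.0.0/8, the unknown 127.16.0.0/12, and the two reference ranges (169.254.0.0/16 and 172.16.0.0/12) that consequently are not blocked. Run it on /etc/ipf.conf with your own prefix as the second argument whenever the list is edited.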

Author: Laoguan (funpower)     email: funpower@gmail.com  2006-6-30
References: IP Filter Based Firewalls HOWTO; FreeBSD Handbook 26.5 IPFILTER (IPF) Firewall; 27.2 Gateways and Routes

Posted 2006-06-30 7:03 PM | Comments (0)

Restricting users' web access with Squid ACLs on FreeBSD 6.0
Late last year I wrote <FreeBSD 6.0-RELEASE + Squid + Socks5 server setup notes>, but I had not yet put any further limits on certain users' web access. Today I finished that.

The following Squid acl lines restrict when each group of users may browse:

1. The schedule:

                 Mon          Tue          Wed          Thu          Fri          Sat          Sun
Special users    00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00  00:00-24:00
User group 1     8:30-23:00   8:30-23:00   12:00-23:00  8:30-23:00   8:30-23:00   8:00-21:30   8:00-21:30
User group 2     14:30-23:00  14:30-23:00  12:00-23:00  14:30-23:00  14:30-23:00  8:00-21:30   8:00-21:30
User group 3     16:00-23:00  16:00-23:00  12:00-23:00  16:00-23:00  16:00-23:00  8:00-21:30   8:00-21:30
User group 4     16:30-23:00  16:30-23:00  12:00-23:00  16:30-23:00  16:30-23:00  8:00-21:30   8:00-21:30

2. Edit /usr/local/squid/etc/squid.conf and add the following, starting at line 1475:

acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32 192.168.121.212/32
acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
acl yonghu2 src 192.168.120.53-192.168.120.104/255.255.255.255
acl yonghu3 src 192.168.120.105-192.168.120.157/255.255.255.255
acl yonghu4 src 192.168.120.158-192.168.120.208/255.255.255.255
acl 8:30-23:00 time MTHF 8:30-23:00
acl 14:30-23:00 time MTHF 14:30-23:00
acl 16:00-23:00 time MTHF 16:00-23:00
acl 16:30-23:00 time MTHF 16:30-23:00
acl shan time W 12:00-23:00
acl zm time AS 8:00-21:30
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tieshuyonghu
http_access allow yonghu1 8:30-23:00
http_access allow yonghu1 shan
http_access allow yonghu1 zm
http_access allow yonghu2 14:30-23:00
http_access allow yonghu2 shan
http_access allow yonghu2 zm
http_access allow yonghu3 16:00-23:00
http_access allow yonghu3 shan
http_access allow yonghu3 zm
http_access allow yonghu4 16:30-23:00
http_access allow yonghu4 shan
http_access allow yonghu4 zm
http_access deny all

This uses the src and time ACL types. In a time ACL the days are written as S (Sunday), M (Monday), T (Tuesday), W (Wednesday), H (Thursday), F (Friday) and A (Saturday); the Squid ACL documentation covers the other types. Two details matter for the list above. http_access lines are evaluated top to bottom and the first line whose ACLs all match decides, so the final "deny all" catches everyone who was not explicitly allowed. And every ACL named on an http_access line must be defined, otherwise Squid refuses to start: the original list used 16:30-23:00 without defining it, and it had no weekend (zm) rule for yonghu1 and yonghu2 although the schedule grants them one; both are corrected above. Reload with squid -k reconfigure and look at cache.log for errors.
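Added here as an example, not part of the original notes and not Squid's code: a small evaluator for the src, time, port and method ACLs and the http_access list above, so that the first-match semantics and the day letters can be checked without reloading Squid. Only the ACL types used in the notes are understood; any other type never matches. It treats a time range as start <= t < end, which is an assumption about Squid's boundary handling, and applies Squid's rule that when no line matches the default is the opposite of the last line. The configuration embedded at the end is a constructed subset of the one above.

```shell
#!/bin/sh
# Added example, not part of the original notes or of Squid: evaluate a
# squid.conf fragment (acl + http_access lines) for one request.
# Assumptions: src/time/port/method ACLs only; time ranges are [start, end).

# squid_decide CONFIG SRC_IP DAY HH:MM [PORT] [METHOD] -> prints allow|deny
#   DAY uses Squid's letters: S M T W H F A (Sunday .. Saturday).
squid_decide() {
    awk -v ip="$2" -v day="$3" -v hhmm="$4" -v port="${5:-80}" -v method="${6:-GET}" '
    function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function mins(t,  p) { split(t, p, ":"); return p[1]*60 + p[2] }
    # one src value: a, a/bits, a/mask or a-b/mask (the mask applies to both ends)
    function srcmatch(v,  part, r, lo, hi, blk) {
        blk = 1
        if (split(v, part, "/") == 2) {
            v = part[1]
            blk = index(part[2], ".") ? 4294967296 - ip2n(part[2]) : 2 ^ (32 - part[2])
        }
        if (split(v, r, "-") == 2) { lo = ip2n(r[1]); hi = ip2n(r[2]) } else lo = hi = ip2n(r[1])
        lo = int(lo / blk) * blk; hi = int(hi / blk) * blk + blk - 1
        return ip2n(ip) >= lo && ip2n(ip) <= hi
    }
    function portmatch(v,  r) {
        if (split(v, r, "-") == 2) return port >= r[1] + 0 && port <= r[2] + 0
        return port == v + 0
    }
    function aclmatch(name,  i, r) {
        if (!(name in type)) return 0
        if (type[name] == "time") {                 # val 1 = day letters, val 2 = HH:MM-HH:MM
            split(val[name, 2], r, "-")
            return index(val[name, 1], day) > 0 && mins(hhmm) >= mins(r[1]) && mins(hhmm) < mins(r[2])
        }
        for (i = 1; i <= nval[name]; i++) {
            if (type[name] == "src"    && srcmatch(val[name, i])) return 1
            if (type[name] == "port"   && portmatch(val[name, i])) return 1
            if (type[name] == "method" && val[name, i] == method) return 1
        }
        return 0
    }
    { sub(/#.*/, "") }                              # strip trailing comments
    $1 == "acl" { type[$2] = $3; for (i = 4; i <= NF; i++) val[$2, ++nval[$2]] = $i }
    $1 == "http_access" {
        last = $2; hit = 1
        for (i = 3; i <= NF; i++) {                 # every ACL on the line must match
            a = $i; neg = sub(/^!/, "", a)
            if (aclmatch(a) == neg) { hit = 0; break }
        }
        if (hit) { print $2; decided = 1; exit }    # first matching line decides
    }
    END { if (!decided) print (last == "allow" ? "deny" : "allow") }
    ' "$1"
}

# Demo on a constructed subset of the configuration in the notes.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
acl tieshuyonghu src 192.168.121.210/32 192.168.121.211/32
acl yonghu1 src 192.168.120.1-192.168.120.52/255.255.255.255
acl yonghu3 src 192.168.120.105-192.168.120.157/255.255.255.255
acl 8:30-23:00 time MTHF 8:30-23:00
acl 16:00-23:00 time MTHF 16:00-23:00
acl shan time W 12:00-23:00
acl zm time AS 8:00-21:30
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 443 563     # https, snews
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow tieshuyonghu
http_access allow yonghu1 8:30-23:00
http_access allow yonghu1 shan
http_access allow yonghu3 16:00-23:00
http_access allow yonghu3 shan
http_access allow yonghu3 zm
http_access deny all
EOF
for q in "192.168.121.210 A 03:00" "192.168.120.10 M 09:00" "192.168.120.10 W 09:00" \
         "192.168.120.10 A 10:00" "192.168.120.110 A 10:00"; do
    set -- $q
    echo "$1 on $2 at $3: $(squid_decide "$cfg" "$1" "$2" "$3")"
done
```

The fourth query shows the effect of the missing weekend rule in the original list: a yonghu1 host on Saturday morning is denied, because no http_access line for yonghu1 mentions zm, even though the schedule grants it. Run the function against the real squid.conf to check a change before reloading.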

Posted 2006-03-10 3:14 PM | Comments (0)

FreeBSD 6.0-RELEASE + Squid + Socks5 server setup notes
This server lets clients browse the web through Squid and use QQ, MSN, stock-trading software and similar through Socks5. The setup is described briefly below.

I. Install FreeBSD 6.0-RELEASE

Download the current FreeBSD 6.0-RELEASE from ftp://ftp.freebsd.org/pub/FreeBSD/torrents/6.0-RELEASE, burn it to CD and choose the minimal installation (enable the ftp and ssh services during installation).

Network information:
Subnet -> 192.168.10.0/24
fxp0 -> internal NIC, 192.168.10.254
em0 -> external NIC, 218.104.52.x/32

1. When choosing packages, choose the minimal installation.

2. When editing inetd.conf, enable the ftp and telnet services. (Both carry passwords in the clear; on a machine with a public address prefer ssh and sftp, and if they must stay, make sure they are not reachable on em0.)
Leave everything else at the defaults (see the installation article linked from the original notes) and reboot when done.

II. Configure FreeBSD

1. /etc/rc.conf:
hostname="jifangproxy.jscpu.com"
defaultrouter="218.104.52.x"
ifconfig_em0="inet 218.104.52.x netmask 255.255.255.248"
ifconfig_fxp0="inet 192.168.10.254 netmask 255.255.255.0"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="NO"

2. /etc/resolv.conf:
domain jscpu.com
nameserver 218.104.48.106
nameserver 221.6.4.66

3. Put the CD in the drive and install ports and src
# /usr/sbin/sysinstall
Choose Configure -> Distributions, select src and ports with the space bar, select Install, and reboot when it finishes.

III. Configure the kernel

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower
Adjust the kernel configuration to the server's hardware.
Once funpower is edited, build and install the kernel:
# /usr/sbin/config funpower
# cd ../compile/funpower
# make cleandepend
# make depend
# make
# make install
Reboot after the install.

IV. Install Squid

1. Install perl (from FreeBSD 5.4 on, perl must be installed before squid)

Download perl-5.6.2.tar.gz from http://www.cpan.org/authors/id/R/RG/RGARCIA/ and copy it into /usr/ports/distfiles, then:

# cd /usr/ports/lang/perl5
# make install

2. Download and install squid

Download the current release squid-2.5.STABLE12.tar.gz from http://www.squid-cache.org/Versions/v2/2.5/ and upload it to a directory on the server with ftp.

<Installation>
# cd /home/funpower
# tar zxvf squid-2.5.STABLE12.tar.gz
# cd squid-2.5.STABLE12
# ./configure --prefix=/usr/local/squid
# make
# make install

<Squid configuration file>
# cd /usr/local/squid/etc
# ee squid.conf
Change the following settings (line numbers refer to the stock squid.conf):
http_port 3128                                        // line 56
cache_mem 128 MB                                      // line 490
cache_dir ufs /usr/local/squid/cache 1024 16 256      // line 705
cache_access_log /dev/null                            // line 712
cache_log /dev/null                                   // line 720
cache_store_log none                                  // line 730
Add the following:
acl web src 192.168.10.254              // around line 1830, before the line acl all src 0.0.0.0/0.0.0.0
http_access allow web                   // around line 1890, before the line http_access deny all
And add these four lines at the top of the file:
visible_hostname jifangproxy.jscpu.com
cache_mgr admin@jifangproxy.jscpu.com
cache_effective_user squid
cache_effective_group squid
Two caveats. "acl web src 192.168.10.254" matches only that single address, the proxy's own internal interface; to admit the clients on the LAN the ACL needs 192.168.10.0/24 (the later note on Squid ACLs narrows this down per user group). And sending cache_access_log and cache_log to /dev/null throws away the only record of who used the proxy and why it failed; keep at least cache_log if you ever need to investigate abuse.

<Add the user and group, fix directory ownership>
# pw groupadd squid
# pw adduser squid -g squid -s /nonexistent
# mkdir /usr/local/squid/cache
# chown -R squid /usr/local/squid/cache
# chgrp -R squid /usr/local/squid/cache
# chown -R squid /usr/local/squid/var/logs
# chgrp -R squid /usr/local/squid/var/logs

<Create the initial cache directories>
# /usr/local/squid/sbin/squid -Z
Start squid as a test; if no errors are printed and top shows a squid process, the installation worked:
# cd /usr/local/squid/sbin
# ./squid

<Start squid with the system>
# ee /etc/rc.local
Add the following line, save and exit:
/usr/local/squid/sbin/squid

Reboot the server.

V. Install Socks5

1. Download and install socks5

Download socks5-v1.0r11.tar.gz from the Peking University Tianwang search engine (401,093 bytes; the copy I provide is that one), copy it to the server with FTP, then:

# cd /home/funpower
# cp socks5-v1.0r11.tar.gz /usr/ports/distfiles

<Check distinfo>
# cd /usr/ports/net/socks5
# more distinfo
Output:
MD5 (socks5-v1.0r11.tar.gz) = 9d6db7d3c425bbafb8c8d67e128eedfe
SIZE (socks5-v1.0r11.tar.gz) = 401093
Check that SIZE matches the size of the file you downloaded (401093 bytes). The ports framework also verifies the MD5 checksum, so a file of the right size but with different contents is still rejected (the later socks5 note on this page is about exactly that).

<Install>
# cd /usr/ports/net/socks5
# make install

2. Configure socks5

# cd /usr/local/etc
# ee socks5.conf
<Contents>
auth - - -
permit - - 192.168. - - -
set SOCKS5_NOIDENT
set SOCKS5_V4SUPPORT

Save and exit, then reboot the server. With "auth - - -" no authentication is required, so the permit line (sources in 192.168.* only) is the only thing limiting who can use the proxy; make sure port 1080 (and Squid's 3128) is not reachable on em0 from the Internet, or the machine becomes an open proxy.

Then use QQ's connection test against the server's HTTP port 3128 and Socks5 port 1080.

Author: Laoguan     email: funpower@gmail.com
References: Configuring and implementing SOCKS v5 on Linux; Installing Squid on FreeBSD

Posted 2005-12-29 8:02 PM | Comments (1)

Building a fast caching DNS server on FreeBSD 6.0-RELEASE
A while ago I rebuilt the server as ipfilter+ipnat+dhcp (see "ipfilter+ipnat packet filtering, forwarding and DHCP server notes on FreeBSD 5.4"), but lately the server seems to drop off the network regularly, so I added a DNS cache on it in the hope that caching will relieve the situation.

First, how to build a caching DNS server on FreeBSD. Quoting the FreeBSD Handbook (Chinese edition):

A caching name server is one that is not authoritative for any zone. It simply performs queries itself and remembers them for later use. To set one up, just configure the name server as usual and omit the zones.

Installation:

The software is BIND, which is installed automatically with FreeBSD 6.0; the version is BIND 9 and the configuration lives under /etc/namedb. Users of FreeBSD 5.2 and earlier can download BIND 9.3 from the ISC site. BIND is currently maintained by the Internet Software Consortium, http://www.isc.org/.

1. Create the local reverse zone file

proxy4bak# cd /etc/namedb
proxy4bak# sh make-localhost

This creates localhost.rev under /etc/namedb/master.

2. Edit the DNS configuration file /etc/namedb/named.conf

Contents:

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

//        forwarders {
//                221.228.255.1; 218.2.135.1;
//        };
};

zone "." {
        type hint;
        file "named.root";
};

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "master/localhost.rev";
};

I did not use forwarders. The Handbook says about them:

To benefit from an upstream cache, enable forwarders here. Normally a name server walks the Internet level by level until it finds the name server that has the answer. Enabling this makes it query the upstream name server (or another one you supply) first, so that their cache is used. If the upstream server is heavily loaded, enabling this on a faster name server improves service quality.

As written, this named.conf answers recursive queries from every address that can reach the server. On a machine whose other interface is on the Internet that makes it an open resolver, usable for DNS amplification attacks and cache-poisoning attempts against your own clients. Restrict it in the options block with "allow-recursion { 127.0.0.1; 192.168.61.0/24; };" (the internal network from the ipfilter+ipnat notes; adjust to yours), or have named listen only on the internal side with "listen-on { 127.0.0.1; 192.168.61.254; };".

3. Change /etc/resolv.conf

Change the contents of resolv.conf to:

nameserver 127.0.0.1

4. Start named

Edit /etc/rc.conf and add the startup setting:

proxy4bak# cd /etc
proxy4bak# ee rc.conf
Add
named_enable="YES"

Reboot after adding it; top shows whether the named process is running. You can also look up a name with nslookup; if it works, the cache is up. The output looks like this:

proxy4bak# nslookup
> set type=any
> www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.google.com  canonical name = www.l.google.com.

Authoritative answers can be found from:
google.com      nameserver = ns4.google.com.
google.com      nameserver = ns1.google.com.
google.com      nameserver = ns2.google.com.
google.com      nameserver = ns3.google.com.

While looking for references I also came across another DNS cache, djbdns, which some people already use. For convenience I simply used BIND, since it comes with FreeBSD; I do not know which of the two performs better.

This is the first caching DNS server I have set up, so please point out any mistakes. I hope these notes help anyone who wants a fast DNS cache on their LAN.

Author: Laoguan   email: funpower AT gmail.com
References: a full DNS configuration guide; Domain Name System (DNS), FreeBSD Handbook (Chinese edition)

Posted 2005-12-07 3:09 PM | Comments (0)

Installing MediaWiki 1.5.2 on FreeBSD 5.4-RELEASE
This morning I installed MediaWiki, version mediawiki-1.5.2. Steps:

1. Download the following

php-4.3.9.tar.gz
apache_1.3.33.tar.gz
mysql-4.0.21.tar.gz
mediawiki-1.5.2.tar.gz

Copy the downloaded files to the server with ftp (into /home/funpower).

2. Install Apache and PHP

# cd /home/funpower
# tar zxvf apache_1.3.33.tar.gz
# tar zxvf php-4.3.9.tar.gz
# cd apache_1.3.33
# ./configure --prefix=/usr/local/apache
# cd ../php-4.3.9
# ./configure --with-apache=../apache_1.3.33 --with-mysql --disable-debug --enable-track-vars
# make
# make install
# cp php.ini-dist /usr/local/lib/php.ini
# cd /home/funpower/apache_1.3.33
# ./configure --prefix=/usr/local/apache --activate-module=src/modules/php4/libphp4.a
# make
# make install
(The original skipped "make" and "make install" in the php-4.3.9 directory; they are what produce the libphp4.a that the second Apache configure activates.)

Configure /usr/local/apache/conf/httpd.conf
Add:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
and change these settings:
ServerName itnew.3322.org
DirectoryIndex index.php

Start Apache at boot:
# ee /etc/rc.local
Add the line:
/usr/local/apache/bin/apachectl start

Reboot the server, create a test.php in /usr/local/apache/htdocs containing <?php phpinfo(); ?> and open http://yourdomain.com/test.php; if you see the PHP 4.3.9 information page, Apache and PHP work. Remove test.php afterwards, since phpinfo() discloses paths, versions and configuration to anyone who can fetch it, and leave the .phps handler out on a public server, as it serves PHP source code to the world.

3. Install MySQL

# cd /home/funpower
# pw groupadd mysql
# pw adduser mysql -g mysql -s /nonexistent
# tar zxvf mysql-4.0.21.tar.gz
# cd mysql-4.0.21
# ./configure --prefix=/usr/local/mysql
# make
# make install
MySQL is now installed; the configuration follows.

Run the bootstrap script
# cd scripts
# ./mysql_install_db

Fix ownership of files and directories
# chown -R root /usr/local/mysql
# chown -R mysql /usr/local/mysql/var
# chgrp -R mysql /usr/local/mysql

Copy a configuration file to /etc
# cp ../support-files/my-medium.cnf /etc/my.cnf

Start MySQL with the system
# echo "/usr/local/mysql/bin/mysqld_safe --user=mysql &" >> /etc/rc.local

Start MySQL
# cd /usr/local/mysql/bin
# ./mysqld_safe --user=mysql &

Set the MySQL root password ('123456' is the placeholder from the original notes; use a real one, and note that a password given on the command line ends up in the shell history)
# cd /usr/local/mysql/bin
# ./mysqladmin -u root password '123456'

Make the client library libmysqlclient.so.10 available
# cp /usr/local/mysql/lib/mysql/* /usr/lib
# cp /usr/local/mysql/include/mysql/* /usr/include
(This works, but it mixes the MySQL files into the base system; adding /usr/local/mysql/lib/mysql to the ldconfig(8) search path is cleaner.)

Create the wiki database and its user
# cd /usr/local/mysql/bin
# ./mysql -u root -p
mysql> create database wikidb;
mysql> grant all on wikidb.* to wikidb@localhost identified by '654321';
mysql> flush privileges;
mysql> exit

4. Install MediaWiki

# cd /home/funpower
# tar zxvf mediawiki-1.5.2.tar.gz
# mkdir /usr/local/apache/htdocs/wiki
# cd mediawiki-1.5.2
# cp -R * /usr/local/apache/htdocs/wiki

Open http://127.0.0.1/wiki/ in a browser and fill in the basic wiki parameters; the database and database user are the ones created above. Click "Install" to finish.

The last steps:

# cd /usr/local/apache/htdocs/wiki/config
# cp LocalSettings.php ../
# cd ../
# mv config config.bak

Open http://127.0.0.1/wiki/; if the front page appears, the installation succeeded. LocalSettings.php contains the database password, so it should be readable only by the web server user; and because the installer in config/ can rewrite the site configuration, delete config.bak rather than leaving it under the document root.

Screenshot:

http://static.flickr.com/30/67817347_629808523f_m.jpg


-----------------------------------------------------------------------------------
Author: Laoguan        email: funpower at gmail.com
Reference: http://www.linuxmine.com/5557.html

Posted 2005-11-28 4:13 PM | Comments (1)

Summary of installing the socks5 service on FreeBSD
I have installed socks5 on FreeBSD many times (1, 2), but recently I kept running into problems, so here is a short summary.

1. Installing from ports:

Search Tianwang for socks5-v1.0r11.tar.gz, copy it to /usr/ports/distfiles, go to /usr/ports/net/socks5 and run make install; it never installed successfully:

===>  Vulnerability check disabled, database not found
===>  Extracting for socks5-1.0.11_3
=> Checksum mismatch for socks5-v1.0r11.tar.gz.
===>  Refetch for 1 more times files: socks5-v1.0r11.tar.gz
===>  Vulnerability check disabled, database not found
=> socks5-v1.0r11.tar.gz doesn't seem to exist in /usr/ports/distfiles/.
=> Attempting to fetch from ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/.
fetch: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/socks5-v1.0r11.tar.gz: File unavailable (e.g., file not found, no access)
=> Couldn't fetch it - please try to retrieve this
=> port manually into /usr/ports/distfiles/ and try again.
*** Error code 1

Stop in /usr/ports/net/socks5.
*** Error code 1

Stop in /usr/ports/net/socks5.

(The first line of that output already gives the cause: the file was present, but its MD5 did not match distinfo, so the ports framework discarded it and tried to fetch a fresh copy, which failed; that is why it then reports the file as missing.)

2. Compiling the tarball directly (see my earlier notes): the installation shows no errors at all, but in use there is a problem. Right after the server starts it works for a while, roughly a minute or two, and then port 1080 can no longer be connected to. I am not sure of the cause; my guess is the version of the tarball.


Thinking about it, if the version is the problem, then a successful install from ports should rule that out, so in the end I went back to ports. But after a dozen or so attempts I still got the same error as with the first method: it kept saying socks5-v1.0r11.tar.gz could not be found in /usr/ports/distfiles, which was strange, since I had clearly copied the file to /usr/ports/distfiles. At a loss, I posted on freebsdchina.org, and forum member suek225 pointed out the MD5 checksum failure and the size of the tarball. Following his suggestion:

# cd /usr/ports/net/socks5
# more distinfo
MD5 (socks5-v1.0r11.tar.gz) = 9d6db7d3c425bbafb8c8d67e128eedfe
SIZE (socks5-v1.0r11.tar.gz) = 401093

Clearly the tarball is supposed to be 401093 bytes. I found a copy of that exact size, copied it into /usr/ports/distfiles, went into /usr/ports/net/socks5, ran make install, and it installed successfully. After that, the following steps get socks5 running:

1. Configure socks5.conf and socks5.passwd

# ee /etc/socks5.conf
Add:
auth - - u
permit u - 172.16.0. - - -
set SOCKS5_NOIDENT
set SOCKS5_V4SUPPORT
set SOCKS5_PWDFILE /etc/socks5.passwd

# ee /etc/socks5.passwd
Add:
user password

(socks5.passwd holds the password in clear text, so chmod 600 it; and SOCKS5 username/password authentication itself sends the credentials unencrypted, so the permit line limiting sources to 172.16.0.* is still doing most of the work.)

2. Start it with the system

# ee /etc/rc.local
Add:
/usr/local/bin/socks5

Reboot the server.


Summary: for socks5-v1.0r11.tar.gz I will install from ports whenever possible from now on; a successful install from ports at least shows the tarball version is good.
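Added here as an example, not part of the original notes or of the ports framework: a shell function that checks a downloaded distfile against the SIZE and checksum lines of a port's distinfo before it is copied into /usr/ports/distfiles. It is the check that failed in the story above and in the earlier Squid + Socks5 note, done by hand so that it is immediately clear whether the size or the checksum is the problem. FreeBSD's md5(1)/sha256(1) print "MD5 (file) = hex" while GNU md5sum/sha256sum print "hex  file"; both are handled. The distinfo files and the distfile at the end are constructed (an empty file, whose digests are well known), not the real socks5 tarball.

```shell
#!/bin/sh
# Added example, not part of the original notes or the ports framework:
# verify a distfile against a port's distinfo (SIZE, MD5, SHA256 lines).
# Assumption: distinfo uses the "ALGO (file) = value" / "SIZE (file) = n"
# lines shown in the notes.

# digest ALGO FILE -> hex digest, using whichever tool the system has
digest() {
    case "$1" in
        MD5)    if command -v md5sum >/dev/null 2>&1; then md5sum "$2" | cut -d' ' -f1
                else md5 -q "$2"; fi ;;
        SHA256) if command -v sha256sum >/dev/null 2>&1; then sha256sum "$2" | cut -d' ' -f1
                else sha256 -q "$2"; fi ;;
    esac
}

# verify_distfile DISTINFO FILE -> 0 if SIZE and every listed digest match;
# otherwise prints what is wrong and returns 1
verify_distfile() {
    name=$(basename "$2"); rc=0
    actual=$(wc -c < "$2" | tr -d ' ')          # BSD wc pads the count with spaces
    want=$(awk -v n="($name)" '$1 == "SIZE" && $2 == n { print $4 }' "$1")
    if [ -z "$want" ]; then
        echo "$name: no SIZE line in distinfo"; rc=1
    elif [ "$want" != "$actual" ]; then
        echo "$name: size is $actual bytes, distinfo says $want"; rc=1
    fi
    # MD5 alone is no longer collision resistant; current ports list SHA256 too,
    # so every digest the port lists is checked.
    for algo in MD5 SHA256; do
        want=$(awk -v a="$algo" -v n="($name)" '$1 == a && $2 == n { print $4 }' "$1")
        if [ -n "$want" ]; then
            have=$(digest "$algo" "$2")
            if [ "$want" != "$have" ]; then echo "$name: $algo mismatch ($have)"; rc=1; fi
        fi
    done
    return $rc
}

# Demo with a constructed distfile (empty) and two distinfo files.
demo=$(mktemp -d)
: > "$demo/socks5-v1.0r11.tar.gz"               # empty stand-in for the tarball
cat > "$demo/distinfo.ok" <<'EOF'
MD5 (socks5-v1.0r11.tar.gz) = d41d8cd98f00b204e9800998ecf8427e
SHA256 (socks5-v1.0r11.tar.gz) = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SIZE (socks5-v1.0r11.tar.gz) = 0
EOF
cat > "$demo/distinfo.real" <<'EOF'
MD5 (socks5-v1.0r11.tar.gz) = 9d6db7d3c425bbafb8c8d67e128eedfe
SIZE (socks5-v1.0r11.tar.gz) = 401093
EOF
verify_distfile "$demo/distinfo.ok" "$demo/socks5-v1.0r11.tar.gz" && echo "ok: safe to copy into /usr/ports/distfiles"
verify_distfile "$demo/distinfo.real" "$demo/socks5-v1.0r11.tar.gz" || echo "rejected, as the ports framework would"
```

Usage on a real box: verify_distfile /usr/ports/net/socks5/distinfo ~/socks5-v1.0r11.tar.gz before the cp into /usr/ports/distfiles. A size match with a checksum mismatch means the contents differ even though the file is the right length, which is exactly the case the ports output above reports as "Checksum mismatch".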

Posted 2005-11-16 1:17 PM | Comments (0)

ipfilter+ipnat packet filtering, forwarding and DHCP server notes on FreeBSD 5.4
With this server, clients on the internal network reach the Internet without any network configuration of their own.
Network information:
Subnet -> 192.168.61.0/24
xl0 -> internal NIC, 192.168.61.254 (DHCP interface)
em0 -> external NIC, 218.104.52.x/32

I. Install FreeBSD 4.11-STABLE
(The title says 5.4, but the installation steps, the /stand/sysinstall path and the kernel configuration file below are the 4.11 ones.)

Pick an FTP mirror from http://www.freebsd.org/releases/4.11R/announce.html, download the release and burn it to CD, then install from the CD. My choices:

1. Choose the minimal installation when selecting packages.
2. Enable the ftp and telnet services when editing inetd.conf.

Leave everything else at the defaults; see <http://www.freebsd.org.cn/snap/doc/zh_CN.GB2312/books/handbook/install-start.html>. Reboot when done.

II. Configure FreeBSD

1. /etc/rc.conf:

hostname="gateway_bake.jscpu.com"
defaultrouter="218.104.52.x"
ifconfig_em0="inet 218.104.52.x netmask 255.255.255.248"
ifconfig_xl0="inet 192.168.61.254 netmask 255.255.255.0"

ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.conf"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.conf"
gateway_enable="YES"
inetd_enable="YES"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="YES"
sendmail_enable="NONE"
sshd_enable="YES"
usbd_enable="NO"

2. /etc/resolv.conf:

domain jscpu.com
nameserver 218.104.48.106
nameserver 221.6.4.66

3. Put the CD in the drive and install ports and src

# /stand/sysinstall
Choose Configure -> Distributions, select src and ports with the space bar, select Install, and reboot when it finishes.

III. Configure the kernel

# cd /usr/src/sys/i386/conf
# cp GENERIC funpower
# ee funpower

The kernel configuration file in full:

#
# GENERIC -- Generic kernel configuration file for FreeBSD/i386
#
# For more information on this file, please read the handbook section on
# Kernel Configuration Files:
#
# http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-config.html
#
# The handbook is also available locally in /usr/share/doc/handbook
# if you've installed the doc distribution, otherwise always see the
# FreeBSD World Wide Web server (http://www.FreeBSD.org/) for the
# latest information.
#
# An exhaustive list of options and more detailed explanations of the
# device lines is also present in the ./LINT configuration file. If you are
# in doubt as to the purpose or necessity of a line, check first in LINT.
#
# $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.62.2.1 2005/01/14 03:07:39 scottl Exp $

machine i386
#cpu I386_CPU
#cpu I486_CPU
#cpu I586_CPU
cpu I686_CPU
ident funpower
maxusers 0

#makeoptions DEBUG=-g #Build kernel with gdb(1) debug symbols

options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
#options INET6 #IPv6 communications protocols
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options MFS #Memory Filesystem
options MD_ROOT #MD is a potential root device
options NFS #Network Filesystem
options NFS_ROOT #NFS usable as root device, NFS required
options MSDOSFS #MSDOS Filesystem
options CD9660 #ISO 9660 Filesystem
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.

# To make an SMP kernel, the next two are needed
#options SMP # Symmetric MultiProcessor Kernel
#options APIC_IO # Symmetric (APIC) I/O

options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

device isa
device eisa
device pci

# Floppy drives
device fdc0 at isa? port IO_FD1 irq 6 drq 2
device fd0 at fdc0 drive 0
device fd1 at fdc0 drive 1
#
# If you have a Toshiba Libretto with its Y-E Data PCMCIA floppy,
# don't use the above line for fdc0 but the following one:
#device fdc0

# ATA and ATAPI devices
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapifd # ATAPI floppy drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID #Static device numbering

# SCSI Controllers
#device ahb # EISA AHA1742 family
#device ahc # AHA2940 and onboard AIC7xxx devices
#device ahd # AHA39320/29320 and onboard AIC79xx devices
#device amd # AMD 53C974 (Tekram DC-390(T))
#device isp # Qlogic family
#device mpt # LSI-Logic MPT/Fusion
#device ncr # NCR/Symbios Logic
#device sym # NCR/Symbios Logic (newer chipsets)
#options SYM_SETUP_LP_PROBE_MAP=0x40
# Allow ncr to attach legacy NCR devices when
# both sym and ncr are configured

device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?#

device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50

# SCSI peripherals
device scbus # SCSI bus (required)
#device da # Direct Access (disks)
#device sa # Sequential Access (tape etc)
#device cd # CD
#device pass # Passthrough device (direct SCSI access)

# RAID controllers interfaced to the SCSI subsystem
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
#device dpt # DPT Smartcache - See LINT for options!
#device iir # Intel Integrated RAID
#device mly # Mylex AcceleRAID/eXtremeRAID
#device ciss # Compaq SmartRAID 5* series
#device twa # 3ware 9000 series PATA/SATA RAID

# RAID controllers
#device aac # Adaptec FSA RAID, Dell PERC2/PERC3
device aacp # SCSI passthrough for aac (requires CAM)
#device ida # Compaq Smart RAID
#device ips # IBM/Adaptec ServeRAID
#device amr # AMI MegaRAID
#device mlx # Mylex DAC960 family
#device pst # Promise Supertrak SX6000
#device twe # 3ware Escalade

# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12

device vga0 at isa?

# splash screen/screen saver
pseudo-device splash

# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100

# Enable this and PCVT_FREEBSD for pcvt vt220 compatible console driver
#device vt0 at isa?
#options XSERVER # support for X server on a vt console
#options FAT_CURSOR # start with block cursor
# If you have a ThinkPAD, uncomment this along with the rest of the PCVT lines
#options PCVT_SCANSET=2 # IBM keyboards are non-std

device agp # support several AGP chipsets

# Floating point support - do not disable.
device npx0 at nexus? port IO_NPX irq 13

# Power management support (see LINT for more options)
device apm0 at nexus? disable flags 0x20 # Advanced Power Management

# PCCARD (PCMCIA) support
#device card
#device pcic0 at isa? irq 0 port 0x3e0 iomem 0xd0000
#device pcic1 at isa? irq 0 port 0x3e2 iomem 0xd4000 disable

# Serial (COM) ports
#device sio0 at isa? port IO_COM1 flags 0x10 irq 4
#device sio1 at isa? port IO_COM2 irq 3
#device sio2 at isa? disable port IO_COM3 irq 5
#device sio3 at isa? disable port IO_COM4 irq 9

# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device lpt # Printer
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
#device vpo # Requires scbus and da


# PCI Ethernet NICs.
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 adapter Gigabit Ethernet Card (``Wiseman'')
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
#device dc # DEC/Intel 21143 and various workalikes
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device pcn # AMD Am79C97x PCI 10/100 NICs
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
#device bge # Broadcom BCM570x (``Tigon III'')

# ISA Ethernet NICs.
# 'device ed' requires 'device miibus'
device ed0 at isa? disable port 0x280 irq 10 iomem 0xd8000
device ex
device ep
device fe0 at isa? disable port 0x300
# Xircom Ethernet
device xe
# PRISM I IEEE 802.11b wireless NIC.
device awi
# WaveLAN/IEEE 802.11 wireless NICs. Note: the WaveLAN/IEEE really
# exists only as a PCMCIA device, so there is no ISA attachment needed
# and resources will always be dynamically assigned by the pccard code.
device wi
# Aironet 4500/4800 802.11 wireless NICs. Note: the declaration below will
# work for PCMCIA and PCI cards, as well as ISA cards set to ISA PnP
# mode (the factory default). If you set the switches on your ISA
# card for a manually chosen I/O address and IRQ, you must specify
# those parameters here.
device an
# The probe order of these is presently determined by i386/isa/isa_compat.c.
device ie0 at isa? disable port 0x300 irq 10 iomem 0xd0000
#device le0 at isa? disable port 0x300 irq 5 iomem 0xd0000
device lnc0 at isa? disable port 0x280 irq 10 drq 0
device cs0 at isa? disable port 0x300
device sn0 at isa? disable port 0x300 irq 10

# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
#pseudo-device sl 1 # Kernel SLIP
#pseudo-device ppp 1 # Kernel PPP
pseudo-device tun # Packet tunnel.
pseudo-device pty # Pseudo-ttys (telnet etc)
pseudo-device md # Memory "disks"
#pseudo-device gif # IPv6 and IPv4 tunneling
#pseudo-device faith 1 # IPv6-to-IPv4 relaying (translation)

# The `bpf' pseudo-device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
pseudo-device bpf #Berkeley packet filter

# USB support
#device uhci # UHCI PCI->USB interface
#device ohci # OHCI PCI->USB interface
device usb # USB Bus (required)
#device ugen # Generic
#device uhid # "Human Interface Devices"
#device ukbd # Keyboard
#device ulpt # Printer
#device umass # Disks/Mass storage - Requires scbus and da
#device ums # Mouse
#device uscanner # Scanners
#device urio # Diamond Rio MP3 Player
# USB Ethernet, requires mii
#device aue # ADMtek USB ethernet
#device axe # ASIX Electronics USB ethernet
#device cue # CATC USB ethernet
#device kue # Kawasaki LSI USB ethernet

# FireWire support
device firewire # FireWire bus code
device sbp # SCSI over FireWire (Requires scbus and da)
device fwe # Ethernet over FireWire (non-standard!)

With funpower written, build and install the kernel. Run the config command from /usr/src/sys/i386/conf, where funpower is saved, because the compile directory is addressed relative to it:
#/usr/sbin/config funpower
#cd ../../compile/funpower
#make depend
#make
#make install

Reboot the machine once the build and install have finished.

4. Configuring packet filtering (ipfilter) and forwarding (ipnat)

1. Edit /etc/ipf.conf

Here em0 is the external interface (public address 218.104.52.x) and xl0 the internal one (192.168.61.0/24). ipfilter walks the rules from top to bottom: a rule marked "quick" decides the packet on the spot, while for the others the last matching rule wins, so the order below matters.

# Drop malformed, fragmented, option-bearing and source-routed packets on every interface
block in log quick all with short
block in log quick all with ipopts
block in log quick all with frag
block in log quick all with opt lsrr
block in log quick all with opt ssrr

# Internal interface and loopback are trusted
pass out on xl0 all
pass in on xl0 all
pass out quick on lo0 all
pass in quick on lo0 all

# Default for the external interface: nothing leaves unless a later rule allows it
block out on em0 all

# Never send traffic for private, reserved or multicast destinations to the Internet
block out log quick on em0 from any to 192.168.0.0/16
block out log quick on em0 from any to 0.0.0.0/8
block out log quick on em0 from any to 169.254.0.0/16
block out log quick on em0 from any to 10.0.0.0/8
block out log quick on em0 from any to 172.16.0.0/12
block out log quick on em0 from any to 127.0.0.0/8
block out log quick on em0 from any to 192.0.2.0/24
block out log quick on em0 from any to 204.152.64.0/23
block out log quick on em0 from any to 224.0.0.0/3

# Remote administration of the firewall itself. Port 23 is telnet, which carries
# the password in clear text; with sshd enabled there is no reason to keep it open.
pass in quick on em0 proto tcp from any to 218.104.52.x port = 22 flags S keep state
pass in quick on em0 proto tcp from any to 218.104.52.x port = 23 flags S keep state
# Outbound connections (the NATed LAN and the firewall itself) and their replies
pass out log on em0 proto tcp/udp from any to any keep state
pass out log on em0 proto icmp all keep state

# Inbound packets with a private or reserved source address are spoofed. These
# must be quick: a plain block would be overridden by the pass rules below.
block in log quick on em0 from 192.168.0.0/16 to any
block in log quick on em0 from 10.0.0.0/8 to any
block in log quick on em0 from 172.16.0.0/12 to any
block in log quick on em0 from 127.0.0.0/8 to any
block in log quick on em0 from 192.0.2.0/24 to any
block in log quick on em0 from 169.254.0.0/16 to any
block in log quick on em0 from 224.0.0.0/3 to any
block in log quick on em0 from 204.152.64.0/23 to any

# Services published to the Internet: HTTP, FTP and a high port range (30001-50000)
pass in quick on em0 proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ftp flags S/SA keep state
pass in quick on em0 proto tcp from any to any port = ftp-data flags S/SA keep state
pass in quick on em0 proto tcp from any to any port 30000 >< 50001 flags S/SA keep state

# Refuse and log ICMP redirects and echo requests, then the rest of ICMP
block in log quick on em0 proto icmp from any to any icmp-type redir
block in log quick on em0 proto icmp from any to any icmp-type echo
block in log quick on em0 proto icmp from any to any

# Actively reject remaining TCP connection attempts and UDP, then drop the rest.
# The catch-all has to be the last em0 rule: anything placed after a
# "quick ... all" rule for the same interface and direction is never evaluated.
block return-rst in log quick on em0 proto tcp from any to any flags S/SA
block return-icmp(net-unr) in log quick on em0 proto udp from any to any
block in quick on em0 all
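Added example (not from the original page or from ipfilter): a small Python checker for rule sets in this syntax. It parses the subset of ipf grammar used above (action, direction, log/quick, interface, proto, from/to) and reports the two mistakes that are easy to make in a list like this: a bogon block whose network is mistyped, and rules placed behind a "quick ... all" catch-all for the same interface and direction, which ipf never evaluates. The sample rules are a constructed excerpt of the em0 rules as originally posted, typos included, so the checks have something to report; KNOWN_BOGONS is an assumed list matching the networks this rule set blocks.

```python
"""Static checks for an ipfilter rule set (ipf.conf syntax).

Added example, not part of the original page. It parses the subset of
ipf syntax used above and reports mistyped bogon networks and rules that
sit behind a "quick ... all" catch-all.
"""
import ipaddress
import re

# Networks a border firewall is expected to block. 204.152.64.0/23 is the
# Sun cluster interconnect block carried over from the IP Filter HOWTO example.
KNOWN_BOGONS = {
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16", "224.0.0.0/3",
        "204.152.64.0/23",
    )
}

RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+return-\S+)?\s+(?P<dir>in|out)"
    r"(?P<log>\s+log)?(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+(?P<rest>.*)$"
)

NET_RE = re.compile(r"\b(?:from|to)\s+(\d+\.\d+\.\d+\.\d+/\d+)")

# Constructed excerpt of the page's em0 rules as originally posted.
SAMPLE_IPF_CONF = """\
block out log quick on em0 from any to 10.0.0.0/8
block out log quick on em0 from any to 169.254.0.0/8
block out log quick on em0 from any to 127.16.0.0/12
block out log quick on em0 from any to 127.0.0.0/8
pass in quick on em0 proto tcp from any to any port = 80 flags S/SA keep state
block in quick on em0 all
block in log quick on em0 proto icmp from any to any icmp-type redir
block return-rst in log on em0 proto tcp from any to any flags S/SA
"""


def parse_rules(text):
    """Parse rules into dicts; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse: {line}")
        r = m.groupdict()
        r["quick"] = r["quick"] is not None
        r["lineno"] = lineno
        # "all" with no proto/from/to restriction matches every packet
        r["catch_all"] = r["proto"] is None and r["rest"] == "all"
        rules.append(r)
    return rules


def suspicious_bogons(rules):
    """(lineno, network) for block rules naming a network outside KNOWN_BOGONS
    or with host bits set; both are almost always typos."""
    findings = []
    for r in rules:
        if r["action"] != "block":
            continue
        for net_str in NET_RE.findall(r["rest"]):
            try:
                net = ipaddress.ip_network(net_str)  # strict: host bits raise
            except ValueError:
                findings.append((r["lineno"], net_str))
                continue
            if net not in KNOWN_BOGONS:
                findings.append((r["lineno"], net_str))
    return findings


def dead_rules(rules):
    """Line numbers of rules that can never match: an earlier quick catch-all
    on the same interface and direction already decided every packet."""
    closed = set()
    dead = []
    for r in rules:
        key = (r["iface"], r["dir"])
        if key in closed:
            dead.append(r["lineno"])
        elif r["quick"] and r["catch_all"]:
            closed.add(key)
    return dead


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_IPF_CONF)
    for lineno, net in suspicious_bogons(rules):
        print(f"line {lineno}: unexpected network {net}")
    for lineno in dead_rules(rules):
        print(f"line {lineno}: unreachable (after a quick catch-all)")
```

Run against the sample it reports lines 2 and 3 (169.254.0.0/8 has host bits set, 127.16.0.0/12 is not a network anyone means to block) and lines 7 and 8 as unreachable. Feed it the real /etc/ipf.conf after every edit; a dead rule is the kind of mistake that is invisible in a working firewall.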


2. Edit /etc/ipnat.conf

ipnat applies the first map rule that matches, so the FTP proxy rule has to come before the general ones or it is never used. The first general rule rewrites the source port of TCP and UDP flows into 20000-39999; the second, without portmap, handles every other protocol. NAT is configured on em0 only: a map rule on the internal interface xl0 would also rewrite the firewall's own replies to LAN hosts, because map acts on every packet leaving that interface with a matching source address.

# FTP helper for LAN clients: must precede the general rules
map em0 192.168.61.0/24 -> 218.104.52.x/32 proxy port ftp ftp/tcp
# Hide the LAN behind the public address of em0
map em0 192.168.61.0/24 -> 218.104.52.x/32 portmap tcp/udp 20000:39999
map em0 192.168.61.0/24 -> 218.104.52.x/32


5. Configuring the DHCP service

1. Install isc-dhcp3-server from ports

Before installing, download rc_subr-1.16.tar.gz from http://ftp.bestcom.ru/FreeBSD/ports/distfiles/ and put it into /usr/ports/distfiles by ftp (the ports framework still verifies a manually fetched distfile against the port's distinfo checksums), then start the install:

# cd /usr/ports/net/isc-dhcp3-server
# make install

2. Configure dhcp.conf

# ee /etc/dhcp.conf

Contents:

default-lease-time 600;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
option domain-name-servers 218.104.48.106;
option perform-mask-discovery on;
option mask-supplier on;
ddns-update-style none;

# LAN address information. The dynamic range stops at .249: dhcpd does not
# exclude a host's fixed-address from a range, so a reservation at .250 inside
# a range ending at .250 could collide with a lease handed to another client.
subnet 192.168.61.0 netmask 255.255.255.0 {
option routers 192.168.61.254;
option broadcast-address 192.168.61.255;
range 192.168.61.1 192.168.61.249;
}

# Static address for a server, keyed on its MAC address
host fileserver {
hardware ethernet 02:03:04:05:06:07;
fixed-address 192.168.61.250;
}


Save and exit.
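Added example (not from the page and not part of ISC dhcpd): a Python sanity check to run over the file before dhcpd is started. dhcpd does not carve a host's fixed-address out of a dynamic range, so a reservation inside the pool can be handed out twice; the same goes for the router or broadcast address lying inside the range, or the range lying outside its subnet. The sample configuration is a constructed copy of the page's /etc/dhcp.conf as originally posted (range ending at .250 and the fileserver reserved at .250), so the check has something to find.

```python
"""Sanity checks for an ISC dhcpd.conf before it goes into production.

Added example, not part of the original page or of ISC dhcpd. It parses
subnet and host blocks and flags fixed addresses, routers or broadcast
addresses that lie inside a dynamic range, and ranges outside their subnet.
"""
import ipaddress
import re

# Constructed copy of the page's configuration as originally posted.
SAMPLE_DHCP_CONF = """\
default-lease-time 600;
max-lease-time 86400;
option subnet-mask 255.255.255.0;
ddns-update-style none;

subnet 192.168.61.0 netmask 255.255.255.0 {
option routers 192.168.61.254;
option broadcast-address 192.168.61.255;
range 192.168.61.1 192.168.61.250;
}

host fileserver {
hardware ethernet 02:03:04:05:06:07;
fixed-address 192.168.61.250;
}
"""

BLOCK_RE = re.compile(
    r"(?:subnet\s+(?P<net>\S+)\s+netmask\s+(?P<mask>\S+)|host\s+(?P<host>\S+))"
    r"\s*\{(?P<body>[^}]*)\}"
)
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def _addr(body, key):
    """First IPv4 address given for `key` inside a block body, or None."""
    m = re.search(rf"\b{key}\s+{IPV4}\s*;", body)
    return ipaddress.ip_address(m.group(1)) if m else None


def parse_dhcp_conf(text):
    """Return (subnets, hosts) from the subnet/host blocks of a dhcpd.conf."""
    subnets, hosts = [], []
    for m in BLOCK_RE.finditer(text):
        body = m.group("body")
        if m.group("host"):
            hosts.append({"name": m.group("host"),
                          "fixed": _addr(body, "fixed-address")})
            continue
        # "range lo hi;" or "range addr;" (a single address), optional dynamic-bootp
        rng = re.search(rf"\brange\s+(?:dynamic-bootp\s+)?{IPV4}(?:\s+{IPV4})?\s*;", body)
        subnets.append({
            "net": ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}"),
            "range": (ipaddress.ip_address(rng.group(1)),
                      ipaddress.ip_address(rng.group(2) or rng.group(1))) if rng else None,
            "routers": _addr(body, "option routers"),
            "broadcast": _addr(body, "option broadcast-address"),
        })
    return subnets, hosts


def check_dhcp_conf(text):
    """Human-readable findings; an empty list means the checks passed."""
    subnets, hosts = parse_dhcp_conf(text)
    findings = []
    for s in subnets:
        if s["range"] is None:
            continue
        lo, hi = s["range"]
        if lo not in s["net"] or hi not in s["net"]:
            findings.append(f"range {lo}-{hi} is not inside {s['net']}")
        for label in ("routers", "broadcast"):
            a = s[label]
            if a is not None and lo <= a <= hi:
                findings.append(f"{label} address {a} lies inside range {lo}-{hi}")
        for h in hosts:
            a = h["fixed"]
            if a is not None and lo <= a <= hi:
                findings.append(
                    f"host {h['name']}: fixed-address {a} lies inside range {lo}-{hi}")
    return findings


if __name__ == "__main__":
    for finding in check_dhcp_conf(SAMPLE_DHCP_CONF):
        print("WARNING:", finding)
```

On the sample it reports only the fileserver reservation; shortening the range to .249 makes the report empty. The parser deliberately understands just the directives used on this page, so a production dhcpd.conf with pools, classes or shared-network blocks would need the block regex extended.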

3. Set up the files dhcpd needs to run

a. Create the lease database:

# touch /var/db/dhcpd.leases

b. Add the following line to /etc/hosts:

255.255.255.255 For-DHCP

c. Add a route so that dhcpd's broadcast replies leave through the LAN interface (xl0, the interface used throughout this section):

# route add -host For-DHCP -interface xl0

d. Make the isc-dhcpd.sh startup script executable:

# chmod 755 /usr/local/etc/rc.d/isc-dhcpd.sh

4. Edit /etc/rc.local so dhcpd starts with the system

# ee /etc/rc.local

Add the following line:

/usr/local/sbin/dhcpd -cf /etc/dhcp.conf xl0

Save, exit and reboot the server.

Finally, set a machine on the LAN to "obtain an IP address automatically", remove the proxy server from Internet Explorer and browse directly; if that works, try OICQ as well, logging in without a proxy. If both work, the network configuration is complete.

Posted on 2005-11-13 2:15 PM | Comments (0)

Installation notes for the online RSS aggregator lilina-0.7

Download the latest lilina, lilina-0.7.tar.gz, from http://prdownloads.sourceforge.net/lilina/lilina-0.7.tar.gz?download, php-4.3.9.tar.gz from http://cn2.php.net/get/php-4.3.9.tar.gz/from/a/mirror and apache_1.3.33.tar.gz from http://apache.justdn.org/httpd/, and copy the three files to the server (into /funpower) by ftp.


1. Install apache and php

PHP is built as a static module of Apache 1.3: apache is configured once so that the php build can find its source tree, php is built and installed into that tree, and apache is then configured a second time with the module activated and built.

#cd /funpower
#tar zxvf apache_1.3.33.tar.gz
#tar zxvf php-4.3.9.tar.gz
#cd apache_1.3.33
#./configure --prefix=/usr/local/apache
#cd ../php-4.3.9
#./configure --with-apache=../apache_1.3.33 --with-mysql --disable-debug --enable-track-vars
#make
#make install
#cp php.ini-dist /usr/local/lib/php.ini
#cd ../apache_1.3.33
#./configure --prefix=/usr/local/apache --activate-module=src/modules/php4/libphp4.a
#make
#make install

Configure /usr/local/apache/conf/httpd.conf
Add:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
and change the following entries:
ServerName funpower_info.3322.org
DirectoryIndex index.php

Add apache to the startup items:

#ee /etc/rc.local
Add the following line:
/usr/local/apache/bin/apachectl start

Reboot the server, create a test.php under /usr/local/apache/htdocs with the test content, then open http://yourdomain.com/test.php; if it shows php-4.3.9's information, apache and php are installed correctly. Remove test.php afterwards: a page that prints the PHP configuration tells anyone who finds it the build options, paths and loaded modules.


2. Install lilina-0.7

Delete everything under /usr/local/apache/htdocs, copy the entire content of the lilina-0.7 folder there, and adjust permissions and ownership:

#cd /usr/local/apache/htdocs
#chmod 777 cache
#chmod 777 .myfeeds.data
#chown -R nobody:nobody /usr/local/apache/htdocs

Mode 777 makes the cache directory and the feed file writable by every local user, not just the web server. Since the tree is owned by nobody, the user apache runs as, 755 on cache and 644 on .myfeeds.data are enough for lilina to write to them.

Configure conf.php as follows:

<?php
$BASEURL = 'http://lilina.sourceforge.net' ; // change to your own site's URL, no trailing slash!
$USERNAME = 'funpower' ; // change to your own
$PASSWORD = '123456789' ; // change to your own; this is the admin login and is stored in clear text
$SITETITLE = "funpower blog" ; // change to your own
$OWNERNAME = "guanjianfeng" ; // change to your own
$OWNEREMAIL = "guanjianfeng@jscpu.com" ; // change to your own

$DATAFILE = './.myfeeds.data' ; // leave as is
$TIMEFILE = './.time.data' ; // leave as is

$GOOGLE_KEY = '' ; // Use your Google WEB APIs key here. For info visit http://www.google.com/apis/

/*
IMPORTANT NOTE! Setting ENABLE_DELICIOUS to 1 will make lilina poll del.icio.us for tags.
THIS MAY RESULT IN DEL.ICIO.US BANNING YOUR IP!!!
Until del.icio.us officially allows such use, it is better to leave this at 0.
*/
$ENABLE_DELICIOUS = 0 ;

/*
Default cache expiration is set to 1 hour.
This can be overridden by loading index.php?force_update=1
*/
define('MAGPIE_CACHE_AGE',60 * 60);
?>

Save and exit. Reboot the server and open the home page: the lilina-0.7 page appears, and from the admin interface you can subscribe to the RSS feeds you like :)


Reference
http://www.douzhe.com/article/data/2/649.html


Update 2005-11-13: lilina, continued - changing how many days the front page shows

By default lilina's front page shows one day of items. In index.php change:

$TIMERANGE = ( $_REQUEST['hours'] ? $_REQUEST['hours']*3600 : 3600*24 ) ;

to

$TIMERANGE = ( $_REQUEST['hours'] ? $_REQUEST['hours']*3600 : 3600*168 ) ;

and the page shows a week (24*7=168) of items. Note that hours is taken straight from the request; wrapping it as (int)$_REQUEST['hours'] keeps arbitrary strings out of the arithmetic.

Posted on 2005-11-13 2:09 PM | Comments (0)

Installation notes for socks5-v1.0r11.tar.gz

Update 2005-10-21: changed "permit u - 172.16.0 - - -" in socks5.conf to "permit u - 172.16.0. - - -"

========================================

Author: 老管 (Lao Guan), email: funpower@gmail.com

Find and download socks5-v1.0r11.tar.gz through the 北大天网 (Peking University Tianwang) search engine, copy it to /home/funpower on the server by ftp, and start the install:

1. Unpack, compile and install socks5

# tar xvzf socks5-v1.0r11.tar.gz
# cd socks5-v1.0r11
# ./configure
# make
# make install

2. Configure socks5.conf and socks5.passwd

# ee /etc/socks5.conf
Add the following. "auth - - u" requires username/password authentication from every client, and the permit line admits only clients whose source address starts with 172.16.0. (the trailing dot makes it a prefix match). SOCKS5_V4SUPPORT additionally accepts SOCKS version 4 clients, a protocol that carries no password, so leave it out unless a v4-only client needs the proxy:
auth - - u
permit u - 172.16.0. - - -
set SOCKS5_NOIDENT
set SOCKS5_V4SUPPORT
set SOCKS5_PWDFILE /etc/socks5.passwd

# ee /etc/socks5.passwd
Add one entry per user, username and password separated by a space, for example:
user password

The passwords sit in this file in readable form, so restrict it to root (mode 600); socks5 is started from rc.local as root and can still read it.

3. Start it with the system

#ee /etc/rc.local
Add the following:
/usr/local/bin/socks5

Reboot the server.

References (with detailed explanations of the parameters):

在Linux上配置和实现SOCKS v5 (Configuring and implementing SOCKS v5 on Linux)
Socks5代理服务器安装及配置文件 (Socks5 proxy server installation and configuration file)

Posted on 2005-11-13 2:08 PM | Comments (1)
