單位100M光纖接入互聯網,文章中網卡為ed0[202.182.96.2],內網ed2的地址為200.200.1.0/24,其中200.200.1.33是一台web服務器。
要完成的任務是,使所有的互聯網微機可以訪問200.200.1.33,所有的內網主機可以訪問互聯網。
規則暫時不考慮,網上相關的文章也很多。
DL# cat ipnat.rules
代碼:
map ed0 200.200.1.0/24 -> 202.182.96.2/32 portmap tcp/udp 1000:6000
map ed0 200.200.1.0/24 -> 202.182.96.2/32 proxy port ftp ftp/tcp
map ed0 200.200.1.0/24 -> 202.182.96.2/32
rdr ed0 0.0.0.0/0 port 80 -> 200.200.1.33 port 80 tcp
DL# cat ipf.rules
代碼:
pass in quick on lo0 all
pass out quick on lo0 all
pass in from any to any
pass out from any to any
/etc/rc.conf
代碼:
DL# cat rc.conf
defaultrouter="218.22.205.1"
hostname="DL.net"
network_interfaces="ed0 ed2 lo0"
ifconfig_ed0="inet 202.182.96.2 netmask 255.255.255.248"
ifconfig_ed2="inet 200.200.1.180 netmask 255.255.255.0"
sendmail_enable="NONE"
inetd_enable="NO"
kern_securelevel_enable="NO"
linux_enable="YES"
nfs_reserved_port_only="NO"
sshd_enable="YES"
usbd_enable="NO"
gateway_enable="YES"
#######################IPFILTER###########
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipnat_enable="YES"
ipnat_program="/sbin/ipnat"
ipnat_rules="/etc/ipnat.rules"
ipnat_flags=""
######################IPFW#################
#firewall_enable="YES"
#firewall_script="/etc/rc.firewall"
#firewall_type="open"
#firewall_quiet="NO"
#firewall_logging_enable="YES"
#natd_enable="YES"
#natd_interface="ed0"
#natd_flags="-config /etc/natd.conf"
內核文件,注意 options BRIDGE
代碼:
DL# cd /usr/src/sys/i386/conf/
DL# cat DL
machine i386
cpu I686_CPU
ident DL
maxusers 0
options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options SOFTUPDATES #Enable FFS soft updates support
options UFS_DIRHASH #Improve performance on big directories
options CD9660_ROOT #CD-ROM usable as root, CD9660 required
options PROCFS #Process filesystem
options COMPAT_43 #Compatible with BSD 4.3 [KEEP THIS!]
options SCSI_DELAY=15000 #Delay (in ms) before probing SCSI
options UCONSOLE #Allow users to grab the console
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) support
options SYSVSHM #SYSV-style shared memory
options SYSVMSG #SYSV-style message queues
options SYSVSEM #SYSV-style semaphores
options P1003_1B #Posix P1003_1B real-time extensions
options _KPOSIX_PRIORITY_SCHEDULING
options ICMP_BANDLIM #Rate limit bad replies
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
##################this is ok for ipfw#######
#options IPFIREWALL
#options IPFIREWALL_VERBOSE
#options IPFIREWALL_VERBOSE_LIMIT=90
#options IPFIREWALL_DEFAULT_TO_ACCEPT
#options IPDIVERT
####################for bridge############
options BRIDGE
options IPFILTER
options ACCEPT_FILTER_DATA
options ACCEPT_FILTER_HTTP
options ICMP_BANDLIM
device isa
device eisa
device pci
options AUTO_EOI_1
options RANDOM_IP_ID
options TCP_DROP_SYNFIN
options PANIC_REBOOT_WAIT_TIME=0
device ata0 at isa? port IO_WD1 irq 14
device ata1 at isa? port IO_WD2 irq 15
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
options ATA_STATIC_ID #Static device numbering
# SCSI Controllers
device ahb # EISA AHA1742 family
device ahc # AHA2940 and onboard AIC7xxx devices
device ahd # AHA39320/29320 and onboard AIC79xx devices
device amd # AMD 53C974 (Tekram DC-390(T))
device isp # Qlogic family
device mpt # LSI-Logic MPT/Fusion
device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets)
options SYM_SETUP_LP_PROBE_MAP=0x40
# Allow ncr to attach legacy NCR devices when
device adv0 at isa?
device adw
device bt0 at isa?
device aha0 at isa?
device aic0 at isa?
device ncv # NCR 53C500
device nsp # Workbit Ninja SCSI-3
device stg # TMC 18C30/18C50
# SCSI peripherals
device scbus # SCSI bus (required)
device da # Direct Access (disks)
device cd # CD
device pass # Passthrough device (direct SCSI access)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc0 at isa? port IO_KBD
device atkbd0 at atkbdc? irq 1 flags 0x1
device psm0 at atkbdc? irq 12
device vga0 at isa?
# splash screen/screen saver
pseudo-device splash
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? flags 0x100
device agp # support several AGP chipsets
device sc
options MAXCONS=2 ##
options SC_DISABLE_REBOOT
options SC_NO_CUTPASTE #
options SC_NO_FONT_LOADING #
options SC_NO_SYSMOUSE
device npx0 at nexus? port IO_NPX irq 13
# Parallel port
device ppc0 at isa? irq 7
device ppbus # Parallel port bus (required)
device plip # TCP/IP over parallel
device ppi # Parallel port interface device
device miibus # MII bus support
device rl # RealTek 8129/8139
#device ed0 at isa? port 0x300 net irq 3 iomem 0xd8000 vector edintr #
device ed0 at isa? disable port 0x300 irq 3 iomem 0xd8000
device pty
# Pseudo devices - the number indicates how many units to allocate.
pseudo-device loop # Network loopback
pseudo-device ether # Ethernet support
pseudo-device bpf #Berkeley packet filter
