Nov 12
OpenBSD 4.1 as a PPPoE NAT gateway for shared Internet access
First install OpenBSD 4.1. My machine has two network cards: pcn0 connects to the ADSL modem and pcn1 connects to the internal network.
Throughout the configuration below, pcn0 is the name of my card connected to the ADSL modem; change it to your actual interface name. Likewise, change pcn1 to the name of the card connected to your internal network.
1) The card connected to the ADSL modem needs no IP address of its own (PPPoE runs directly over the Ethernet link, and the public address lands on the tun0 interface that ppp creates later), so edit its configuration file with vi /etc/hostname.pcn0 and remove everything in it.
2) Also remove everything in /etc/mygate, so that no static default gateway is set. ppp adds the default route itself when the link comes up (the "add! default HISADDR" line in ppp.conf below).
3) Configure the IP address of the internal card:
vi /etc/hostname.pcn1
and add the following line:
inet 192.168.188.1 255.255.255.0 192.168.188.255
4) Set the DNS servers in /etc/resolv.conf. Each nameserver directive takes a single address, one per line; if both addresses are put on one line the resolver only uses the first. The addresses below are my ISP's resolvers; use the ones your ISP gives you:
lookup file bind
nameserver 202.96.128.166
nameserver 202.96.128.86
5) Run sh /etc/netstart to apply the IP configuration. At this point a machine on your internal network should be able to ping 192.168.188.1; if it cannot, the internal card is misconfigured.
6) Configure the ppp dial-up configuration file used for PPPoE:
vi /etc/ppp/ppp.conf
Add the following, paying attention to case and replacing my pcn0 with your interface name:
default:
set log Phase Chat LCP IPCP CCP tun command
set timeout 0
set redial 15 0
set reconnect 15 10000
set server /var/run/ppp.sock "" 0177
pppoe:
set device "!/usr/sbin/pppoe -i pcn0"
set mtu max 1492
set mru max 1492
set speed sync
enable lqr
disable acfcomp protocomp
deny acfcomp
add! default HISADDR
set authname "your ADSL username"
set authkey "your ADSL password"
Since ppp.conf now holds your ADSL password in clear text, make sure only root can read it: chmod 600 /etc/ppp/ppp.conf.
Now test whether the PPPoE configuration is right:
/sbin/ifconfig pcn0 up
/usr/sbin/ppp -ddial pppoe
The -ddial option makes ppp run in the background and redial automatically whenever the line drops. Once connected, ifconfig shows a newly added network device tun0. You can also ping google.com to confirm that the connection really works.
Then add the following to /etc/rc.local so that the box dials up automatically at the next boot:
/sbin/ifconfig pcn0 up
/usr/sbin/ppp -ddial pppoe
7) Run sysctl net.inet.ip.forwarding=1 and the screen shows
net.inet.ip.forwarding: 0 -> 1
which means IP forwarding is on. To have it enabled automatically at the next boot,
vi /etc/sysctl.conf
and remove the leading # from the line #net.inet.ip.forwarding=1.
8) Now configure the packet filter. Add the following to /etc/pf.conf:
ext_if="tun0"
int_if="pcn1"
internal_net="192.168.188.0/24"
scrub in all
# for NAT
nat on $ext_if from $internal_net to any -> ($ext_if)
# for firewall
block in all
block out all
pass quick on lo0 all
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if from $internal_net to any
pass out on $int_if from any to $internal_net
Here tun0 is the virtual interface the system adds once the PPPoE link is up, pcn1 is my internal card and 192.168.188.0/24 is my internal subnet. The NAT target is written as ($ext_if), in parentheses, so pf looks up tun0's address at run time whenever the link comes up or the address changes, rather than fixing it when the ruleset is loaded. The rules block everything in both directions by default: outgoing TCP, UDP and ICMP on tun0 (which includes the NATed traffic of the internal machines) is passed with state so that replies get back in, while nothing unsolicited is accepted on tun0. The "scrub in" and "nat on" syntax used here is the pre-4.7 pf syntax and is correct for 4.1.
Now run pfctl -e to enable the packet filter; the screen shows "pf enabled".
Machines on your internal network can now reach the Internet.
Finally, make sure /etc/rc.conf has
pf=YES
so that the packet filter starts automatically at boot. (On OpenBSD the preferred place for such overrides is /etc/rc.conf.local, which is not replaced on upgrades.)
====================================
Making OpenBSD's network more secure, and faster
vi /etc/inetd.conf
and put a # in front of the two lines
ident stream tcp nowait _identd /usr/libexec/identd identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
so that the system does not start the ident network service at boot.
Likewise put a # in front of the two comsat lines to stop the comsat service from running:
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat comsat
[::1]:comsat dgram udp6 wait root /usr/libexec/comsat comsat
Do the same for the daytime and time services:
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal
Send inetd a HUP signal (or reboot) for the change to take effect. Note that comsat was already bound to the loopback addresses only; ident, daytime and time were the entries actually reachable from the network.
--------------------------------------------------------------------------------------
vi /etc/rc.conf and set
sendmail_flags=NO
to turn off sendmail.
Then vi /var/cron/tabs/root
and comment out the sendmail entry in it with a leading #, so that cron does not start sendmail either:
*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
For sshd, decide whether you need to ssh in remotely. If you do, keep
sshd_flags=""
If not, vi /etc/rc.conf and set
sshd_flags=NO
Note that the pf rules above pass nothing inbound on tun0, so even if sshd stays on it is reachable only from the internal network, not from the Internet.
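As an added example (not part of the original page), the shell script below applies the inetd.conf and root crontab changes of this section mechanically: it comments out the named inetd services and the sendmail cron entry, leaves lines that are already comments alone so it can be re-run safely, and lists what inetd would still serve. The file paths are parameters, and the files it creates under mktemp -d are constructed copies of the lines quoted above rather than anything taken from a live system, so you can try it before pointing it at /etc/inetd.conf and /var/cron/tabs/root.

```shell
#!/bin/sh
# Added example, not from the original page: comment out inetd(8) services
# and the sendmail crontab entry the way the text describes, on files whose
# paths are passed in, so it can be tested on constructed copies first.

# disable_inetd_services FILE NAME...
# Prefix with '#' every active line in FILE whose service field matches one
# of NAME. The service field is $1 with any "addr:" prefix removed, so
# "127.0.0.1:comsat" and "[::1]:comsat" both count as comsat. Lines that
# are already comments are left untouched, which makes a second run a no-op.
disable_inetd_services() {
    file=$1; shift
    names="$*"
    tmp="$file.tmp.$$"
    awk -v names="$names" '
        BEGIN { n = split(names, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            svc = $1
            sub(/^.*:/, "", svc)          # strip "127.0.0.1:" or "[::1]:"
            if (svc in w) print "#" $0; else print $0
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# disable_cron_entry FILE PATTERN
# Comment out every active crontab line containing PATTERN (a fixed string).
disable_cron_entry() {
    file=$1; pattern=$2
    tmp="$file.tmp.$$"
    awk -v pat="$pattern" '
        /^[ \t]*#/ { print; next }
        index($0, pat) > 0 { print "#" $0; next }
        { print }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# list_enabled_inetd FILE
# Print the distinct service names inetd would still serve, in file order,
# separated by single spaces. Empty output means inetd serves nothing.
list_enabled_inetd() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            svc = $1; sub(/^.*:/, "", svc)
            if (!(svc in seen)) { seen[svc] = 1; printf "%s%s", sep, svc; sep = " " }
        }
        END { printf "\n" }' "$1"
}

# make_sample_files DIR
# Write constructed copies of the relevant parts of /etc/inetd.conf and
# /var/cron/tabs/root into DIR (sample data, not from a live system).
make_sample_files() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample of /etc/inetd.conf
ident stream tcp nowait _identd /usr/libexec/identd identd -el
ident stream tcp6 nowait _identd /usr/libexec/identd identd -el
127.0.0.1:comsat dgram udp wait root /usr/libexec/comsat comsat
[::1]:comsat dgram udp6 wait root /usr/libexec/comsat comsat
daytime stream tcp nowait root internal
daytime stream tcp6 nowait root internal
time stream tcp nowait root internal
time stream tcp6 nowait root internal
#finger stream tcp nowait _fingerd /usr/libexec/fingerd fingerd -lsm
EOF
    cat > "$1/root.crontab" <<'EOF'
# constructed sample of /var/cron/tabs/root
*/30 * * * * /usr/sbin/sendmail -L sm-msp-queue -Ac -q
30 1 * * * /bin/sh /etc/daily
EOF
}

# Stand-alone demo on the constructed copies only. To apply for real:
#   disable_inetd_services /etc/inetd.conf ident comsat daytime time
#   disable_cron_entry /var/cron/tabs/root /usr/sbin/sendmail
demo=$(mktemp -d)
make_sample_files "$demo"
echo "before: $(list_enabled_inetd "$demo/inetd.conf")"
disable_inetd_services "$demo/inetd.conf" ident comsat daytime time
disable_cron_entry "$demo/root.crontab" /usr/sbin/sendmail
echo "after:  '$(list_enabled_inetd "$demo/inetd.conf")'"
cat "$demo/root.crontab"
rm -rf "$demo"
```

After editing the real files, inetd needs a HUP signal to re-read inetd.conf; for the crontab, running crontab -u root -e instead of editing the spool file by hand is the safer route, since cron is then guaranteed to notice the change.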
------------------------------------------------------------------------------------
vi /etc/sysctl.conf and enable swap encryption:
vm.swapencrypt.enable=1 # 1=Encrypt pages that go to swap
(Swap encryption has been on by default since OpenBSD 3.9, so on 4.1 this line only makes the setting explicit.)
-----------------------------------------------------------------------------------
Add the following to /etc/sysctl.conf to improve TCP performance on the WAN side:
# 1. Path MTU discovery: enabled by default
# 2. TCP Extension (RFC1323): enabled by default
# 3. Increase TCP Window size for increase in network performance
net.inet.tcp.recvspace=65535
net.inet.tcp.sendspace=65535
# 4. SACK (RFC2018): enabled by default
Done.
The material below, found online, was used as a reference, especially for the pf.conf configuration.
===========================================
I've been using an OpenBSD box for NAT/firewall at home (with Verizon DSL) for a while now. I switched to OpenBSD after Red Hat dropped their non-enterprise version (don't get me wrong, I still use Fedora on desktop machines). The installation/setup is actually quite simple. Here are some notes.
Update(20040708): The notes have been updated for OpenBSD 3.5.
1. My internal and external network interfaces are fxp0 and fxp1, respectively. Note that after PPPoE is done, fxp1 will be represented by tun0.
2. Follow this to install OpenBSD 3.5 and configure the internal interface during the installation. After the installation, modify configuration files as follows.
Note: Section 4.5.2 of the installation guide says "It is important that the first partition skips the first track of the disk, in this case, starting on sector 63". However, I'm using the first partition for OpenBSD, and I had to make the partition start on sector 0 (otherwise, it seems that the bootloader won't be installed correctly). Of course, YMMV.
3. /etc/rc.conf: make sure "pf=NO" (will start pf after the DSL link is up).
4. /etc/rc.local: put the following lines at the end to bring up the external interface and start ppp.
/sbin/ifconfig fxp1 up
/usr/sbin/ppp -ddial pppoe
5. /etc/sysctl.conf: make sure "net.inet.ip.forwarding=1" (enable IP forwarding).
6. My /etc/ppp/ppp.conf is as follows:
default:
set log Phase Chat LCP IPCP CCP tun command
set timeout 0
set redial 15 0
set reconnect 15 10000
set server /var/run/ppp.sock "" 0177
pppoe:
set device "!/usr/sbin/pppoe -i fxp1"
set mtu max 1492
set mru max 1492
set speed sync
enable lqr
disable acfcomp protocomp
deny acfcomp
add! default HISADDR
set authname
set authkey
Note: you can remove "LCP" from the first line of "default" if it's generating too many log messages.
7. My /etc/ppp/ppp.linkup is as follows:
MYADDR:
! sh -c "/sbin/pfctl -e -f /etc/pf.conf"
This will start pf after the link is up.
8. Finally, the NAT/firewall rules are specified in /etc/pf.conf (for more information about the rules, see here):
ext_if="tun0"
int_if="fxp0"
internal_net="192.168.0.0/24"
scrub in all
# for NAT
nat on $ext_if from $internal_net to any -> ($ext_if)
# for firewall
block in all
block out all
pass quick on lo0 all
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if from $internal_net to any
pass out on $int_if from any to $internal_net
These are based on several online documents I've read. Please let me know if you find something I missed. Thanks!