#cp
/usr/src/sys/i386/conf/GENERIC/etc/NEWNAT
#cd /usr/src/sys/i386/conf/
#ln -s /etc/NEWNAT
#vi /usr/src/sys/i386/conf/NEWNAT
options IPDIVERT
options IPFIREWALL
options DUMMYNET
#config NEWNAT # config
完成後系統會提醒你記得更換路徑去make
#cd ../../compile/NEWNAT
#make depend all install
#make clean #
清除make後所建的檔案
Setp
2.
設定 rc.conf #vi
/etc/rc.conf
defaultrouter="203.107.34.30"
hostname="nat.ntut.idv.tw"
ifconfig_ed1="inet 203.107.34.3
netmask 255.255.255.224"
ifconfig_ed1_alias0="inet
203.107.34.4 netmask 255.255.255.255"
ifconfig_ed1_alias1="inet
203.107.34.5 netmask 255.255.255.255"
ifconfig_ed1_alias2="inet
203.107.34.6 netmask 255.255.255.255"
ifconfig_ed2="inet 10.254.10.254
netmask 255.255.255.0"
ifconfig_ed3="inet 192.168.10.254
netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
gateway_enable="YES"
sendmail_enable="NONE"
natd_enable="YES"
natd_interface="ed1"
natd_flags="-f /etc/natd.conf"
ed1 為對外的網卡為《 真實 IP 》ed2 和 ed3 是對內的網卡為《 虛擬 IP 》,其
實對內一片網卡就夠用了,可是後來考慮到 security 的問題,所以將內網切開為兩段,ed2 的 10.254.10.0/24 這段IP
,是給內部員工使用,也就是我們要做頻寬限制的這一段IP,ed3 的192.168.10.0/24 這段IP,則是給我的所有 Server
Group 使用的 IP,加入以上設定後可用 #/etc/netstart 讓
rc.conf 的設定檔重新 run 一次,新加入的設定值就會寫進去系統了。
Setp
3.
設定 natd.conf
#vi /etc/natd.conf 加入設定範例如下
(可將你內部的
Private IP 對應到 Real IP)
redirect_port tcp
192.168.10.1:21:80 203.107.34.4:21:80
redirect_address 192.168.10.2
203.107.34.5 -interface ed1
以上的設定檔可以 #man
natd 參考如何設定
Setp
4.
設定 rc.firewall
先將原本的rc.firewall copy 備份下來為rc.firewall.backup
#true > rc.firewall
(清掉rc.firewall裡所有的設定檔)
#vi rc.firewall
(編輯rc.firewall的rule如下)
#!/bin/sh
#delete all rule
/sbin/ipfw -f flush
#define NAT pass to ed1
/sbin/ipfw add divert natd all
from any to any via ed1
#internal transfer
/sbin/ipfw add 1100 pass all from
10.254.10.0/24 to 203.107.34.3/32
/sbin/ipfw add 1101 pass all from
203.107.34.3/32 to 10.254.10.0/24
/sbin/ipfw add 1102 pass all from
203.107.34.3/32 to 203.107.34.3/32
/sbin/ipfw add 1103 pass all from
10.254.10.0/24 to 10.254.10.0/24
#icmp
/sbin/ipfw add 1200 pass icmp from
any to any
#dns
/sbin/ipfw add 1300 pass tcp from
any to any domain
/sbin/ipfw add 1301 pass tcp from
any domain to any
/sbin/ipfw add 1302 pass udp from
any to any domain
/sbin/ipfw add 1303 pass udp from
any domain to any
#telnet out
/sbin/ipfw add 1400 pass tcp from
any to any telnet
#telnet in
/sbin/ipfw add 1500 pass tcp from
any telnet to any
#www out
/sbin/ipfw add 1600 pipe 1 tcp
from 203.107.34.3/32 to any www
/sbin/ipfw add 1601 pipe 1 tcp
from 10.254.10.0/24 to any www
#www in
/sbin/ipfw add 1700 pipe 1 tcp
from any www to 10.254.10.0/24
/sbin/ipfw add 1701 pipe 1 tcp
from any www to 203.107.34.3/32
#ftp out
/sbin/ipfw add 1800 pipe 1 tcp
from 203.107.34.3/32 to any ftp-data-ftp
/sbin/ipfw add 1801 pipe 1 tcp
from 10.254.10.0/24 to any ftp-data-ftp
#ftp in
/sbin/ipfw add 1900 pipe 1 tcp
from any ftp-data-ftp to 203.107.34.4/32
/sbin/ipfw add 1901 pipe 1 tcp
from any ftp-data-ftp to 10.254.10.0/24
#mail
/sbin/ipfw add 2000 pass tcp from
any to any 25
/sbin/ipfw add 2001 pass tcp from
any 25 to any
/sbin/ipfw add 2002 pass tcp from
any to any 995
/sbin/ipfw add 2003 pass tcp from
any 995 to any
#bandwidth
/sbin/ipfw pipe 1 config bw
400Kbit/s queue 80Kbytes
#192.168.10.0/24
/sbin/ipfw add 65000 pass all from
192.168.10.0/24 to any
/sbin/ipfw add 65100 pass all from
any to 192.168.10.0/24
/sbin/ipfw add 65200 pass all from
203.107.34.4/32 to any
/sbin/ipfw add 65300 pass all from
any to 203.107.34.4/32
To Add :
FreeBSD 的 Firewall 預設 rule 有這個 rule --> 65535 deny ip from any to
any ,所以會將所有的東西都 DENY 掉因此它是放在最後 65535 。流量控制是透過pipe 控制的,而10.254.10.0/24
這段 IP 的流量進出受限在400kbit ,而192.168.10.0/24 這段Server Group 的 IP則不做任何流量控制。
#ipfw list
# 可看firewal的所有rule
#ipfw pipe list #
可看pipe的設定
#ipfw delete
"rule編號" # 可殺掉一個rule