1, cd /usr/ports/www/oops/
make config Ñ¡ÖÐ
[X] DB4 Berkeley DB v4 storage
make install clean
2, ÐÞ¸Ä/usr/local/etc/oops/oops.cfg
3£¬cd /usr/local/sbin/
oops -z -c /usr/local/etc/oops/oops.cfg £¨´´½¨Æä´ÅÅ̸ßËÙ»º´æ£©
4£¬vi /etc/rc.conf¼ÓÈëoops_enable="yes"
5£¬reboot
more /etc/rc.conf
defaultrouter="218.75.x.x"
gateway_enable="YES"
hostname="firewall.test.com"
ifconfig_fxp0="inet 218.75.y.y netmask 255.255.255.128"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.192"
ifconfig_fxp1_alias0="inet 192.168.1.62 netmask 255.255.255.192"
ifconfig_fxp1_alias1="inet 192.168.2.62 netmask 255.255.255.192"
ifconfig_fxp1_alias2="inet 192.168.3.62 netmask 255.255.255.192"
sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sendmail_enable="NONE"
ntpdate_enable="YES" # Run ntpdate to sync time on boot (or NO).
ntpdate_flags="207.46.232.189" # time.windows.com
oops_enable="yes"
more /etc/pf.conf
#firewall by tds 20050601
#macros
wanif="fxp0"
lanif="fxp1"
oops="127.0.0.1"
tcpsrv="{22,113}"
lan0="{192.168.0.0/26}"
lan1="{192.168.2.0/26}"
lan3="{192.168.3.0/26}"
lan4="{192.168.1.0/26}"
ftpsrv="192.168.0.8"
bt1="192.168.0.38"
bt2="192.168.0.39"
noroute="{127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"
#options
set block-policy return
set loginterface $wanif
set optimization aggressive
#scrub
scrub in all
#nat and rdr
nat on $wanif from $lan0 to any -> $wanif
nat on $wa nif from $lan1 to any -> $wanif
nat on $wanif from $lan3 to any -> $wanif
nat on $wanif from $lan4 to any -> $wanif
rdr on $lanif proto tcp from any to any port 80 -> $oops port 3128
rdr on $wanif proto tcp from any to any port 21 -> $ftpsrv
rdr on $wanif proto tcp from any to any port 18888 -> $bt2
rdr on $wanif proto tcp from any to any port 4662 -> $bt2
rdr on $wanif proto udp from any to any port 4672 -> $bt2
rdr on $wanif proto tcp from any to any port 3389 -> $bt2
rdr on $wanif proto tcp from any to any port 3388 -> $bt1 port 3389
#filter rules
block all
block drop in quick on $wanif from $noroute
block drop out quick on $wanif from any to $noroute
block drop out quick on $wanif from any to 202.103.67.53
pass quick on lo0 all
pass in quick on $lanif from $lanif:network to any keep state
pass out quick on $lanif from any to $lanif:network keep state
pass in quick on $wanif proto tcp from an y to $wanif port $tcpsrv flags S/SA keep state
pass in quick on $wanif proto tcp from any to $ftpsrv port 21 flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt2 port {3389,4662,18888} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt1 port 3389 flags S/SA keep state
pass in quick on $wanif proto udp from any to $bt2 port 4672 keep state
pass out on $wanif proto tcp all flags S/SA keep state
pass out on $wanif proto {udp,icmp} all keep state&n bsp;
more /usr/local/etc/oops/oops.cfg
Ö»¼Ç¼Ð޸IJ¿·Ö
nameserver 127.0.0.1
nameserver 220.168.208.3
nameserver 220.168.208.6
http_port 3128
#icp_port 3130
userid oops
logfile /var/log/oops/oops.log { 3 1m } unbuffered
accesslog /var/log/oops/access.log { 3 1m } unbuffered
pidfile /var/run/oops/oops.pid
statistics /var/run/oops/oops_statfile
mem_max 128m
lo_mark 80m
disk-low-free 3
disk-ok-free 5
force_http11
force_completion 85
maxresident 1m
insert_x_forwarded_for no
insert_via no
always_check_freshness
group mynet {
##
# You can describe group ip adresses here, or using src_ip acl's
# with networks_acl directive.
# networks_acl always have higher preference (checked first) and
# are checked in the order of appearance.
# If host wil not fall in any networks_acl - we check in networks.
# networks are ordered by masklen - longest masks(most specific networks)
# are checked first.
##
networks 192.168/16 127/8 ;
redir_mods transparent;£¨Ìí¼Ó´ËÐÐʵÏÖ͸Ã÷´úÀí£©
# networks_acl LOCAL_NETWORKS !BAD_NETWORKS ;
badports [0:79],110,138,139,513,[6000:6010] ;
miss allow;
module&nb sp;transparent { £¨ÊµÏÖ͸Ã÷´úÀí£©
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
myport 3128
# broken_browsers MSIE
}
storage {
path /usr/local/oops/storages/oops_storage ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files
size 200m ; £¨´ÅÅ̸ßËÙ»º´æ£©
¸ßÐÔÄÜ¡¢¶àÏ̵߳ĸßËÙWeb´úÀí·þÎñÆ÷--OOPS!
| ×ÔÓɹã¸æÇø |
| ¡¡ |