Sunday, December 19, 2010

FreeBSD 5.4 + pf + squid reverse proxy hands-on notes

1. Hardware configuration: HP NetServer 800, P III 1000 CPU, 256M memory, two Intel 82559 network cards.

2. Partitioning:

   Filesystem     Size   Used  Avail  Capacity  Mounted on
   /dev/da0s1a    248M    54M   174M       24%  /
   devfs          1.0K   1.0K     0B      100%  /dev
   /dev/da0s1f    4.8G   130M   4.3G        3%  /home
   /dev/da0s1d    248M    12K   228M        0%  /tmp
   /dev/da0s1g    4.8G   565M   3.9G       12%  /usr
   /dev/da0s1e    5.8G   410K   5.3G        0%  /var

3. System installation: minimal installation plus the src and ports collections. (I originally intended to install from ports, but for some reason the cvs source fetch would not work, so nothing could be installed from ports; in desperation the only option left was compiling from source.)

4. Kernel compilation. No kernel optimization is done here; the point is only to verify that pf and squid can do a reverse proxy together. On a real production server the kernel should be tuned to a reasonable degree.

   cd /usr/src/sys/i386/conf, cp GENERIC cache, then edit the new kernel config file "cache" and add the following options:

   device pf
   device pflog
   device pfsync
   options ALTQ
   options ALTQ_CBQ

   Compile and install the kernel:

   /usr/sbin/config cache
   cd ../compile/cache
   make depend
   make
   make install
   reboot

   At this point the kernel compilation is complete.

5. Make the system load pf automatically by editing /etc/rc.conf:

   usbd_enable="NO"
   defaultrouter="218.4.xxx.xxx"
   hostname="cache.aaa.com"
   ifconfig_fxp0="inet 218.4.xxx.xxx netmask 255.255.255.248"
   ifconfig_fxp1="inet 192.168.2.10 netmask 255.255.255.0"
   gateway_enable="YES"
   inetd_enable="YES"
   pf_enable="YES"
   pf_rules="/etc/pf.conf"
   pf_flags=""
   pflog_enable="YES"
   pflog_logfile="/var/log/pflog"
   sshd_enable="YES"

6. Turn on IP forwarding by adding the following line to /etc/sysctl.conf:

   net.inet.ip.forwarding=1

7. Shared Internet access, the simplest pf setup (/etc/pf.conf):

   wan_if="fxp0"
   lan_if="fxp1"
   inter_net="192.168.2.0/24"
   web_server="192.168.2.3"
   ftp_server="192.168.2.3"

   scrub in all

   nat on $wan_if from $inter_net to any -> fxp0

   rdr on fxp1 proto tcp from $lan_if to any port 80 -> $lan_if port 80
   rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
   # rdr on fxp0 proto tcp from any to $wan_if port 80 -> $web_server port 8080
   # rdr on fxp1 proto tcp from $lan_if to $wan_if port 80 -> $web_server port 8080
   rdr on $wan_if proto tcp from any to any port 21 -> $ftp_server port 21
   rdr on $wan_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535

   # in on $wan_if
   pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
   pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state

   # out on $lan_if
   pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
   pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state

   # Disable dangerous ports
   # Danger_Port="{ 445, 135, 139, 593, 5554, 9995, 9996 }"
   # block quick on $wan_if inet proto tcp from any to any port $Danger_Port
   # block quick on $wan_if inet proto tcp from any to any port $Danger_Port

   pass in all
   pass out all
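The ruleset above ends with "pass in all" / "pass out all", so the only rules that actually decide anything are the quick ones placed before them; a block rule that is uncommented but loses its "quick" keyword would be silently overridden by the final pass. The following Python model of pf's filter evaluation (last matching rule wins, unless a matching rule is quick) makes that visible. It is an added illustration, not tooling from the original notes: the pass/block lines are transcribed from the pf.conf above (nat/rdr lines are left out because filtering sees the packet after translation), and the sample packets plus the 198.51.100.10 stand-in for the redacted 218.4.xxx.xxx address are constructed for the demo.

```python
"""Model of pf filter-rule evaluation over the pass/block rules from the notes above.  Added example,
not the notes' own tooling: rule text is transcribed from the notes' pf.conf (nat/rdr lines omitted, as
filtering sees the post-translation packet); packets and the 198.51.100.10 stand-in for 218.4.xxx.xxx are constructed."""
import ipaddress
import re

RULES_TEXT = """\
wan_if="fxp0"
lan_if="fxp1"
ftp_server="192.168.2.3"
Danger_Port="{ 445, 135, 139, 593, 5554, 9995, 9996 }"
pass in quick on $wan_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $wan_if proto tcp from any to $ftp_server port > 49151 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port 21 keep state
pass out quick on $lan_if proto tcp from any to $ftp_server port > 49151 keep state
# block quick on $wan_if inet proto tcp from any to any port $Danger_Port
pass in all
pass out all
"""

def _parse_port(t, i):
    """Port spec at t[i]: N, '> N' or '{ N, N, ... }'; returns (spec, index after it)."""
    if t[i].startswith("{"):
        j = i
        while not t[j].endswith("}"):
            j += 1
        return ("in", {int(n) for n in re.findall(r"\d+", " ".join(t[i:j + 1]))}), j + 1
    if t[i] in (">", "<", ">=", "<="):
        return (t[i], int(t[i + 1])), i + 2
    return ("=", int(t[i])), i + 1

def _parse_rule(line):
    t = line.split()
    r = {"text": line, "action": t[0], "dir": None, "quick": False, "iface": None,
         "proto": None, "src": "any", "dst": "any", "dport": None}
    i = 1
    while i < len(t):  # 'all', 'inet', 'keep', 'state' need no handling in this model
        tok = t[i]
        if tok in ("in", "out"):
            r["dir"] = tok
        elif tok == "quick":
            r["quick"] = True
        elif tok in ("on", "proto", "from", "to"):
            r[{"on": "iface", "proto": "proto", "from": "src", "to": "dst"}[tok]] = t[i + 1]
            i += 1
        elif tok == "port":  # only destination ports occur in the notes' rules
            r["dport"], i = _parse_port(t, i + 1)
            continue
        i += 1
    return r

def parse_rules(text, enable_comments=False):
    """Expand $macros and parse the pass/block lines; enable_comments=True also activates
    the rule the notes keep commented out (the Danger_Port block)."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.lstrip("# ").strip() if enable_comments else raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(_parse_rule(re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)))
    return rules

def _port_match(spec, port):
    if spec is None:
        return True
    op, val = spec
    if op == "in":
        return port in val
    return {"=": port == val, ">": port > val, "<": port < val, ">=": port >= val, "<=": port <= val}[op]

def rule_matches(r, pkt):
    def addr_ok(spec, ip):
        return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return ((r["dir"] is None or r["dir"] == pkt["dir"])
            and (r["iface"] is None or r["iface"] == pkt["iface"])
            and (r["proto"] is None or r["proto"] == pkt["proto"])
            and addr_ok(r["src"], pkt["src"]) and addr_ok(r["dst"], pkt["dst"])
            and _port_match(r["dport"], pkt["dport"]))

def evaluate(rules, pkt):
    """pf filter semantics: the LAST matching rule decides, except that a matching
    'quick' rule ends evaluation at once; with no match at all the packet passes."""
    decision, winner = "pass", None
    for r in rules:
        if rule_matches(r, pkt):
            decision, winner = r["action"], r["text"]
            if r["quick"]:
                break
    return decision, winner

FTP_IN = {"dir": "in", "iface": "fxp0", "proto": "tcp", "src": "203.0.113.7", "dst": "192.168.2.3", "dport": 21}  # constructed, after rdr
SMB_IN = {"dir": "in", "iface": "fxp0", "proto": "tcp", "src": "203.0.113.7", "dst": "198.51.100.10", "dport": 445}  # constructed

if __name__ == "__main__":
    print("TCP/445 from Internet, ruleset as written:", evaluate(parse_rules(RULES_TEXT), SMB_IN))
    print("TCP/445, Danger_Port block enabled:", evaluate(parse_rules(RULES_TEXT, True), SMB_IN))
    print("TCP/445, block enabled without 'quick':", evaluate(parse_rules(RULES_TEXT.replace("# block quick", "block")), SMB_IN))
```

Run as written, the ruleset passes the TCP/445 packet via "pass in all"; with the commented Danger_Port block enabled it is blocked, because the rule is quick and sits before the catch-all pass; with the same block rule but without "quick" the packet passes again, since "pass in all" is the last match. The check to carry over to a real box is simply that every intended block rule either carries "quick" or comes after the permissive defaults.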
