2009年9月29日 星期二

FreeBSD Server 架站筆記


以下內容從網路上轉載

很久沒寫文件了,今天搞定了家裡自己用的 mail server,加上一些自己想要弄的東西,作個筆記好了。這台機器的任務很多,NAT、firewall、web、email、web mail 都在同一台,請斟酌參考。
採用www.ns2go.com所提供的動態dns來處理


01.安裝FreeBSD 5.0
這邊採用 UFS2,並且啟用 acls;不過這裡少做了 tunefs,所以 acls 並沒有完全啟用。
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b none swap sw 0 0
/dev/ad0s1a / ufs rw,acls 1 1
/dev/ad0s1g /home ufs rw,acls 2 2
/dev/ad0s1f /root ufs rw,acls 2 2
/dev/ad0s1e /tmp ufs rw,acls 2 2
/dev/ad0s1h /usr ufs rw,acls 2 2
/dev/ad0s1d /var ufs rw,acls 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0

02./etc/rc.conf
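# /etc/rc.conf -- boot-time service and network configuration for this host.
# Securelevel 3 is raised at boot; it blocks changes to system-immutable files
# (and, at this level, to the packet filter rules), which is why step 14 has it
# commented out while world/kernel are rebuilt and restored afterwards.
kern_securelevel_enable="YES"
kern_securelevel="3"
nfs_reserved_port_only="NONE"
inetd_enable="NO"
network_interfaces="auto"
# rl0 only carries the PPPoE session (ppp.conf: "set device PPPoE:rl0:");
# 10.0.0.1 appears to be a placeholder address and ARP is disabled on it.
ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0 -arp up"
# rl1 is the inside (LAN) interface.
ifconfig_rl1="inet 192.168.1.254 netmask 255.255.255.0 up"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="pppoe"
defaultrouter="10.0.0.1"
gateway_enable="YES"
# Fixed: the rc variable is syslogd_flags (plural). The misspelt "syslogd_flag"
# was ignored, so the default flags from /etc/defaults/rc.conf applied instead;
# -ss keeps syslogd from opening its network socket at all.
syslogd_flags="-ss"
# ipfw stays off; ipfilter (ipf/ipmon/ipnat) does the filtering and NAT.
firewall_enable="NO"
ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
icmp_redirects_drop="YES"
icmp_log_redirect="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="NO"
hostname="damon.ns2go.com"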

03./etc/resolv.conf
nameserver 168.95.192.1
nameserver 168.95.1.1

04./etc/csh.cshrc
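# /etc/csh.cshrc -- system-wide csh/tcsh environment, aliases, prompt and path.
setenv EDITOR joe
setenv ENABLE_STARTUP_LOCALE zh_TW.Big5
# NOTE(review): LC_CTYPE is a Latin-1 locale while LANG is zh_TW.Big5; confirm
# this mismatch is intentional.
setenv LC_CTYPE is_IS.ISO_8859-1
setenv LANG zh_TW.Big5
setenv PAGER more
setenv BLOCKSIZE K

alias h history 25
alias j jobs -l
alias la ls -a
alias lf ls -FA
alias ll ls -lA
alias telnet telnet -8
# gnuls is installed in step 14 (misc/gnuls, built with ACL support).
alias ls gnuls --color=auto --show-control-chars

set prompt = "%B%m[%/]-%n->"

# Fixed: /usr/local/sbin was listed twice in the original path.
set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin $HOME/bin)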

05./etc/csh.login

06./etc/ipf.rules
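########################################################################
#Outside Interface (tun0 = the PPPoE session created by ppp.conf)
########################################################################
########################################################################
#Allow out all TCP , UDP and ICMP traffic & keep state
#on it , so that it's allowed back in.
########################################################################
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
block out quick on tun0 all
########################################################################
#Allow some services here: web (80), ssh (22, from one admin host
#only) and smtp (25).  All three are TCP services and nothing in these
#notes listens on UDP at those ports, so the "proto udp" pass rules the
#original listing had for 80/22/25 were dropped: they only widened the
#exposed surface.
########################################################################
pass in quick on tun0 proto tcp from any to any port = 80 keep state
pass in quick on tun0 proto tcp from 203.73.246.97 to any port = 22 keep state
pass in quick on tun0 proto tcp from any to any port = 25 keep state
########################################################################
#Block and log all remaining traffic coming into the firewall
#-Block TCP with a RST (to make it appear as if the service
#isn't listening)
#Block UDP with an ICMP port unreachable (to make it appear
#as if the service isn't listening)
#Block all remaining traffic the good 'ol fashioned way
########################################################################
block return-rst in log quick on tun0 proto tcp from any to any
#Fixed: a space was missing between "(port-unr)" and "in".
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
########################################################################
#Inside Interface
########################################################################
########################################################################
#Allow in all TCP , UDP and ICMP traffic & keep state
########################################################################
pass in quick on rl1 proto tcp from any to any keep state
pass in quick on rl1 proto udp from any to any keep state
pass in quick on rl1 proto icmp from any to any keep state
#Fixed: "n rl1" -> "on rl1"; the typo made this rule unparsable.
block in quick on rl1 all
########################################################################
#Loopback Interface
########################################################################
########################################################################
#Allow everything to/from your loopback interface so you
#can ping yourself (e.g. ping localhost)
########################################################################
pass in quick on lo0 all
pass out quick on lo0 all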

07./etc/ipnat.rules
# NOTE(review): the ipf rules above treat tun0 (the PPPoE session) as the
# outside interface, while this map is bound to rl0, the Ethernet port that
# carries PPPoE (ppp.conf: "set device PPPoE:rl0:"); confirm the interface
# name here.  Presumably ipnat masks the address with /24, so the source
# matches the whole 192.168.1.0/24 LAN rather than .254 alone -- verify.
map rl0 192.168.1.254/24 -> 0/32

08./etc/ppp/ppp.conf
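# /etc/ppp/ppp.conf -- PPPoE dial profile.  In ppp(8) a line starting in
# column 1 is a label and the commands under it must be indented; the listing
# had lost that indentation, so it is restored here.
default:
 set log Phase Chat LCP IPCP CCP tun command
 set redial 15 28800
 set reconnect 12 28800

pppoe:
 # rl0 is the Ethernet port carrying the PPPoE session; the IP session itself
 # comes up on tun0, which the ipf rules use as the outside interface.
 set device PPPoE:rl0:
 set mru 1492
 set mtu 1492
 set speed sync
 enable lqr
 set lqrperiod 5
 set cd 5
 set dial
 set login
 set timeout 0
 # Account credentials (placeholders shown).  authkey is a secret: keep this
 # file readable only by root.
 set authname xxxxxxx@hinet.net
 set authkey yyyyyyyyy
 set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
 add default HISADDR
 enable dns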

09.setup ns2go client for FreeBSD
# Fetch and unpack the ns2go dynamic-DNS client, then run its configurator.
# The archive is pulled over plain HTTP and its contents are executed as root;
# these notes carry no checksum or signature for it, so verify the download
# against a vendor-published checksum before extracting it.
fetch http://www.ns2go.com/ns2goc_unix.tgz
mv ns2goc_unix.tgz /usr/local/
cd /usr/local/
tar -zxvf ns2goc_unix.tgz
cd ns2goc/bin/
# -c presumably starts the interactive configuration (the notes say to follow
# the prompts; an account at ns2go.com is needed first).
./ns2goc.pl -c
跟著說明做就好,當然要先在 http://www.ns2go.com/ 註冊帳號跟密碼。

10.crontab
#minute hour mday month wday who command
# Run the ns2go updater every five minutes as root. Only stdout is discarded;
# anything written to stderr still goes out in cron's mail, so failures are
# not silently lost.
*/5 * * * * root /usr/local/ns2goc/bin/ns2goc.pl > /dev/null

11./etc/syslog.conf,加入firewall的log設定
local0.* /var/log/firewall.log

12./etc/newsyslog.conf,加入firewall的log設定
/var/log/firewall.log root:wheel 600 7 100 * J

13.重新開機,開機過程中有關於 ipfilter 的錯誤先不管它(kernel 要到第 14 步才加入 IPFILTER 選項)

14.現在應該已經順利的連上網路了,開始安裝所需要的東西
cd /usr/ports/net/cvsup-without-gui/
make install clean;rehash
cd /usr/ports/
fetch ftp://freebsd.csie.nctu.edu.tw/pub/CVSup/cvsupfile-ports
cd /usr/src/
fetch ftp://freebsd.csie.nctu.edu.tw/pub/CVSup/cvsupfile-stable
ee cvsupfile-stable,在這邊要注意的是,現在最好還是用 RELENG_5_0;用 tag=. 跑 current 是在考驗自己的運氣,最好不要。
*default release=cvs tag=RELENG_5_0
cd /usr/src/
cvsup cvsupfile-stable
cd /usr/ports/
cvsup cvsupfile-ports
cd /usr/ports/chinese/joe/
make install clean
cd /usr/ports/misc/gnuls/
make WITH_ACL_SUPPORT=yes install clean
cd /usr/src/sys/i386/conf/
cp GENERIC FreeBSD
ee FreeBSD,這一步的重點是加入 firewall 的功能,順便把一些自己沒有的東西都拿掉
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK

options TCP_DROP_SYNFIN

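cd /usr/src/
# Fixed: joined with && instead of ";" so the kernel is not built (and later
# installed) on top of a failed buildworld.
make buildworld && make buildkernel KERNCONF=FreeBSD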
做完這兩步,先把 /etc/rc.conf 裡面有關 kern_securelevel 的設定註解起來,並重新開機
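cd /usr/src/
# Fixed: joined with && instead of ";" so installworld and mergemaster do not
# run after a failed installkernel, which could leave world and kernel
# mismatched.
make installkernel KERNCONF=FreeBSD && make installworld && mergemaster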
這些做完之後,把 /etc/rc.conf 裡的設定復原,並重新開機。

15.設定sendmail
cd /etc/mail/
touch local-host-names
ee local-host-names,加入
damon.ns2go.com
cp access.sample access
ee access
修改成符合自己需求的網域設定,這邊只設定兩個:127.0.0.1 是給 web mail 用的,192.168.1 是給家裡內部網路用的
個人不喜歡用 SMTP AUTH,寧願用 web mail
127.0.0.1 RELAY
192.168.1 RELAY
cd /etc/mail/
make cf install
sh /etc/rc.sendmail start
重新啟動sendmail
http://www.abuse.net/relay.html
順便測試一下剛剛的設定是否有漏網之魚,不小心開了 open relay。
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                         

<gr_replace lines="256-256" cat="clarify" orig="在用瀏覽器">
再用瀏覽器打開 http://damon.ns2go.com/gallery/ ,跟著設定畫面走就可以了。設定完之後

16.安裝web server , mysql , mod_php4 , openwebmail , gallery
cd /usr/ports/www/apache13-modssl/
make install clean
cd /usr/ports/www/mod_php4/
make install clean
這邊把所需要用到的功能選取起來
cd /usr/ports/database/mysql323-server/
make install clean
cd /usr/ports/mail/openwebmail/
make WITH_SPEEDYCGI=yes install clean
cd /usr/ports/www/gallery/
make install clean
cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini
/usr/local/etc/rc.d/000.mysql-client.sh start
/usr/local/etc/rc.d/mysql-server.sh start
/usr/local/etc/rc.d/apache.sh start

17.修改mysql root密碼
rehash
# Set the MySQL root password ("yourpassword" is a placeholder). Passing it on
# the command line exposes it to other local users via ps(1) and leaves it in
# the shell history; prefer setting it interactively at the mysql prompt.
mysqladmin -u root password yourpassword
mysql -u root測試一下

18.設定一下openwebmail並改成中文版
domainnames damon.ns2go.com
default_language zh_TW.Big5

19.設定一下gallery
cd /usr/local/www/data/gallery/
sh configure.sh
在用瀏覽器打開http://damon.ns2go.com/gallery/再跟著設定畫面走就可以了,設定完之後
cd /usr/local/www/data/gallery/
sh secure.sh

20./usr/local/etc/pkgtools.conf
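# /usr/local/etc/pkgtools.conf (Ruby syntax, read by portupgrade).
# Fixed: the glob key was missing its closing quote, which is a syntax error
# and would have stopped pkgtools from loading this file.
MAKE_ARGS = {
  'databases/mysql323-*' => 'SKIP_INSTALL_DB=yes',
}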

21./etc/newsyslog.conf
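# /etc/newsyslog.conf additions.
# Fixed: "firewall.og" -> "firewall.log" so the rotation entry matches the file
# syslog.conf writes to (local0.* -> /var/log/firewall.log) and the entry
# added in step 12; the misspelt name would never have rotated anything.
/var/log/firewall.log root:wheel 600 7 100 * J
/var/log/httpd-access.log 644 7 100 24 B /var/run/httpd.pid 30
/var/log/httpd-error.log 644 7 100 24 B /var/run/httpd.pid 30
/var/log/openwebmail.log 600 7 100 24 B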
