First, confirm the current kernel version:

root@test:/etc # uname -a
FreeBSD test.sinomatrix.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243826: Tue Dec  4 06:55:39 UTC 2012     root@obrian.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  i386

root@test:/etc # date
Fri Jun  7 15:55:16 CST 2013

Confirm the system time as well; if ntp is working properly, this time is correct.

Important: when rebuilding the kernel and changing firewall rules, work at the console if at all possible, or at least stay close to the machine, so that you do not lose control of the console if something fails.


1. Add the firewall settings to the GENERIC config currently in use. You can also comment out unneeded options or drivers with #, which makes the build much faster.

That said, from the several builds I have actually done: adding the firewall settings is fine, but commenting out drivers I thought were unused sometimes broke the build. If you want to play it safe, just add what you need and leave the rest alone.

root@test:/etc # cd /sys/i386/conf
root@test:/sys/i386/conf # cp GENERIC newkernel
root@test:/sys/i386/conf # vi newkernel

Change:
ident           newkernel

Add:
# ----- Firewall Settings ----- #
options IPFIREWALL
options IPDIVERT                        # for NAT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD              # for the ipfw fwd action (IP forwarding)
options DUMMYNET                        # use pipes to limit bandwidth
# ----- END ----- #

newkernel: 371 lines, 14817 characters.

Save and exit.


2. Build the new kernel newkernel:

root@test:/sys/i386/conf # config newkernel
Kernel build directory is ../compile/newkernel
Don't forget to do ``make cleandepend && make depend''

root@test:/sys/i386/conf # cd ../compile/newkernel/
root@test:/sys/i386/compile/newkernel # make cleandepend && make depend
............................................

modules/zlib/../../net/zlib.c

root@test:/sys/i386/compile/newkernel # make     (this step takes a while)
..........................................
objcopy --only-keep-debug zlib.ko.debug zlib.ko.symbols
objcopy --strip-debug --add-gnu-debuglink=zlib.ko.symbols zlib.ko.debug zlib.ko

root@test:/sys/i386/compile/newkernel # make install
..........................
kldxref /boot/kernel

root@test:/sys/i386/compile/newkernel # reboot

How long this takes depends on the machine; my old box needed about 45 minutes.


3. Because the firewall options were added to the kernel, the firewall rules now need to be added:

Add the ipfw rules:

# cd /etc
# vi rc.firewall

/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via fxp0   # fxp0 is the external-facing NIC
/sbin/ipfw add allow icmp from any to any icmptypes 0,8,11
/sbin/ipfw add deny icmp from any to any
/sbin/ipfw add pass all from 192.168.0/16 to me 21
/sbin/ipfw add drop tcp from any to me 21
/sbin/ipfw add pass all from any to any

After updating the rules, remember to enable the firewall in rc.conf so that they are loaded.


4. Besides adding the firewall rules, remember to edit /etc/hosts.allow as well, otherwise you will not be able to connect remotely.


root@test: /# vi /etc/hosts.allow

# Start by allowing everything (this prevents the rest of the file
# from working, so remove it when you need protection).
# The rules here work on a "First match wins" basis.
#ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# ------ SSH Allow Hosts list ----- #
sshd : 1.2.3.5 : allow
sshd : 1.2.3.1 : allow
sshd : 192.168.0.0/24 : allow
# ------ End ----- #

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow

# Comment out next line if you build libwrap without IPv6 support.
ALL : [::1] : allow
#ALL : my.machine.example.com 192.0.2.35 : allow
All : test.com 192.168.0.0/24 : allow

# To use IPv6 addresses you must enclose them in []'s
#ALL : [fe80::%fxp0]/10 : allow
#ALL : [fe80::]/10 : deny
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
#ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
#exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
#exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
# (Since this is an RPC service, rpcbind needs to be considered)
#ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
#ftpd : ALL : allow
ftpd : 192.9.100.0/24 : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
ALL : ALL \
        : severity auth.info \
        : twist /bin/echo "You are not welcome to use %d from %h."

Save and exit.
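tcp_wrappers scans hosts.allow top to bottom and stops at the first line whose daemon list and client list both match, so the order of the lines above decides what is really granted. The following is an added example, not part of the original post: a small first-match evaluator in POSIX sh, with SAMPLE_ACCESS a constructed copy of the active IPv4 lines of the file above. The PARANOID and [::1] lines are left out because this offline evaluator does no DNS and no IPv6, and the spawn/twist options are reduced to "deny" (twist replaces the service, so the client gets nothing either way). The function names ip2int, prefix2mask, client_match and hosts_access are mine; on the host itself, tcpdmatch(8) is the authoritative check.

```shell
#!/bin/sh
# Added example, not from the original post: first-match-wins evaluation of
# "daemon : client : action" lines as tcp_wrappers does it.

# Constructed copy of the active IPv4 lines of the post's hosts.allow.
SAMPLE_ACCESS='sshd : 1.2.3.5 : allow
sshd : 1.2.3.1 : allow
sshd : 192.168.0.0/24 : allow
ALL : localhost 127.0.0.1 : allow
ALL : test.com 192.168.0.0/24 : allow
sendmail : localhost : allow
sendmail : ALL : allow
rpcbind : ALL : deny
ypserv : ALL : deny
ftpd : localhost : allow
ftpd : 192.9.100.0/24 : allow
fingerd : ALL : deny
ALL : ALL : deny'

# ip2int A.B.C.D: dotted quad as an integer (subshell body keeps the IFS change local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
)

# prefix2mask N: integer netmask for a /N prefix length (needs a 64-bit shell arithmetic).
prefix2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# client_match PATTERN IP: succeeds when PATTERN covers IP. Handles ALL, a bare
# address, net/prefixlen and net/dotted-mask. Hostname and .domain patterns
# need reverse DNS, which this offline evaluator does not do, so they never match.
client_match() {
    pat=$1 ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=${pat%/*} m=${pat#*/}
            case $m in *.*) mask=$(ip2int "$m") ;; *) mask=$(prefix2mask "$m") ;; esac
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *[!0-9.]*) return 1 ;;
        *) [ "$pat" = "$ip" ] ;;
    esac
}

# hosts_access DAEMON IP RULES: print the action of the first line whose daemon
# list and client list both match. With no matching line at all, tcp_wrappers
# grants access, so the fallback is "allow".
hosts_access() {
    daemon=$1 ip=$2
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        dlist=${line%%:*}
        rest=${line#*:}
        clist=${rest%%:*}
        action=${rest#*:}
        for d in $dlist; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clist; do
                if client_match "$c" "$ip"; then
                    echo $action      # unquoted on purpose: strips the padding spaces
                    return 0
                fi
            done
        done
    done <<EOF
$3
EOF
    echo allow
}

# Sample queries. The last one is the instructive one: the LAN-wide
# "ALL : test.com 192.168.0.0/24 : allow" line sits above "rpcbind : ALL : deny",
# so rpcbind is reachable from the whole 192.168.0.0/24 despite that deny.
for q in 'sshd 1.2.3.5' 'sshd 8.8.8.8' 'rpcbind 10.0.0.5' 'rpcbind 192.168.0.5'; do
    set -- $q
    echo "$1 from $2: $(hosts_access "$1" "$2" "$SAMPLE_ACCESS")"
done
```

To evaluate the real file, pass it in with `hosts_access sshd 192.168.0.5 "$(cat /etc/hosts.allow)"`; lines with continuation backslashes or spawn commands fall outside what this evaluator parses, which is why tcpdmatch(8) remains the tool to trust.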


5. Edit hosts and add the names of the commonly used servers.

root@test:/etc # vi hosts

::1                     localhost localhost.test.com
127.0.0.1               localhost localhost.test.com
1.2.3.4                  ns2 ns2.test.com
192.168.0.1             ns2 ns2.test.com
192.168.0.3             server3  server3.test.com
192.9.100.254           ns2 ns2.test.com


6. Enable NAT: this file is empty, but it must exist, otherwise natd will not start.
root@test:/etc # touch natd.conf  


7. Finally, remember to enable the firewall settings in /etc/rc.conf:
root@test:/etc # vi rc.conf
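Steps 3 and 7 both say to enable the firewall in rc.conf without showing the lines. As an added example (not from the original post), these are the rc.conf(5) settings that the setup described here needs; the knob names are the standard ones documented in rc.conf(5). natd_flags is an assumption: it is how the natd.conf created in step 6 would actually be handed to natd(8), since nothing else reads that file.

```sh
# /etc/rc.conf additions (added example; not from the original post)
gateway_enable="YES"                  # forward packets between interfaces (the box is a NAT gateway)
firewall_enable="YES"                 # run the firewall script at boot
firewall_script="/etc/rc.firewall"    # the default path; the post keeps its ipfw rules in this file
firewall_logging="YES"                # pairs with IPFIREWALL_VERBOSE in the kernel config
natd_enable="YES"                     # start natd so the "divert natd" rule has a consumer
natd_interface="fxp0"                 # external-facing NIC, same as the divert rule's "via fxp0"
natd_flags="-f /etc/natd.conf"        # assumption: read the (empty) natd.conf from step 6
```

With IPFIREWALL_DEFAULT_TO_ACCEPT compiled in, a firewall script that fails to load leaves the box open rather than locked out; that is what makes the console advice at the top of the post a convenience here rather than a necessity, and it is also why the loaded ruleset should be checked with ipfw list after every boot.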


8. Reboot:
root@test:/etc # reboot


9. Check:

Check the version; you can see that the kernel has been replaced with the new one.

root@mail:/ # uname -a
FreeBSD ns2.test.com 9.1-RELEASE FreeBSD 9.1-RELEASE #0: Fri Jun  7 16:15:58 CST 2013     root@test.test.com:/sys/i386/compile/newkernel  i386

Check the firewall rules:

root@mail:/ # ipfw list
00100 divert 8668 ip from any to any via fxp0
00200 allow icmp from any to any icmptypes 0,8,11
00300 deny icmp from any to any
00400 allow ip from 192.168.0.0/16 to me dst-port 21
00500 deny tcp from any to me dst-port 21
00600 allow ip from any to any
65535 allow ip from any to any
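Two things in this listing are worth checking mechanically rather than by eye: ipfw stops at the first matching rule, so the port-21 deny at 00500 only works because it sits above the catch-all allow at 00600, and rule 65535 showing "allow" is the IPFIREWALL_DEFAULT_TO_ACCEPT option from the kernel config. The following is an added example, not part of the original post: a POSIX sh audit of an `ipfw list` dump. SAMPLE_RULES is a constructed copy of the listing above, and the function names rule_number, catchall_number, default_policy and deny_precedes_catchall are mine.

```shell
#!/bin/sh
# Added example, not from the original post: audit an `ipfw list` dump for
# rule-order and default-policy problems.

# Constructed copy of the post's final ruleset; on the box use "$(ipfw list)".
SAMPLE_RULES='00100 divert 8668 ip from any to any via fxp0
00200 allow icmp from any to any icmptypes 0,8,11
00300 deny icmp from any to any
00400 allow ip from 192.168.0.0/16 to me dst-port 21
00500 deny tcp from any to me dst-port 21
00600 allow ip from any to any
65535 allow ip from any to any'

# rule_number RULES REGEX: number of the first rule whose text matches REGEX
# (awk extended regex), printed without leading zeros; empty if none matches.
rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat { print $1 + 0; exit }'
}

# catchall_number RULES: number of the first unconditional "allow ip from any
# to any". Anything below 65535 means traffic never reaches the default rule,
# so the kernel's IPFIREWALL_DEFAULT_TO_ACCEPT choice no longer matters.
catchall_number() {
    rule_number "$1" 'allow ip from any to any$'
}

# default_policy RULES: action of rule 65535, i.e. what the kernel does with a
# packet that no explicit rule matched ("allow" with IPFIREWALL_DEFAULT_TO_ACCEPT).
default_policy() {
    printf '%s\n' "$1" | awk '$1 == "65535" { print $2; exit }'
}

# deny_precedes_catchall RULES: succeeds when the port-21 deny is evaluated
# before the catch-all. A deny placed after "allow ip from any to any" is dead.
deny_precedes_catchall() {
    deny=$(rule_number "$1" 'deny tcp from any to me dst-port 21')
    catchall=$(catchall_number "$1")
    [ -n "$deny" ] && [ -n "$catchall" ] && [ "$deny" -lt "$catchall" ]
}

# Run the audit on the sample when executed directly.
printf 'catch-all allow at rule %s; default policy at 65535 is %s\n' \
    "$(catchall_number "$SAMPLE_RULES")" "$(default_policy "$SAMPLE_RULES")"
if deny_precedes_catchall "$SAMPLE_RULES"; then
    echo 'port 21 deny is reachable'
else
    echo 'port 21 deny is shadowed by the catch-all allow'
fi
```

On the sample this reports the catch-all at rule 600 with default policy allow, and the port-21 deny as reachable. Swapping 00500 and 00600 in the rules file would silently turn the FTP restriction off; the audit catches that ordering mistake before a reboot does.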

Kernel build done, firewall done.


Posted by 貓熊麗麗 on 痞客邦 PIXNET