Author: sumrin [sumrin], forum user
cd /usr/ports/net/mpd5
make
make install

If make install fails with

"/usr/share/mk/bsd.kmod.mk", line 12: "can't find kernel source tree"

the sys and base source distributions are not installed. Fix: run "sysinstall" as root, choose "Configure", then "Distributions", then "src", then "base" and "sys".

To enable mpd5, add the following line:

mpd_enable="YES"

Configuring the mpd PPTP VPN

Copy the default mpd.conf configuration file:

cd /usr/local/etc/mpd5/
cp mpd.conf.sample mpd.conf

Edit the three sections startup:, default: and pptp_server: in mpd.conf. Leave the rest alone and do not delete it: the default: label selects which sections are actually loaded, so the other sections have no effect. The three sections follow; the places that need changing are marked with my comments (###).

startup:
	# configure mpd users
	set user admin password   ### the mpd access account and password, required for telnet or web access
	#set user foo1 bar1
	# configure the console
	set console self 127.0.0.1 5005
	set console open
	# configure the web server
	set web self 0.0.0.0 5006
	set web open

# Default configuration is "dialup"
default:
	#load dialup
	load pptp_server   ### load the pptp_server section by default

pptp_server:
	# Mpd as a PPTP server compatible with Microsoft Dial-Up Networking clients.
	# Suppose you have a private Office LAN numbered 192.168.1.0/24 and the
	# machine running mpd is at 192.168.1.1, and also has an externally visible
	# IP address of 1.2.3.4.
	# We want to allow a client to connect to 1.2.3.4 from out on the Internet
	# via PPTP. We will assign that client the address 192.168.1.50 and proxy-ARP
	# for that address, so the virtual PPP link will be numbered 192.168.1.1 local
	# and 192.168.1.50 remote. From the client machine's perspective, it will
	# appear as if it is actually on the 192.168.1.0/24 network, even though in
	# reality it is somewhere far away out on the Internet.
	#
	# Our DNS server is at 192.168.1.3 and our NBNS (WINS server) is at 192.168.1.4.
	# If you don't have an NBNS server, leave that line out.
	# Define dynamic IP address pool.
	set ippool add pool1 172.16.0.100 172.16.0.199   ### the pool of IP addresses handed out to VPN clients
	# Create clonable bundle template named B
	create bundle template B
	set iface enable proxy-arp
	set iface idle 1800
	set iface enable tcpmssfix
	set ipcp yes vjcomp
	# Specify IP address pool for dynamic assignment.
	set ipcp ranges 172.16.0.1/32 ippool pool1   ### the gateway address given to VPN clients
	set ipcp dns 218.108.248.200   ### DNS server
	#set ipcp nbns 192.168.1.4   ### comment this out if you do not need WINS
	# The five lines below enable Microsoft Point-to-Point encryption
	# (MPPE) using the ng_mppc(8) netgraph node type.
	set bundle enable compression
	set ccp yes mppc
	set mppc yes e40
	set mppc yes e128
	set mppc yes stateless
	# Create clonable link template named L
	create link template L pptp
	# Set bundle template to use
	set link action bundle B
	# Multilink adds some overhead, but gives full 1500 MTU.
	set link enable multilink
	set link yes acfcomp protocomp
	set link no pap chap eap
	set link enable chap
	# We can use RADIUS authentication/accounting by including
	# another config section with label 'radius'.
	#load radius
	set link keep-alive 10 60
	# We reduce the link MTU to avoid GRE packet fragmentation.
	set link mtu 1460
	# Configure PPTP
	set pptp self 202.101.8.18   ### the IP address PPTP listens on, i.e. the IP address of your NIC
	# Allow to accept calls
	set link enable incoming

OK, that's all.

Starting mpd5

/usr/local/etc/rc.d/mpd5 start

Check whether mpd5 is running:

netstat -a

You should see output like

tcp4 0 0 vpn.server..pptp *.* LISTEN

which means PPTP has started normally.

Adding VPN accounts

Create the file /usr/local/etc/mpd5/mpd.secret and enter user names and passwords, one per line. Example:

vpn "123456"
test "123456"

You can then try logging in to the VPN server from Windows.

Enabling NAT

Another option is to open the default kernel configuration file /usr/src/sys/i386/conf and look for the IPFIREWALL option:

# grep IPFIREWALL /usr/src/sys/i386/conf

Step 2: build and install a custom kernel with IPFW

First copy the default kernel configuration:

# cd /usr/src/sys/i386/conf
# cp GENERIC IPFWKERNEL

Then add IPFW support:

# vi IPFWKERNEL

Add the following directives in the options section:

ident GENERIC   # you may change this to whatever kernel name you want
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_FORWARD
options DUMMYNET

Save and close the file. Build the kernel with the following commands:

# cd /usr/src
# make buildkernel KERNCONF=IPFWKERNEL

Install the new kernel:

# make installkernel KERNCONF=IPFWKERNEL

Now reboot the system. Once that is done the kernel build is complete.

Add the following lines to /etc/rc.conf:

gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="yes"
natd_interface="bge0"   # the NIC that holds the public IP; the same below

Start natd and make gateway_enable take effect:

/etc/rc.d/natd start
sysctl net.inet.ip.forwarding=1

Create the file ipfw.rules in /etc with the following content:

#!/bin/sh
IPFW="/sbin/ipfw -q"
$IPFW -f flush
$IPFW add 100 divert natd all from any to any via bge0
$IPFW add 200 allow all from any to any

Make ipfw.rules executable: chmod 755 ipfw.rules

To make the ipfw rules take effect, run the script: /etc/ipfw.rules

Afterwards, run ipfw show to check that the rules are loaded.

Normally the VPN is now up and can reach the outside network.
Original poster, posted: 12-04-29 15:38
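As an added example (not part of the post above and not mpd5's or FreeBSD's own code), the following Python script audits the kind of mpd.conf, ipfw.rules and mpd.secret the post produces, from a defender's point of view: it flags the web console bound to 0.0.0.0, 40-bit MPPE (e40) being enabled alongside e128, PAP if it were ever enabled, the catch-all "allow all from any to any" ipfw rule, and weak or reused passwords in mpd.secret. The sample inputs are constructed from the settings shown in the post; the check thresholds and the placeholder-password list are assumptions of this example.

```python
"""Audit mpd5 PPTP VPN settings for a few common weaknesses.

Added example; the sample inputs below are constructed from the forum
post's settings. Run against real files by reading /usr/local/etc/mpd5/mpd.conf,
/etc/ipfw.rules and /usr/local/etc/mpd5/mpd.secret instead.
"""
import re

# --- constructed sample inputs (excerpts of the post's configuration) ---
MPD_CONF = """\
startup:
\tset user admin password
\tset console self 127.0.0.1 5005
\tset console open
\tset web self 0.0.0.0 5006
\tset web open
pptp_server:
\tset ccp yes mppc
\tset mppc yes e40
\tset mppc yes e128
\tset mppc yes stateless
\tset link no pap chap eap
\tset link enable chap
\tset pptp self 202.101.8.18
"""

IPFW_RULES = """\
#!/bin/sh
IPFW="/sbin/ipfw -q"
$IPFW -f flush
$IPFW add 100 divert natd all from any to any via bge0
$IPFW add 200 allow all from any to any
"""

MPD_SECRET = 'vpn "123456"\ntest "123456"\n'

WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}   # console bound to every interface
WEAK_MPPE = {"e40", "e56"}                 # MPPE key lengths below 128 bit
PLACEHOLDERS = {"password", "bar", "123456", "secret"}  # assumed placeholder list
CATCH_ALL = re.compile(
    r"add\s+(\d+)\s+(allow|pass|accept|permit)\s+(ip|all)\s+from\s+any\s+to\s+any\s*$")


def weak_password(pw):
    """Small heuristic: short, all digits, or a well-known placeholder."""
    return len(pw) < 8 or pw.isdigit() or pw.lower() in PLACEHOLDERS


def _commands(text):
    """Yield (section label, command) pairs from mpd.conf, skipping comments."""
    label = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":") and not raw[:1].isspace():
            label = line[:-1]          # unindented "name:" starts a section
            continue
        yield label, line


def audit_mpd_conf(text):
    findings = []
    for label, cmd in _commands(text):
        m = re.match(r"set (web|console) self (\S+)(?: (\d+))?$", cmd)
        if m and m.group(2) in WILDCARD_ADDRS:
            findings.append(f"{label}: {m.group(1)} console bound to {m.group(2)};"
                            " bind it to 127.0.0.1 or filter the port")
        m = re.match(r"set mppc (yes|enable|accept) (.+)$", cmd)
        if m:
            weak = WEAK_MPPE.intersection(m.group(2).split())
            if weak:
                findings.append(f"{label}: weak MPPE key length {sorted(weak)}"
                                " enabled; allow e128 only")
        m = re.match(r"set link (yes|enable|accept) (.+)$", cmd)
        if m and "pap" in m.group(2).split():
            findings.append(f"{label}: PAP enabled; passwords would cross the"
                            " link in cleartext")
        m = re.match(r"set user (\S+) (\S+)", cmd)
        if m and weak_password(m.group(2)):
            findings.append(f"{label}: console user {m.group(1)!r} has a weak"
                            " or placeholder password")
    return findings


def audit_ipfw_rules(text):
    """Flag rules that accept all traffic in both directions unconditionally."""
    findings = []
    for raw in text.splitlines():
        m = CATCH_ALL.search(raw.strip())
        if m:
            findings.append(f"rule {m.group(1)} allows all traffic; a PPTP server"
                            " only needs tcp/1723, GRE and the NAT'd client pool")
    return findings


def audit_mpd_secret(text):
    """mpd.secret lines look like: user "password" [ip]; flag weak and reused ones."""
    findings, seen = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(\S+)\s+"([^"]*)"', line) or re.match(r"(\S+)\s+(\S+)", line)
        if not m:
            findings.append(f"line {lineno}: unparseable entry")
            continue
        user, pw = m.group(1), m.group(2)
        if weak_password(pw):
            findings.append(f"line {lineno}: user {user!r} has a weak password")
        if pw in seen:
            findings.append(f"line {lineno}: user {user!r} reuses the password of {seen[pw]!r}")
        seen.setdefault(pw, user)
    return findings


if __name__ == "__main__":
    for name, result in (("mpd.conf", audit_mpd_conf(MPD_CONF)),
                         ("ipfw.rules", audit_ipfw_rules(IPFW_RULES)),
                         ("mpd.secret", audit_mpd_secret(MPD_SECRET))):
        print(f"== {name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

On the post's own settings the script reports the publicly bound web console, the e40 MPPE option and the placeholder console password in mpd.conf, the catch-all rule 200 in ipfw.rules, and two weak plus one reused password in mpd.secret. A rule such as "add 300 allow tcp from any to me 1723 in via bge0" is not flagged, which is the shape of rule the checker is steering towards.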
Reply: NetDemon [netdemon] ADMIN

1. Since FreeBSD 6, kernel modules are essentially fully supported; the vast majority of features no longer require recompiling the kernel, although the options of a particular module might.
2. Of the three firewalls currently on FreeBSD, pf, ported from OpenBSD, is the best and ipfw the worst from every angle; FreeBSD only keeps it because it was developed by the FreeBSD team.
3. I think you should know what I'm saying.
Floor B1, posted: 12-06-11 03:23

Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
Forum software written by: NetDemon
Guangdong ICP registration no. 05087286