forum.lissyara.su

Код: Выделить всё

#FONT
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"

#HOST
hostname="c1.any.com"
ifconfig_em0="inet 192.168.10.100 netmask 255.255.255.0"
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
defaultrouter="192.168.10.1"

#KEYBORD
keymap="ru.koi8-r"
keyrate="fast"
scrnmap="koi8-r2cp866"

#NTP
ntpd_enable="YES"
#ntpdate_hosts="europe.pool.ntp.org"

#SSH
sshd_enable="YES"

#DNS
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"

#DHCP
dhcpd_enable="yes"
dhcpd_iface="em1"

#INET
inetd_enable="yes"

#SENDMAIL
sendmail_enable="yes"

#SQUID
squid_enable="yes"

#PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Код: Выделить всё

ext_if = "em0" # macro for external interface - use tun0 for PPPoE
int_if = "em1" # macro for internal interface

nat on $ext_if from $int_if:network to any -> ($ext_if)

tcp_services = "{ ssh, smtp, domain, 953, http, https, 110, 821, 1723, 3128, 3129, nfsd, rpcbind }"
ftp_ports = "{ ftp, ftp-data }"
udp_services = "{ domain, ntp, rpcbind, 821, 1723, nfsd, 3130 }"

#block in all

pass quick inet proto gre to any keep state

pass quick inet proto { tcp, udp } from any to any port $ftp_ports keep state
pass quick inet proto { tcp, udp } from any to any port > 18000 keep state

pass quick inet proto udp to any port $udp_services keep state
pass quick inet proto tcp to any port $tcp_services keep state
pass quick inet proto { tcp, udp, icmp } from $int_if:network to any keep state

pass quick inet proto icmp from any to any

pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass quick inet proto { tcp, udp } from any to port { nfsd, rpcbind } keep state

pass quick inet proto { tcp, udp } from any to port 883 keep state

pass quick inet proto { tcp, udp } from any to port 884 keep state

pass quick inet proto { tcp, udp } from any to port 885 keep state

block in log all

rdr proto tcp from 10.10.10.0/24 to any port 80 -> 127.0.0.1 port 3129

Код: Выделить всё

auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours

acl passwd proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl myhost src 10.10.10.10
acl mynet src 10.10.10.0/24
acl vk dstdomain .vk.com
acl wt time 10:00-23:00
acl ya dstdomain .ya.ru .yandex.ru
acl media urlpath_regex -i \.mpg$ \.avi$ \.mp3$

#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost

# Mysettings
http_access allow myhost
http_access deny vk
http_access allow ya passwd
http_access deny ya
http_access allow mynet wt

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 127.0.0.1:3128
http_port 127.0.0.1:3129 intercept

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

delay_pools 1
delay_class 1 1
delay_parameters 1 400/400
delay_access 1 allow media
delay_access 1 deny all

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Код: Выделить всё

# $FreeBSD: release/8.4.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

Код: Выделить всё

2014/12/08 22:10:56| Startup: Initializing Authentication Schemes ...
2014/12/08 22:10:56| Startup: Initialized Authentication Scheme 'basic'
2014/12/08 22:10:56| Startup: Initialized Authentication Scheme 'digest'
2014/12/08 22:10:56| Startup: Initialized Authentication Scheme 'negotiate'
2014/12/08 22:10:56| Startup: Initialized Authentication Scheme 'ntlm'
2014/12/08 22:10:56| Startup: Initialized Authentication.
2014/12/08 22:10:56| Processing Configuration File: /usr/local/etc/squid/squid.conf (depth 0)
2014/12/08 22:10:56| Processing: auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
2014/12/08 22:10:56| Processing: auth_param basic children 5
2014/12/08 22:10:56| Processing: auth_param basic realm Squid proxy-caching webserver
2014/12/08 22:10:56| Processing: auth_param basic credentialsttl 2 hours
2014/12/08 22:10:56| Processing: acl passwd proxy_auth REQUIRED
2014/12/08 22:10:56| Processing: acl SSL_ports port 443
2014/12/08 22:10:56| Processing: acl Safe_ports port 80         # http
2014/12/08 22:10:56| Processing: acl Safe_ports port 21         # ftp
2014/12/08 22:10:56| Processing: acl Safe_ports port 443                # https
2014/12/08 22:10:56| Processing: acl Safe_ports port 70         # gopher
2014/12/08 22:10:56| Processing: acl Safe_ports port 210                # wais
2014/12/08 22:10:56| Processing: acl Safe_ports port 1025-65535 # unregistered ports
2014/12/08 22:10:56| Processing: acl Safe_ports port 280                # http-mgmt
2014/12/08 22:10:56| Processing: acl Safe_ports port 488                # gss-http
2014/12/08 22:10:56| Processing: acl Safe_ports port 591                # filemaker
2014/12/08 22:10:56| Processing: acl Safe_ports port 777                # multiling http
2014/12/08 22:10:56| Processing: acl CONNECT method CONNECT
2014/12/08 22:10:56| Processing: acl myhost src 192.168.10.100 10.10.10.10
2014/12/08 22:10:56| Processing: acl mynet src 192.168.10.0/24 10.10.10.0/24
2014/12/08 22:10:56| Processing: acl rambler dstdomain .rambler.ru
2014/12/08 22:10:56| Processing: acl wt time 10:00-23:00
2014/12/08 22:10:56| Processing: acl ya dstdomain .ya.ru .yandex.ru
2014/12/08 22:10:56| Processing: acl media urlpath_regex -i \.mpg$ \.avi$ \.mp3$
2014/12/08 22:10:56| Processing: http_access deny !Safe_ports
2014/12/08 22:10:56| Processing: http_access deny CONNECT !SSL_ports
2014/12/08 22:10:56| Processing: http_access allow localhost manager
2014/12/08 22:10:56| Processing: http_access deny manager
2014/12/08 22:10:56| Processing: http_access allow localhost
2014/12/08 22:10:56| Processing: http_access allow myhost
2014/12/08 22:10:56| Processing: http_access deny rambler
2014/12/08 22:10:56| Processing: http_access allow ya passwd
2014/12/08 22:10:56| Processing: http_access deny ya
2014/12/08 22:10:56| Processing: http_access allow mynet wt
2014/12/08 22:10:56| Processing: http_access deny all
2014/12/08 22:10:56| Processing: http_port 127.0.0.1:3128
2014/12/08 22:10:56| Processing: http_port 127.0.0.1:3129 intercept
2014/12/08 22:10:56| Starting Authentication on port 127.0.0.1:3129
2014/12/08 22:10:56| Disabling Authentication on port 127.0.0.1:3129 (interception enabled)
2014/12/08 22:10:56| Processing: cache_dir ufs /var/squid/cache 100 16 256
2014/12/08 22:10:56| Processing: coredump_dir /var/squid/cache
2014/12/08 22:10:56| Processing: delay_pools 1
2014/12/08 22:10:56| Processing: delay_class 1 1
2014/12/08 22:10:56| Processing: delay_parameters 1 400/400
2014/12/08 22:10:56| Processing: delay_access 1 allow media
2014/12/08 22:10:56| Processing: delay_access 1 deny all
2014/12/08 22:10:56| Processing: refresh_pattern ^ftp:          1440    20%    10080
2014/12/08 22:10:56| Processing: refresh_pattern ^gopher:       1440    0%     1440
2014/12/08 22:10:56| Processing: refresh_pattern -i (/cgi-bin/|\?) 0    0%     0
2014/12/08 22:10:56| Processing: refresh_pattern .              0       20%    4320

Код: Выделить всё

pass quick inet proto tcp to any port $tcp_services keep state

Код: Выделить всё

wan="rl0"
lan="rl1"
web="{80:83 1080 8080:8088}"
scrub in all
rdr pass on $lan inet proto tcp from 192.168.1.0/24 to any port $web ->
nat on $wan from 192.168.1.0/24 to any  -> ($wan)
pass all

Код: Выделить всё

gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
squid_enable="YES"

Код: Выделить всё

# добавить или раскаментить строку, остальное не трогать
http_port 3128 transparent

Код: Выделить всё

rdr pass on $lan inet proto tcp from 192.168.1.0/24 to any port $web ->  ??????