It has been a long time since I wrote anything up. Today I got the mail server for home use working, plus a few other things I wanted to set up, so here are my notes.
This machine has many jobs: NAT, firewall, web, email and web mail all run on the same box, so take this as a reference.
Dynamic DNS from www.ns2go.com is used for the hostname.
01. Install FreeBSD 5.0
UFS2 is used here with acls enabled. I skipped tunefs at this point, so acls are not fully enabled.
Code:
# Device Mountpoint FStype Options Dump Pass#
/dev/ad0s1b none swap sw 0 0
/dev/ad0s1a / ufs rw,acls 1 1
/dev/ad0s1g /home ufs rw,acls 2 2
/dev/ad0s1f /root ufs rw,acls 2 2
/dev/ad0s1e /tmp ufs rw,acls 2 2
/dev/ad0s1h /usr ufs rw,acls 2 2
/dev/ad0s1d /var ufs rw,acls 2 2
/dev/acd0 /cdrom cd9660 ro,noauto 0 0
02. /etc/rc.conf
Code:
kern_securelevel_enable="YES"
kern_securelevel="3"
nfs_reserved_port_only="NONE"
inetd_enable="NO"
network_interfaces="auto"
ifconfig_rl0="inet 10.0.0.1 netmask 255.0.0.0 -arp up"
ifconfig_rl1="inet 192.168.1.254 netmask 255.255.255.0 up"
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="pppoe"
defaultrouter="10.0.0.1"
gateway_enable="YES"
syslogd_flags="-ss"
firewall_enable="NO"
ipfilter_enable="YES"
ipfilter_flags=""
ipmon_enable="YES"
ipmon_flags="-Dsvn"
ipnat_enable="YES"
icmp_redirects_drop="YES"
icmp_log_redirect="YES"
sendmail_enable="YES"
sshd_enable="YES"
usbd_enable="NO"
hostname="damon.ns2go.com"
03. /etc/resolv.conf
Code:
nameserver 168.95.192.1
nameserver 168.95.1.1
04. /etc/csh.cshrc
Code:
setenv EDITOR joe
alias ls 'gnuls --color --show-control-chars'
set prompt = "%B%m[%/]-%n->"
05. /etc/csh.login
Code:
setenv ENABLE_STARTUP_LOCALE zh_TW.Big5
setenv LC_CTYPE is_IS.ISO_8859-1
setenv LANG zh_TW.Big5
06. /etc/ipf.rules
Code:
########################################################################
#Outside Interface
########################################################################
########################################################################
#Allow out all TCP , UDP and ICMP traffic & keep state
#on it , so that it's allowed back in.
########################################################################
pass out quick on tun0 proto tcp from any to any keep state
pass out quick on tun0 proto udp from any to any keep state
pass out quick on tun0 proto icmp from any to any keep state
block out quick on tun0 all
########################################################################
#Allow some services here (HTTP, SSH from one address, SMTP)
#These are TCP services; the matching udp lines are not needed for them
########################################################################
pass in quick on tun0 proto tcp from any to any port = 80 keep state
pass in quick on tun0 proto udp from any to any port = 80 keep state
pass in quick on tun0 proto tcp from 203.73.246.97 to any port = 22 keep state
pass in quick on tun0 proto udp from 203.73.246.97 to any port = 22 keep state
pass in quick on tun0 proto tcp from any to any port = 25 keep state
pass in quick on tun0 proto udp from any to any port = 25 keep state
########################################################################
#Block and log all remaining traffic coming into the firewall
#-Block TCP with a RST (to make it appear as if the service
#isn't listening)
#Block UDP with an ICMP port unreachable (to make it appear
#as if the service isn't listening)
#Block all remaining traffic the good 'ol fashioned way
########################################################################
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
########################################################################
#Inside Interface
########################################################################
########################################################################
#Allow in all TCP , UDP and ICMP traffic & keep state
########################################################################
pass in quick on rl1 proto tcp from any to any keep state
pass in quick on rl1 proto udp from any to any keep state
pass in quick on rl1 proto icmp from any to any keep state
block in quick on rl1 all
########################################################################
#Loopback Interface
########################################################################
########################################################################
#Allow everything to/from your loopback interface so you
#can ping yourself (e.g. ping localhost)
########################################################################
pass in quick on lo0 all
pass out quick on lo0 all
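As an added example (not from the original post), a small Python first-match evaluator for the inbound rules above: it parses a constructed subset of the rule file and reports which rule decides a given packet, so the policy on the outside interface can be checked before the box is rebooted with it. Only the rule syntax used in this file is understood, and any packet addresses fed to it are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed subset of the post's /etc/ipf.rules: the inbound rules for the
# outside (tun0) and inside (rl1) interfaces, in their original order.
RULES = """\
pass in quick on tun0 proto tcp from any to any port = 80 keep state
pass in quick on tun0 proto tcp from 203.73.246.97 to any port = 22 keep state
pass in quick on tun0 proto tcp from any to any port = 25 keep state
block return-rst in log quick on tun0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on tun0 proto udp from any to any
block in log quick on tun0 all
pass in quick on rl1 proto tcp from any to any keep state
block in quick on rl1 all
"""

# Only the syntax used in the post is understood; anything else is rejected.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: (?P<ret>return-\S+))? (?P<dir>in|out)(?: log)?"
    r" quick on (?P<iface>\S+) (?:all|proto (?P<proto>\w+) from (?P<src>\S+)"
    r" to (?P<dst>\S+)(?: port = (?P<port>\d+))?)(?: keep state)?$")

def parse(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unsupported rule: " + line)
        rules.append(m.groupdict())
    return rules

def addr_match(spec, addr):
    if spec in (None, "any"):
        return True
    return ip_address(addr) in ip_network(spec if "/" in spec else spec + "/32")

def decide(rules, direction, iface, proto, src, dst, dport=None):
    """Return (verdict, rule index). Every rule is 'quick', so the first match wins;
    no match falls to the kernel default, block, since the kernel in step 14 is
    built with IPFILTER_DEFAULT_BLOCK."""
    for n, r in enumerate(rules):
        if r["dir"] != direction or r["iface"] != iface:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if not addr_match(r["src"], src) or not addr_match(r["dst"], dst):
            continue
        if r["port"] and int(r["port"]) != dport:
            continue
        return (r["action"] + (" " + r["ret"] if r["ret"] else ""), n)
    return ("block (default)", None)
```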
07. /etc/ipnat.rules
Code:
map rl0 192.168.1.254/24 -> 0/32
08. /etc/ppp/ppp.conf
Code:
default:
set log Phase Chat LCP IPCP CCP tun command
nat enable yes
nat same_ports yes
nat use_sockets yes
set redial 15 28800
set reconnect 12 28800
pppoe:
set device PPPoE:rl0:
set mru 1492
set mtu 1492
set speed sync
enable lqr
set lqrperiod 5
set cd 5
set dial
set login
set timeout 0
set authname xxxxxxx@hinet.net
set authkey yyyyyyyyy
set ifaddr 10.0.0.1/0 10.0.0.2/0 255.255.255.0 0.0.0.0
add default HISADDR
enable dns
09. Set up the ns2go client for FreeBSD
Code:
fetch http://www.ns2go.com/ns2goc_unix.tgz
mv ns2goc_unix.tgz /usr/local/
cd /usr/local/
tar -zxvf ns2goc_unix.tgz
cd ns2goc/bin/
./ns2goc.pl -c
Just follow the prompts. You need to register an account and password at http://www.ns2go.com/ first, of course.
10. crontab
Code:
#minute hour mday month wday who command
*/5 * * * * root /usr/local/ns2goc/bin/ns2goc.pl > /dev/null
11. /etc/syslog.conf: add the firewall log entry
Code:
local0.* /var/log/firewall.log
12. /etc/newsyslog.conf: add the firewall log rotation entry
Code:
/var/log/firewall.log root:wheel 600 7 100 * J
13. Reboot. Ignore the ipfilter-related errors during boot (the GENERIC kernel does not have IPFILTER built in yet; the kernel built in step 14 fixes that).
14. You should now be connected to the network, so start installing what is needed.
Code:
cd /usr/ports/net/cvsup-without-gui/
make install clean;rehash
cd /usr/ports/
fetch ftp://freebsd.csie.nctu.edu.tw/pub/CVSup/cvsupfile-ports
cd /usr/src/
fetch ftp://freebsd.csie.nctu.edu.tw/pub/CVSup/cvsupfile-stable
ee cvsupfile-stable
*default release=cvs tag=RELENG_5_0
Note here that it is best to stick with RELENG_5_0 for now; tag=. tracks -current, and it is better not to test your luck.
Code:
cd /usr/src/
cvsup cvsupfile-stable
cd /usr/ports/
cvsup cvsupfile-ports
cd /usr/ports/chinese/joe/
make install clean
cd /usr/ports/misc/gnuls/
make install clean
cd /usr/src/sys/i386/conf/
cp GENERIC FreeBSD
ee FreeBSD
options IPFILTER
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK
cd /usr/src/
make buildworld;make buildkernel KERNCONF=FreeBSD
The point of this step is to add the firewall support to the kernel and, while at it, remove the devices you do not have.
After these two steps, first comment out the kern_securelevel settings in /etc/rc.conf and reboot (at securelevel 3 the kernel cannot be replaced).
Code:
cd /usr/src/
make installkernel KERNCONF=FreeBSD;make installworld;mergemaster
When that is done, restore the settings in /etc/rc.conf and reboot again.
15. Configure sendmail
Code:
cd /etc/mail/
touch local-host-names
ee local-host-names    # add the line below
damon.ns2go.com
cp access.sample access
ee access
Edit it to match your own network. Only two entries are set here: 127.0.0.1 is for web mail and 192.168.1 is for the home LAN.
Personally I do not like SMTP AUTH and would rather use web mail.
Code:
127.0.0.1 RELAY
192.168.1 RELAY
cd /etc/mail/
make cf install
sh /etc/rc.sendmail start
Restart sendmail.
http://www.abuse.net/relay.html
Use it to test whether anything slipped through the settings just made and accidentally turned the box into an open relay.
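Added example, not part of the post: a Python reproduction of how sendmail resolves a connecting client address against the access map (dropping dotted octets from the right), applied to the two entries above, plus a check that no RELAY entry covers addresses outside loopback or the RFC1918 ranges, which complements the abuse.net test. Only untagged IP entries are modelled; hostname keys and Connect:-tagged keys are not, and the extra 203.0.113 entry in the test is constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed copy of the post's /etc/mail/access (only the two entries it sets).
ACCESS = """\
# host/ip      action
127.0.0.1      RELAY
192.168.1      RELAY
"""

# Networks the post intends to relay for: loopback (web mail) and the home LAN.
TRUSTED = [ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_access(text):
    """Map of access-file keys to actions; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, action = line.split(None, 1)
            entries[key] = action.strip()
    return entries

def lookup(entries, client_ip):
    """sendmail tries the address with octets dropped from the right:
    192.168.1.55 -> 192.168.1.55, 192.168.1, 192.168, 192. The match is on whole
    octets, so an entry of 192.168.1 does not cover 192.168.10.x."""
    octets = client_ip.split(".")
    for n in range(len(octets), 0, -1):
        action = entries.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None  # no entry: relaying is refused, which is the default

def relay_keys_outside_lan(entries):
    """Keys that grant RELAY to addresses outside TRUSTED; a non-empty result
    means the map itself would make the box an open relay for those ranges."""
    bad = []
    for key, action in entries.items():
        if action != "RELAY" or not key[0].isdigit():
            continue  # hostname/domain keys are not checked here
        probe = ip_address(".".join((key.split(".") + ["0"] * 4)[:4]))
        if not any(probe in net for net in TRUSTED):
            bad.append(key)
    return bad
```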
16. Install the web server, mysql, mod_php4, openwebmail and gallery
Code:
cd /usr/ports/www/apache13/
make install clean
cd /usr/ports/www/mod_php4/
make install clean
Select the PHP features you need in the port's options here.
Code:
cd /usr/ports/database/mysql323-server/
make install clean
cd /usr/ports/mail/openwebmail/
make install clean
cd /usr/ports/www/gallery/
make install clean
cp /usr/local/etc/php.ini-dist /usr/local/etc/php.ini
/usr/local/etc/rc.d/000.mysql-client.sh start
/usr/local/etc/rc.d/mysql-server.sh start
/usr/local/etc/rc.d/apache.sh start
17. Change the mysql root password
Code:
rehash
mysqladmin -u root password yourpassword
mysql -u root -p    # test the new password
18. Configure openwebmail and switch it to the Chinese version
Code:
domainnames damon.ns2go.com
default_language zh_TW.Big5
19. Configure gallery
Code:
cd /usr/local/www/data/gallery/
sh configure.sh
Then open http://damon.ns2go.com/gallery/ in a browser and follow the setup screens. When the setup is finished:
Code:
cd /usr/local/www/data/gallery/
sh secure.sh