FreeBSD5.4 + pf + oops實現透明代理

本文基本實現oops＋pf實現透明代理，oops其他認證，帶寬管理都沒用上，希望能夠拋磚引玉，肯請用過oops的大俠指教！謝謝。

安裝過程

1, cd /usr/ports/www/oops/
make config 選中
[X] DB4 Berkeley DB v4 storage
make install clean
2, 修改/usr/local/etc/oops/oops.cfg
3，cd /usr/local/sbin/
oops -z -c /usr/local/etc/oops/oops.cfg （創建其磁盤高速緩存）
4，vi /etc/rc.conf加入oops_enable="yes"
5，reboot

配置

more /etc/rc.conf
defaultrouter="218.75.x.x"
gateway_enable="YES"
hostname="firewall.test.com"
ifconfig_fxp0="inet 218.75.y.y netmask 255.255.255.128"
ifconfig_fxp1="inet 192.168.0.1 netmask 255.255.255.192"
ifconfig_fxp1_alias0="inet 192.168.1.62 netmask 255.255.255.192"
ifconfig_fxp1_alias1="inet 192.168.2.62 netmask 255.255.255.192"
ifconfig_fxp1_alias2="inet 192.168.3.62 netmask 255.255.255.192"
sshd_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sendmail_enable="NONE"
ntpdate_enable="YES" # Run ntpdate to sync time on boot (or NO).
ntpdate_flags="207.46.232.189" # time.windows.com
oops_enable="yes"

more /etc/pf.conf
#firewall by tds 20050601

#macros
wanif="fxp0"
lanif="fxp1"
oops="127.0.0.1"
tcpsrv="{22,113}"
lan0="{192.168.0.0/26}"
lan1="{192.168.2.0/26}"
lan3="{192.168.3.0/26}"
lan4="{192.168.1.0/26}"
ftpsrv="192.168.0.8"
bt1="192.168.0.38"
bt2="192.168.0.39"
noroute="{127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16}"

#options
set block-policy return
set loginterface $wanif
set optimization aggressive

#scrub
scrub in all

#nat and rdr
nat on $wanif from $lan0 to any -> $wanif
nat on $wa nif from $lan1 to any -> $wanif
nat on $wanif from $lan3 to any -> $wanif
nat on $wanif from $lan4 to any -> $wanif

rdr on $lanif proto tcp from any to any port 80 -> $oops port 3128
rdr on $wanif proto tcp from any to any port 21 -> $ftpsrv
rdr on $wanif proto tcp from any to any port 18888 -> $bt2
rdr on $wanif proto tcp from any to any port 4662 -> $bt2
rdr on $wanif proto udp from any to any port 4672 -> $bt2
rdr on $wanif proto tcp from any to any port 3389 -> $bt2
rdr on $wanif proto tcp from any to any port 3388 -> $bt1 port 3389

#filter rules
block all
block drop in quick on $wanif from $noroute
block drop out quick on $wanif from any to $noroute
block drop out quick on $wanif from any to 202.103.67.53
pass quick on lo0 all
pass in quick on $lanif from $lanif:network to any keep state
pass out quick on $lanif from any to $lanif:network keep state

pass in quick on $wanif proto tcp from an y to $wanif port $tcpsrv flags S/SA keep state
pass in quick on $wanif proto tcp from any to $ftpsrv port 21 flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt2 port {3389,4662,18888} flags S/SA keep state
pass in quick on $wanif proto tcp from any to $bt1 port 3389 flags S/SA keep state
pass in quick on $wanif proto udp from any to $bt2 port 4672 keep state
pass out on $wanif proto tcp all flags S/SA keep state
pass out on $wanif proto {udp,icmp} all keep state&n bsp;

more /usr/local/etc/oops/oops.cfg

只記錄修改部分

nameserver 127.0.0.1
nameserver 220.168.208.3
nameserver 220.168.208.6

http_port 3128
#icp_port 3130
userid oops

logfile /var/log/oops/oops.log { 3 1m } unbuffered
aclearcase/" target="_blank" >ccesslog /var/log/oops/access.log { 3 1m } unbuffered
pidfile /var/run/oops/oops.pid
statistics /var/run/oops/oops_statfile
mem_max 128m
lo_mark 80m
disk-low-free 3
disk-ok-free 5

force_http11
force_completion 85
maxresident 1m
insert_x_forwarded_for no
insert_via no
always_check_freshness

group mynet {
##
# You can describe group ip adresses here, or using src_ip acl's
# with networks_acl directive.
# networks_acl always have higher preference (checked first) and
# are checked in the order of appearance.
# If host wil not fall in any networks_acl - we check in networks.
# networks are ordered by masklen - longest masks(most specific networks)
# are checked first.
##
networks 192.168/16 127/8 ;
redir_mods transparent;（添加此行實現透明代理）
# networks_acl LOCAL_NETWORKS !BAD_NETWORKS ;
badports [0:79],110,138,139,513,[6000:6010] ;
miss allow;

module&nb sp;transparent { （實現透明代理）
# myport can have next form:
# myport [{hostname|ip_addr}:]port ...
myport 3128
# broken_browsers MSIE
}

storage {
path /usr/local/oops/storages/oops_storage ;
# Size of the storage. Can be in bytes or 'auto'. Auto is
# usefull for pre-created storages or disk slices.
# NOTE: 'size auto' won't work for Linux on disk slices.
# To use large ( > 2G ) files run configure with --enable-large-files

size 200m ; （磁盤高速緩存）

參考文章

高性能、多線程的高速Web代理服務器--OOPS!