1) Конфигурация ядра
2) Стартовый скрипт rc.conf
3) Firewall IPFW
4) Синхронизация времени по протоколу ntp
5) Настройка разрешения имён
6) Файл hosts
7) PHP 5.5.14
8) PhpMyAdmin 4.2.5
9) Настройка клиента MySql
10) UCARP
11) ProFTPd
12)
13)
14)
15)
16)
17)
/usr/src/sys/amd64/conf/SERGEY
# Custom amd64 kernel configuration "SERGEY" for a FreeBSD gateway.
# Right-hand comments are the stock GENERIC/NOTES annotations; lines marked
# NOTE(review) are reviewer remarks on attack surface and debug settings.
cpu HAMMER
ident SERGEY
# NOTE(review): DEBUG=-g only adds symbol information to the build (kernel.symbols);
# it does not change what the running kernel does, unlike the *_DEBUG options below.
makeoptions DEBUG=-g # Build kernel with gdb(1) debug symbols
makeoptions WITH_CTF=1 # Run ctfconvert(1) for DTrace support
options SCHED_ULE # ULE scheduler
options PREEMPTION # Enable kernel thread preemption
options INET # InterNETworking
#options INET6 # IPv6 communications protocols
options TCP_OFFLOAD # TCP offload
options SCTP # Stream Control Transmission Protocol
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options UFS_GJOURNAL # Enable gjournal-based UFS journaling
options QUOTA # Enable disk quotas for UFS
options MD_ROOT # MD is a potential root device
options NFSCL # New Network Filesystem Client
options NFSD # New Network Filesystem Server
options NFSLOCKD # Network Lock Manager
options NFS_ROOT # NFS usable as /, requires NFSCL
options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
# NOTE(review): every COMPAT_FREEBSD* option keeps an old system-call ABI reachable
# from userland; drop the ones no installed binary needs to shrink the kernel's
# attack surface.
options COMPAT_FREEBSD32 # Compatible with i386 binaries
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options COMPAT_FREEBSD5 # Compatible with FreeBSD5
options COMPAT_FREEBSD6 # Compatible with FreeBSD6
options COMPAT_FREEBSD7 # Compatible with FreeBSD7
options SCSI_DELAY=5000 # Delay (in ms) before probing SCSI
options KTRACE # ktrace(1) support
options STACK # stack(9) support
options SYSVSHM # SYSV-style shared memory
options SYSVMSG # SYSV-style message queues
options SYSVSEM # SYSV-style semaphores
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options PRINTF_BUFR_SIZE=128 # Prevent printf output being interspersed.
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options HWPMC_HOOKS # Necessary kernel hooks for hwpmc(4)
# Security frameworks compiled in: audit(4), Capsicum and the MAC framework.
# They do nothing by themselves until configured from userland (auditd, mac_*
# policy modules, capsicum-aware programs).
options AUDIT # Security event auditing
options CAPABILITY_MODE # Capsicum capability mode
options CAPABILITIES # Capsicum capabilities
options PROCDESC # Support for process descriptors
options MAC # TrustedBSD MAC Framework
options KDTRACE_FRAME # Ensure frames are compiled in
options KDTRACE_HOOKS # Kernel DTrace hooks
options DDB_CTF # Kernel ELF linker loads CTF data
# The configuration text is embedded in the kernel image and can be read back
# with 'config -x'; do not put anything sensitive in this file.
options INCLUDE_CONFIG_FILE # Include this file in kernel
# Debugging support. Always need this:
# NOTE(review): no 'options DDB' here, so KDB has no interactive backend; KDB_TRACE
# only prints a backtrace on panic.
options KDB # Enable kernel debugger support.
options KDB_TRACE # Print a stack trace for a panic.
##########################################
include OPTIONS
##########################################
# Make an SMP-capable kernel by default
options SMP # Symmetric MultiProcessor Kernel
# CPU frequency control
device cpufreq
# Bus support.
device acpi
device pci
# Floppy drives
device fdc
# ATA controllers
device ahci # AHCI-compatible SATA controllers
device ata # Legacy ATA/SATA controllers
options ATA_STATIC_ID # Static device numbering
device mvs # Marvell 88SX50XX/88SX60XX/88SX70XX/SoC SATA
device siis # SiliconImage SiI3124/SiI3132/SiI3531 SATA
# SCSI Controllers
device ahc # AHA2940 and onboard AIC7xxx devices
options AHC_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~128k to driver.
device ahd # AHA39320/29320 and onboard AIC79xx devices
options AHD_REG_PRETTY_PRINT # Print register bitfields in debug
# output. Adds ~215k to driver.
device esp # AMD Am53C974 (Tekram DC-390(T))
device hptiop # Highpoint RocketRaid 3xxx series
device isp # Qlogic family
#device ispfw # Firmware for QLogic HBAs- normally a module
device mpt # LSI-Logic MPT-Fusion
device mps # LSI-Logic MPT-Fusion 2
#device ncr # NCR/Symbios Logic
device sym # NCR/Symbios Logic (newer chipsets + those of `ncr')
device trm # Tekram DC395U/UW/F DC315U adapters
device adv # Advansys SCSI adapters
device adw # Advansys wide SCSI adapters
device aic # Adaptec 15[012]x SCSI adapters, AIC-6[23]60.
device bt # Buslogic/Mylex MultiMaster SCSI adapters
device isci # Intel C600 SAS controller
# ATA/SCSI peripherals
device scbus # SCSI bus (required for ATA/SCSI)
device ch # SCSI media changers
device da # Direct Access (disks)
device sa # Sequential Access (tape etc)
device cd # CD
device pass # Passthrough device (direct ATA/SCSI access)
device ses # Enclosure Services (SES and SAF-TE)
#device ctl # CAM Target Layer
# RAID controllers interfaced to the SCSI subsystem
device amr # AMI MegaRAID
device arcmsr # Areca SATA II RAID
#XXX it is not 64-bit clean, -scottl
#device asr # DPT SmartRAID V, VI and Adaptec SCSI RAID
device ciss # Compaq Smart RAID 5*
device dpt # DPT Smartcache III, IV - See NOTES for options
device hptmv # Highpoint RocketRAID 182x
device hptnr # Highpoint DC7280, R750
device hptrr # Highpoint RocketRAID 17xx, 22xx, 23xx, 25xx
device hpt27xx # Highpoint RocketRAID 27xx
device iir # Intel Integrated RAID
device ips # IBM (Adaptec) ServeRAID
device mly # Mylex AcceleRAID/eXtremeRAID
device twa # 3ware 9000 series PATA/SATA RAID
device tws # LSI 3ware 9750 SATA+SAS 6Gb/s RAID controller
# RAID controllers
device aac # Adaptec FSA RAID
device aacp # SCSI passthrough for aac (requires CAM)
device aacraid # Adaptec by PMC RAID
device ida # Compaq Smart RAID
device mfi # LSI MegaRAID SAS
device mlx # Mylex DAC960 family
#XXX pointer/int warnings
#device pst # Promise Supertrak SX6000
device twe # 3ware ATA RAID
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device kbdmux # keyboard multiplexer
device vga # VGA video card driver
options VESA # Add support for VESA BIOS Extensions (VBE)
device splash # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device sc
options SC_PIXEL_MODE # add support for the raster text mode
device agp # support several AGP chipsets
# PCCARD (PCMCIA) support
# PCMCIA and cardbus bridge support
#device cbb # cardbus (yenta) bridge
#device pccard # PC Card (16-bit) bus
device cardbus # CardBus (32-bit) bus
# Serial (COM) ports
device uart # Generic UART driver
# Parallel port
device ppc
device ppbus # Parallel port bus (required)
device lpt # Printer
device ppi # Parallel port interface device
#device vpo # Requires scbus and da
device puc # Multi I/O cards and multi-channel UARTs
# PCI Ethernet NICs.
device bxe # Broadcom NetXtreme II BCM5771X/BCM578XX 10GbE
device de # DEC/Intel DC21x4x (``Tulip'')
device em # Intel PRO/1000 Gigabit Ethernet Family
device igb # Intel PRO/1000 PCIE Server Gigabit Family
device ixgbe # Intel PRO/10GbE PCIE Ethernet Family
device le # AMD Am7900 LANCE and Am79C9xx PCnet
device ti # Alteon Networks Tigon I/II gigabit Ethernet
device txp # 3Com 3cR990 (``Typhoon'')
device vx # 3Com 3c590, 3c595 (``Vortex'')
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
#device miibus # MII bus support
#device ae # Attansic/Atheros L2 FastEthernet
#device age # Attansic/Atheros L1 Gigabit Ethernet
#device alc # Atheros AR8131/AR8132 Ethernet
#device ale # Atheros AR8121/AR8113/AR8114 Ethernet
#device bce # Broadcom BCM5706/BCM5708 Gigabit Ethernet
#device bfe # Broadcom BCM440x 10/100 Ethernet
#device bge # Broadcom BCM570xx Gigabit Ethernet
#device cas # Sun Cassini/Cassini+ and NS DP83065 Saturn
#device dc # DEC/Intel 21143 and various workalikes
#device et # Agere ET1310 10/100/Gigabit Ethernet
#device fxp # Intel EtherExpress PRO/100B (82557, 82558)
#device gem # Sun GEM/Sun ERI/Apple GMAC
#device hme # Sun HME (Happy Meal Ethernet)
#device jme # JMicron JMC250 Gigabit/JMC260 Fast Ethernet
#device lge # Level 1 LXT1001 gigabit Ethernet
#device msk # Marvell/SysKonnect Yukon II Gigabit Ethernet
#device nfe # nVidia nForce MCP on-board Ethernet
#device nge # NatSemi DP83820 gigabit Ethernet
#device nve # nVidia nForce MCP on-board Ethernet Networking
#device pcn # AMD Am79C97x PCI 10/100 (precedence over 'le')
#device re # RealTek 8139C+/8169/8169S/8110S
#device rl # RealTek 8129/8139
#device sf # Adaptec AIC-6915 (``Starfire'')
#device sge # Silicon Integrated Systems SiS190/191
#device sis # Silicon Integrated Systems SiS 900/SiS 7016
#device sk # SysKonnect SK-984x & SK-982x gigabit Ethernet
#device ste # Sundance ST201 (D-Link DFE-550TX)
#device stge # Sundance/Tamarack TC9021 gigabit Ethernet
#device tl # Texas Instruments ThunderLAN
#device tx # SMC EtherPower II (83c170 ``EPIC'')
#device vge # VIA VT612x gigabit Ethernet
#device vr # VIA Rhine, Rhine II
#device wb # Winbond W89C840F
#device xl # 3Com 3c90x (``Boomerang'', ``Cyclone'')
# ISA Ethernet NICs. pccard NICs included.
#device cs # Crystal Semiconductor CS89x0 NIC
# 'device ed' requires 'device miibus'
#device ed # NE[12]000, SMC Ultra, 3c503, DS8390 cards
#device ex # Intel EtherExpress Pro/10 and Pro/10+
#device ep # Etherlink III based cards
#device fe # Fujitsu MB8696x based cards
#device sn # SMC's 9000 series of Ethernet chips
#device xe # Xircom pccard Ethernet
# Wireless NIC cards
# NOTE(review): the whole 802.11 stack (including WEP/TKIP) and a dozen wireless
# drivers are compiled in, while rc.conf on this gateway only configures em0 and
# em1. Unused drivers can be left out or loaded as modules on demand.
device wlan # 802.11 support
# NOTE(review): IEEE80211_DEBUG and USB_DEBUG (further down) add debug code paths
# and sysctls that a production gateway does not need.
options IEEE80211_DEBUG # enable debug msgs
options IEEE80211_AMPDU_AGE # age frames in AMPDU reorder q's
options IEEE80211_SUPPORT_MESH # enable 802.11s draft support
device wlan_wep # 802.11 WEP support
device wlan_ccmp # 802.11 CCMP support
device wlan_tkip # 802.11 TKIP support
device wlan_amrr # AMRR transmit rate control algorithm
device an # Aironet 4500/4800 802.11 wireless NICs.
device ath # Atheros NICs
device ath_pci # Atheros pci/cardbus glue
device ath_hal # pci/cardbus chip support
options AH_SUPPORT_AR5416 # enable AR5416 tx/rx descriptors
options AH_AR5416_INTERRUPT_MITIGATION # AR5416 interrupt mitigation
options ATH_ENABLE_11N # Enable 802.11n support for AR5416 and later
device ath_rate_sample # SampleRate tx rate control for ath
#device bwi # Broadcom BCM430x/BCM431x wireless NICs.
#device bwn # Broadcom BCM43xx wireless NICs.
device ipw # Intel 2100 wireless NICs.
device iwi # Intel 2200BG/2225BG/2915ABG wireless NICs.
device iwn # Intel 4965/1000/5000/6000 wireless NICs.
device malo # Marvell Libertas wireless NICs.
device mwl # Marvell 88W8363 802.11n wireless NICs.
device ral # Ralink Technology RT2500 wireless NICs.
device wi # WaveLAN/Intersil/Symbol 802.11 wireless NICs.
device wpi # Intel 3945ABG wireless NICs.
# Pseudo devices.
device loop # Network loopback
device random # Entropy device
device padlock_rng # VIA Padlock RNG
device rdrand_rng # Intel Bull Mountain RNG
device ether # Ethernet support
device vlan # 802.1Q VLAN support
device tun # Packet tunnel.
device md # Memory "disks"
device gif # IPv6 and IPv4 tunneling
device faith # IPv6-to-IPv4 relaying (translation)
device firmware # firmware assist module
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
# (dhcpd is enabled in rc.conf, so bpf is needed here.)
device bpf # Berkeley packet filter
# USB support
options USB_DEBUG # enable debug msgs
device uhci # UHCI PCI->USB interface
device ohci # OHCI PCI->USB interface
device ehci # EHCI PCI->USB interface (USB 2.0)
device xhci # XHCI PCI->USB interface (USB 3.0)
device usb # USB Bus (required)
device ukbd # Keyboard
device umass # Disks/Mass storage - Requires scbus and da
# Sound support
device sound # Generic sound driver (required)
#device snd_cmi # CMedia CMI8338/CMI8738
#device snd_csa # Crystal Semiconductor CS461x/428x
#device snd_emu10kx # Creative SoundBlaster Live! and Audigy
#device snd_es137x # Ensoniq AudioPCI ES137x
device snd_hda # Intel High Definition Audio
#device snd_ich # Intel, NVidia and other ICH AC'97 Audio
#device snd_via8233 # VIA VT8233x Audio
# MMC/SD
device mmc # MMC/SD bus
device mmcsd # MMC/SD memory card
device sdhci # Generic PCI SD Host Controller
# VirtIO support
device virtio # Generic VirtIO bus (required)
device virtio_pci # VirtIO PCI device
device vtnet # VirtIO Ethernet device
device virtio_blk # VirtIO Block device
device virtio_scsi # VirtIO SCSI device
device virtio_balloon # VirtIO Memory Balloon device
# HyperV drivers
##device hyperv # HyperV drivers
# Xen HVM Guest Optimizations
# NOTE: XENHVM depends on xenpci. They must be added or removed together.
options XENHVM # Xen HVM kernel infrastructure
device xenpci # Xen HVM Hypervisor services driver
# VMware support
# device vmx # VMware VMXNET3 Ethernet
/usr/src/sys/amd64/conf/OPTIONS
# Extra options pulled into the SERGEY kernel via 'include OPTIONS'.
# NOTE(review): carp(4) is compiled in although rc.conf drives failover with the
# userland ucarp daemon; only one of the two mechanisms is needed.
device carp
############# IPFW #################
# IPFIREWALL without IPFIREWALL_DEFAULT_TO_ACCEPT: the implicit last rule is
# deny, so anything the loaded rule set does not explicitly allow is dropped
# (and nothing passes until the rule set is loaded at boot).
options IPFIREWALL
# Log matches of rules carrying the 'log' keyword, at most VERBOSE_LIMIT
# entries per rule until 'ipfw resetlog' (also tunable at run time through
# net.inet.ip.fw.verbose_limit). 10 is low if the log is used for detection.
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=10
# In-kernel NAT (libalias) and divert sockets, used by the nat rules in ipfw.sh.
options IPFIREWALL_NAT
options IPDIVERT
options LIBALIAS
options ROUTETABLES=2
# Traffic shaping; the module side is enabled with dummynet_enable in rc.conf.
options DUMMYNET
######################################
# Kernel accept filters for servers that request them (accf_http, accf_data).
options ACCEPT_FILTER_HTTP
options ACCEPT_FILTER_DATA
####### SMB ########
options NETSMB #SMB/CIFS requester
# NOTE(review): with NETSMBCRYPTO left out, smbfs cannot use the encrypted
# (NTLM) password exchange; confirm mount_smbfs still authenticates the way
# you expect before relying on it.
#options NETSMBCRYPTO #encrypted password support for SMB
options LIBMCHAIN #mbuf management library
options LIBICONV
options SMBFS
# Disable reboot on Ctrl Alt Del
options SC_DISABLE_REBOOT
# Change normal|kernel messages color
options SC_NORM_ATTR=(FG_GREEN|BG_BLACK)
options SC_KERNEL_CONS_ATTR=(FG_YELLOW|BG_BLACK)
options SC_NORM_REV_ATTR=(FG_YELLOW|BG_GREEN)
options SC_KERNEL_CONS_REV_ATTR=(FG_BLACK|BG_RED)
# More scroll space
options SC_HISTORY_SIZE=8192
# UTF-8
#options TEKEN_UTF8
options VGA_WIDTH90
# Interrupt-less NIC polling; polling(4) recommends a higher HZ, see HZ=1000 below.
options DEVICE_POLLING
#### netgraph options ####
options HZ=1000
options NETGRAPH
options NETGRAPH_PPPOE
options NETGRAPH_SOCKET
options NETGRAPH_CISCO
options NETGRAPH_ECHO
options NETGRAPH_FRAME_RELAY
options NETGRAPH_HOLE
options NETGRAPH_KSOCKET
options NETGRAPH_LMI
options NETGRAPH_RFC1490
options NETGRAPH_TTY
options NETGRAPH_ASYNC
options NETGRAPH_BPF
options NETGRAPH_ETHER
options NETGRAPH_IFACE
options NETGRAPH_L2TP
# NOTE(review): MPPC_ENCRYPTION and PPTPGRE are what a PPTP server (e.g. mpd)
# needs; PPTP with MS-CHAPv2/MPPE is no longer considered secure, so prefer
# IPsec or a TLS-based VPN where the clients allow it.
options NETGRAPH_MPPC_ENCRYPTION
options NETGRAPH_PPP
options NETGRAPH_PPTPGRE
options NETGRAPH_TEE
options NETGRAPH_UI
options NETGRAPH_VJC
/etc/rc.conf
### SCREEN MODE ###
#allscreens_flags="MODE_324"
### ZFS ###
zfs_enable="YES"
### Linux binary compatibility ###
# NOTE(review): the Linux ABI layer is a second system-call surface; keep it
# only if Linux binaries actually run on this gateway.
linux_enable="YES"
### Name of host ###
hostname="srv"
### RUS & mouse ###
# Console fonts, screen map and keyboard layout for Cyrillic (cp866 / koi8-r).
font8x14="cp866-8x14"
font8x16="cp866-8x16"
font8x8="cp866-8x8"
scrnmap="koi8-r2cp866"
keymap="ru.koi8-r.win.kbd"
moused_enable="YES"
### Screen Saver ###
# beastie green blank logo daemon rain dragon snake fade star fire warp
saver="beastie" # screen saver: Uses /boot/kernel/${saver}_saver.ko
blanktime="100"
### NETWORK ###
# em0 = external side (195.0.1.1), em1 = LAN side (192.168.1.1); the same
# roles are hard-coded in ipfw.sh as LanOut / LanIn.
ifconfig_em0="inet 195.0.1.1 netmask 255.255.255.0"
ifconfig_em1="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="195.0.1.2"
# ===== NETWORK SERVICES ===== #
### IPFW ###
firewall_enable="YES"
# A custom rule script replaces /etc/rc.firewall.
firewall_script="/usr/local/etc/rc.d/ipfw.sh"
# NOTE(review): firewall_type, firewall_nat_enable, firewall_flags and
# firewall_nat_interface are consumed by /etc/rc.firewall, which is not run
# when firewall_script points at another script; the NAT configuration that
# actually applies is the one written inside ipfw.sh. TODO confirm against
# /etc/rc.d/ipfw on this release.
firewall_type="SIMPLE"
firewall_quiet="NO"
### NAT ###
firewall_nat_enable="YES"
firewall_flags="unreg_only same_ports reset"
firewall_nat_interface="em0"
dummynet_enable="YES"
### gateway ###
# Turns on IP forwarding between em0 and em1.
gateway_enable="YES"
### Time Server ###
ntpd_enable="YES"
# Step the clock once at start-up before normal slewing (ntpd -g).
ntpd_sync_on_start="YES"
### SSH ###
sshd_enable="YES"
### WEB SERVER ###
apache24_enable="YES"
### DataBase Server ###
mysql_enable="YES"
### DHCP SERVER ###
dhcpd_enable="YES"
# NOTE(review): of the services above, the only explicit inbound allows on the
# external side in ipfw.sh are SSH from 195.0.1.8 and all TCP from 195.0.1.3;
# LAN-side access is covered there by the blanket 192.168.1.0/24 rules.
### UCARP ####
ucarp_enable="YES"
ucarp_vhid="1"
ucarp_if="em1"
ucarp_src="192.168.1.1"
ucarp_addr="192.168.1.254"
# ucarp_advskew="50"
# ucarp_preempt="YES" # always prefer the master with the lower advskew
# NOTE(review): shared secret authenticating the CARP advertisements on em1.
# 'secret' is a placeholder to replace, and rc.conf is world-readable by
# default, so every local account can read whatever is put here.
ucarp_pass="secret"
ucarp_upscript="/usr/local/etc/vip-up.sh"
ucarp_downscript="/usr/local/etc/vip-down.sh"
###clear tmp###
clear_tmp_enable="YES"
# No crash-dump device: a kernel panic leaves nothing to analyse afterwards.
dumpdev="NO"
/usr/local/etc/rc.d/ipfw.sh
#!/bin/sh
# ipfw rule set for the gateway, loaded by rc.d/ipfw through firewall_script.
# The rule set is order-sensitive; remarks marked NOTE(review) point at places
# where the order as written does not give the protection the surrounding
# comments describe. The kernel is built without IPFIREWALL_DEFAULT_TO_ACCEPT,
# so whatever is not allowed below is denied by the implicit last rule.
# Variables
IpFw="/sbin/ipfw -q" # ipfw binary, quiet mode
LanOut="em0" # external interface
LanIn="em1" # internal interface (not referenced by any rule below)
IpOut="195.0.1.1" # external IP
NetOut="195.0.1.0/24" # external network
NetIn="192.168.1.0/24" # internal network
Ip_Lan="192.168.1." # prefix of internal addresses, meant for per-host internet permissions (not referenced by any rule below)
Vpn_Lan="15.15.15.0/24{50-99}" # VPN client pool (not referenced by any rule below)
# time servers, plus the external network that may fetch time from this host
ntp="{ 212.1.224.6 or 212.1.244.6 or 195.0.1.0/24 }"
dns="{ 195.0.1.3 or 195.0.1.2 }" # provider DNS servers
# Flush old rules, pipes and queues before loading the new set
${IpFw} -f flush
${IpFw} -f pipe flush
${IpFw} -f queue flush
#####################################################
# Let a packet through if an earlier packet of its flow created a dynamic
# rule (keep-state); this must come first so that replies match here.
${IpFw} add check-state
# Example: SSH to/from one specific host
${IpFw} add allow tcp from 195.0.1.8 to me 22 in via ${LanOut} setup keep-state
${IpFw} add allow tcp from me to 195.0.1.8 22 out via ${LanOut} setup keep-state
#####################################################
# Any TCP connection from the admin workstation to this host
${IpFw} add allow tcp from 195.0.1.3 to me in via ${LanOut} setup keep-state
# Any TCP connection from this host to the admin workstation
#${IpFw} add 100 allow tcp from me to 195.0.1.3 out via ${LanOut} setup keep-state
# NAT
# NOTE(review): with the default sysctl net.inet.ip.fw.one_pass=1 a nat rule is
# terminal: a packet that matches it is accepted right here and is never seen by
# the deny / anti-spoofing rules further down. The inbound rule matches every
# packet addressed to ${IpOut} on ${LanOut}, whether or not it belongs to a
# translated session, so unsolicited inbound traffic to this host is in effect
# allowed while the NAT rules sit above the deny block (which is probably also
# why services without an explicit allow rule are reachable). Fixing it means
# either setting one_pass=0 and moving the NAT rules below the deny block (then
# replies translated back to 192.168.1.x must be allowed before the
# 192.168.0.0/16 deny), or adding deny_in to the nat config with every
# stateless inbound allow (NTP, DNS) placed ahead of it. Check the sysctl on the
# box before relying on either reading.
${IpFw} nat 1 config ip ${IpOut} log
${IpFw} add nat 1 ip from 192.168.1.0/24 to any out via ${LanOut}
${IpFw} add nat 1 ip from any to ${IpOut} in via ${LanOut}
### Drop fragmented packets ('frag' matches non-first fragments only, see ipfw(8))
${IpFw} add deny log all from any to any frag
# Drop established-flag TCP packets that no dynamic rule accounts for
${IpFw} add deny log tcp from any to any established in via ${LanOut}
## Loopback / unspecified addresses must not appear on the external interface
${IpFw} add deny log all from 0.0.0.0/8 to any in via ${LanOut} #loopback
${IpFw} add deny log ip from any to 127.0.0.0/8 in via ${LanOut}
${IpFw} add deny log ip from 127.0.0.0/8 to any out via ${LanOut}
# No private-network destinations on the external interface
# NOTE(review): these match on destination only. Nothing drops a packet that
# arrives on ${LanOut} with a *source* inside ${NetIn} (or equal to ${IpOut});
# such a packet would be accepted by the LAN allow rules at the end of this
# file. A 'deny log ip from ${NetIn} to any in via ${LanOut}' here closes that gap.
${IpFw} add deny log ip from any to 10.0.0.0/8 via ${LanOut}
${IpFw} add deny log ip from any to 172.16.0.0/12 via ${LanOut}
${IpFw} add deny log ip from any to 192.168.0.0/16 via ${LanOut}
# No multicast / reserved class E on the internet interface
${IpFw} add deny log ip from any to 240.0.0.0/4 in via ${LanOut}
${IpFw} add deny log ip from 224.0.0.0/4 to any out via ${LanOut}
# No link-local (169.254/16, the "MS private" range) on the internet interface
${IpFw} add deny log ip from any to 169.254.0.0/16 in via ${LanOut}
${IpFw} add deny log ip from 169.254.0.0/16 to any out via ${LanOut}
#
${IpFw} add deny log all from 192.0.2.0/24 to any in via ${LanOut} #reserved for docs
${IpFw} add deny log all from 204.152.64.0/23 to any in via ${LanOut} #Sun cluster interconnect
# Block the NetBIOS services: 137=name, 138=datagram, 139=session.
# NetBIOS is the MS/Windows sharing service. 81 = MS/Windows hosts2 name server requests.
# (These rules are tcp-only; NetBIOS name/datagram traffic on UDP 137/138 is not covered.)
${IpFw} add deny log tcp from any to any 137 via ${LanOut}
${IpFw} add deny log tcp from any to any 138 via ${LanOut}
${IpFw} add deny log tcp from any to any 139 via ${LanOut}
${IpFw} add deny log tcp from any to any 81 via ${LanOut}
### Block ident
${IpFw} add deny log tcp from any to any 113 via ${LanOut}
### Allow everything on lo0
${IpFw} add allow ip from any to any via lo0
### NTP TRAFFIC
# NOTE(review): no interface or direction qualifier, so both rules apply on em0
# and em1 alike, and the second lets the whole external /24 listed in ${ntp}
# reach UDP/123 on this host; the access policy then rests entirely on the
# restrict lines in ntp.conf.
${IpFw} add allow udp from any to ${ntp} 123
${IpFw} add allow udp from ${ntp} to any 123
### DNS TRAFFIC
# Stateless for UDP: the replies from ${dns} are not covered by a dynamic rule
# and have to be admitted by some other rule (as written, the inbound NAT rule).
${IpFw} add allow udp from me to ${dns} 53 out via ${LanOut}
${IpFw} add allow tcp from me to ${dns} 53 out via ${LanOut} setup keep-state
#####################################################
# Allow traffic from this host to the internet
# setup - mandatory keyword: matches only the packet that opens a TCP session.
# keep-state - mandatory keyword: on a match the firewall creates a dynamic
# rule which, by default, matches traffic in both directions between sender
# and receiver for this IP/port pair and protocol.
${IpFw} add allow tcp from me to any 20 out via ${LanOut} setup keep-state
${IpFw} add allow tcp from me to any 21 out via ${LanOut} setup keep-state
${IpFw} add allow tcp from me to any 80 out via ${LanOut} setup keep-state
${IpFw} add allow tcp from me to any 443 out via ${LanOut} setup keep-state
${IpFw} add allow tcp from me to any 1024-65535 out via ${LanOut} setup keep-state
### VPN
# NOTE(review): PPTP control (1723) and GRE are accepted from any source on any
# interface; PPTP with MS-CHAPv2/MPPE is no longer considered secure, so an
# IPsec or TLS-based VPN is the safer choice where the clients allow it.
${IpFw} add allow tcp from any to me dst-port 1723 setup keep-state
${IpFw} add allow gre from any to me
${IpFw} add allow gre from me to any
# Traceroute can use UDP or ICMP.
# For UDP:
${IpFw} add allow udp from any to any 33434-33625 out via ${LanOut} keep-state
#####################################################
# ICMP traceroute needs the following types (0,3,4,8,11,12)
# PING
# 0 - Echo Reply
# 3 - Destination Unreachable
# 4 - Source Quench
# 5 - Redirect
# 8 - Echo Request
# 11 - Time Exceeded for a Datagram
# 12 - Parameter Problem on a Datagram
# NOTE(review): accepting type 5 (Redirect) from the external /24 lets those
# hosts alter this gateway's routes unless net.inet.icmp.drop_redirect=1 is set.
${IpFw} add allow icmp from ${NetOut} to me icmptype 0,3,4,5,8,11,12 in via ${LanOut} keep-state
${IpFw} add allow icmp from me to ${NetOut} icmptype 0,3,4,5,8,11,12 out via ${LanOut} keep-state
# --- LET LAN USERS OUT TO THE INTERNET --- #
# NOTE(review): neither rule names an interface or direction: the second accepts
# anything that reaches a 192.168.1.0/24 destination from anywhere, the first
# anything that claims a LAN source (see the anti-spoofing note above).
# 'in via ${LanIn}' / 'out via ${LanIn}' would confine them to the LAN side.
${IpFw} add allow all from 192.168.1.0/24 to any
${IpFw} add allow all from any to 192.168.1.0/24
#####################################################
printf "\n#################################\n# RULES LOADED. FIREWALL WORKS! # \n#################################\n"
/etc/ntp.conf
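# Upstream time servers (the first one is preferred).
server 212.1.224.6 prefer
server 212.1.244.6
# Default policy for every host not listed below: serve time only.
# nomodify/notrap: no run-time reconfiguration or trap registration;
# nopeer: no unsolicited peer associations; noquery: no mode 6/7 control
# queries (status and variable dumps), which is what stops ntpd from
# answering monitoring requests from arbitrary hosts. This line was
# commented out in the original, which left ntpd fully open on every
# interface the firewall passes UDP/123 to.
restrict default nomodify notrap nopeer noquery
# The upstream servers only need to answer our time requests; a bare
# 'restrict <addr>' would grant them full rights, so keep the same limits.
restrict 212.1.224.6 nomodify notrap nopeer noquery
restrict 212.1.244.6 nomodify notrap nopeer noquery
# Localhost keeps full access (ntpq/ntpdc from the box itself).
restrict 127.0.0.1
# LAN and the external /24 may fetch time and run status queries, but not
# reconfigure the daemon; add noquery here too if nobody there monitors ntpd.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 195.0.1.0 mask 255.255.255.0 nomodify notrap
# Local clock as a stratum-5 fallback when the upstream servers are unreachable.
server 127.127.1.0
fudge 127.127.1.0 stratum 5
driftfile /etc/ntp.drift
logfile /var/log/ntp.log # main log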
/etc/resolv.conf
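# Domains appended to unqualified names, tried in this order.
search serg.ru test.ru
# Seconds to wait for a nameserver before trying the next one.
# The resolver keyword is 'options' (plural); the original 'option' line is
# ignored by the resolver, which silently keeps its default 5-second timeout.
options timeout:1
# Nameservers, queried in order (the resolver uses at most three).
nameserver 195.0.1.3
nameserver 195.0.1.2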
/etc/hosts
# Static host table for both networks; with the default nsswitch order
# (files before dns) these entries are used before DNS is asked.
#::1 localhost localhost.serg.ru
127.0.0.1 localhost localhost.serg.ru
195.0.1.1 srv.serg.ru srv
192.168.1.1 gate1.test.ru gate1
195.0.1.8 srv92.serg.ru srv92
192.168.1.2 gate2.test.ru gate2
# admin workstation: pinned here so SSH does not stall when DNS is slow or down
195.0.1.3 sergey.serg.ru sergey
Создать файл /usr/local/etc/apache24/Includes/php.conf
# Hand files whose name ends in .php to PHP; the anchored pattern does not
# match names such as upload.php.jpg.
<FilesMatch "\.php$">
SetHandler application/x-httpd-php
</FilesMatch>
# .phps files are served as syntax-highlighted source, i.e. the code of any
# .phps file under the document root becomes readable to clients.
<FilesMatch "\.phps$">
SetHandler application/x-httpd-php-source
</FilesMatch>
или
# Extension-based alternative to the FilesMatch blocks.
# NOTE(review): mod_mime treats every dot-separated part of a file name as an
# extension, so with AddType a file such as upload.php.jpg is also executed as
# PHP; in directories that accept uploads, prefer the FilesMatch form.
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
/usr/local/etc/php/extensions.ini
Если Apache не запускается после сборки PHP 5.5.14, то нужно закомментировать запуск модуля recode
; recode is left disabled on purpose: with it loaded, Apache failed to start
; after the PHP 5.5.14 build.
;extension=recode.so
~/.my.cnf
# ~/.my.cnf - per-user settings for the mysql command-line client.
# NOTE(review): the password is stored in cleartext; '123456' is obviously a
# placeholder, and the file should be readable by its owner only (chmod 600).
[mysql]
password = 123456
# Disable automatic rehashing; use 'rehash' to rebuild table and column name
# completion. This makes the mysql client start faster.
no-auto-rehash
#connect_timeout=2
pager = less -n -i -S
prompt =(\u@\h) [\d]>
[mysqlhotcopy]
interactive-timeout
UCARP
cat /usr/local/etc/vip-up.sh
/usr/local/etc/vip-up.sh
#!/bin/sh
# ucarp up-script: this node has become MASTER for vhid 1, so claim the
# virtual address on the LAN interface as a host (/32) alias.
vip_if="em1"
vip_addr="192.168.1.254/32"
ifconfig "${vip_if}" inet "${vip_addr}" alias
/usr/local/etc/vip-down.sh
#!/bin/sh
# ucarp down-script: this node has lost MASTER for vhid 1, so release the
# virtual address alias from the LAN interface.
vip_if="em1"
vip_addr="192.168.1.254/32"
ifconfig "${vip_if}" inet "${vip_addr}" -alias
/usr/local/etc/proftpd.conf
#
# For more information about Proftpd configuration
# see http://www.proftpd.org/
#
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD on FreeBsd v11"
ServerType standalone
# Bind to one interface only
#DefaultServer on
SocketBindTight on
# NOTE(review): em0 is the external interface (see rc.conf), so the daemon
# listens on the internet-facing address. ipfw.sh has no allow rule for port
# 21 or for the PassivePorts range on em0; check how clients actually reach it.
DefaultAddress em0
##############################################
ScoreboardFile /var/run/proftpd/proftpd.scoreboard
# Port 21 is the standard FTP port.
Port 21
# Use IPv6 support by default.
#UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
CommandBufferSize 512
# Set the user and group under which the server will run.
User nobody
Group nogroup
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Without this option proftpd dies with "alarm clock"
ScoreboardScrub off
###############################################
# NOTE(review): 9 is the maximum debug level, meant for troubleshooting; it
# makes the logs large and chatty. Lower it once the setup works.
DebugLevel 9
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"
SystemLog /var/log/proftpd/proftpd.log
TransferLog /var/log/proftpd/xfer.log
ExtendedLog /var/log/proftpd/access.log WRITE,READ write
ExtendedLog /var/log/proftpd/auth.log AUTH auth
###############################################
<Global>
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
# To exempt some users from the jail and give them full access,
# create a group (e.g. admins) and write
# DefaultRoot ~ !admins
DefaultRoot ~
# Passive-mode data ports; the firewall must admit this range on em0.
PassivePorts 40000 45535
# Virtual users come from this file; it holds password hashes, so keep it
# owned by root and not world-readable.
AuthUserFile /usr/local/etc/proftpd/ftpd.passwd
# RequireValidShell off
LangEngine on
UseEncoding UTF-8 WINDOWS-1251
</Global>
LangPath /usr/share/locale
# Only mod_auth_file is consulted, which appears to leave system accounts
# (mod_auth_unix) unable to log in.
AuthOrder mod_auth_file.c
#----------------------------------------------------------
LoadModule mod_tls.c
TLSEngine on
TLSLog /var/log/proftpd/tls.log
# NOTE(review): SSLv23 lets OpenSSL negotiate any version it was built with,
# including SSLv3 where still present. If this mod_tls accepts the newer
# keywords, 'TLSProtocol TLSv1 TLSv1.1 TLSv1.2' limits it to TLS.
TLSProtocol SSLv23
# 'auth': only the login must be over TLS; listings and file contents may go
# in the clear unless the client asks otherwise. 'TLSRequired on' protects
# the data channel as well.
TLSRequired auth
TLSOptions NoCertRequest
# Self-signed cert/key (generated with the openssl command at the end of this
# page); the key is unencrypted, so the file must be readable by root only.
TLSRSACertificateFile /usr/local/etc/proftpd/cert.pem
TLSRSACertificateKeyFile /usr/local/etc/proftpd/key.pem
# No client certificates are requested or checked.
TLSVerifyClient off
###############################################
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# NOTE(review): the two comment lines below are left over from the stock file;
# the block that follows is a <Directory>, not an anonymous section. The path
# '/usr/home/~' is probably taken literally (~ is only expanded at the start of
# a path) - confirm it is the directory you meant.
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Directory /usr/home/~>
Umask 022 022
<Limit READ WRITE STOR>
AllowAll
</Limit>
</Directory>
#########################################################################
# #
# Uncomment lines with only one # to allow basic anonymous access #
# #
#########################################################################
#<Anonymous ~ftp>
# User ftp
# Group ftp
### We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
### Limit the maximum number of anonymous logins
# MaxClients 10
### We want 'welcome.msg' displayed at login, and '.message' displayed
### in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
### Limit WRITE everywhere in the anonymous chroot
# <Limit WRITE>
# DenyAll
# </Limit>
#</Anonymous>
И создаём ключи
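# Self-signed certificate and key for mod_tls, valid for 720 days.
# -newkey rsa:2048 fixes the key size instead of relying on default_bits in
# openssl.cnf (1024 on older installs); -sha256 avoids a SHA-1 signature;
# -nodes leaves the key unencrypted so proftpd can start unattended, which is
# why the key file must be readable by root only (proftpd should load it at
# start-up, before dropping to the configured User).
openssl req -new -x509 -newkey rsa:2048 -sha256 -days 720 -nodes -out /usr/local/etc/proftpd/cert.pem -keyout /usr/local/etc/proftpd/key.pem
chmod 600 /usr/local/etc/proftpd/key.pem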