On FreeBSD the command is:
less /var/run/dmesg.boot

Examples of the entries for the main kinds of hardware are as follows:
Hard disk:
da0 at mpt0 bus 0 target 0 lun 0
da0: Fixed Direct Access SCSI-5 device
da0: 300.000MB/s transfers, Tagged Queueing Enabled
da0: 140014MB (286749480 512 byte sectors: 255H 63S/T 17849C)

Network card:
brgphy0: on miibus0
brgphy0:  10baseT, 10baseT-FDX, 100baseTX, 100baseTX-FDX, 1000baseTX, 1000baseTX-FDX, auto
bge0: Ethernet address: 00:17:08:2a:13:88

CPU:
CPU: Genuine Intel(R) CPU 3.20GHz (3191.87-MHz 686-class CPU)
 Origin = "GenuineIntel"  Id = 0xf62  Stepping = 2
 Features=0xbfebfbff
 Features2=0xe4bd,>
 AMD Features=0x20100000
 AMD Features2=0x1
 Cores per package: 2
 Logical CPUs per core: 2

Memory:
real memory  = 2147287040 (2047 MB)
avail memory = 2096644096 (1999 MB)


This article is contributed by ArthurXF. ArthurXF is also engaged by the Shanghai Feifan Training School to teach PHP and other IT courses; anyone interested can attend a free trial lesson. Tel: 021-51097877, QQ: 29011218, MSN: onenight11@hotmail.com
Recently one of the servers I manage was hit by ARP spoofing from another server in the same network segment, and a trojan was planted in its web pages. I asked the data center to fix it quickly; amazingly, after two days it still was not fixed, and in the end they shifted the blame, saying it was caused by a vulnerability in our own server. Strong contempt for such irresponsible people!
It looks like we have to rely on ourselves. Everyone get ready.

1. The method without installing software.
First reboot, to make sure the gateway address you have is the correct one.
The steps are as follows:
ifconfig
The output looks like this:
bge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=1b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING>
inet 192.168.0.5 netmask 0xffffffc0 broadcast 192.168.0.1
ether 00:17:08:2a:13:88
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
Save the gateway information to a file.
echo 192.168.0.1 00:17:08:2a:13:88 > /etc/ipmac
Then use crontab -e to edit the system scheduler (cron) so that it runs the command repeatedly at the set interval:
*/5 * * * * /usr/sbin/arp -f /etc/ipmac
This refreshes the gateway MAC address every 5 minutes to keep it correct.
Note: there is a pitfall here. If the gateway device is replaced, i.e. the gateway's MAC address changes, the network will stop working, and you then have to go to the data center to edit the ipmac file and put in the new gateway MAC. My advice is therefore to back up ipmac first but not enable the periodic update right away; start the updates only when you find an ARP virus on the network, and stop them once the virus has been cleaned up, so that normal connectivity is preserved.
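As an added example (not part of the original post), the script below pins the gateway's IP/MAC in the same arp -f file format used above, but instead of silently re-applying the entry every five minutes it compares the live ARP table with the pinned value and logs a mismatch. That gives you the spoofing signal without the risk the note above describes: a changed gateway MAC shows up as a logged mismatch rather than a silent outage. Whatever goes into the file has to be the gateway's MAC as observed in `arp -an` while the network is known to be clean. The file path and the gateway IP/MAC are the ones from the post; the function names and the sample `arp -an` line in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: pin the gateway's IP/MAC
# (arp -f format, "<ip> <mac>" per line) and compare the live ARP table
# with the pinned value, reporting a mismatch instead of rewriting it.
# Path and sample addresses come from the post; function names are ours.

PIN_FILE="${PIN_FILE:-/etc/ipmac}"

# A MAC address is six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Write one "<ip> <mac>" line in the format arp -f expects.
# Usage: write_pin 192.168.0.1 00:17:08:2a:13:88 [file]
write_pin() {
    ip="$1"; mac="$2"; out="${3:-$PIN_FILE}"
    valid_mac "$mac" || { echo "write_pin: bad MAC $mac" >&2; return 1; }
    printf '%s %s\n' "$ip" "$mac" > "$out"
}

# Read `arp -an` output on stdin and compare the MAC recorded for $1 with
# the pinned MAC $2. FreeBSD prints one entry per line, e.g. (constructed):
#   ? (192.168.0.1) at 00:17:08:2a:13:88 on bge0 [ethernet]
# Returns 0 on a match, 1 on a mismatch (logged to stderr), 2 when the IP
# is not in the table at all.
check_gateway_mac() {
    ip="$1"; pinned="$2"
    seen=$(awk -v want="($ip)" '$2 == want { print $4; exit }')
    [ -n "$seen" ] || return 2
    lc_seen=$(printf '%s' "$seen" | tr 'A-F' 'a-f')
    lc_pinned=$(printf '%s' "$pinned" | tr 'A-F' 'a-f')
    if [ "$lc_seen" = "$lc_pinned" ]; then
        return 0
    fi
    echo "ARP mismatch for $ip: pinned $pinned, table shows $seen" >&2
    return 1
}

# Check every pinned entry in the file against the live table.
check_all() {
    rc=0
    while read -r ip mac; do
        [ -n "$ip" ] || continue
        arp -an </dev/null | check_gateway_mac "$ip" "$mac" || rc=1
    done < "${1:-$PIN_FILE}"
    return $rc
}

case "${1:-}" in
    pin)   write_pin "$2" "$3" ;;   # record the trusted gateway pair
    check) check_all ;;             # run from cron; mismatches go to stderr
esac
```

Run `./arpcheck.sh pin 192.168.0.1 <gateway-mac>` once from a clean state, then schedule `./arpcheck.sh check` from cron; cron mails the mismatch line to root, and you decide whether to re-apply the pin with `arp -f` or update the file because the gateway really changed.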

2. Install ARP protection software
cd /usr/ports/security/ipguard/
make install
After installation, the /etc/ethers file is set up to protect this host against ARP spoofing and attacks.
Start ipguard:
cd /usr/local/etc/rc.d
mv ipguard.sh.sample ipguard.sh
/usr/local/etc/rc.d/ipguard.sh start


Detailed ipguard usage
ipguard - tool designed to protect LAN IP address space by ARP spoofing.

ipguard listens on the network for ARP packets. All permitted MAC/IP pairs are
listed in the 'ethers' file. If it receives a packet with a MAC/IP pair that is
not listed in the 'ethers' file, it will send an ARP reply with the configured
fake address. This prevents the non-permitted host from working properly in
this Ethernet segment, especially Windows(TM) hosts.

EXAMPLES
Normal method, duplex, autoupdate /etc/ethers every 5 min and send 2
fake replies:
ipguard -x -u 300 -n 2 fxp0

Read-only mode, remembering the last 100 MACs not listed in `ethers'. Useful
for the initial collection of MAC/IP pairs:
ipguard -r -b 100 -f ./empty_file rl0

Do not go to background and be more verbose, with test ethers file:
ipguard -dv -f /tmp/ethers my1

TIPS
You must have read permission on /dev/bpf* if you want to start ipguard
in read-only mode and read/write permission for full functional if
you're not root.

The first MAC/IP pair in the list is always taken from the listening interface,
so you can't accidentally block yourself.

BUGS
ipguard will not prevent a client from changing its MAC address along with its IP.

Linux sends a weird ARP packet when it enters the net. ipguard doesn't handle it.

Signals like HUP or TERM only take effect when a new ARP packet is received.

ArthurXF, a CTO with 10 years in the industry, has been invited by the Shanghai Feifan School to teach PHP, CSS, FreeBSD and other networking skills. Anyone interested in attending, please contact QQ: 29011218, MSN: onenight11@hotmail.com
Many people don't know how to restart MySQL on FreeBSD. Here is the command; I hope it helps.
/usr/local/etc/rc.d/mysql-server restart
Many Linux users are probably very familiar with the LVS load-balancing software, but how do you do load balancing on FreeBSD?
In fact FreeBSD also offers many ways to do load balancing. This article is contributed by ArthurXF, thanks for your support!
Load balancing means distributing heavy traffic sensibly across different servers, so that each server serves users as well as it can within its maximum capacity. Load balancing is, in short, the job of allocating traffic sensibly.
There are of course many ways to do it; here I, ArthurXF, give just two methods for your study and reference.
1. Building a traffic-control firewall (bridge mode)
Overview
Using the BRIDGE, IPFIREWALL and DUMMYNET options supported by the FreeBSD kernel, you can build a FreeBSD-based transparent traffic-control firewall (bridge mode) that provides both rate limiting and packet filtering.

Preparation
A traffic-control firewall can be built on any FreeBSD-compatible hardware, but for performance and manageability the following is recommended:
Use an Intel PII 450 or faster processor
Use at least 128MB RAM
Use high-performance 10/100Mbps auto-negotiating network adapters
Use a dual-processor system if there is more than one bridge group
Prepare a separate network adapter for management
--------------------------------------------------------------------------------
Example
A Legend Wanquan 1300 PC server with one Intel PII 300 processor and 128MB RAM, an onboard Intel 82557 network adapter, and four additional 3Com 3C905B 10/100Mbps auto-negotiating PCI network adapters.


Configuration
After installing the operating system, the kernel must be recompiled to support the bridging traffic-control firewall options. Add the following to the kernel configuration file:

    options BRIDGE
    options DUMMYNET
    options IPFIREWALL
    options IPFIREWALL_DEFAULT_TO_ACCEPT

After recompiling the kernel, the machine must be rebooted.

--------------------------------------------------------------------------------
Example

    # cd /usr/src/sys/i386/conf
    # cp GENERIC BRGFW
    # echo "options BRIDGE" >> BRGFW
    # echo "options DUMMYNET" >> BRGFW
    # echo "options IPFIREWALL" >> BRGFW
    # echo "options IPFIREWALL_DEFAULT_TO_ACCEPT" >> BRGFW
    # config BRGFW
    # cd ../../compile/BRGFW
    # make depend all install
    # reboot


Enabling the bridge
After rebooting, enable the bridging traffic-control firewall with the following commands:
    sysctl -w net.link.ether.bridge_ipfw=1
    sysctl -w net.link.ether.bridge_cfg=""
    sysctl -w net.link.ether.bridge=1

The bridge_cfg parameter defines multiple bridge groups; for a single bridge it can be omitted. In the example, the onboard Intel 82557 adapter is used for the management network, and the 3Com 3C905B adapters are split into two bridge groups.

--------------------------------------------------------------------------------
Example

    # sysctl -w net.link.ether.bridge_ipfw=1
    # sysctl -w net.link.ether.bridge_cfg="xl0:0,xl1:0,xl2:1,xl3:1"
    # sysctl -w net.link.ether.bridge=1


Usage
Use the ipfw command to control traffic and firewall policy. Traffic shaping is implemented as a firewall rule, so ipfw is the only management interface. The example illustrates how ipfw is used.

In the example, subnet 192.168.254.0/24 passes through the first bridge and subnet 192.168.250.0/24 through the second, with the following policy:


Allow all ICMP, limited to 10Kbit/s in total
Allow all UDP, limited to 100Kbit/s in total
Allow all TCP connections to subnet 192.168.254.0/24, limited to 5Mbit/s
Allow TCP HTTP connections to host 192.168.250.222, limited to 2Mbit/s
Allow all other TCP connections to subnet 192.168.250.0/24, limited to 1Mbit/s
Deny all other connections


--------------------------------------------------------------------------------
Example

    # ipfw -f flush
    # ipfw add 100 pipe 1 icmp from any to any
    # ipfw pipe 1 config bw 10Kbit/s
    # ipfw add 200 pipe 2 udp from any to any
    # ipfw pipe 2 config bw 100Kbit/s
    # ipfw add 300 pipe 3 tcp from 192.168.254.0/24 to any
    # ipfw pipe 3 config bw 5Mbit/s
    # ipfw add 400 pipe 4 tcp from any to 192.168.254.0/24
    # ipfw pipe 4 config bw 5Mbit/s
    # ipfw add 500 pipe 5 tcp from any to 192.168.250.222 80
    # ipfw pipe 5 config bw 2Mbit/s
    # ipfw add 600 pipe 6 tcp from 192.168.250.222 80 to any
    # ipfw pipe 6 config bw 2Mbit/s
    # ipfw add 700 pipe 7 tcp from 192.168.250.0/24 to any
    # ipfw pipe 7 config bw 1Mbit/s
    # ipfw add 800 pipe 8 tcp from any to 192.168.250.0/24
    # ipfw pipe 8 config bw 1Mbit/s
    # ipfw add 60000 deny ip from any to any
    # ipfw -a list
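The ruleset above pairs each flow with a pipe by hand, which is where number mismatches and a forgotten final deny creep in. As an added example (not code from the original article), the script below generates the same ipfw commands from a compact policy table, one line per flow, so rule numbers, pipe numbers and bandwidths stay in step and the deny rule is always emitted. The policy entries reproduce the article's ruleset; the table format, the "ip:port" notation for a host with a port, and the function names are this example's own. Set IPFW=echo to preview the commands without applying them.

```shell
#!/bin/sh
# Added example, not from the original article: build the bridge firewall's
# ipfw ruleset from a policy table. Flows are numbered in order; flow n gets
# rule n*100 and pipe n, and the closing deny at 60000 is always appended.
# The policy below reproduces the article's rules; the format is ours.

IPFW="${IPFW:-/sbin/ipfw}"

# One flow per line: <proto> <src> <dst> <bandwidth>. A host may carry a
# port as "ip:port", which becomes "ip port" in the generated rule.
POLICY='icmp any any 10Kbit/s
udp any any 100Kbit/s
tcp 192.168.254.0/24 any 5Mbit/s
tcp any 192.168.254.0/24 5Mbit/s
tcp any 192.168.250.222:80 2Mbit/s
tcp 192.168.250.222:80 any 2Mbit/s
tcp 192.168.250.0/24 any 1Mbit/s
tcp any 192.168.250.0/24 1Mbit/s'

# Read the policy on stdin and print the ipfw commands: flush, one rule plus
# one pipe definition per flow, then the final deny.
gen_rules() {
    awk -v ipfw="$IPFW" '
        function ep(s) { sub(":", " ", s); return s }   # "ip:port" -> "ip port"
        BEGIN { print ipfw " -f flush" }
        NF == 4 {
            n++
            printf "%s add %d pipe %d %s from %s to %s\n", ipfw, n * 100, n, $1, ep($2), ep($3)
            printf "%s pipe %d config bw %s\n", ipfw, n, $4
        }
        END { print ipfw " add 60000 deny ip from any to any" }
    '
}

# Apply the ruleset; needs root and the kernel options from the article.
# sh -e stops at the first failing command instead of leaving a half ruleset.
apply_rules() {
    printf '%s\n' "$POLICY" | gen_rules | sh -e
}

case "${1:-}" in
    show)  printf '%s\n' "$POLICY" | gen_rules ;;
    apply) apply_rules ;;
esac
```

Because the policy is data rather than typed commands, adding a flow is one new line, and `./bridgefw.sh show | diff - <(ipfw -a list ...)`-style comparisons against the running ruleset become practical.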


2. SG Cluster (a simple way to build a cluster)
Official site: http://turtle.ee.ncku.edu.tw/sgcluster/
SG Cluster is a load-balancing tool built on FreeBSD's NAT implementation and the SG software distribution.
It has the following features:
Easy management - a very friendly, easy-to-install web-based management interface.
Graphical - the cluster's back-end services running on different hosts are highlighted graphically in a single client view.
Scalable - system capacity grows as new cluster servers are added.
Load balancing - requests are automatically sent to the least-loaded server for the best overall performance.
Fault tolerance - the SG load balancer monitors all servers and only sends requests to servers that are up; several load balancers can be configured within one load-balancing system to avoid a single point of failure.
High load - the SG load balancer can mark excess redundancy in the system, and the system keeps serving normally while it is being upgraded.

Configuration
Configuration document from the official site:

http://turtle.ee.ncku.edu....

CONFIGURATION
edit system config files

There is an editor 'ee' bundled in SG system disk, you can use 'ee' to edit the configuration files under /etc

/etc/rc.conf.local

this file contains hostname information, see below for example

1 hostname="ds211.ee.ncku.edu.tw" # Set this!
2
3 gateway_enable="YES" # Set to YES if this host will be a gateway.
4 firewall_enable="YES" # firewall (see /etc/rc.firewall) or NO

line 1: set the hostname of the SG load balancer

/etc/sg.conf

this file contains the configuration information of SG system, see below for example

1 # SG CLUSTER CONFIGURATION, CHANGE FOR YOUR NEED!!!
2
3 sgpath="/stand" # where sg related program is
4 temporary_ip="10.0.0.1" # ip before start sg
5 temporary_gw="10.0.0.253" # gateway before start sg
6
7 public_interface="fxp0"
8 private_interface="fxp1"
9
10 default_gw="140.116.72.253"
11
12 public_ip="140.116.72.136"
13 public_netmask="255.255.255.0"
14 private_ip="192.168.1.253"
15 private_netmask="255.255.255.0"
16
17 group_ip="140.116.72.137 140.116.72.138"
18
19 # map real servers to server group
20 natd_parameter="
21 -redirect_address 192.168.1.1 140.116.72.137
22 -redirect_address 192.168.1.2 140.116.72.137
23 -redirect_address 192.168.1.3 140.116.72.137
24 -redirect_port tcp 192.168.1.2:23 140.116.72.138:23
25 -redirect_port tcp 192.168.1.3:23 140.116.72.138:23
26 -redirect_port tcp 192.168.1.4:23 140.116.72.138:23
27 "
28
29 # username/passwd used by sgcmd to connect sgctrld
30 username="dslab"
31 password="dslab"
32
33 # init command sent to sgctrld
34 init_command="
35 set g 140.116.72.137:0 keyport_list 0
36 set g 140.116.72.137:0 s 192.168.1.1:0 weight 2
37 set g 140.116.72.137:0 s 192.168.1.2:0 weight 1
38 set g 140.116.72.137:0 s 192.168.1.3:0 weight 1
39 set g 140.116.72.138:23 keep_same_server 1
40 set g 140.116.72.138:23 keyport_list 0 23/tcp
41 set g 140.116.72.138:23 s 192.168.1.2:23 weight 1
42 set g 140.116.72.138:23 s 192.168.1.3:23 weight 1
43 set g 140.116.72.138:23 s 192.168.1.4:23 weight 2
44 "
45
46 # THERE SHOULD NO NEED TO CHANGE FROM BELOW ########################################
47
48 bidd_ip="234.5.6.7" # multicast group ip for bidd
49 bidd_port="3456" # port for bidd
50 bidd_master_heartbeat_interval="8"
51 bidd_master_timeout="10"
52 bidd_bid_timeout="3"
53 bidd_start_script="$sgpath/sgstart.sh"
54 bidd_stop_script="$sgpath/sgstop.sh"
55 bidd_continue_script="$sgpath/sgcontinue.sh"
56
57 sgmon_calc_status_interval="10"
58 sgmon_port_test_interval="60"
59 sgmon_host_timeout="2"
60
61 sgctrld_passwd_file="/etc/sgctrld.passwd"



line 7,8: set the name of public interface and private interface


Ethernet card supported by SG load balancer:

ed - NE2000, 3com 3C503 (ed0 port 0x300 irq10, ed1 port 0x320 irq11)
ie - 3com 30507, Intel Ether Express (ie0 port 0x280 irq5, ie1 port 0x340 irq 7)
de - DEC 21040/21140 based PCI card
fxp - Intel Ether Express pro
vr - DLink DFE530tx
xl - 3Com 3C900/3C905/3C905B


line 10: the default gateway for public interface

line 12-15: set the ip and netmask of the public interface and private interface

line 17: the ip of server groups (separated by space)

line 20-27: define servers in each server group

In this example, 2 server groups, 140.116.72.137:0 and 140.116.72.138:23, are defined, and each of them has 3 member servers.

line 30,31: the username/passwd used by web interface to login sgctrld

line 34-44: initial command sent to sgctrld to set SG properties,

property setting syntax:

set group [group_ip] [group_property] [value]
set group [group_ip] server [server_ip] [server_property] [value]

group property name description
name group name
active_flag 0=off, 1=on
keyport_list port list, 0 means icmp, NNN/udp=udp port, NNN/tcp=tcp port, where NNN=1..65535
select_method 0=roundrobin, 1=by_conn, 2=by_pkt, 3=by_clntip, 4=by_ext
keep_same_server  0=off, 1=on
failure_detect_by_packet_snoop 0=off, 1=on
recovery_detect_by_packet_snoop 0=off, 1=on
packet_delta_threshold pkt lost upper limit for each keyport
packet_timeout_threshold timeout upper limit for each keyport, unit:second
failure_detect_by_porttest 0=off, 1=on
recovery_detect_by_porttest 0=off, 1=on
porttest_error_threshold 0-65535
failure_detect_by_heartbeat 0=off, 1=on
recovery_detect_by_heartbeat 0=off, 1=on
heartbeat_timeout_threshold 0-65535
mcast_mode 0=deny, 1=bypass, 2=readwrite, 3=rdonly
multicast_addr multicast address for service program
mcast_error_threshold 0-65535
deny_interval deny interval for evil client  
connection_count_limit 1-65535, limit per client, 0 no limit
connection_rate_limit 1-65535, limit per client, 0 no limit
finwait_tcp_limit 1-65535, limit per client, 0 no limit

server property name description
name server name
ac_list server access control list, ex: "140.116.72/24 !140.116.49.0/24"
weight 0-255
external_count a counter representing server load defined server program
status 0=dead, 1=pending, 2=alive
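Lines 20-27 and 34-44 of sg.conf describe the same servers twice: natd_parameter maps each real server to a public group address, and init_command assigns the server to that group with a weight. If the two lists drift apart (a server added to init_command without a redirect, or a redirect left behind after a server is removed), SG will happily balance onto a server that natd never forwards to. The lint below, an added example and not part of the SG Cluster documentation, checks that every init_command server has a matching natd redirect. The sample configuration is assembled from the values in the excerpt above; the function name and the assumption that a -redirect_address corresponds to group and server port 0 are this example's own.

```shell
#!/bin/sh
# Added example, not from the SG Cluster documentation: cross-check
# natd_parameter against init_command in sg.conf. A server named in
# "set g <group> s <server> ..." without a natd redirect gets no traffic.
# Sample config built from the documentation's values; lint logic is ours.

SAMPLE_CONF='natd_parameter="
-redirect_address 192.168.1.1 140.116.72.137
-redirect_address 192.168.1.2 140.116.72.137
-redirect_address 192.168.1.3 140.116.72.137
-redirect_port tcp 192.168.1.2:23 140.116.72.138:23
-redirect_port tcp 192.168.1.3:23 140.116.72.138:23
-redirect_port tcp 192.168.1.4:23 140.116.72.138:23
"
init_command="
set g 140.116.72.137:0 keyport_list 0
set g 140.116.72.137:0 s 192.168.1.1:0 weight 2
set g 140.116.72.137:0 s 192.168.1.2:0 weight 1
set g 140.116.72.137:0 s 192.168.1.3:0 weight 1
set g 140.116.72.138:23 keep_same_server 1
set g 140.116.72.138:23 keyport_list 0 23/tcp
set g 140.116.72.138:23 s 192.168.1.2:23 weight 1
set g 140.116.72.138:23 s 192.168.1.3:23 weight 1
set g 140.116.72.138:23 s 192.168.1.4:23 weight 2
"'

# Read sg.conf on stdin. Prints "MISSING <group> <server>" for every
# init_command server that has no natd redirect; exit 1 if any, else 0.
sg_lint() {
    awk '
        /^natd_parameter="/ { in_nat = 1; next }
        /^init_command="/   { in_init = 1; next }
        /^"/                { in_nat = 0; in_init = 0; next }
        # -redirect_address <private_ip> <public_ip>: whole-host NAT.
        # Assumption: this corresponds to group and server port 0.
        in_nat && $1 == "-redirect_address" { nat[$3 ":0", $2 ":0"] = 1 }
        # -redirect_port <proto> <private_ip:port> <public_ip:port>
        in_nat && $1 == "-redirect_port"    { nat[$4, $3] = 1 }
        # set g <group_ip:port> s <server_ip:port> <property> <value>
        in_init && $1 == "set" && $2 == "g" && $4 == "s" { want[$3, $5] = 1 }
        END {
            for (k in want) if (!(k in nat)) {
                split(k, a, SUBSEP)
                print "MISSING " a[1] " " a[2]
                bad = 1
            }
            exit (bad ? 1 : 0)
        }
    '
}

case "${1:-}" in
    lint)   sg_lint < "${2:-/etc/sg.conf}" ;;
    sample) printf '%s\n' "$SAMPLE_CONF" | sg_lint && echo "sample config is consistent" ;;
esac
```

Run `./sglint.sh lint /etc/sg.conf` before `update` writes the configuration back to the floppy; a non-zero exit names the group/server pair that natd does not know about.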

/etc/resolv.conf

set the dns server

/etc/hosts

local host table



set root password

use 'passwd root' to change root password of SG system



set sgctrld password

The password file of sgctrld is /etc/sgctrld.passwd, you can use

echo "your_name:`makepwd your_passwd`" >> /etc/sgctrld.passwd

to add your_name/your_passwd to /etc/sgctrld.passwd

Or you can also use 'ee' to edit /etc/sgctrld.passwd directly to remove old accounts



synchronize all modification into floppy disk

When SG system boot up, all things are loaded into the ram disk, and your modification is also on the ram disk. You have to use 'update' to synchronize the change to the floppy disk.



reboot the SG system disk

If everything is right, you would see some message like 'bidd...BID->MASTER' appear on the console. Try to telnet to the SG load balancer from a remote host and browse the web page at 'http://your.load.balancer.hostname.or.ip'. If everything is right, congratulations!

Because the LDAP 2.3 client was installed together with Apache, after LDAP was later upgraded to 2.4 Apache failed to start with the following error:
/libexec/ld-elf.so.1: Shared object "libldap-2.3.so.2" not found, required by "httpd"

Looking in /usr/local/lib, all the ldap library files are now version 2.4.
To avoid reinstalling, we solve this with symlinks, as follows:
cd /usr/local/lib
ln -s libldap-2.4.so.2 libldap-2.3.so.2

Starting Apache now gives a new error:
/libexec/ld-elf.so.1: Shared object "liblber-2.3.so.2" not found, required by "httpd"
Create another symlink:
ln -s liblber-2.4.so.2 liblber-2.3.so.2

apachectl start
Now it works and the problem is solved. This may not be the fundamental fix, but at least the service can be started. This article is contributed by ArthurXF, thanks for your support!


ArthurXF is currently running PHP and other technical training; anyone who wants to learn can contact me. The enrollment brochure for the training is at the address below, have a look if you are interested. You can also add my QQ 29011218 to chat.
PHP training enrollment brochure