I. OpenBSD 4.3 installation and preparation
There are already many detailed posts on installation, so it is not repeated here.
Equipment: one BSD server, three load-balanced test servers, two stress-test servers
The BSD server is a Lenovo R515 1U rack server
CPU: 4 cores x 2
Memory: 1G x 4
Disks: 73G 1.5K rpm x 3 (RAID 6)
The test machines are all Dell GX620 desktop PCs
II. OpenBSD system tuning
1. Disable unneeded services such as sendmail and inetd
Edit rc.conf to disable services that should not start
#vi /etc/rc.conf
sendmail_flags=NO
inetd=NO
Others such as yp can also be disabled.
2. Tune kernel parameters (for reference; adjust to your own situation)
#vi /etc/sysctl.conf
Enable forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=1
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=1
Tune kernel parameters
#*** Edit by sunwaylove *****#
#net.inet.ip.sourceroute=0
net.inet.tcp.drop_synfin=1
kern.maxvnodes=32768
kern.shminfo.shmall=32768
kern.somaxconn=65535
kern.sominconn=2048
kern.maxproc=65535
kern.maxfiles=65535
kern.maxclusters=32768
#kern.securelevel=3
net.inet.tcp.sendspace=65535
net.inet.tcp.recvspace=65535
net.inet.udp.sendspace=65535
net.inet.udp.recvspace=65535
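A verification step the post does not include: after applying /etc/sysctl.conf, confirm that the running kernel actually carries those values. The shell script below is an added example, not part of the original post. It compares a desired key=value list against a captured `sysctl` snapshot and reports every key that differs. The desired list is a subset of the post's sysctl.conf; the snapshot is constructed for the example (on a real host you would redirect `sysctl` output into a file instead).

```shell
#!/bin/sh
# Added example (not from the original post): report sysctl keys whose running
# value differs from the desired tuning/hardening values.
# Inputs are plain "key=value" text, the format both /etc/sysctl.conf and the
# output of `sysctl` use on OpenBSD.

# Desired settings: a subset of the post's /etc/sysctl.conf (comments kept on purpose).
desired_settings() {
    cat <<'EOF'
# forwarding
net.inet.ip.forwarding=1
net.inet.tcp.drop_synfin=1
kern.somaxconn=65535
kern.maxfiles=65535
#kern.securelevel=3
EOF
}

# Constructed snapshot standing in for `sysctl` output on a host where
# kern.somaxconn was never raised (OpenBSD's stock default is 128).
running_snapshot() {
    cat <<'EOF'
net.inet.ip.forwarding=1
net.inet.tcp.drop_synfin=1
kern.somaxconn=128
kern.maxfiles=65535
kern.securelevel=1
EOF
}

# check_sysctl_drift DESIRED_FILE RUNNING_FILE
# Prints one line "key desired=X running=Y" per desired key whose running
# value differs or is absent; prints nothing when the host matches.
# Comment and blank lines in DESIRED_FILE are ignored, so a commented-out key
# such as "#kern.securelevel=3" is not enforced.
check_sysctl_drift() {
    awk -F= '
        FNR == NR {                      # first file: desired values
            if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next
            want[$1] = $2; next
        }
        { have[$1] = $2 }                # second file: running values
        END {
            for (k in want)
                if (!(k in have) || have[k] != want[k])
                    printf "%s desired=%s running=%s\n",
                        k, want[k], (k in have) ? have[k] : "missing"
        }' "$1" "$2" | sort
}

# demo_drift: run the check against the constructed inputs above.
demo_drift() {
    d=$(mktemp) || return 1
    r=$(mktemp) || return 1
    desired_settings > "$d"
    running_snapshot > "$r"
    check_sysctl_drift "$d" "$r"
    rm -f "$d" "$r"
}

demo_drift
```

On a live box the same function is run as `sysctl > /tmp/running; check_sysctl_drift /etc/sysctl.conf /tmp/running`; an empty result means every uncommented setting took effect.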
III. System security configuration
1. Install SSH2
Install the latest SSH2 to replace the bundled OpenSSH
#tar zxf ssh-3.2.9.1.tar.gz
#cd ssh-3.2.9.1
#./configure
#make
#make install
2. Configure the sshd2 service
Disable root login and change the port to 2222.
#cd /etc/ssh2;vi sshd2_config
Port 2222
PermitRootLogin nopwd
Make sshd2 start by default
#vi /etc/rc
if [ X"${sshd_flags}" != X"NO" ]; then
        echo -n ' sshd2'; /usr/local/sbin/sshd2 ${sshd_flags};
fi
After rebooting, upload your personal certificate and restrict logins to certificate (public key) authentication only
#vi /etc/ssh2/sshd2_config
AllowedAuthentications publickey
IV. PF firewall + NAT load balancing
Network layout:
Internal balanced devices (3) ----------em0| OpenBSD |em1--------- External test devices (2)
Internal balanced devices: { 10.1.222.95, 10.1.222.97, 10.1.222.98 } port 7777
External test devices: { 192.168.251.10, 192.168.251.11 }
OpenBSD internal NIC em0: 10.1.222.105
OpenBSD external NIC em1: 192.168.251.6
External load-balanced address: 192.168.251.2, bound on the em1 NIC
The application under test is named webjy, on port 7777
Configure multiple IPs on the external NIC
bash-2.04# vi /etc/hostname.em1
inet 192.168.251.6 255.255.255.0 NONE
inet alias 192.168.251.2 255.255.255.255
inet alias 192.168.251.3 255.255.255.255
inet alias 192.168.251.4 255.255.255.255
inet alias 192.168.251.5 255.255.255.255
Set pf to YES in rc.conf
Configure pf
#vi pf.conf
# ******************************************** #
# Edit By Sunwaylove #
# Support:010-8513XXXX #
# Mail:sunwaylove@163.com #
# ******************************************** #
# ********* Start Configure ******************* #
ext_if="em1"
int_if="em0"
ext_tc50="192.168.251.2"
tc50_hosts="{ 10.1.222.95, 10.1.222.97, 10.1.222.98 }"
# The table names below are placeholders: the original names were lost when
# the page was extracted (the <...> brackets were stripped)
table <testhost> { 10.1.222.0/24 }
table <intnet> { 10.1.0.0/16 }
# ********* Better pf-network ******************* #
set timeout {interval 3,frag 10}
set timeout {tcp.first 10,tcp.opening 2,tcp.established 600}
set timeout {tcp.closing 20,tcp.finwait 10,tcp.closed 10}
set timeout {udp.first 20,udp.single 10,udp.multiple 10}
set timeout {icmp.first 10,icmp.error 5}
set timeout {other.first 20,other.single 10,other.multiple 20}
set timeout {adaptive.start 0,adaptive.end 0}
set limit states 1000000
set limit frags 1000000 #this is the per-node (IP) concurrency count; set high for the test, a single IP would normally never have that many connections
set limit src-nodes 1000000
set limit tables 100000
set limit table-entries 1000000
set optimization aggressive
set block-policy drop
set require-order yes
set debug none
set skip on lo
scrub in all
# ********** NAT Configure ******************* #
#rdr-anchor "relayd/*"
#nat on $ext_if inet from any to $ext_tc50 -> 10.1.222.97
rdr on em1 proto tcp from any to $ext_tc50 port 7777 -> $tc50_hosts port 7777
# The NAT rules below exist only to make remote administration and file transfer convenient during testing; they are meaningless in production #
rdr on em1 proto tcp from any to $ext_tc50 port 139 -> 10.1.222.97 port 139
rdr on em1 proto tcp from any to $ext_tc50 port 445 -> 10.1.222.97 port 445
rdr on em0 proto tcp from any to $int_if port 3389 -> 192.168.251.10 port 3389
rdr on em0 proto tcp from any to $int_if port 3399 -> 192.168.251.11 port 3389
# ********** PF Configure ******************* #
# ***** Deny all *****
block in all
block out all
# ***** Default Allow *****
pass quick on lo0 all
antispoof quick for { lo, $int_if }
pass in on $ext_if inet proto 47 all
pass in on $ext_if inet proto udp from any to any port 500
pass in on $ext_if inet proto icmp from any to any
pass out on $ext_if inet proto 47 all
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# ***** Allow testhost to pass *****
# <testhost> is a placeholder for the table name lost in extraction
pass in on $int_if inet from <testhost> to any
pass out on $int_if inet from any to <testhost>
#pass on $int_if inet from any to any
# ***** Allow sunwaylove to pass *****
pass in quick on $int_if inet from 10.1.242.123 to any
pass in quick on $int_if inet from 10.1.29.138 to any
pass out quick on $int_if inet from any to 10.1.242.123
pass out quick on $int_if inet from any to 10.1.29.138
# ***** Allow Proc port to pass *****
pass in on $ext_if inet proto tcp from 218.247.130.0 to any port 2222 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to any port 7777
pass in on $ext_if inet proto tcp from any to any port 139
pass in on $ext_if inet proto tcp from any to any port 445
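In the PF of this era an `rdr` rule only rewrites the destination; the translated packet still has to be admitted by a `pass` rule or `block in all` drops it, which is why the ruleset above pairs each redirected port with a `pass in ... port` rule. The shell function below is an added example, not part of the original post: it reads a pf.conf, expands the simple `name="value"` macros, and lists every `rdr` destination (interface and external port) for which no `pass in` rule on the same interface allows that port or all ports. The sample ruleset is a constructed, trimmed copy of the post's, with the port 445 pass rule deliberately left out so the check has something to find; `<testhost>` is a placeholder table name.

```shell
#!/bin/sh
# Added example (not from the original post): find rdr rules in a pf.conf
# whose redirected traffic has no matching "pass in" rule.
# Deliberate limits, to keep it readable: only scalar name="value" macros are
# expanded, and only the first "port" before "->" in an rdr rule (the external
# port) is considered.

# Constructed sample: a trimmed copy of the post's ruleset, with the
# "pass in ... port 445" rule left out on purpose. <testhost> is a placeholder.
sample_pf_conf() {
    cat <<'EOF'
ext_if="em1"
int_if="em0"
ext_tc50="192.168.251.2"
tc50_hosts="{ 10.1.222.95, 10.1.222.97, 10.1.222.98 }"
table <testhost> { 10.1.222.0/24 }
rdr on em1 proto tcp from any to $ext_tc50 port 7777 -> $tc50_hosts port 7777
rdr on em1 proto tcp from any to $ext_tc50 port 139 -> 10.1.222.97 port 139
rdr on em1 proto tcp from any to $ext_tc50 port 445 -> 10.1.222.97 port 445
rdr on em0 proto tcp from any to $int_if port 3389 -> 192.168.251.10 port 3389
block in all
block out all
pass in on $int_if inet from <testhost> to any
pass in on $ext_if inet proto tcp from any to any port 7777
pass in on $ext_if inet proto tcp from any to any port 139
EOF
}

# rdr_without_pass PF_CONF_FILE
# Prints "iface port" for each rdr rule that no "pass in" rule covers.
rdr_without_pass() {
    awk '
        # Resolve $name to the macro value, or return the token unchanged.
        function expand(tok) {
            return (substr(tok, 1, 1) == "$") ? macro[substr(tok, 2)] : tok
        }
        # Interface named after the "on" keyword of the current rule.
        function iface_of(    i) {
            for (i = 1; i <= NF; i++) if ($i == "on") return expand($(i + 1))
            return "?"
        }
        # Port after the first "port" keyword within the first n tokens, or "any".
        function port_of(n,    i) {
            for (i = 1; i <= n; i++) if ($i == "port") return $(i + 1)
            return "any"
        }
        /^[A-Za-z_][A-Za-z0-9_]*="[^"]*"$/ {       # scalar macro definition
            eq = index($0, "="); val = substr($0, eq + 1)
            gsub(/"/, "", val); macro[substr($0, 1, eq - 1)] = val; next
        }
        /^rdr on / {                                # external side is left of "->"
            n = NF
            for (i = 1; i <= NF; i++) if ($i == "->") { n = i; break }
            rdr[iface_of() " " port_of(n)] = 1; next
        }
        /^pass in / { pass[iface_of() " " port_of(NF)] = 1; next }
        END {
            for (k in rdr) {
                split(k, p, " "); anyport = p[1] " any"
                if (!(k in pass) && !(anyport in pass)) print k
            }
        }' "$1" | sort
}

# demo_rdr_check: run the lint against the constructed sample above.
demo_rdr_check() {
    f=$(mktemp) || return 1
    sample_pf_conf > "$f"
    rdr_without_pass "$f"
    rm -f "$f"
}

demo_rdr_check
```

The redirect on em0 to port 3389 is not reported because `pass in on $int_if inet from <testhost> to any` carries no port and therefore covers it; the 445 redirect is reported because the constructed sample omits its pass rule. Run it as `rdr_without_pass /etc/pf.conf` before `pfctl -f` to catch a redirect that would silently be dropped.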
Testing PF-NAT load balancing
rdr on em1 proto tcp from any to $ext_tc50 port 7777 -> $tc50_hosts port 7777
The 2 sending test machines: final connection counts of 10000 each, 20000 in total
The 3 receiving test machines: after balancing, about 6666 connections each.
OpenBSD's performance state at this point:
#top
load averages: 0.08, 0.10, 0.08 19:08:15
16 processes: 1 running, 14 idle, 1 on processor
CPU0 states: 0.0% user, 0.0% nice, 0.0% system, 1.3% interrupt, 98.7% idle
CPU1 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU2 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU3 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU4 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU5 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU6 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU7 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: Real: 5804K/74M act/tot Free: 2943M Swap: 0K/1028M used/tot
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
32611 root 28 0 1460K 1792K run/0 - 0:00 0.00% sshd2
29775 root 2 0 532K 428K idle netio 0:00 0.00% pflogd
23989 sunwei 10 0 584K 1196K idle wait 0:00 0.00% bash
16629 _syslogd 2 0 384K 748K sleep/0 poll 0:00 0.00% syslogd
19339 root 10 0 584K 1300K sleep/0 wait 0:00 0.00% bash
27134 root 2 0 564K 796K sleep/0 select 0:00 0.00% cron
32686 _pflogd 4 0 596K 340K sleep/0 bpf 0:00 0.00% pflogd
12036 root 3 0 320K 724K idle ttyin 0:00 0.00% getty
16870 root 3 0 404K 708K idle ttyin 0:00 0.00% getty
24894 root 3 0 288K 712K idle ttyin 0:00 0.00% getty
24227 root 3 0 356K 720K idle ttyin 0:00 0.00% getty
2902 root 28 0 516K 1416K onproc/0 - 0:00 0.00% top
14010 root 3 0 348K 716K idle ttyin 0:00 0.00% getty
1 root 10 0 404K 332K idle wait 0:00 0.00% init
5123 root 2 0 1292K 1144K idle select 0:00 0.00% sshd2
5822 root 2 0 340K 668K idle netio 0:00 0.00% syslogd
#vmstat -w 1
procs memory page disks traps cpu
r b w avm fre flt re pi po fr sr sd0 cd0 int sys cs us sy id
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 839 49 16 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 840 23 17 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 855 23 12 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 848 23 12 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 838 23 12 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 841 23 12 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 836 23 13 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 863 23 13 0 0 100
0 0 0 5520 3013824 7 0 0 0 0 0 0 0 828 23 12 0 0 100
CPU: 8 cores, essentially idle
Memory also essentially idle
Test succeeded!
V. Relayd load balancing (layer 3)
1. Configure PF's NAT policy
#vi /etc/pf.conf
Modify the pf NAT rules above: enable relayd's NAT anchor and disable the original RDR balancing
# ********** NAT Configure ******************* #
rdr-anchor "relayd/*"
#nat on $ext_if inet from any to $ext_tc50 -> 10.1.222.97
#rdr on em1 proto tcp from any to $ext_tc50 port 7777 -> $tc50_hosts port 7777
2. Configure relayd's (layer 3) balancing
#vi /etc/relayd.conf
# ******************************************** #
# Edit By Sunwaylove #
# Support:010-8513XXXX #
# Mail:sunwaylove@163.com #
# ******************************************** #
#***** Macros *****
ext_addr="192.168.251.2"
tc50_hosts1="10.1.222.98"
tc50_hosts2="10.1.222.97"
tc50_hosts3="10.1.222.95"
#***** Global Options *****
interval 10
timeout 1000
prefork 5
# Each table will be mapped to a pf table.
# <tc50> and <fallback> are placeholder table names; the originals were lost in extraction
table <tc50> { $tc50_hosts1, $tc50_hosts2, $tc50_hosts3 }
table <fallback> { 127.0.0.1 }
# Services will be mapped to a rdr rule.
redirect webjy {
# Run as a simple TCP relay
listen on $ext_addr port 7777
tag relayd
forward to <tc50> check tcp
# forward to <tc50> port 7777 mode roundrobin check tcp
# forward to <fallback> check icmp
}
Start relayd
#relayd -f relayd.conf
Check the startup status
bash-2.04# relayctl show summary
Id Type Name Avlblty Status
0 redirect webjy active
2 table webjy:7777 active (3 hosts up)
6 host 10.1.222.98 100.00% up
5 host 10.1.222.97 100.00% up
4 host 10.1.222.95 100.00% up
Start the stress-test tool, 20000 concurrent connections in total
BSD status at this time:
#top
load averages: 0.12, 0.18, 0.15 19:20:55
32 processes: 1 running, 30 idle, 1 on processor
CPU0 states: 0.0% user, 0.0% nice, 0.0% system, 0.6% interrupt, 99.4% idle
CPU1 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU2 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU3 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU4 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU5 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU6 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU7 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: Real: 12M/84M act/tot Free: 2933M Swap: 0K/1028M used/tot
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
32611 root 28 0 1460K 1792K run/0 - 0:00 0.00% sshd2
29775 root 2 0 532K 428K idle netio 0:00 0.00% pflogd
23989 sunwei 10 0 584K 1196K idle wait 0:00 0.00% bash
16629 _syslogd 2 0 384K 748K sleep/0 poll 0:00 0.00% syslogd
19339 root 10 0 584K 1304K sleep/0 wait 0:00 0.00% bash
27134 root 2 0 564K 796K idle select 0:00 0.00% cron
32686 _pflogd 4 0 596K 340K sleep/0 bpf 0:00 0.00% pflogd
27664 _relayd 2 0 712K 1208K idle kqread 0:00 0.00% relayd
20595 _relayd 2 0 712K 1292K idle kqread 0:00 0.00% relayd
31953 _relayd 2 0 708K 1256K sleep/0 kqread 0:00 0.00% relayd
9744 _relayd 2 0 604K 1204K idle kqread 0:00 0.00% relayd
12731 _relayd 2 0 604K 1320K idle kqread 0:00 0.00% relayd
19210 _relayd 2 0 1084K 1608K sleep/0 kqread 0:00 0.00% relayd
16058 _relayd 2 0 608K 1224K idle kqread 0:00 0.00% relayd
9807 _relayd 2 0 708K 1196K idle kqread 0:00 0.00% relayd
28725 _relayd 2 0 712K 1208K idle kqread 0:00 0.00% relayd
840 _relayd 2 0 604K 1288K sleep/0 kqread 0:00 0.00% relayd
18995 root 2 0 1032K 1536K sleep/0 kqread 0:00 0.00% relayd
22692 root 2 0 936K 1572K sleep/0 kqread 0:00 0.00% relayd
12036 root 3 0 320K 724K idle ttyin 0:00 0.00% getty
15104 root 28 0 620K 1400K onproc/0 - 0:00 0.00% top
#vmstat -w 1
procs memory page disks traps cpu
r b w avm fre flt re pi po fr sr sd0 cd0 int sys cs us sy id
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 471 49 17 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 477 129 29 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 476 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 468 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 479 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 459 26 14 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 475 26 15 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 475 23 12 0 0 100
CPU: 8 cores, essentially idle
Memory also essentially idle
Test succeeded!
VI. Relayd load balancing (layer 7)
1. Configure PF's NAT policy
#vi /etc/pf.conf
Modify the pf NAT rules above: enable relayd's NAT anchor and disable the original RDR balancing
# ********** NAT Configure ******************* #
rdr-anchor "relayd/*"
#nat on $ext_if inet from any to $ext_tc50 -> 10.1.222.97
#rdr on em1 proto tcp from any to $ext_tc50 port 7777 -> $tc50_hosts port 7777
2. Configure relayd's (layer 7) balancing
#vi /etc/relayd.conf
# ******************************************** #
# Edit By Sunwaylove #
# Support:010-8513XXXX #
# Mail:sunwaylove@163.com #
# ******************************************** #
# Macros
ext_addr="192.168.251.2"
tc50_hosts1="10.1.222.98"
tc50_hosts2="10.1.222.97"
tc50_hosts3="10.1.222.95"
# Global Options
interval 10
timeout 1000
prefork 5
# Each table will be mapped to a pf table.
# <tc50> is a placeholder table name; the original was lost in extraction
table <tc50> { $tc50_hosts1, $tc50_hosts2, $tc50_hosts3 }
# Services will be mapped to a rdr rule.
protocol tc50 {
# The TCP_NODELAY option is required for "smooth" terminal sessions
tcp nodelay
}
relay webjy {
# Run as a simple TCP relay
listen on $ext_addr port 7777
protocol tc50
# Forward to the shared carp(4) address of an internal gateway
forward to <tc50> port 7777 mode roundrobin check tcp
}
Start relayd
#relayd -f relayd.conf
Check the startup status
bash-2.04# relayctl show summary
Id Type Name Avlblty Status
0 relay webjy active
2 table webjy:7777 active (3 hosts up)
6 host 10.1.222.98 100.00% up
5 host 10.1.222.97 100.00% up
4 host 10.1.222.95 100.00% up
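Backend health checking is what distinguishes both relayd modes (layer 3 above in section V and layer 7 here) from plain PF rdr, and `relayctl show summary` is where that state becomes visible. The shell functions below are an added example, not part of the original post: they parse the text of `relayctl show summary` captured to a file and list every host whose Status column is not `up`, together with the table it belongs to, so the result can drive a cron job or monitoring alert. The sample output is constructed: it mirrors the summaries in this post but with one host failing its check.

```shell
#!/bin/sh
# Added example (not from the original post): turn "relayctl show summary"
# text into a monitoring check that lists hosts which are not "up".

# Constructed sample of `relayctl show summary` output: same layout as the
# post's, but 10.1.222.97 has failed its TCP check.
sample_summary() {
    cat <<'EOF'
Id    Type      Name          Avlblty   Status
0     relay     webjy                   active
2     table     webjy:7777              active (2 hosts up)
6     host      10.1.222.98   100.00%   up
5     host      10.1.222.97   66.67%    down
4     host      10.1.222.95   100.00%   up
EOF
}

# relayd_hosts_not_up SUMMARY_FILE
# Prints "table host status availability" for each host whose Status column
# is anything other than "up". Host lines follow the table they belong to,
# so the most recent table line names their pool.
relayd_hosts_not_up() {
    awk '
        $2 == "table" { tbl = $3; next }          # remember the current pool
        $2 == "host" && $NF != "up" {             # Status is the last column
            print tbl, $3, $NF, $4
        }' "$1"
}

# relayd_all_up SUMMARY_FILE: exit 0 when every host is up, 1 otherwise.
relayd_all_up() {
    [ -z "$(relayd_hosts_not_up "$1")" ]
}

# demo_relayd_check: run the check against the constructed sample above.
demo_relayd_check() {
    f=$(mktemp) || return 1
    sample_summary > "$f"
    relayd_hosts_not_up "$f"
    rm -f "$f"
}

demo_relayd_check
```

On the balancer itself: `relayctl show summary > /tmp/relayd.summary; relayd_all_up /tmp/relayd.summary || logger -p daemon.warning "relayd: backend down"`. A host that relayd marks down is withdrawn from the pf table automatically; this check is what tells the operator it happened.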
Start the stress-test tool, 20000 concurrent connections in total
BSD status at this time:
#top
load averages: 0.12, 0.18, 0.15 19:20:55
32 processes: 1 running, 30 idle, 1 on processor
CPU0 states: 0.0% user, 0.0% nice, 0.0% system, 0.4% interrupt, 99.6% idle
CPU1 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU2 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU3 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU4 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU5 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU6 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
CPU7 states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: Real: 12M/84M act/tot Free: 2933M Swap: 0K/1028M used/tot
PID USERNAME PRI NICE SIZE RES STATE WAIT TIME CPU COMMAND
32611 root 28 0 1460K 1792K run/0 - 0:00 0.00% sshd2
29775 root 2 0 532K 428K idle netio 0:00 0.00% pflogd
23989 sunwei 10 0 584K 1196K idle wait 0:00 0.00% bash
16629 _syslogd 2 0 384K 748K sleep/0 poll 0:00 0.00% syslogd
19339 root 10 0 584K 1304K sleep/0 wait 0:00 0.00% bash
27134 root 2 0 564K 796K idle select 0:00 0.00% cron
32686 _pflogd 4 0 596K 340K sleep/0 bpf 0:00 0.00% pflogd
27664 _relayd 2 0 712K 1208K idle kqread 0:00 0.00% relayd
20595 _relayd 2 0 712K 1292K idle kqread 0:00 0.00% relayd
31953 _relayd 2 0 708K 1256K sleep/0 kqread 0:00 0.00% relayd
9744 _relayd 2 0 604K 1204K idle kqread 0:00 0.00% relayd
12731 _relayd 2 0 604K 1320K idle kqread 0:00 0.00% relayd
19210 _relayd 2 0 1084K 1608K sleep/0 kqread 0:00 0.00% relayd
16058 _relayd 2 0 608K 1224K idle kqread 0:00 0.00% relayd
9807 _relayd 2 0 708K 1196K idle kqread 0:00 0.00% relayd
28725 _relayd 2 0 712K 1208K idle kqread 0:00 0.00% relayd
840 _relayd 2 0 604K 1288K sleep/0 kqread 0:00 0.00% relayd
18995 root 2 0 1032K 1536K sleep/0 kqread 0:00 0.00% relayd
22692 root 2 0 936K 1572K sleep/0 kqread 0:00 0.00% relayd
12036 root 3 0 320K 724K idle ttyin 0:00 0.00% getty
15104 root 28 0 620K 1400K onproc/0 - 0:00 0.00% top
#vmstat -w 1
procs memory page disks traps cpu
r b w avm fre flt re pi po fr sr sd0 cd0 int sys cs us sy id
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 471 49 17 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 477 129 29 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 476 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 468 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 479 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 459 26 14 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 475 26 15 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 475 23 12 0 0 100
0 0 0 7200 3011256 7 0 0 0 0 0 0 0 471 23 12 0 0 100
CPU: 8 cores, essentially idle
Memory also essentially idle
Test succeeded!
VII. Summary and Q&A
The OpenBSD 4.3 firewall tests so far have been largely successful.
1. Why run this firewall load-balancing experiment?
The reason: most hosting IDCs today deploy at the front end one hardware firewall, a Juniper NS1000 (about 200,000 RMB per unit once fitted with fiber modules), plus a hardware load balancer, an F5 (about 300,000 RMB per unit with fiber modules). And that is without HA; with two devices of each in HA, that is 2 sets, 4 devices, a budget of 1,000,000 RMB.
For financial enterprises and institutions with multiple IDC sites, deploying just the network firewall and load balancer at each site requires a budget of 500,000 to 1,000,000 RMB, whereas an x86 server plus OpenBSD costs only 30,000 to 40,000.
The purpose of this test is disaster-recovery preparation for the existing hardware firewall + load balancer (standby, non-HA). I do not recommend this solution for production environments with high concurrency: it is not yet very stable or mature, there is no precedent of production use, and there are too many uncertainties.
2. Why use OpenBSD for this solution?
The reason is that compared with Linux, UnixWare and Unix, OpenBSD's kernel code is the most stable and clean, and it is open source. OpenBSD is also the operating system with the fewest security vulnerabilities: only 2 found in nearly 10 years. For a kernel-level firewall, security and stability come first. Moreover, the latest OpenBSD 4.3 introduced the new load-balancing feature relayd, which is exactly what this test needed. So OpenBSD was chosen as the preferred firewall operating system before testing began.
3. What are the differences between OpenBSD's load-balancing features: NAT, relayd (layer 3 redirect mode) and relayd (layer 7 relay mode)?
Explained one by one:
a. pf's NAT-RDR load balancing is based on PF's NAT mode, working at the network layer (layer 3, with layer 4 also involved). pf is part of the OpenBSD kernel, so in theory its efficiency should be the highest of the three. However, this mode cannot detect the state of the backend systems, nor adjust load-balancing parameters or otherwise tune the balancing. It therefore suffices where load-balancing requirements are modest, but with many backend devices and high network traffic its balancing cannot meet the need.
b. Relayd has two modes, layer 3 and layer 7. In terms of efficiency, redirect mode works at layer 3 and is more efficient than layer 7 relays; it suits simple TCP application load balancing. Relay mode works at layer 7, with multiple check mechanisms for protocols such as HTTP/HTTPS/SSL; it is more capable and more secure and suits HTTP load-balancing needs, at correspondingly higher overhead and lower efficiency than layer 3 mode.
4. Final summary
In this test, because the hardware OpenBSD was installed on is far too powerful and the number of test machines was small, concurrent connections peaked at only 20,000; across all the tests above, the load on the BSD server was never significant. This write-up is therefore for reference only, pending formal validation later.
Conclusion: for a combined firewall + load balancer, my first recommendation is OpenBSD 4.3 pf + relayd (layer 3 redirect mode).
(Thanks)
good.
OP, is there any basis for the pf tuning values?
set limit states 1000000
set limit frags 1000000 #this is the per-node (IP) concurrency count
set limit src-nodes 1000000
set limit tables 100000
set limit table-entries 1000000
Reply to #7, 5sky's post
That depends on your own network's needs too. What I have set is fairly high: per-IP connections set to 1,000,000, and 1,000,000 nodes (IPs) allowed.
The actual test only pushed it to 20,000!
Because this was a stress test, I set them high, and my BSD server is a fairly high-spec box. For production, judge for yourself, but I estimate the 100,000 range should be no problem.