Updated: 2013/04/6
ESXi Install
** SCSI Controller = LSI Logic Parallel
** NIC Adapter type = E1000
VMware Tools
- better memory management
- improved network and disk performance.
- useful feature: shut down or reboot the virtual machine from ESXi without needing to log in to it directly
- allows the clock of the pfSense virtual machine to be kept synchronized with the clock of the ESXi host.
pfSense firewall
PF (Packet Filter) <-- stateful packet filter
License: BSD
Tips:
Version: pfSense 2.0.1
Tip1: serial port
Enabling the serial port only takes effect after pfSense is rebooted!!
Once the serial port console is enabled, the console menu appears only on the serial port!!
Dual PPPoE
Failover
The failover protocol on pfSense is pfsync (it synchronizes the firewall state table between the CARP cluster nodes).
pfSense's clock at the time of these notes:
$ date
Sun Mar 24 19:42:46 GMT+8 2013
Tested Hardware Configuration
Delta Green Power 300W EX(80plus) $280
Kingston KVR1333D3N9/4G $159
Asus P8H61-M LX B3, H61, MATX, LGA1155(pci-ex3) $460
PCI-E Gigabit LAN card (3 x $90) $270
2THE MAX 627B (black) ATX Case $180
Intel Celeron G530 $360
Team Group CF 133X 4GB $70 + Adapter: $15 $85
============================================
$1709
P.S.
The onboard LAN cannot be used.
CF2IDE_Adapter
CF2SATA Adapter
Mini PC
Seagate ST9320320AS HK$305
OR
EagleTec PRO CF CARD 2GB 52X $30
CF2SATA Adapter $40
MINIX™ MINI HD PC HK$880
Samsung 2GB DDR3-1066 HK$150
(for Notebook)
Total HK$1335
Configuration:
Intel Atom D2550 (1.86GHz, Dual Core, HT)
Broadcom 57788 Gigabit Ethernet
PCI-Express x1
One 2.5-inch SATA drive bay
DDR3-800 and DDR3-1066 SO-DIMM (up to 8GB)
Dual gateway load balancing and failover
pfSense version: 2.0.1-RELEASE (i386)
For both load balancing and failover, the following two settings (System > Advanced > Miscellaneous) must be enabled:
Allow default gateway switching <--- for failover
Use sticky connections <-- for load balancing
Each DNS server must also be given an explicit outbound gateway (System > General Setup), so name resolution keeps working after a failover.
Setup:
Under System > Routing > Gateways, set which WAN is the default gateway.
When the failed link recovers after a failover, traffic returns to this original default WAN.
Put both WANs into one gateway group.
For load balancing, give both members the same Tier (different Tiers give failover instead).
Set the trigger level, i.e. the condition under which a member link is taken out of use (Member Down, Packet Loss, High Latency, or Packet Loss or High Latency).
Finally, test it by disconnecting one link.
The complete failover took about 1 min.
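The gateway-group behaviour set up in the steps above (tiers, the trigger level, sticky connections, and fail-back to the default WAN once the link recovers), modelled in Python as an added example so the logic can be tried offline. This is not pfSense's own code: the gateway names, the loss/latency thresholds and the way sticky connections hash the source address are assumptions for illustration.

```python
"""Added example, not pfSense's own code: a small model of gateway-group
member selection. Gateway names, thresholds and the sticky hash are assumed."""
from dataclasses import dataclass
import hashlib


@dataclass
class Gateway:
    name: str
    tier: int              # lower tier wins; equal tiers share the load
    up: bool = True        # False = gateway monitor reports "member down"
    loss_pct: float = 0.0  # packet loss reported by the gateway monitor
    rtt_ms: float = 0.0    # round-trip latency reported by the gateway monitor


# Assumed thresholds for the example (pfSense lets you set these per gateway).
LOSS_LIMIT_PCT = 10.0
RTT_LIMIT_MS = 500.0

# The group's trigger level: when a member is taken out of use.
TRIGGERS = {
    "member_down": lambda gw: not gw.up,
    "packet_loss": lambda gw: not gw.up or gw.loss_pct > LOSS_LIMIT_PCT,
    "high_latency": lambda gw: not gw.up or gw.rtt_ms > RTT_LIMIT_MS,
    "loss_or_latency": lambda gw: not gw.up
    or gw.loss_pct > LOSS_LIMIT_PCT
    or gw.rtt_ms > RTT_LIMIT_MS,
}


class GatewayGroup:
    def __init__(self, members, trigger="member_down", sticky=True):
        self.members = list(members)
        self.exclude = TRIGGERS[trigger]
        self.sticky = sticky      # "Use sticky connections" (System > Advanced)
        self._rr = 0              # round-robin position when not sticky

    def active(self):
        """Members of the lowest tier that still has a usable gateway."""
        usable = [gw for gw in self.members if not self.exclude(gw)]
        if not usable:
            return []
        best = min(gw.tier for gw in usable)
        return [gw for gw in usable if gw.tier == best]

    def pick(self, src_ip):
        """Name of the gateway a new connection from src_ip uses, or None."""
        active = self.active()
        if not active:
            return None
        if self.sticky:
            # Same source always lands on the same member while the active
            # set is unchanged. This hash stands in for pfSense's own
            # source-tracking state; it is an assumption of the example.
            digest = hashlib.sha256(src_ip.encode()).digest()
            return active[int.from_bytes(digest[:4], "big") % len(active)].name
        gw = active[self._rr % len(active)]
        self._rr += 1
        return gw.name


def failover_demo():
    """Failover group: WAN1 tier 1 (default), WAN2 tier 2.

    Returns the gateway chosen before, during and after a WAN1 outage,
    showing the fail-back to the original default WAN."""
    wan1, wan2 = Gateway("WAN1", tier=1), Gateway("WAN2", tier=2)
    group = GatewayGroup([wan1, wan2])
    before = group.pick("192.168.1.10")
    wan1.up = False                     # link disconnected
    during = group.pick("192.168.1.10")
    wan1.up = True                      # link restored
    after = group.pick("192.168.1.10")
    return before, during, after


if __name__ == "__main__":
    print(failover_demo())
```

With trigger level member_down a member that is merely lossy stays in use; only packet_loss, high_latency or loss_or_latency removes it, which is the choice the "when not to use a link" step above controls.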
Sshlockout
The sshlockout table holds the IP addresses that have been blacklisted because of SSH dictionary attacks. If an attacker SSHes to your pfSense box and makes more than 10 wrong guesses at a username and password, the attacker's IP is added to this table, and pfSense blocks all further SSH attempts from it.
Note:
Entries in this table that are 3600 seconds old or older are expired every hour.
No checks are made to distinguish local IP addresses, local networks, or addresses with prior good logins.
To unblock an address by hand, go to Diagnostics -> Tables, select sshlockout and remove the blocked IP.
The hourly expiry is the cron entry in config.xml:
/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
To clear the whole table from the shell:
pfctl -t sshlockout -T flush
Rules (pf ruleset):
block drop in log quick proto tcp from <sshlockout> to (self) port = 22222 label "sshlockout"
pass in quick on em1 proto tcp from any to (em1) port = 22222 flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 reply-to (em0 x.x.x.x) inet proto tcp from <admin_ip> to 203.194.130.54 port = 22222 flags S/SA keep state label "USER_RULE"
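The sshlockout decision described in the note above (more than 10 failed SSH logins from one address, add it to the <sshlockout> table) and the hourly expiry that "expiretable -t 3600 sshlockout" performs, modelled in Python over constructed sshd log lines. This is an added example, not pfSense's own sshlockout code: the log format, the IP addresses and the never_block allowlist (added here because, as noted above, pfSense makes no exception for local or admin addresses) are assumptions for illustration.

```python
"""Added example, not pfSense's sshlockout code: count failed SSH logins per
source address from sshd log lines, emit pfctl commands for the <sshlockout>
table, and model the hourly expiry. Log lines and addresses are constructed."""
import re
from collections import Counter

MAX_ATTEMPTS = 10        # block once an address exceeds this (per the note above)
EXPIRE_SECONDS = 3600    # matches expiretable -t 3600

# OpenSSH failure messages in the form seen in FreeBSD auth logs; the
# pattern is an assumption of this example, not pfSense's own matcher.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+"
    r"|error: PAM: authentication error for (?:illegal user )?\S+)"
    r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: 11 failures from one host, 1 from another, 1 success.
SAMPLE_LOG = "\n".join(
    [f"Mar 24 19:40:{i:02d} pfsense sshd[4311]: Failed password for root "
     f"from 198.51.100.7 port 40122 ssh2" for i in range(11)]
    + ["Mar 24 19:41:10 pfsense sshd[4320]: error: PAM: authentication error "
       "for illegal user admin from 203.0.113.9",
       "Mar 24 19:41:30 pfsense sshd[4325]: Accepted publickey for admin "
       "from 192.0.2.10 port 50011 ssh2"]
)


def count_failures(log_text):
    """Failed login attempts per source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def ips_to_block(log_text, max_attempts=MAX_ATTEMPTS, never_block=()):
    """Addresses that exceeded the threshold. pfSense itself does not
    exempt local or management addresses; never_block is added here so an
    admin cannot lock himself out."""
    skip = set(never_block)
    return sorted(
        ip for ip, n in count_failures(log_text).items()
        if n > max_attempts and ip not in skip
    )


def block_commands(ips):
    """pfctl commands that add the addresses to the <sshlockout> table."""
    return [f"pfctl -t sshlockout -T add {ip}" for ip in ips]


def expired_entries(last_seen, now, max_age=EXPIRE_SECONDS):
    """Entries whose age is >= max_age, as the hourly expiry clears them.
    last_seen maps address -> UNIX timestamp of its last table hit."""
    return sorted(ip for ip, ts in last_seen.items() if now - ts >= max_age)


def unblock_commands(ips):
    """pfctl commands that remove single addresses from the table."""
    return [f"pfctl -t sshlockout -T delete {ip}" for ip in ips]


if __name__ == "__main__":
    for cmd in block_commands(ips_to_block(SAMPLE_LOG)):
        print(cmd)
```

Running the block prints one pfctl add command for 198.51.100.7 only; 203.0.113.9 stays under the threshold and the successful login from 192.0.2.10 is never counted.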
Troubleshooting
Problem: "CPU doesn't support long mode"?
Cause: the CPU, or the VM's virtual CPU, does not support the 64-bit x86 extensions (AMD64 / Intel EM64T), so the amd64 image cannot boot.
Fix: use the 32-bit image, pfSense-LiveCD-2.0.2-RELEASE-i386.iso.