I’ve had several people ask me recently how to setup Dan’s Guardian (DG) with Squid as a transparent proxy. I’ve been using DG for a couple of years now and I’ve set it up for some others as well. I’ve always used OpenBSD as my OS of choice for my router/firewall/content filter(RFCF) because OpenBSD is the most secure Operating System in the world. “Only two remote holes in the default install, in more than 10 years!” It says so right on their website (http://www.openbsd.org). I was first turned on to OpenBSD by my good friend DarkUncle (http://darkuncle.net) who helped me setup my first OpenBSD RFCF with Squid and DG as an alternative to SonicWall.
I’ve run through this setup in a virtual machine and will make the VM available to anyone who wants it when this setup is finished here. I don’t suggest that you run your RFCF from the VM. It is only available for your reference. As far as hardware goes you don’t need much. We’re going to install OpenBSD without the X-Server, so it will run well even on older hardware. DG does need a little more to analyze all your traffic and filter it on the fly. I’ve run it on a PIII 700MHz with 128MB of RAM with a 40GB HDD without any problems. You could use a lot smaller hard drive without any problems. I’m currently only using 5GB of my HDD space and 4.4GB of that is Squid’s cache. The one thing you will need is 2 NIC’s. One NIC for your WAN and one for your LAN. If you are hosting any services such as a website or hosting your own email, I would also suggest setting up a DMZ using a third NIC. It makes configuring pf much easier.
We’ll start by installing OpenBSD. First you need to download the installation CD. I got the necessary ISO from ftp://ftp.openbsd.org/pub/OpenBSD/version/i386/. As of the writing of this document 4.1 was the latest release of OpenBSD. So I download ftp://ftp.openbsd.org/pub/OpenBSD/4.1/i386/cd41.iso, then make a CD from the ISO from your favorite CD burning software.
Let’s talk a minute about partitions. BSD partitions are a little different than linux partitions. You will use fdisk to create one BSD partition on your hard drive, then you’ll create BSD partitions inside that partition. For a more detailed discussion read http://en.wikipedia.org/wiki/BSD_disklabel. As far as the sizes of the partitions, the following is what I’ll setup on my VM with a 4GB HDD.
|
Partition
|
Size
|
Mount point
|
|
a
|
400M
|
/
|
|
d
|
200M
|
/tmp
|
|
e
|
1.5G
|
/usr
|
|
f
|
200M
|
/var
|
|
g
|
The rest
|
/var/squid
|
We don’t need a lot of space in / or /tmp. The /usr partition will be where most of your software is installed to, as well as the location of the ports is you choose to use them. On a larger drive I usually create other partitions for /usr/local (software installs to this directory), /usr/ports (for the ports tree) and /usr/src (for the kernel source). The /var partition will hold all our log files and /var/squid will hold squids cache which will become quite large. I usually create another partition for /home as well, but there’s not much space on this VM and users won’t actually be logging into this system so that’s not quite so important.
The following is my partition table on the RFCF I’m currently using:
Filesystem Size Used Avail Capacity Mounted on
/dev/wd0a 1006M 227M 730M 24% /
/dev/wd0d 502M 6.0K 477M 0% /tmp
/dev/wd0e 4.9G 13.0M 4.7G 0% /home
/dev/wd0f 1006M 835M 122M 87% /usr
/dev/wd0g 1006M 2.0K 956M 0% /usr/obj
/dev/wd0h 3.0G 43.2M 2.8G 2% /usr/local
/dev/wd0j 4.9G 121M 4.6G 3% /usr/ports
/dev/wd0i 4.9G 579M 4.1G 12% /usr/src
/dev/wd0k 24.6G 162M 23.2G 1% /var
/dev/wd0l 27.6G 4.4G 21.8G 17% /var/squid
Boot off the CD you made and let’s begin installing OpenBSD. For this tutorial I’ll display the prompt you are given in italics and your response in bold.
(I)nstall, (U)pgrade, or (S)hell? I
…
Terminal Type? [vt220] Hit Enter
…
kdb(8) mapping? (‘L’ for list) [none] us
…
Proceed with Install? [no] yes
…
Which one is the root disk? (or ‘done’) [wd0] hit Enter
…
Do you want to use *all* of wd0 for OpenBSD [no] yes
…
>d a
>a a
Offset: [63] Hit Enter
Size [8385867] 400M
Fs type: [4.2BSD] Hit Enter
Mount point: [none] /
>a d
Offset: [819504] Hit Enter
Size [7566426] 200M
Fs type: [4.2BSD] Hit Enter
Mount point: [none] /tmp
>a e
Offset: [1228752] Hit Enter
Size [7157178] 1.5G
Fs type: [4.2BSD] Hit Enter
Mount point: [none] /usr
>a f
Offset: [4374720] Hit Enter
Size [4011210] 200M
Fs type: [4.2BSD] Hit Enter
Mount point: [none] /var
>a g
Offset: [4783960] Hit Enter
Size [3601962] Hit Enter
Fs type: [4.2BSD] Hit Enter
Mount point: [none] /var/squid
>w
>q
Mount point for wd0d (size=204624k)? (or ‘none’ or ‘done’) [/tmp] done
…
Are you really sure that you’re ready to proceed? [no] yes
…
System hostname? (short form, e.g. ‘foo’) guardian
Configure the network? [yes] Hit Enter
Available interfaces are: pcn0 pcn1.
Which one do you wish to initialize? (or ‘done’) [pcn0] Type the name of the NIC you want to use, or if it is already selected just hit Enter
Symbolic (host) name for pcn0? [guardian] Hit Enter
Finish setting up the network based on your settings…
Password for root account? (will not echo) YOURPASSWORDHERE (p4ssw0rd in the VM)
Location of sets? (cd disk ftp http or ‘done’) [cd] ftp
HTTP/FTP proxy URL? (e.g. ‘http://proxy:8088’, or ‘none’) [none] Set for your network
Display the list of known ftp servers? [no} yes
Find an ftp server close to you
Server? (IP address, hostname, list$, ‘done’ or ‘?’) Type the list# of an ftp server close to you, I chose 67
Server? (IP address, hostname, list#, ‘done’ or ‘?’) [yourftpserverhere] Hit Enter
Does the server support passive mode ftp? [yes] Hit Enter
Server directory? [pub/OpenBSD/4.1/i386] Hit Enter
Login? [anonymous] Hit Enter
Set name? (or ‘done’) [bsd.mp] done
Ready to install sets? [yes] Hit Enter
Now wait for it to install. I chose to in stall only the default sets for security reasons. Keep in mind the default sets do NOT install X-Server. I manage my server via ssh so it’s not necessary. If you wish to install X-Server you should type ‘all’ at the ‘Set name?’ prompt(w/o the quotes), then type ‘done’ when all the sets are selected. Keep in mind that the claim on OpenBSD’s home page, “. “Only two remote holes in the default install, in more than 10 years!” refers only to the default installation. Installing more software increases the possibility of security holes.
If there are any errors during the install process chose another ftp server to install from. When the install is finished:
Location of sets? (cd disk ftp http or ‘done’) [done] Hit Enter
Start sshd(8) by default [yes] Hit Enter
Start ntpd(8) by default? [no] If you want ntpd running type ‘yes’ otherwise hit Enter
Do you expect to run the X Window System? [no] Hit Enter
Change the default console to com0 [no] Hit Enter
# halt
Congratulations, you’ve just installed OpenBSD. Now reboot and we’ll continue.
After you reboot you will need to login as root, then you should create a new user. This is the user you should login as most of the time. You should use sudo if you need to run anything as root. In the VM I created a user guardian with password gu4rdi4n. You will want to add this user to the wheel group, then modify /etc/sudoers and add the following line:
%wheel ALL=(ALL) ALL
This will allow the user guardian, and anyone else in the wheel group to issue commands with sudo.
Now we want to setup our network. I’m setting up the VM using the following network settings:
WAN (pcn0)
|
IP Address
|
NetMask
|
Gateway
|
DNS1
|
DNS2
|
|
10.1.1.15
|
255.255.255.0
|
10.1.1.1
|
10.1.1.1
|
10.1.1.2
|
LAN (pcn1)
|
IP Address
|
NetMask
|
|
192.168.1.1
|
255.255.255.0
|
First I’ll setup pcn0 by creating/editing /etc/hostname.pcn0 as follows:
inet 10.1.1.15 255.255.255.0 10.1.1.255 media \
mediaopt full-duplex description “external”
Now I’ll setup pcn1 by creating/editing /etc/hostname.pcn1 as follows:
inet 192.168.1.1 255.255.255.0 192.168.1.255 \
mediaopt full-duplex description “internal”
NOTE: pcn1 is Gigabit
Now let’s create/edit /etc/mygate:
10.1.1.1
I’m going to use this server as my DHCP server so edit /etc/dhcpd.conf:
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network: 192.168.1.0/24
# Domain name: my.domain
# Name servers: 192.168.1.1, 10.1.1.1, 10.1.1.2
# Default router: 192.168.1.1
# Addresses: 192.168.1.100 – 192.168.1.250
#
shared-network LOCAL-NET {
option domain-name “my.domain”;
option domain-name-servers 192.168.1.1, 10.1.1.1, 10.1.1.2;
# 10.1.1.0/24 is for PC clients; add’l subnets to be added
subnet 192.168.1.0 netmask 255.0.0.0 {
deny bootp;
option routers 192.168.1.1;
range 192.168.1.100 192.168.1.250;
}
}
Now to get dhcpd to load on boot edit /etc/rc.conf. Change
dhcpd_flags=NO
To
dhcpd_flags=”pcn1”
Now reboot. After it reboots make certain you are online by pinging something like Google, then see if one of your workstations can successfully obtain dhcp info. Now let’s start installing software. First we’ll need to install squid as a transparent proxy. You can either get squid from ports or through pkg_add. Both procedures are described in detail at http://www.openbsd.org/faq/faq15.html. For simplicity I’m only going to work with pkg_add.
First we need to setup the PKG_PATH variable. Pick an ftp mirror close to you from the list at http://www.openbsd.org/ftp.html. I’m going to use the master site for simplicity. Then edit ~/.profile and add:
PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
Export PKG_PATH
Now logout and log back in. You can find a list of packages to install at http://www.openbsd.org/4.1_packages/i386.html. There are four squid packages. There’s just plain squid, there’s squid configured as a transparent proxy, squid with snmp, and squid configured as a transparent proxy with snmp. We want to use squid as a transparent proxy, and you may want to use snmp so I’ll use squid-2.6.STABLE9-transparent-snmp.tgz. The command to install this package is:
# sudo pkg_add squid-2.6.STABLE9-transparent-snmp.tgz
Pkg_add will download and install all the files we need, then it gives you some tips on getting things going.
Please remember to initialize the cache by running “squid –z” before trying to run Squid for the first time.
You can also edit /etc/rc.local so that Squid is started automatically:
if [ -x /usr/local/sbin/squid ]; then
echo –n ‘squid’; /usr/local/sbin/squid
fi
Do as it says. Edit /etc/rc.local to add the lines above. Then run:
# sudo /usr/local/sbin/squid –z
Now let’s install DG. Download DG from one of the mirrors at http://dansguardian.org/?page=download2. We’re going to install from source. We’ll download the source using wget, so we’ll have to install wget first. So follow these steps:
# sudo pkg_add wget
# wget http://usmirror.dansguardian.org/downloads/2/Stable/DansGuardian-2.8.0.6.source.tar.gz
# tar xvzf DansGuardian-2.8.0.6.source.tar.gz
# cd DansGuardian-2.8.0.6
Read README and INSTALL. INSTALL tells us that BSD users need bash installed first, so:
# sudo pkg_add bash
# ./configure –cgidir=/var/www/cgi-bin/ \
–sysconfdir=/usr/local/etc/DG/ \
–sysvdir=/usr/local/etc/rc.d/ \
–bindir=/usr/sbin/ \
–mandir=/usr/share/man/
# make
# sudo make install
Now that DG is installed we need a blacklist for DG to work with. The maker of DG no longer keeps a blacklist, instead he has passed the torch to URLBlacklist. The provide a script that downloads the blacklist and updates DG automagically. So:
# wget http://urlblacklist.com/downloads/UpdateBL
Now the script needs updates to work with OpenBSD. So change the first line from:
#!/bin/bash
To
#!/bin/sh
You will also need to read through the script and make a few changes for your environment. First change the BL_URL variable to point to the biglist. (It’s all in the script.) Now change BL_INFO_PATH, DB_PATH, and DG_PATH. If you’ve followed this tutorial just add /usr/local to the beginning of the first to, and change the last from /usr/sbin to /usr/local/sbin. I also had to comment out the http_proxy line.
Please note that the blacklist is NOT free. You may download it once to try, but to keep it updated you need a subscription. Go to http://urlblacklist.com for more info. A once per month update is $70/year.
Now move UpdateBL to a central location:
# mv ~/UpdateBL /usr/bin/
And change permissions:
# chmod 777 /usr/bin/UpdateBL
The run the script
# sudo mkdir /usr/local/etc/dansguardian/blacklists
# sudo UpdateBL
You will need to setup a cron job to regularly update the blacklist based on which subscription you choose.
# su
# crontab –e
And add:
0 0 1 * * /usr/bin/UpdateBL
This will run the update script on the 1st of every month. Then add:
0 0 * * 6 /usr/local/etc/dansguardian/logrotation
This will run the logrotation script every Saturday.
Now let’s finish setting up DG. Edit /usr/local/etc/dansguardian/dansguardian.conf. Change the “accessdeniedaddress” to the IP address of the server running DG.
Now let’s set DG to load when the server starts by adding the following to /etc/rc.local:
# Dan’s Guardian
if [ -x /usr/sbin/dansguardian ]; then
echo -n ‘ dansguardian’; /usr/sbin/dansguardian >/dev/null
fi
Now let’s run a quick test. As root run:
# /usr/local/sbin/squid
# /usr/sbin/dansguardian
If you get no errors, everything is working!! Otherwise check the logs to see why things may not be working.
Now for the final step we need to configure pf which is OpenBSD’s packet filter. Edit /etc/pf.conf to look like the following:
# $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
ext_if=”pcn0″
int_if=”pcn1″
#table persist
set skip on lo
scrub in
# needed for ftp-proxy
nat-anchor “ftp-proxy/*”
rdr-anchor “ftp-proxy/*”
# setup NAT
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# redirect ftp traffic to ftp-proxy
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# redirect www traffic to DansGuardian; change to 3128 to bypass DG and
# redirect directly to squid
rdr pass on $int_if proto tcp to port www -> 127.0.0.1 port 8080
#no rdr on $ext_if proto tcp from to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
# -> 127.0.0.1 port spamd
# needed for ftp-proxy
#anchor “ftp-proxy/*”
# Block all incoming traffic
block in
# Let everything go out for now
pass out
# Allow traffic from internal NET
pass quick on $int_if no state
antispoof quick for { lo $int_if }
# Allow external ssh
pass in on $ext_if proto tcp to ($ext_if) port ssh
#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
Now start pf by running:
# pfctl –f /etc/pf.conf
If you get no errors all is well, otherwise the error should tell you where your problem is. Now we need to configure ftp-proxy and pf to load on boot. Edit /etc/rc.conf so that the lines that read:
pf=NO
ftpproxy_flags=NO
Now reads:
pf=YES
ftpproxy_flags=
Finally we need to set the kernel option net.inet.ip.forward to ‘1? by un-commenting the appropriate line in /etc/sysctl.conf.
Now reboot, and you should be 100% functional. If you wish to tweak your filtering settings edit the files in /usr/local/etc/dansguardian/. DG log files can be found in /var/log/dansguardian. I normally use grep to browse the logs, but if you prefer a gui interface you can install Webmin(http://www.webmin.com). There is a DG module for Webmin(http://sourceforge.net/projects/dgwebminmodule/) that makes administering DG very simple, though as of the writing of this tutorial the latest version of DG wasn’t supported yet. So if you wish to use it you will need to install version 2.8 of DG. I’ve setup the latest DG and used the default Webmin modules to make things easier for a fellow admin. Te LogViewer module can be configured to display DG logs, and you can use the File Explorer to browse and edit the config files. You can find some more tutorials at http://dansguardian.org/?page=documentation for other OS’s. There are also several add-ons available at http://dansguardian.org/?page=extras. I’ll write another tutorial using a Linux distro at some point in the future.
…bamed