Computerglitch

An ongoing adventure

Firewall/Transparent Proxy/Dansguardian

This tip explains how to set up OpenBSD as a firewall/NAT router that acts as a transparent proxy using squid and as a content filter using dansguardian.


This tip uses three network interfaces on the firewall, all of them 3Com 3c515 Corkscrews: fxp0 (internal interface, network 1, 192.168.0.1), xl1 (internal interface, network 2, 192.168.2.1) and xl0 (external interface, 209.73.186.238). Your interface names may vary; substitute your own networks' IP addresses. The network 192.168.0.0/24 will be forced through the content filter.


This example is running the following software versions:
- OpenBSD 3.7 i386
- Squid Cache: Version 2.5.STABLE9
- Dansguardian 2.8.0 STABLE


If OpenBSD is not yet set up to act as a firewall, do the following. Edit the following line in /etc/rc.conf:

pf=NO
change to:
pf=YES

Uncomment the following line in /etc/sysctl.conf:

net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets

Reboot:

# reboot

Install squid using ports:

# cd /usr/ports/www/squid
# env FLAVOR=transparent make install clean

Now it's time to configure squid. You can download a working example of a transparent squid.conf file [here], substituting your network information. Change the following lines in /etc/squid/squid.conf using your favorite text editor:

# vi /etc/squid/squid.conf
http_port 192.168.0.1:3128
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Next download, configure and install Dansguardian:

# wget http://dansguardian.org/downloads/2/Stable/DansGuardian-2.8.0-0.source.tar.gz
# tar xvzf DansGuardian-2.8.0-0.source.tar.gz
# cd DansGuardian-2.8.0-0
# ./configure --sysconfdir=/usr/local/etc/dansguardian/ --sysvdir=/usr/local/etc/rc.d/ --bindir=/usr/sbin/ --mandir=/usr/share/man/
# make && make install

Now we must configure dansguardian to work with squid. You can download a working example of a dansguardian.conf file [here], substituting your network information. Configure /usr/local/etc/dansguardian/dansguardian.conf as follows:

# vi /usr/local/etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/usr/local/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 1
filterip = 192.168.0.1
filterport = 8080
proxyip = 192.168.0.1
proxyport = 3128

The next step is to edit /etc/pf.conf to get the packet filter working with both squid and dansguardian. The pf.conf file has been commented for clarity.

# vi /etc/pf.conf

## SYSTEM VARIABLES
INT="fxp0" # Internal Network 1
INT_TWO="xl1" # Internal Network 2
EXT="xl0" # External Interface
EXT_IP="66.88.20.56" # External IP Address
INT_IP="192.168.0.0/22" # Internal Ip Block

## NAT STARTUP
nat on $EXT from $INT_IP to any -> $EXT_IP

## TRANSPARENT PROXY & DANSGUARDIAN CONTENT FILTER
rdr on $INT inet proto tcp from any to any port www -> 192.168.0.1 port 8080

## PASSES FOR TRANSPARENT PROXY
pass in on $INT inet proto tcp from any to 192.168.0.1 port 8080 keep state
pass out on $EXT inet proto tcp from any to any port www keep state
pass in all
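The squid.conf, dansguardian.conf and pf.conf fragments above have to agree with each other: the rdr rule must point at the address and port dansguardian listens on, dansguardian's proxyip/proxyport must be the socket squid binds with http_port, and squid should be bound to the internal address only, not to every interface. The script below is an added example and is not part of the original tip or of either project; it re-reads the three files and reports any mismatch. The file contents it creates are constructed copies of the settings shown on this page, and the function names (conf_value, rdr_target, check_chain) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tip: a static consistency check of
# the three configuration files that make up the chain
#   client :80 --pf rdr--> dansguardian (filterip:filterport)
#                          --> squid (proxyip:proxyport == squid's http_port)
# A port or address that differs between the files leaves clients redirected
# to a socket nobody listens on. Sample files below are constructed copies of
# the tip's settings; the function names are this example's own.

# Print the value of KEY from a "key value" (squid) or "key = value"
# (dansguardian) style file, with surrounding quotes stripped.
conf_value() {
    awk -v key="$2" '$1 == key { v = ($2 == "=") ? $3 : $2; print v; exit }' "$1" \
        | tr -d "'\""
}

# Print "ip port" that the pf rdr rule for port www redirects to.
rdr_target() {
    awk '$1 == "rdr" && /port www ->/ {
        for (i = 1; i <= NF; i++) if ($i == "->") { print $(i + 1), $(i + 3); exit }
    }' "$1"
}

# Compare the three files; print one line per check, return 1 on any mismatch.
check_chain() {
    squid_conf=$1; dg_conf=$2; pf_conf=$3
    status=0

    squid_listen=$(conf_value "$squid_conf" http_port)
    dg_listen="$(conf_value "$dg_conf" filterip):$(conf_value "$dg_conf" filterport)"
    dg_upstream="$(conf_value "$dg_conf" proxyip):$(conf_value "$dg_conf" proxyport)"
    set -- $(rdr_target "$pf_conf")
    rdr_to="$1:$2"

    # 1. pf must hand port-80 clients to the address dansguardian listens on
    if [ "$rdr_to" = "$dg_listen" ]; then
        echo "ok   pf rdr -> dansguardian ($rdr_to)"
    else
        echo "FAIL pf rdr goes to $rdr_to but dansguardian listens on $dg_listen"; status=1
    fi

    # 2. dansguardian must forward to the socket squid actually binds
    if [ "$dg_upstream" = "$squid_listen" ]; then
        echo "ok   dansguardian -> squid ($squid_listen)"
    else
        echo "FAIL dansguardian forwards to $dg_upstream but squid listens on $squid_listen"; status=1
    fi

    # 3. squid must be bound to one internal address, not every address,
    #    otherwise it is reachable through the external interface as well
    case $squid_listen in
        *:*) ip=${squid_listen%%:*} ;;
        *)   ip="" ;;
    esac
    if [ -n "$ip" ] && [ "$ip" != "0.0.0.0" ]; then
        echo "ok   squid bound to internal address $ip"
    else
        echo "FAIL squid http_port '$squid_listen' is not bound to one internal address"; status=1
    fi
    return $status
}

# Constructed sample files mirroring the tip's settings.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/squid.conf" <<'EOF'
http_port 192.168.0.1:3128
acl our_networks src 192.168.0.0/24 192.168.2.0/24
http_access allow our_networks
EOF
cat > "$WORK/dansguardian.conf" <<'EOF'
filterip = 192.168.0.1
filterport = 8080
proxyip = 192.168.0.1
proxyport = 3128
EOF
cat > "$WORK/pf.conf" <<'EOF'
INT="fxp0"
rdr on $INT inet proto tcp from any to any port www -> 192.168.0.1 port 8080
EOF

# A deliberately mismatched copy: dansguardian moved to 8081, pf.conf not updated.
sed 's/filterport = 8080/filterport = 8081/' "$WORK/dansguardian.conf" > "$WORK/dansguardian-bad.conf"

check_chain "$WORK/squid.conf" "$WORK/dansguardian.conf" "$WORK/pf.conf"
check_chain "$WORK/squid.conf" "$WORK/dansguardian-bad.conf" "$WORK/pf.conf" \
    || echo "mismatch detected, as expected for the bad copy"
```

On the firewall itself, point check_chain at /etc/squid/squid.conf, /usr/local/etc/dansguardian/dansguardian.conf and /etc/pf.conf instead of the constructed copies; a clean run is a reasonable precondition before loading the rdr rule with pfctl.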

Next we start squid and dansguardian and restart pf with the new rules in place.
For the initial start of squid issue the following:

# /usr/local/sbin/squid -z
(the -z creates the swap directories; afterwards you can start squid with plain /usr/local/sbin/squid)

Now start dansguardian:

# /usr/local/etc/rc.d/dansguardian.sh start

Restart pf to read the new rules in pf.conf:

# pfctl -f /etc/pf.conf

If everything started OK, you should now be running OpenBSD as a firewall with transparent proxying and content filtering.
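The order of the three start-up steps matters: once pfctl loads the rdr rule, every port 80 connection from the internal network is sent to 192.168.0.1:8080, so if dansguardian (or squid behind it) is not listening yet, clients simply get connection refused. The following added example, which is not part of the original tip, checks the listeners before the rules are loaded. It parses the output of netstat -an -f inet, assuming the BSD "address.port" column format shown in the constructed sample; the function names (is_listening, proxy_chain_ready) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original tip: confirm that squid and
# dansguardian are listening on the sockets the pf rdr rule depends on,
# before loading the rules. Netstat output below is constructed in the
# BSD "address.port" format (assumption); function names are this example's own.

# Return 0 if the netstat text on stdin shows a TCP listener on IP.PORT.
is_listening() {
    awk -v want="$1.$2" \
        '$1 == "tcp" && $4 == want && $NF == "LISTEN" { found = 1 } END { exit !found }'
}

# Check every socket in the chain; print a report, return 1 if any is missing.
# $1 is the text of "netstat -an -f inet".
proxy_chain_ready() {
    netstat_text=$1; status=0
    for sock in "squid 192.168.0.1 3128" "dansguardian 192.168.0.1 8080"; do
        set -- $sock
        if printf '%s\n' "$netstat_text" | is_listening "$2" "$3"; then
            echo "ok   $1 listening on $2:$3"
        else
            echo "FAIL $1 not listening on $2:$3 (loading the rdr rule now would refuse all port 80 clients)"
            status=1
        fi
    done
    return $status
}

# Constructed sample: both daemons up.
NETSTAT_READY='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.0.1.3128       *.*                    LISTEN
tcp        0      0  192.168.0.1.8080       *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'

# Constructed sample: squid started, dansguardian not yet.
NETSTAT_SQUID_ONLY='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  192.168.0.1.3128       *.*                    LISTEN
tcp        0      0  *.22                   *.*                    LISTEN'

proxy_chain_ready "$NETSTAT_READY"
proxy_chain_ready "$NETSTAT_SQUID_ONLY" || echo "not ready, as expected for the second sample"

# On the firewall itself the gate would be:
#   proxy_chain_ready "$(netstat -an -f inet)" && pfctl -f /etc/pf.conf
```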


To start squid when the firewall reboots, add the following to /etc/rc.local:

#START SQUID
if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid'; /usr/local/sbin/squid
fi

Although I like to start dansguardian manually, you can also add dansguardian to the startup:

#START DANSGUARDIAN
# the configure step above used --bindir=/usr/sbin/, so that is where the binary lives
if [ -x /usr/sbin/dansguardian ]; then
        echo -n ' dansguardian'; /usr/sbin/dansguardian
fi
