Wednesday, October 28, 2009

Squid on OpenBSD Gateway Firewall

Running Squid on an OpenBSD gateway firewall allows you a nice transparent client web proxy. Below are my notes for installation and configuration.

Installing

# pkg_add -v ftp://..../packages/i386/squid-2.7.STABLE6.tgz

Create the required swap directories

# squid -z

Start squid automatically upon boot. Add to /etc/rc.local

if [ -x /usr/local/sbin/squid ]; then
echo -n ' squid'; /usr/local/sbin/squid
fi


Configuration and File Locations

Configuration file (squid.conf) is located in /etc/squid

Log files (access.log*) are located in /var/squid/logs

Edit HTML error file (ERR_ACCESS_DENIED) is located in
/usr/local/share/squid/errors/English

Rotate the Squid log files once a day by adding the cron job. (sudo crontab -e)

0 0 * * * /usr/local/sbin/squid -k rotate

Redirect Rule for PF
rdr on $int_if proto tcp from $mynet to any port { 80 8080 } -> 127.0.0.1 port 3128

squid.conf settings

Network Settings
Port used by squid and mode (around line 930) http_port 127.0.0.1:3128 transparent

hostname for server (around line 3,000): visible_hostname mywebproxy.mydomain.net

Defining Access Lists (around line 500 of the squid.conf)

Remote domains
acl support.microsoft.com dstdomain support.microsoft.com
or for a list of domains in a text file (use .domain.com to get all sites in domain)
acl bad_sites dstdomain "/etc/squid/blocked_domains.txt"


Client IPs
acl labstation src XXX.XXX.3.3
acl local_net src XXX.XXX.3.0/24
or for a list of IPs in a text file
acl labstations src "/etc/squid/labstations.txt"

Destination IPs
acl badguy dst 156.17.17.19
or for a list of IPs in a text file
acl badguys dst "/etc/squid/badguys.txt"

Requested File Extensions
acl badfiletypes url_regex -i \.wmf$ \.exe$ \.zip$ \.bat$ \.msi$ \.vb$ \.vbs$ \.mde$ \.reg$

Client Access Rules (around line 650)
Rule logic is based upon first rule matching wins and allows or denies access

Allowing the safe_sites acl
http_access allow safe_sites

Denying the badfiletypes acl
http_access deny badfiletypes

Last two rules should allowing traffic for your clients acl and then block traffic from all others
http_access allow local_net
http_access deny all

Squid Commands

Reload the configuration file
# sudo squid -k reconfigure

Rotate the logs and cache
# sudo squid -k rotate
Posted by at 1 comment:
Subscribe to: Posts (Atom)