r4 - 07 Jun 2007 - 21:36:42 - JeffreyThompson

OpenBSD/DG/Squid HowTo

I’ve had several people ask me recently how to set up Dan’s Guardian (DG) with Squid as a transparent proxy. I’ve been using DG for a couple of years now and I’ve set it up for some others as well. I’ve always used OpenBSD as my OS of choice for my router/firewall/content filter (RFCF) because OpenBSD is the most secure Operating System in the world. “Only two remote holes in the default install, in more than 10 years!” It says so right on their website. I was first turned on to OpenBSD by my good friend DarkUncle who helped me set up my first OpenBSD RFCF with Squid and DG as an alternative to SonicWall.

Download and Run Dans Guardian from this VM

I’ve run through this setup in a virtual machine and will make the VM available to anyone who wants it. Download the VM here. I don’t suggest that you run your RFCF from the VM; it is only available for your reference. As far as hardware goes you don’t need much. We’re going to install OpenBSD without the X server, so it will run well even on older hardware. DG does need a little more to analyze all your traffic and filter it on the fly. I’ve run it on a PIII 700MHz with 128MB of RAM and a 40GB HDD without any problems. You could use a much smaller hard drive without any problems; I’m currently only using 5GB of my HDD space and 4.4GB of that is Squid’s cache. The one thing you will need is two NICs: one for your WAN and one for your LAN. If you are hosting any services such as a website or your own email, I would also suggest setting up a DMZ using a third NIC. It makes configuring pf much easier.

Let's Get Started -- Install OpenBSD

We’ll start by installing OpenBSD. First you need to download the installation CD. I got the necessary ISO from ftp://ftp.openbsd.org/pub/OpenBSD/version/i386/. As of the writing of this document 4.1 was the latest release of OpenBSD, so I downloaded ftp://ftp.openbsd.org/pub/OpenBSD/4.1/i386/cd41.iso and then burned a CD from the ISO with my favorite CD burning software. Let’s talk a minute about partitions. BSD partitions are a little different from Linux partitions. You will use fdisk to create one BSD partition on your hard drive, then you’ll create BSD (disklabel) partitions inside that partition. For a more detailed discussion read http://en.wikipedia.org/wiki/BSD_disklabel. As far as the sizes of the partitions go, the following is what I’ll set up on my VM with a 4GB HDD.

Partition   Size       Mount point
a           400M       /
d           200M       /tmp
e           1.5G       /usr
f           200M       /var
g           The rest   /var/squid

We don’t need a lot of space in / or /tmp. The /usr partition will be where most of your software is installed to, as well as the location of the ports if you choose to use them. On a larger drive I usually create other partitions for /usr/local (software installs to this directory), /usr/ports (for the ports tree) and /usr/src (for the kernel source). The /var partition will hold all our log files and /var/squid will hold Squid’s cache, which will become quite large. I usually create another partition for /home as well, but there’s not much space on this VM and users won’t actually be logging into this system, so that’s not quite so important.

The following is my partition table on the RFCF I’m currently using:

Filesystem     Size    Used   Avail  Capacity  Mounted on
/dev/wd0a     1006M    227M    730M     24%    /
/dev/wd0d      502M    6.0K    477M      0%    /tmp
/dev/wd0e      4.9G   13.0M    4.7G      0%    /home
/dev/wd0f     1006M    835M    122M     87%    /usr
/dev/wd0g     1006M    2.0K    956M      0%    /usr/obj
/dev/wd0h      3.0G   43.2M    2.8G      2%    /usr/local
/dev/wd0j      4.9G    121M    4.6G      3%    /usr/ports
/dev/wd0i      4.9G    579M    4.1G     12%    /usr/src
/dev/wd0k     24.6G    162M   23.2G      1%    /var
/dev/wd0l     27.6G    4.4G   21.8G     17%    /var/squid

Boot off the CD you made and let’s begin installing OpenBSD. For this tutorial I’ll display the prompt you are given in italics and your response in bold.

(I)nstall, (U)pgrade, or (S)hell? I

Terminal Type? [vt220] Hit Enter

kbd(8) mapping? (‘L’ for list) [none] us

Proceed with Install? [no] yes

Which one is the root disk? (or ‘done’) [wd0] hit Enter

Do you want to use all of wd0 for OpenBSD [no] yes

>d a

>a a

Offset: [63] Hit Enter

Size [8385867] 400M

Fs type: [4.2BSD] Hit Enter

Mount point: [none] /

>a d

Offset: [819504] Hit Enter

Size [7566426] 200M

Fs type: [4.2BSD] Hit Enter

Mount point: [none] /tmp

>a e

Offset: [1228752] Hit Enter

Size [7157178] 1.5G

Fs type: [4.2BSD] Hit Enter

Mount point: [none] /usr

>a f

Offset: [4374720] Hit Enter

Size [4011210] 200M

Fs type: [4.2BSD] Hit Enter

Mount point: [none] /var

>a g

Offset: [4783960] Hit Enter

Size [3601962] Hit Enter

Fs type: [4.2BSD] Hit Enter

Mount point: [none] /var/squid

>w

>q

Mount point for wd0d (size=204624k)? (or ‘none’ or ‘done’) [/tmp] done

Are you really sure that you’re ready to proceed? [no] yes

System hostname? (short form, e.g. ‘foo’) guardian

Configure the network? [yes] Hit Enter

Available interfaces are: pcn0 pcn1.

Which one do you wish to initialize? (or ‘done’) [pcn0] Type the name of the NIC you want to use, or if it is already selected just hit Enter

Symbolic (host) name for pcn0? [guardian] Hit Enter

Finish setting up the network based on your settings…

Password for root account? (will not echo) YOURPASSWORDHERE (p4ssw0rd in the VM)

Location of sets? (cd disk ftp http or ‘done’) [cd] ftp

HTTP/FTP proxy URL? (e.g. ‘http://proxy:8088’, or ‘none’) [none] Set for your network

Display the list of known ftp servers? [no] yes

Find an ftp server close to you

Server? (IP address, hostname, list#, ‘done’ or ‘?’) Type the list# of an ftp server close to you, I chose 67

Server? (IP address, hostname, list#, ‘done’ or ‘?’) [yourftpserverhere] Hit Enter

Does the server support passive mode ftp? [yes] Hit Enter

Server directory? [pub/OpenBSD/4.1/i386] Hit Enter

Login? [anonymous] Hit Enter

Set name? (or ‘done’) [bsd.mp] done

Ready to install sets? [yes] Hit Enter

Now wait for it to install. I chose to install only the default sets for security reasons. Keep in mind the default sets do NOT install the X server. I manage my server via ssh so it’s not necessary. If you wish to install the X server you should type ‘all’ at the ‘Set name?’ prompt (without the quotes), then type ‘done’ when all the sets are selected. Keep in mind that the claim on OpenBSD’s home page, “Only two remote holes in the default install, in more than 10 years!”, refers only to the default installation. Installing more software increases the possibility of security holes.

If there are any errors during the install process, choose another ftp server to install from. When the install is finished:

Location of sets? (cd disk ftp http or ‘done’) [done] Hit Enter

Start sshd(8) by default [yes] Hit Enter

Start ntpd(8) by default? [no] If you want ntpd running type ‘yes’ otherwise hit Enter

Do you expect to run the X Window System? [no] Hit Enter

Change the default console to com0 [no] Hit Enter

# halt

Congratulations, you’ve just installed OpenBSD. Now reboot and we’ll continue.

Setup OpenBSD

After you reboot you will need to login as root, then you should create a new user. This is the user you should login as most of the time. You should use sudo if you need to run anything as root. In the VM I created a user guardian with password gu4rdi4n. You will want to add this user to the wheel group, then modify /etc/sudoers and add the following line:

%wheel ALL=(ALL) ALL

This will allow the user guardian, and anyone else in the wheel group, to issue commands with sudo. Now we want to set up our network. I’m setting up the VM using the following network settings:

WAN (pcn0)

IP Address   NetMask         Gateway    DNS1       DNS2
10.1.1.15    255.255.255.0   10.1.1.1   10.1.1.1   10.1.1.2

LAN (pcn1)

IP Address    NetMask
192.168.1.1   255.255.255.0

First I’ll set up pcn0 by creating/editing /etc/hostname.pcn0 as follows:

inet 10.1.1.15 255.255.255.0 10.1.1.255 media \
    mediaopt full-duplex description "external"

Now I’ll set up pcn1 by creating/editing /etc/hostname.pcn1 as follows:

inet 192.168.1.1 255.255.255.0 192.168.1.255 \
    mediaopt full-duplex description "internal"

Now let’s create/edit /etc/mygate:

10.1.1.1

I’m going to use this server as my DHCP server so edit /etc/dhcpd.conf:

# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#
# Network:              192.168.1.0/24
# Domain name:          my.domain
# Name servers:         192.168.1.1, 10.1.1.1, 10.1.1.2
# Default router:       192.168.1.1
# Addresses:            192.168.1.100 - 192.168.1.250
#
shared-network LOCAL-NET {
        option domain-name "my.domain";
        option domain-name-servers 192.168.1.1, 10.1.1.1, 10.1.1.2;

        # 192.168.1.0/24 is for PC clients; add'l subnets to be added
        # (the netmask must be 255.255.255.0 to match the /24 subnet number;
        # dhcpd rejects a subnet number that does not fit its netmask)
        subnet 192.168.1.0 netmask 255.255.255.0 {
                deny bootp;
                option routers 192.168.1.1;
                range 192.168.1.100 192.168.1.250;
        }
}
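A check for the subnet block above, added here as an example that is not part of the original HowTo: it uses Python's ipaddress module to verify that the subnet number agrees with the netmask (the mismatch dhcpd refuses to start with), and that the router and the address pool sit inside that subnet. The config fragments are constructed for the example.

```python
import re
from ipaddress import IPv4Address, IPv4Network

# Constructed dhcpd.conf fragments in the shape used in this HowTo (not real files).
GOOD_CONF = """
subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        range 192.168.1.100 192.168.1.250;
}
"""
# The same block with a netmask that does not fit the subnet number.
BAD_CONF = GOOD_CONF.replace("255.255.255.0", "255.0.0.0")

SUBNET_RE = re.compile(r"subnet\s+([\d.]+)\s+netmask\s+([\d.]+)\s*\{(.*?)\}", re.S)
ROUTER_RE = re.compile(r"option\s+routers\s+([\d.]+)")
RANGE_RE = re.compile(r"range\s+([\d.]+)\s+([\d.]+)")


def check_dhcpd(conf):
    """Return a list of problems found in the subnet blocks of conf ([] means OK)."""
    problems = []
    for addr, mask, body in SUBNET_RE.findall(conf):
        try:
            # strict=True refuses a subnet number with host bits set under this mask,
            # which is exactly what 192.168.1.0 netmask 255.0.0.0 is.
            net = IPv4Network(f"{addr}/{mask}", strict=True)
        except ValueError:
            problems.append(f"{addr} netmask {mask}: subnet number does not fit netmask")
            continue
        router = ROUTER_RE.search(body)
        if router and IPv4Address(router.group(1)) not in net:
            problems.append(f"{net}: router {router.group(1)} is outside the subnet")
        rng = RANGE_RE.search(body)
        if rng:
            lo, hi = IPv4Address(rng.group(1)), IPv4Address(rng.group(2))
            if lo > hi or lo not in net or hi not in net:
                problems.append(f"{net}: range {lo}-{hi} is not inside the subnet")
            elif router and lo <= IPv4Address(router.group(1)) <= hi:
                problems.append(f"{net}: pool {lo}-{hi} contains the router address")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_dhcpd(conf) or "OK")
```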

Now to get dhcpd to load on boot edit /etc/rc.conf. Change

dhcpd_flags=NO

To

dhcpd_flags="pcn1"

Now reboot. After it reboots make certain you are online by pinging something like Google, then see if one of your workstations can successfully obtain DHCP info. Now let’s start installing software. First we’ll need to install Squid as a transparent proxy. You can either get Squid from ports or through pkg_add. Both procedures are described in detail at http://www.openbsd.org/faq/faq15.html. For simplicity I’m only going to work with pkg_add.

First we need to set up the PKG_PATH variable. Pick an ftp mirror close to you from the list at http://www.openbsd.org/ftp.html. I’m going to use the master site for simplicity. Then edit ~/.profile and add:

PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.1/packages/i386/
export PKG_PATH

Install and Configure Packages

Squid As A Transparent Squid Proxy

Now log out and log back in. You can find a list of packages to install at http://www.openbsd.org/4.1_packages/i386.html. There are four Squid packages: plain squid, squid configured as a transparent proxy, squid with snmp, and squid configured as a transparent proxy with snmp. We want to use Squid as a transparent proxy, and you may want to use snmp, so I’ll use squid-2.6.STABLE9-transparent-snmp.tgz. The command to install this package is:

# sudo pkg_add squid-2.6.STABLE9-transparent-snmp.tgz

pkg_add will download and install all the files we need, then it gives you some tips on getting things going:

Please remember to initialize the cache by running "squid -z" before trying to run Squid for the first time.

You can also edit /etc/rc.local so that Squid is started automatically:

if [ -x /usr/local/sbin/squid ]; then
        echo -n ' squid'; /usr/local/sbin/squid
fi

Do as it says. Edit /etc/rc.local to add the lines above. Then run:

# sudo /usr/local/sbin/squid -z

Install and Configure Dans Guardian

Now let’s install DG. Download DG from one of the mirrors at http://dansguardian.org/?page=download2. We’re going to install from source. We’ll download the source using wget, so we’ll have to install wget first. So follow these steps:

# sudo pkg_add wget

# wget http://usmirror.dansguardian.org/downloads/2/Stable/DansGuardian-2.8.0.6.source.tar.gz

# tar xvzf DansGuardian-2.8.0.6.source.tar.gz

# cd DansGuardian-2.8.0.6

Read README and INSTALL. INSTALL tells us that BSD users need bash installed first, so:

# sudo pkg_add bash

# ./configure --cgidir=/var/www/cgi-bin/ --sysconfdir=/usr/local/etc/DG/ --sysvdir=/usr/local/etc/rc.d/ --bindir=/usr/sbin/ --mandir=/usr/share/man/

# make

# sudo make install

Now that DG is installed we need a blacklist for DG to work with. The maker of DG no longer keeps a blacklist; instead he has passed the torch to URLBlacklist. They provide a script that downloads the blacklist and updates DG automagically. So:

# wget http://urlblacklist.com/downloads/UpdateBL

Now the script needs updates to work with OpenBSD. So change the first line from:

#!/bin/bash

To

#!/bin/sh

You will also need to read through the script and make a few changes for your environment. First change the BL_URL variable to point to the biglist. (It’s all in the script.) Now change BL_INFO_PATH, DB_PATH, and DG_PATH. If you’ve followed this tutorial just add /usr/local to the beginning of the first two, and change the last from /usr/sbin to /usr/local/sbin. I also had to comment out the http_proxy line. Please note that the blacklist is NOT free. You may download it once to try, but to keep it updated you need a subscription. Go to http://urlblacklist.com for more info. A once per month update is $70/year.

Now move UpdateBL to a central location:

# mv ~/UpdateBL /usr/bin/

And change permissions (note that root will run this script from cron, so a world-writable mode lets any local user put commands into it; 755 is enough):

# chmod 777 /usr/bin/UpdateBL

Then run the script

# sudo mkdir /usr/local/etc/dansguardian/blacklists

# sudo UpdateBL

You will need to set up a cron job to regularly update the blacklist based on which subscription you choose:

# su

# crontab -e

And add:

0   0   1   *   *   /usr/bin/UpdateBL

This will run the update script on the 1st of every month. Then add:

0   0   *   *   6   /usr/local/etc/dansguardian/logrotation

This will run the logrotation script every Saturday.

Now let’s finish setting up DG. Edit /usr/local/etc/dansguardian/dansguardian.conf. Change the “accessdeniedaddress” to the IP address of the server running DG. Now let’s set DG to load when the server starts by adding the following to /etc/rc.local:

# Dan's Guardian
if [ -x /usr/sbin/dansguardian ]; then
        echo -n ' dansguardian'; /usr/sbin/dansguardian >/dev/null
fi

Now let’s run a quick test. As root run:

# /usr/local/sbin/squid

# /usr/sbin/dansguardian

If you get no errors, everything is working!! Otherwise check the logs to see why things may not be working. Now for the final step we need to configure pf, which is OpenBSD’s packet filter. Edit /etc/pf.conf to look like the following:

#   $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if="pcn0"
int_if="pcn1"

#table <spamd-white> persist

set skip on lo

scrub in

# needed for ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# setup NAT
nat on $ext_if from !($ext_if) -> ($ext_if:0)

# redirect ftp traffic to ftp-proxy
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# redirect www traffic to DansGuardian; change to 3128 to bypass DG and
# redirect directly to squid
rdr pass on $int_if proto tcp to port www -> 127.0.0.1 port 8080

#no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
#rdr pass on $ext_if proto tcp from any to any port smtp \
#   -> 127.0.0.1 port spamd

# needed for ftp-proxy
anchor "ftp-proxy/*"

# Block all incoming traffic
block in

# Let everything go out for now
pass out

# Allow traffic from internal NET
pass quick on $int_if no state

antispoof quick for { lo $int_if }

# Allow external ssh
pass in on $ext_if proto tcp to ($ext_if) port ssh

#pass in log on $ext_if proto tcp to ($ext_if) port smtp
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp
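A small audit of the ruleset above, added here as an example that is not part of the original HowTo: it expands the interface macros, reads off which port the LAN www redirect points at (8080 is DG; 3128 sends traffic straight to Squid and so skips the filter, as the comment in the ruleset notes), confirms the default inbound policy is block, and lists the ports the WAN side lets in. The ruleset text is a constructed copy of the page's pf.conf with the comments trimmed.

```python
import re

# Constructed copy of the ruleset from this HowTo; the interface macros are
# expanded by the checker so the rules can be matched literally.
PF_CONF = """
ext_if="pcn0"
int_if="pcn1"
set skip on lo
scrub in
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# change to 3128 to bypass DG and redirect directly to squid
rdr pass on $int_if proto tcp to port www -> 127.0.0.1 port 8080
block in
pass out
pass quick on $int_if no state
antispoof quick for { lo $int_if }
pass in on $ext_if proto tcp to ($ext_if) port ssh
"""

DG_PORT, SQUID_PORT = 8080, 3128


def _rules(conf):
    """Strip comments, expand $macro references, return (macros, rule lines)."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', conf, re.M))
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or re.match(r'^\w+="', line):
            continue
        for name, value in macros.items():
            line = line.replace("$" + name, value)
        rules.append(line)
    return macros, rules


def audit_pf(conf):
    """Report the www redirect target, the default inbound policy and WAN-exposed ports."""
    macros, rules = _rules(conf)
    int_if, ext_if = macros["int_if"], macros["ext_if"]
    report = {"www_redirect_port": None, "default_block_in": False, "exposed_on_wan": []}
    for rule in rules:
        m = re.match(rf"rdr pass on {int_if} proto tcp to port www -> 127\.0\.0\.1 port (\d+)$", rule)
        if m:
            report["www_redirect_port"] = int(m.group(1))
        if rule == "block in":
            report["default_block_in"] = True
        m = re.match(rf"pass in\b.* on {ext_if}\b.* port (\w+)$", rule)
        if m:
            report["exposed_on_wan"].append(m.group(1))
    # Pointing the redirect at Squid instead of DG means LAN web traffic skips the filter.
    report["filter_bypassed"] = report["www_redirect_port"] == SQUID_PORT
    return report


if __name__ == "__main__":
    print(audit_pf(PF_CONF))
```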

Now start pf by running:

# pfctl -f /etc/pf.conf

If you get no errors all is well, otherwise the error should tell you where your problem is. Now we need to configure ftp-proxy and pf to load on boot. Edit /etc/rc.conf so that the lines that read:

pf=NO

ftpproxy_flags=NO

Now read:

pf=YES

ftpproxy_flags=

Finally, Set Up IP Forwarding in the Kernel

Finally we need to set the kernel option net.inet.ip.forwarding to '1' by un-commenting the appropriate line in /etc/sysctl.conf.

Now reboot, and you should be 100% functional. If you wish to tweak your filtering settings edit the files in /usr/local/etc/dansguardian/. DG log files can be found in /var/log/dansguardian. I normally use grep to browse the logs, but if you prefer a GUI you can install Webmin (http://www.webmin.com). There is a DG module for Webmin (http://sourceforge.net/projects/dgwebminmodule/) that makes administering DG very simple, though as of the writing of this tutorial the latest version of DG wasn’t supported yet. So if you wish to use it you will need to install version 2.8 of DG. I’ve set up the latest DG and used the default Webmin modules to make things easier for a fellow admin. The LogViewer module can be configured to display DG logs, and you can use the File Explorer to browse and edit the config files. You can find some more tutorials at http://dansguardian.org/?page=documentation for other OSes. There are also several add-ons available at http://dansguardian.org/?page=extras. I’ll write another tutorial using a Linux distro at some point in the future.

-- BrysonMedlock - 06 Jun 2007
