Saturday, June 2, 2012

My #OpenBSD Adventure: Part 3

Life is very disrespectful of projects isn't it?

For those just joining the program: I currently have my OpenBSD machine with base PF rules (pass all) and a D-Link WiFi-N base station. I have two major points on the to-do list and hope to achieve at least one today.
1. Install Squid ( http://www.squid-cache.org ) and set it up as a transparent proxy, with ad/spam blocking.
2. Install and enable third NIC to separate the WiFi segment.

Tackling the first point, I've downloaded the Squid source. I'm going to use

./configure --enable-pf-transparent 

I have a feeling I'm going to need to use --enable-auth-helpers="(something)" in the future for the captive portal part of the project, but for now I will just try to get things running.

I forgot how long things take to compile from source. Even on a fairly hefty machine, Squid took about 20 minutes start to finish. There seems to be an issue on OpenBSD. The Squid user by default does not have write access to the var/log or var/cache directories.

Appending these lines to pf.conf

# Send web traffic arriving from the LAN side to the local Squid instance
pass in on em0 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128
# Accept the translated flows toward Squid on the loopback address
pass in on em0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
# Let outbound web connections (including Squid's own fetches) leave through the uplink
pass out on xl0 inet proto tcp from any to any port www keep state

forced all the web traffic from my machines through Squid, which I was able to verify by way of an ACL in squid.conf that blocked reddit. It is worth noting here that since OpenBSD 4.7 the PF syntax for NAT and redirects has changed quite a bit. The old way was to

rdr on $if ....

and the new way is

pass in on $if ....rules... rdr-to ....

This had me scratching my head for a while this afternoon, as every guide for exactly this transparent Squid/PF setup was using the old syntax.
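To show the old and new forms side by side in context, here is an added example of a complete OpenBSD 4.7+ style ruleset for this setup. It is not the post's own pf.conf; it assumes em0 is the LAN (10.0.0.0/24, gateway 10.0.0.1), xl0 is the uplink, and Squid listens on 127.0.0.1:3128 for the intercepted traffic. The macro names are my own.

```pf
# Added example, not the post's pf.conf. Assumed: em0 = LAN (10.0.0.0/24,
# gateway 10.0.0.1), xl0 = uplink, Squid listening on 127.0.0.1:3128.
ext_if     = "xl0"
int_if     = "em0"
lan_net    = "10.0.0.0/24"
squid_addr = "127.0.0.1"
squid_port = "3128"

set skip on lo0
block log all

# Pre-4.7 syntax for the same redirect, as the older Squid/PF guides show it:
#   rdr on $int_if inet proto tcp from $lan_net to any port www -> 127.0.0.1 port 3128
# 4.7+ syntax: the translation is an option on the filter rule itself. "quick"
# matters because PF is last-match-wins: without it the general LAN rule further
# down would override this one for port 80. Only traffic arriving on the LAN
# side is redirected, so Squid's own fetches leaving on $ext_if never loop back.
pass in quick on $int_if inet proto tcp from $lan_net to any port www \
    rdr-to $squid_addr port $squid_port

# The old "nat on" line is now a match rule with nat-to; the interface name in
# parentheses tracks the uplink's address if it changes.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Everything else from the LAN, including browsers pointed explicitly at
# 10.0.0.1:3128 while testing, and all outbound traffic from the gateway
# itself (which covers Squid fetching pages on behalf of clients).
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet from any to any
```

pfctl -nf /etc/pf.conf parses the file without loading it, which is the quickest way to catch an old-syntax line copied from a guide; once loaded, pfctl -ss | grep 3128 shows the redirected states and confirms that port 80 flows from the LAN are really being translated.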

In squid.conf, I put these lines

acl badurls url_regex "/usr/local/squid/etc/block.txt"
http_access deny badurls


/usr/local/squid/etc/block.txt contained the single line "reddit" for now; I will fill it with ad/annoying web URLs at a later time.

Right now, if the browser is set to use 10.0.0.1:3128 as the proxy, all works well. If the browser has no proxy set, Squid returns an error about malformed URLs. For now, I have disabled the rdr line.
Well, that was as easy as reading a little bit. Adding "transparent" to the line in squid.conf got it up and running.

http_port 3128 transparent
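Here is an added example (not the author's squid.conf) of how the pieces above fit into one configuration. It assumes the source build's default prefix /usr/local/squid, the PF rule redirecting LAN port 80 to 127.0.0.1:3128, 10.0.0.1 as the gateway's LAN address, and a run-as user named squid; the second block-list file name is my own.

```conf
# Added example, not the post's own squid.conf. Assumes the default source-build
# prefix /usr/local/squid, PF redirecting LAN port 80 to 127.0.0.1:3128, and
# 10.0.0.1 as the gateway's LAN address.

# Port that receives the PF-redirected connections. Squid 3.x calls this mode
# "intercept"; "transparent" is the older spelling and is still accepted.
http_port 127.0.0.1:3128 intercept

# A plain port for browsers configured to use 10.0.0.1:3128 explicitly.
# Only a port like this can send a 407 Proxy-Authentication challenge, so any
# later auth helpers can only apply here, never to the intercept port.
http_port 10.0.0.1:3128

acl localnet src 10.0.0.0/24

# url_regex is applied to the entire URL, so a bare "reddit" in block.txt also
# matches http://example.net/posts/why-i-left-reddit. For whole domains,
# dstdomain with a leading dot (".reddit.com") covers the domain and its
# subdomains without that side effect. The second file name is an assumption.
acl badurls url_regex "/usr/local/squid/etc/block.txt"
acl baddomains dstdomain "/usr/local/squid/etc/blockdomains.txt"

# Order matters: the first http_access line that matches decides.
http_access deny badurls
http_access deny baddomains
http_access allow localnet
http_access deny all

# The user Squid drops to after startup; it must own var/logs and var/cache
# under the prefix (the permission problem hit after the build). "squid" is
# an assumed user name.
cache_effective_user squid
cache_dir ufs /usr/local/squid/var/cache 1024 16 256
access_log /usr/local/squid/var/logs/access.log
```

On OpenBSD the intercept port asks PF for each connection's original destination through /dev/pf, so if intercepted requests fail while explicitly proxied ones work, the first thing to check is whether the user Squid runs as can open /dev/pf. The explicit port is also the reason the browser test with 10.0.0.1:3128 keeps working alongside the redirect.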

Next up, tackling the authentication bits. The plan is to have the WiFi segment require authentication and have rules based on device/user, and the hard-wired LAN be open (only people I know will be plugging in).

