CS & IT Solutions

First we will compile kernal

proxy # cd / usr/src/sys/i386/conf /

backup your kernel configuration file used to it:

Proxy # cp GENERIC GENERIC-BAK

edit GENERIC file with your favorite editor

Proxy#nano GENERIC

and add these below options

its is optional for telling your kernal about cpu

cpu I686_CPU

#For optimizing squid #

options SYSVMSG
options MSGMNB=32768
options MSGMNI=164
options MSGSEG=8196
options MSGSSZ=512
options MSGTQL=2048

Add these lines below device

# For PF #

device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In / Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build

after that

Proxy # config GENERIC
proxy # cd .. / .. / compile / GENERIC

or some times if you have installed standard installation then

proxy # cd .. / compile / GENERIC
proxy # make & & make depend
proxy # make & & make install

Install Squid

we need perl

proxy# cd /usr/ports/lang/perl5.10/
proxy# make install clean

Create group and user that will be used to run the squid:

proxy# pw group add squid -g 100
proxy# pw user add squid -u 100 -g squid -s /usr/sbin/nologin -d /usr/local/squid
proxy# chown -Rv squid:squid /cache
proxy# cd /usr/local/
proxy# fetch http://www.squid-cache.org/Versions/v3/3.0/squid-3.0.STABLE23.tar.bz2
proxy# tar -zxvf squid-3.0.STABLE23.tar.bz2
proxy# cd squid-3.0.STABLE23

proxy# ./configure -prefix=/usr/local/squid \
–enable-gnuregex \
–enable-async-io=24 –with-pthreads –with-aio –with-dl –with-aufs-threads=24 –with-pthreads \
-enable-pf-transparent \
–enable-ipfw-transparent \
-enable-storeio=aufs \
-enable-removal-policies=heap \
-enable-delay-pools \
-enable-underscores \
–enable-http-violations \
–enable-unlinkd \
-enable-snmp \
-enable-useragent-log \
-enable-htcp \
-enable-ssl \
-enable-icmp \
–enable-poll \
-enable-arp-acl \
-enable-cache-digests \
-enable-kill-parent-hack \
-enable-large-cache-files \
-enable-follow-x-forwarded-for \
-enable-default-err-languages=English \
-enable-err-languages=English \
-disable-ident-lookups \
-disable-hostname-checks \
-disable-wccpv2 \
-disable-wccp && “Successful Done”

proxy# make && make install

After that edit the squid.conf is in accordance with the needs

proxy# ee /usr/local/squid/etc/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 192.168.10.0/27
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 8080 transparent
hierarchy_stoplist cgi-bin ?

cache_mem 6 MB
maximum_object_size_in_memory 32 KB
memory_replacement_policy heap LFUDA

cache_replacement_policy heap GDSF
cache_dir aufs /cache 10000 24 256
maximum_object_size 128 MB
cache_swap_low 90
cache_swap_high 95

access_log /var/log/squid/logs/access.log
cache_log /var/log/squid/logs/cache.log

coredump_dir /cache
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

cache_mgr webmaster@domainku.com-(0752-xxxxxx)
cachemgr_passwd squid-cache password
cache_effective_user squid
cache_effective_group squid

proxy# squid -z
2009/05/10 16:38:37| Creating Swap Directories

first lets check the configuration with the command:

proxy # / usr / local / squid / sbin / squid-k parse
proxy # / usr / local / squid / sbin / squid-NCd1

once considered sufficient, a squid path:

proxy # / usr / local / squid / sbin / squid

and to run the config change, can be a command

proxy # / usr / local / squid / sbin / squid-k reconfigure

let me restart the streets every time the input parameters to the / etc / rc.conf

squid_enable = “YES”
pf_enable = “YES”

or enter the command /usr/local/squid/sbin/squid to /etc/rc.local

then add in / etc/ rc.local

chgrp squid /dev/pf & & chmod g+rw /dev/ pf

Howto setup a ipfw stateful firewall on FreeBSD with a simple ruleset and explain certain details, including natd interaction.

Introduction

Why have protection? Computers on the internet run the risk of being damaged or hijacked. Firewall software is a very powerful tool in fighting this. Having FreeBSD firewall software doesn’t mean that your safe. You will still have to update your system in order to fix security bugs and check for viruses. Although the later isn’t much of a problem for Unix like computers at the time of writing.

The goal of this howto is to setup a simple firewall for FreeBSD and explain certain details of the ipfw firewall, from the user point of view, while doing so. At the end of this howto you will have a firewall for FreeBSD with a simple ruleset. The questions this article will give anwsers to are:

• How packet’s are checked against the rules.
• Howto natd effects the rules and howto deal with those effects.
• Howto setup statefull rules and why the can not be used with natd.

Related howto’s

• Firewall Setup – A more complex firewall setup for FreeBSD, that also includes a traffic shaper and network address translation (NAT). This particular howto lays the basis for the next howto.
• Traffic Reports – Howto create traffic graphs with MRTG, IPA and IPFW.

Notes

The newer versions of FreeBSD can load the ipfw firewall software when this is requires. Older versions of FreeBSD don’t have this ability and need to have a kernel compiles. You also need to do this with the newer version when you like to create more advanced rules, like logging of traffic shaping.

Summary Read the rest of this entry »

So if you want PF to do only one thing, and that is to block particular ip’s here is how you do it. Keep in mind, this configuration is a horrible idea for a traditional firewall. So first begin with creating /etc/pf.conf, I use vi, you can use whatever.

ext_if=”re0″ # External interface

#Block all Ip’s in the banned table
table { 192.168.1.1 }
block quick from to any
block quick from any to

pass out keep state
pass in quick on ext_if

conf if your looking for a traditional firewall, this is for the sole purpose of blocking a single IP or IP ranges.

You will need to replace re0 with your interface name and put your IP’s to be blocked in the banned table.

You can put entire classes of IP’s if you want like: 204.152.64.0/23
and the table should be comma seperated so something like:

table { 192.168.1.1, 204.152.64.0/23 }

Also to get pf.conf to start(FreeBSD, anyway), you need to put this in the rc.conf:

pf_enable=”YES”
pf_rules=”/etc/pf.conf”
pf_flags=”"
pflog_enable=”YES”
pflog_logfile=”/var/log/pflog”
pflog_flags=”"

I’ll go more in depth on more stuff you can do with pf in the next post, or wait, maybe a powershell post, I don’t know. I am not promising anything.

source here