Web filter

From securityrouter.org, an OpenBSD-based firewall

To encourage administrators to minimize their router/firewall's vulnerability surface, the security router does not currently provide a web filter. However, if you find it absolutely necessary, you can use Squid in combination with, for example, DansGuardian by following these steps. The procedure requires root access and uses skeleton files. It is not officially supported, and might not be possible in future software versions.

Start by enabling root access and log in using SSH.

Installation

Begin by installing Perl, in order for pkg_add to work. Then follow one of the two guides below.

Simple method

This method re-installs the web filter on each boot and therefore results in a considerably slower boot. We generally recommend the more ambitious method below instead. If you just want to get started as fast as possible, create a file such as /cfg/squid.sh (using, for example, vi) with the following contents

mount -uw /
pkg_delete -D repair squid dansguardian
pkg_add -D repair squid-3.4.2p0 dansguardian
/etc/rc.d/squid start
/etc/rc.d/dansguardian start

and make it start on boot by running

echo "sh /cfg/squid.sh" >> /cfg/skel/rc.local

and reboot.

Ambitious method

Begin by installing Perl. Then install the web filter by running

mount -uw /
pkg_add -D repair squid-3.4.2p0 dansguardian

and make the configuration files persistent by running

cp -r /etc/squid /cfg/
cp -r /etc/dansguardian /cfg/
mkdir /cfg/rc.d/
cp /etc/rc.d/squid /cfg/rc.d/
cp /etc/rc.d/dansguardian /cfg/rc.d/

You may now edit the configuration files in the /cfg folder if you like. Then make the installed files persist across reboots and updates by creating a file such as /cfg/squid.sh (using, for example, vi) with the following contents

mount -uw /
[ ! -e /usr/local/sbin/squid ] && pkg_add -D repair squid-3.4.2p0 dansguardian
cp -r /cfg/dansguardian /etc/
cp -r /cfg/squid /etc/
cp /cfg/rc.d/* /etc/rc.d/
useradd _squid
groupadd _squid
useradd _dansguardian
groupadd _dansguardian
mkdir /var/log/dansguardian/
chown _dansguardian /var/log/dansguardian/
chown _squid /var/squid/
/etc/rc.d/squid start
/etc/rc.d/dansguardian start

and make it start on boot by running

echo "sh /cfg/squid.sh" >> /cfg/skel/rc.local

Forcing clients on the LAN to use the web filter

There are many ways to configure a web filter proxy, but one of the simplest is to add a firewall rule such as

pass in quick on wan proto tcp to port 80 rdr-to 127.0.0.1 port 8080

to the very top of the firewall configuration.
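
Because the rule uses quick, it only takes effect if no earlier quick rule matches the same traffic first, which is why it belongs at the top. The check below is an added example, not part of the original page or of the securityrouter.org software: it reads a ruleset on stdin (for example the output of pfctl -sr) and reports whether the redirect is present and not preceded by another quick rule. The function name classify_redirect and the sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page).
# classify_redirect reads pf rules on stdin and prints one of:
#   ok       - the port-80 redirect to 127.0.0.1:8080 is present and no
#              "quick" rule comes before it
#   shadowed - the redirect is present, but an earlier "quick" rule could
#              match web traffic first and bypass the filter
#   missing  - no such redirect rule was found
# Limitation: the check is line-based. It does not look inside anchors and
# does not work out whether an earlier quick rule really matches port 80,
# so "shadowed" means "review the rule order".
classify_redirect() {
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        # Accept both the form written in the configuration ("port 80")
        # and the normalized form assumed for pfctl -sr ("port = 80").
        / rdr-to 127\.0\.0\.1 port 8080/ && / port (= )?80( |$)/ {
            print (quick_seen ? "shadowed" : "ok")
            found = 1
            exit
        }
        /^[ \t]*(pass|block) / && / quick( |$)/ { quick_seen = 1 }
        END { if (!found) print "missing" }
    '
}

# Constructed sample rulesets; interface names and rules are illustrative.
GOOD_RULES='pass in quick on wan proto tcp to port 80 rdr-to 127.0.0.1 port 8080
block in log all
pass out quick all'

BAD_RULES='pass in quick on wan all
pass in quick on wan proto tcp to port 80 rdr-to 127.0.0.1 port 8080'

printf '%s\n' "$GOOD_RULES" | classify_redirect   # redirect at the top
printf '%s\n' "$BAD_RULES" | classify_redirect    # redirect after a quick rule
```

On the router itself the same function can be fed the loaded ruleset with pfctl -sr | classify_redirect.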