Installation of Squidwall
Version
This article describes version 0.4b of squidwall. Please note that version 0.5 is an unstable developer version!
Notes
These notes may be a bit rough for now. I'm in the process of trying to figure out how to make squidwall work. Note the discussion page for my questions and theories.
Dependencies
Most distributions do not seem to include libowfat, one of the dependencies.
The library is needed as part of the compilation process. To compile the application you will need the packages "gcc" and "make" installed on your system. These two packages are included in all distributions.
The first step is to build "libowfat". To do this, run "make" in the directory into which you extracted the .bz2 file:
cd ~/packages/libowfat/libowfat-0.24
make
Next we need to ensure that the library is linked to a place expected by the squidwall make script.
cd ~/packages/squidwall/
ln -s ~/packages/libowfat/libowfat-0.24 libowfat
Compiling squidwall
Then we compile squidwall.
cd squidwall-0.4b
make
make install
cp contrib/squidwall.sh /usr/bin/
If you get an error like "__you_tried_to_link_a_dietlibc_object_against_glibc", edit the Makefile and replace the following three lines (example taken from a Gentoo installation):
DIET = /usr/bin/diet
CFLAGS = -Os -Wall -pipe -I/usr/include/libowfat
LDFLAGS = /usr/lib/libowfat.a
Squid Configuration
Add the following to /etc/squid/squid.conf
redirect_program /usr/bin/squidwall.sh
redirect_children 5
redirector_bypass off
redirector_access deny localhost
acl requireIdent ident REQUIRED
http_access allow requireIdent
This presumes the use of the package's default ident-based user identification. For Windows XP you can use Retina Scan's identd running as a service on each desktop.
Configuring Squidwall
The start script /usr/bin/squidwall.sh sets a number of environment variables that configure Squidwall. It should look something like this:
#!/bin/sh
SERVER="192.168.100.6"
NETWORK="testing"
exec env -i \
  LOG_FILE="/var/log/squid/squidwall.log" \
  PROXY="127.0.0.1:3128" \
  CLAMD="127.0.0.1:3310" \
  MAX_SIZE="50000" \
  PFILTER_MAX="100" \
  REDIR_BADUSER="http://$SERVER/inet/deny.php?network=$NETWORK&reason=user&" \
  REDIR_BADHOST="http://$SERVER/inet/deny.php?network=$NETWORK&reason=host&" \
  REDIR_BADCONT="http://$SERVER/inet/deny.php?network=$NETWORK&reason=cont&" \
  REDIR_BADURL="http://$SERVER/inet/deny.php?network=$NETWORK&reason=url&" \
  REDIR_VIRUSFOUND="http://$SERVER/inet/deny.php?network=$NETWORK&reason=virus&" \
  REDIR_BANNERFOUND="http://$SERVER/inet/img/t.png" \
  REDIR_SAFESITE="http://$SERVER/" \
  REDIR_WEBINTERFACE="http://$SERVER/inet/" \
  /usr/sbin/squidwall
Web Interface Setup
Get the latest "web interface" package from the Milksys homepage. Change directory to "/etc" and extract the package there with something like "tar -jxvf 2006-07-03.tar.bz2".
It will create /etc/squidwall with everything it needs under there.
Open /etc/squidwall/webinterface/CONFIG and ensure that the following settings are correct:
$denypath (change to your server's IP address)
$logpath (change that to your favorite log path)
$lang (english/german)
$P_EXP="/inet"; /* access the webinterface via http://servername/inet/ */
$P_EXP=""; /* access the webinterface via http://squidwall - preferred */
Move the directory /etc/squidwall/inet to the place where your inet directory is set up. This /inet/ directory will be used for the web interface and the deny.php pages.
Ensure that the following directories, and any files under them, are owned by the web server's user or group and have permissions that allow the web server to read and write them (and execute, for the directories):
/etc/squidwall/filters
/etc/squidwall/hosts
/etc/squidwall/redirects
/etc/squidwall/users
/etc/squidwall/webinterface/sessions
Variables for user reporting
The following variables are passed from Squidwall to the referral page as HTTP GET parameters:
$version - current version of squidwall
$url - the requested URL
$ip - the client's IP address
$host - the hostname requested by the client
$user - the user associated with the client
$method - the request method: GET, POST, CONNECT, etc.
$clamd - version of ClamAV
$virus - name of the virus found
$filter - information regarding why the site was blocked
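The REDIR_* URLs in squidwall.sh end in "&" because the variables above are appended to them as GET parameters. The following added example (not squidwall's own code; the SERVER, NETWORK and request values are constructed) shows how such a deny-page URL has to be assembled, and why every value, above all the requested $url, must be percent-encoded before it is appended: a URL containing "&" and "=" of its own would otherwise split into extra parameters on the deny page.

```shell
#!/bin/sh
# Build the deny-page URL that carries the reporting variables above as GET
# parameters. Constructed example, not squidwall's own code. Assumptions: the
# REDIR_* base URL already ends in "&" (as in squidwall.sh above) and each
# value is percent-encoded; the requested URL in $url must be encoded, since
# it contains "&", "=" and "/" itself and would otherwise split into extra
# parameters.

# urlencode STRING -> percent-encoded copy (RFC 3986 unreserved chars kept).
# Byte-wise only in the C locale; run under LC_ALL=C for non-ASCII input.
urlencode() {
    s=$1; out=''
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}        # split off the first character
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # "'c" yields the byte value
        esac
        s=$rest
    done
    printf '%s' "$out"
}

# deny_url BASE name=value ... -> BASE followed by the encoded parameters
deny_url() {
    url=$1; shift
    for kv in "$@"; do
        url="$url$(urlencode "${kv%%=*}")=$(urlencode "${kv#*=}")&"
    done
    printf '%s\n' "${url%&}"               # drop the trailing "&"
}

SERVER="192.168.100.6"; NETWORK="testing"
REDIR_BADURL="http://$SERVER/inet/deny.php?network=$NETWORK&reason=url&"
# Constructed request values of the kind squidwall reports to the deny page
deny_url "$REDIR_BADURL" version=0.4b 'url=http://example.com/page?a=1&b=2' \
    ip=192.168.100.42 host=example.com user=jdoe method=GET filter=u:adult
```

On the receiving side, deny.php gets $url and $host straight from the client's request, so the web interface has to treat them as untrusted input and escape them before echoing them into the deny page.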
Available Filter Mechanisms
Host-defined Filtering
By default, every existing filter is applied to all hosts using the proxy; however, filtering definitions may also be applied on a per-host basis. Per-host filtering is set up by creating a file named after the host's IP address or resolvable hostname. By editing the file, the administrator may choose to apply only certain filters to that host.
Filtering on a per-host basis is turned on by prefixing the filename with "?", while prefixing the filename with "!" gives the host unfiltered access. Finally, prefixing the filename with "-" blocks the host from accessing the Internet at all.
Per-User Defined Filtering
If authentication has been configured in squid, per-user filtering may be applied to individual users. By default, all users are filtered against every defined filter. By creating a file with the name of the authenticated user and editing it, it is possible to turn certain filters on or off. As with host-defined filtering, prefixing the filename with "?", "-" or "!" enables filtering, blocks access, or allows unfiltered access to the Internet, respectively.
Advertising Filter
This filter replaces adverts or banners with a 1 x 1 pixel picture, thus blocking the advert.
+b,Filter1,Filter2,Filter3
-b disable banner filtering
Banner filter, based on a regex(7) expression
+B,Filter1,Filter2,Filter3
-B disable regex banner filtering
Banner filter, using a regex(7) expression on the HTTP header
+a,Filter1,Filter2,Filter3
-a disable regex banner filtering
URL black list
URL blocking, based on a case-insensitive check
+u,Filter1,Filter2,Filter3
-u disable url filtering
URL blocking, based on a regex(7) check
+U,Filter1,Filter2,Filter3
-U disable regex url filtering
URL blocking, based on the MD5 hash of the domain
+m,Filter1,Filter2,Filter3
-m disable md5 url filtering
URL blocking, based on the SHA1 hash of the domain
+s,Filter1,Filter2,Filter3
-s disable sha1 url filtering
URL white list
URL-based white list, allowing access based on a case-insensitive check
+w,Filter1,Filter2,Filter3
-w disable url filtering
URL-based white list, allowing access based on a regex-based check
+W,Filter1,Filter2,Filter3
-W disable regex url filtering
content filtering
content filtering, using a simple case-insensitive string comparison
+c,Filter1,Filter2,Filter3
-c disable content filtering
content filtering, using regex(7) expressions
+C,Filter1,Filter2,Filter3
-C disable regex content filtering
phrase filtering (like the c filter, but with hit points for each matched word)
+p,Filter1,Filter2,Filter3
-p disable content filtering
antivirus scanning
+V
-V disable antivirus scanning
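The per-user and per-host files (and the '!' defaults file) are edited by hand, so it helps to have something that reads such a file back and reports what each option line actually enables. The following is an added example, not squidwall's own parser; it assumes one option per line in the "+b,Filter1,Filter2" / "-b" form listed above, that "#" starts a comment, and that a later line for the same type letter overrides an earlier one (the filter letters are the ones listed on this page).

```shell
#!/bin/sh
# Read the filter options of a per-user / per-host file (or the '!' defaults
# file) in the "+b,Filter1,Filter2" / "-b" form listed above and report the
# state of one filter type. Constructed parser, not squidwall's own code.
# Assumptions: one option per line, "#" starts a comment, a later line for the
# same type overrides an earlier one, and an unknown type letter is an error.

KNOWN_TYPES='b B a u U m s w W c C p V'

# filter_state FILE TYPE -> prints "on", "on:List1,List2", "off" or "unset"
filter_state() {
    file=$1; want=$2; state=unset
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        sign=${line%"${line#?}"}          # first character: + or -
        rest=${line#?}
        ftype=${rest%%,*}                 # type letter before the first comma
        lists=${rest#"$ftype"}; lists=${lists#,}
        case " $KNOWN_TYPES " in
            *" $ftype "*) ;;
            *) echo "filter_state: unknown filter type '$ftype' in $file" >&2; return 2 ;;
        esac
        [ "$ftype" = "$want" ] || continue
        case $sign in
            +) if [ -n "$lists" ]; then state="on:$lists"; else state=on; fi ;;
            -) state=off ;;
            *) echo "filter_state: bad line '$line' in $file" >&2; return 2 ;;
        esac
    done < "$file"
    echo "$state"
}

# filter_summary FILE -> one "type=state" line per known filter type
filter_summary() {
    for t in $KNOWN_TYPES; do
        s=$(filter_state "$1" "$t") || return 2
        printf '%s=%s\n' "$t" "$s"
    done
}

# Demonstration on a constructed options file standing in for $P_USERS/!
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed example of default options for all users
+u,adult,warez
+U,regex-bad
+c,badwords
-V
+p,phrases
+V
EOF
filter_summary "$demo"          # V ends up "on": the later +V overrides -V
rm -f "$demo"
```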
Access Control
Squidwall User ACL's
- $P_USERS/+user1
  - user 'user1' can use the internet without any restrictions
  - but: if the user is on a restricted host, he still has restrictions!
- $P_USERS/?user2
  - user 'user2' can use filtered/scanned internet
- $P_USERS/-user3
  - user 'user3' can NOT use the internet
- $P_USERS/!
  - squidwall rereads the directory only if the mtime of '!' has changed
  - this file also contains the default filter options for all users
E.g. if the user "foo" must not get internet access, do the following:
touch /etc/squidwall/users/-foo
touch /etc/squidwall/users/!
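Because the access class of a user or host is encoded only in the file-name prefix, a stale "-foo" next to a newly created "?foo" is easy to leave behind. The following added example (not squidwall's own code) wraps the two touch commands above in a helper that replaces any previous marker for the name and bumps '!' so the directory is reread, plus a query that reports the resulting class. It assumes exact name matches, that "-" wins over "+"/"!" and those over "?" when several files exist, and that the hosts directory uses the same '!' mtime trigger the page describes for users.

```shell
#!/bin/sh
# Resolve and set a user's or host's squidwall access class from the
# file-name prefixes described on this page ("?" filtered, "-" blocked,
# "+" unrestricted for users, "!" unrestricted for hosts).
# Constructed helper, not squidwall's own code. Assumptions: names are
# matched exactly; if several prefixed files exist for one name, "-" wins
# over "+"/"!", which win over "?"; the hosts directory is reread via the
# same '!' mtime trigger the page describes for the users directory.

# squidwall_policy DIR NAME user|host
#   prints one of: blocked, unrestricted, filtered, default
squidwall_policy() {
    dir=$1; name=$2; kind=$3
    case $kind in
        user) open='+' ;;
        host) open='!' ;;
        *) echo "usage: squidwall_policy DIR NAME user|host" >&2; return 2 ;;
    esac
    if [ -e "$dir/-$name" ]; then
        echo blocked
    elif [ -e "$dir/$open$name" ]; then
        echo unrestricted
    elif [ -e "$dir/?$name" ]; then
        echo filtered
    else
        echo default            # no file: the defaults from DIR/! apply
    fi
}

# squidwall_set DIR NAME MARKER
#   replaces any existing marker file for NAME with MARKER (+ ? - or !),
#   then touches DIR/! so that squidwall rereads the directory
squidwall_set() {
    dir=$1; name=$2; marker=$3
    case $marker in
        '+'|'?'|'-'|'!') ;;
        *) echo "squidwall_set: marker must be one of + ? - !" >&2; return 2 ;;
    esac
    rm -f "$dir/+$name" "$dir/?$name" "$dir/-$name" "$dir/!$name"
    : > "$dir/$marker$name"
    touch "$dir/!"
}

# Demonstration on a scratch directory standing in for /etc/squidwall/users
demo=$(mktemp -d)
squidwall_set "$demo" foo '-'        # "foo must not get internet access"
squidwall_set "$demo" user1 '+'
squidwall_set "$demo" user2 '?'
for u in foo user1 user2 nobody; do
    printf '%-8s %s\n' "$u" "$(squidwall_policy "$demo" "$u" user)"
done
rm -rf "$demo"
```

Run it against the real directory as the owner of /etc/squidwall/users; squidwall_set never edits the file contents, so the per-user option lines you put into "?user2" are kept only if you re-create the file with the same marker.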
Web Interface User ACL's
The web interface users are defined in /etc/squidwall/webinterface/users.csv. The file contains a brief explanation of how it needs to be setup and also shows a default admin user:
format of this file: user:hash:perm
user -> username
hash -> sha1(user:pass)
perm -> a=admin u=user
sample:
- username = adminuser
- password = 12345
- permissions = admin
-> result: 'adminuser:b810a5905bae88fd4cbbd94639d56b3ae0c43613:a'
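Computing the hash field by hand is error-prone, so here is an added helper (not part of the squidwall web interface) that produces a users.csv line from a username, password and permission letter, and a constructed counterpart of the login check that reads such a line back. It follows the format described in the file: the hash is the SHA-1 of the string "user:pass" with no trailing newline. It assumes sha1sum (GNU coreutils) or shasum (BSD/macOS) is installed.

```shell
#!/bin/sh
# Produce and verify users.csv lines of the form user:hash:perm, where
# hash = sha1("user:pass") as described in the file itself. Constructed
# helper, not part of the squidwall web interface; it assumes sha1sum
# (GNU coreutils) or shasum (BSD/macOS) is available.

sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    else
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    fi
}

# users_csv_entry USER PASS PERM   (PERM: a = admin, u = user)
users_csv_entry() {
    user=$1; pass=$2; perm=$3
    case $perm in a|u) ;; *) echo "users_csv_entry: perm must be a or u" >&2; return 2 ;; esac
    case $user in *:*) echo "users_csv_entry: ':' is the field separator" >&2; return 2 ;; esac
    printf '%s:%s:%s\n' "$user" "$(sha1_hex "$user:$pass")" "$perm"
}

# check_login FILE USER PASS -> prints the user's perm and returns 0 on a
# match, returns 1 otherwise (constructed counterpart of the web interface's check)
check_login() {
    file=$1; user=$2; pass=$3
    want=$(sha1_hex "$user:$pass")
    while IFS=: read -r u h p; do
        if [ "$u" = "$user" ] && [ "$h" = "$want" ]; then
            echo "$p"; return 0
        fi
    done < "$file"
    return 1
}

# Demonstration with a scratch users.csv
demo=$(mktemp)
users_csv_entry adminuser 12345 a > "$demo"       # the sample from the file
users_csv_entry alice 'correct horse' u >> "$demo"
check_login "$demo" alice 'correct horse'         # prints: u
check_login "$demo" alice 'wrong' || echo 'alice: login rejected'
rm -f "$demo"
```

You can compare the first line it writes with the sample result quoted in users.csv. Note that the stored value is an unsalted SHA-1 of user:pass, so anyone who can read users.csv can guess passwords offline at full speed: keep the file readable only by the web server's user and use long passwords for the admin accounts.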