BSD DevCenter
oreilly.comSafari Books Online.Conferences.


Network Filtering by Operating System
Pages: 1, 2, 3

Content Filtering with squidGuard

This step is optional for those who wish to do content filtering. I use squidGuard to filter content on my home network, in order to prevent my young children from running into sites I feel are unsuitable. The possible applications for this are endless, as squidGuard offers blacklists for ads, adult content, drugs, gambling sites, hate sites, and more.

Installing and configuring squidGuard

Install squidGuard with the command:

% cd /usr/ports/www/squidguard && make install clean

Next to Squid, squidGuard is very simple to configure--which is probably a good thing, as you spent the last two hours configuring Squid, right?

Copy /usr/local/etc/squid/squidGuard.conf.sample to /usr/local/etc/squid/squidGuard.conf and open it in your editor of choice. If you wish to filter by time of day, read the Configuring squidGuard guide. For now, the filters should always be enabled. Remove the existing source sample-clients block, and create a new block in its place with your own network range:

source localnet {

At the end of the file, replace the existing acl block with a new block:

acl {
    default {
            pass !ads !drugs !gambling !porn all
            redirect http://YOUR_WEBSERVER/cgi-bin/squidGuard.cgi? \

Note: Do not include the line break in the redirect line.

This ACL will deny access to any URLs listed in the ads, drugs, gambling, and porn databases. Other databases are also available; there is a list in the configuration file before the acl blocks from which to choose. Pay particular attention to the redirect statement, which makes reference to a CGI. In the event that a user visits a restricted site, squidGuard will redirect the request to this URL. A sample squidGuard.cgi is available for you to download. Place this on a web server and alter the redirect to change YOUR_WEBSERVER to the name of your web server.

You must also configure Squid to use squidGuard with the redirect_program directive in /usr/local/etc/squid/squid.conf. Open this file one last time and search for the line:

#  TAG: redirect_program

Below this, add the command:

redirect_program /usr/local/bin/squidGuard

Configuring pf and altq

The time has come to bring all the installed programs and changes together by configuring the packet filter and bandwidth shaper. By default, FreeBSD keeps pf's configuration in /etc/pf.conf. The sample configuration file is very well documented. To start, consider an example of filtering with Network Address Translation (NAT). This example assumes an internet connection with available bandwidth of 3Mb downstream and 512Kb upstream:

ext_if        =  "fxp0"
external_addr =  ""
int_if        =  "fxp1"
internal_net  =  ""
proxy_server  =  ""
altq on $ext_if bandwidth 512Kb cbq queue { windows_out, trusted_out }
queue windows_out bandwidth 20%
queue trusted_out bandwidth 80%
altq on $int_if bandwidth 3Mb cbq queue { windows_in, trusted_in }
queue windows_in bandwidth 20%
queue trusted_in bandwidth 80%

rdr on $int_if inet proto tcp from $internal_net os "Windows" to any \
  port www -> $proxy_server port 3128
nat on $ext_if from $internal_net to any -> ($ext_if)

pass out quick on $ext_if inet proto tcp from $proxy_server \
  to any port www keep state queue windows_out
pass out quick on $ext_if inet proto tcp from $internal_net os "Windows" \
  to any keep state queue windows_out
pass out quick on $ext_if inet proto tcp from $internal_net os "unknown" \
  to any keep state queue windows_out
pass out on $ext_if inet proto tcp from $internal_net \
  to any keep state queue trusted_out
pass out quick on $int_if proto tcp from any to $proxy_server \
   queue windows_in
pass out on $int_if proto tcp from any to $internal_net queue trusted_in

The first five lines declare variables that the rule set will use repeatedly. Variables are quite helpful in configuration files. By using them correctly, you can save much time in the future if you need to change IP addresses, network interfaces, protocols, or almost anything else. When you declare a variable in your rules file, access it later as $variable_name.

The six altq configuration lines that follow set the amount of available bandwidth. Bandwidth is controlled on the interface where packets leave the router. Packets going from the network to the internet leave the router on $ext_if, so we set $ext_if to 512Kb. Similarly, packets coming into the network from the internet leave the router in $int_if, so the rules set $int_if to 3Mb. pf understands b, Kb, Mb, and Gb, which represent bits, kilobits, megabits, and gigabits per second, respectively.

Pages: 1, 2, 3

Next Pagearrow

Sponsored by: