Firewalls, IP aliasing and proxies
Proxy servers
For some purposes, a good alternative or adjunct to a packet filtering firewall and NAT is a proxy server that converts requests for specific protocols. In the example in the previous section, which was accessing a web server, we could also have run a proxy server on presto. Particularly in conjunction with web servers, a proxy server has the advantage that it can cache data locally, thus reducing network load.
There are a couple of other differences between NAT and proxy servers: natd does not know much about the data it passes. Proxy servers know a lot about it. This makes proxy servers less suitable as a general security or address translation mechanism. In addition, the client must know about the proxy server, whereas it does not need to know anything about NAT and firewalls. A typical connection looks like this:
This looks very similar to Figure 22-1. The only thing that appears to have changed is the port number on presto's xl0 interface. In fact, there's more than that: in Figure 22-1, andante establishes a connection with http://www.FreeBSD.org. Here it establishes a connection with http://presto.example.org.
Installing squid
A good choice of web proxy server is squid, which is available in the Ports Collection. Install it in the normal manner:
# cd /usr/ports/www/squid
# make install
squid is not the easiest thing in the world to set up, and it's hampered by sub-standard documentation. The man page is squid(8), but most of the information is in the configuration file /usr/local/etc/squid/squid.conf. By default, it is set up to do nothing. It has over 3,000 lines of mostly comments. I suggest the following changes:
- Set the value http_port to the number of the port you want to use. By default, squid uses port 3128, but many proxies use port 8080, and that's the port that most web browsers expect too. If you are not running a web server on the machine, you can also use the http port, 80. Add:
http_port 8080 80
- The variable http_access defines who can access the web server. By default, it denies all requests except from the local manager, so you must set it if you expect to get any results from the server. An appropriate setting might be:
acl local src 192.168.27.0/255.255.255.0
acl exampleorg src 223.147.37.0/24
http_access allow local
http_access allow exampleorg
This defines two access control lists, one for the NAT network we looked at in the previous section (local), and one for the globally visible network 223.147.37.0 (exampleorg). The first acl statement specifies the network in the form address/netmask, while the second specifies it with the number of significant bits in the net mask. The http_access statements then allow access for each of them.
- If you're using the ftp proxy, it's probably a good idea to change the default name with which squid performs anonymous ftp. By default it's Squid@, but that looks silly. Change it by setting:
ftp_user squid@example.org
- squid doesn't expect any line of the ftp file listing to be more than 32 characters long. That's pretty conservative. You can make it larger like this:
ftp_list_width 120
- By default, squid caches any object less than 4 MB in size on disk. If you're doing a lot of ftp work, this can seriously degrade the cache performance for http. You can reduce it to, say, 256 kB with:
maximum_object_size 256 KB
- The system starts squid as user root, which is not the best for security: proxy servers are a popular target for intruders on the Internet. You should change it to run as user and group www:
cache_effective_user www
cache_effective_group www
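The acl and http_access settings above are easy to get subtly wrong, so here is an added example (not from the book) in Python that mirrors how squid evaluates them: src ACLs are parsed in both the address/netmask and address/bits forms, http_access lines are tried in order with the first full match deciding, and, as squid's own configuration notes document, a request that matches no line gets the opposite of the last line's action. The configuration text and function names are constructed for this example.

```python
import ipaddress

# Constructed sample configuration, matching the acl/http_access settings above.
SAMPLE_CONF = """\
acl local src 192.168.27.0/255.255.255.0
acl exampleorg src 223.147.37.0/24
http_access allow local
http_access allow exampleorg
"""

def parse_conf(text):
    """Return (acls, rules). acls maps an ACL name to its list of networks;
    rules is the ordered list of (action, [aclname, ...]) http_access lines."""
    acls, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' starts a comment in squid.conf
        if not line:
            continue
        words = line.split()
        if words[0] == "acl" and len(words) >= 4 and words[2] == "src":
            # ipaddress accepts both address/netmask and address/bits notation
            nets = [ipaddress.ip_network(w, strict=False) for w in words[3:]]
            acls.setdefault(words[1], []).extend(nets)
        elif words[0] == "http_access" and len(words) >= 3:
            rules.append((words[1], words[2:]))
    return acls, rules

def http_access(acls, rules, client_ip):
    """Decide whether client_ip may use the proxy, following squid's documented
    rules: lines are tried in order and the first one whose ACLs all match wins
    (a leading '!' negates an ACL); with no http_access lines the request is
    denied; if no line matches, the result is the opposite of the last line."""
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        matched = True
        for name in names:
            negate = name.startswith("!")
            hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
            if hit == negate:       # term fails: no hit, or a hit on a negated ACL
                matched = False
                break
        if matched:
            return action == "allow"
    if not rules:
        return False
    return rules[-1][0] != "allow"

if __name__ == "__main__":
    acls, rules = parse_conf(SAMPLE_CONF)
    for client in ("192.168.27.5", "223.147.37.200", "10.0.0.1"):
        print(client, "allowed" if http_access(acls, rules, client) else "denied")
```

Because the sample list ends in allow, a client outside both networks is denied; a list that ends in deny would implicitly allow every other client, which is why squid configurations normally finish with an explicit deny line.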
Starting squid
Before you can start squid, you must first create the cache directories. If you don't, squid starts without complaint, but it doesn't run either. Later you might find something like this in the log file /var/log/messages:
Dec 21 15:26:51 presto squid[23800]: Squid Parent: child process 23802 started
Dec 21 15:26:53 presto (squid): Failed to verify one of the swap directories, Check cache.log for details. Run 'squid -z' to create swap directories if needed, or if running Squid for the first time.
Dec 21 15:26:53 presto kernel: pid 23802 (squid), uid 65534: exited on signal 6
Dec 21 15:26:53 presto squid[23800]: Squid Parent: child process 23802 exited due to signal 6
Dec 21 15:26:56 presto squid[23800]: Squid Parent: child process 23805 started
The log files are in /usr/local/squid/log, and the cache files should be in /usr/local/squid/cache. To create them, enter:
# squid -z
2002/12/21 15:30:35| Creating Swap Directories
# squid
On system restart, squid will be started automatically from the script in /usr/local/etc/rc.d/squid.sh.
Browser proxy configuration
As mentioned earlier, proxies aren't transparent to the application. You have to set up your software to talk to the proxy. To do that, you need to configure the web browser accordingly. For example, with galeon you select Settings —> Preferences —> Advanced —> Network and get the following screen:
squid understands the individual protocols that it supports, so it can tell the difference between, say, an http request on port 8080 and an ftp request on the same port. Nevertheless, consider whether it's a good idea to use squid for ftp. It doesn't speed up access the first time you fetch the file, and if you access each file only once, you don't have any gain through using squid. On the other hand, the ftp data can pollute the cache.
Setting proxy information for ftp
ftp understands proxies, and uses them for non-interactive connections only. Put the following statement in your .profile file:
export http_proxy=presto.example.org:8080
export ftp_proxy=presto.example.org:8080