Mike Petersen

Network Admin, Technical Writer, Programmer, GNU/Linux Fan, etc.

• Home Page
• Documents
  • Deploying Suse Linux Enterprise Server
  • Samba Server Information & Guides
  • GNU/Linux Guides
  • Networking Related Guides
  • Misc Articles I wrote
• Downloads
  • Custom Built GNU/Linux Packages
  • NIMA Virtual Machine
  • Windows SPE Templates for Samba
  • Various Network Utilities I created
  • Misc Code
• Misc / FAQS
  • Contact Information
  • GNU/Linux FAQs
  • Network Admin FAQs
  • My Resume

Mandrake 10.1 as a Firewall

Download this entire article as a PDF

• Introduction and Overview
• Installation
• Configuration Using the Web Interface
• Basic Web Services
• Testing and Enhancing Your Firewall

Basic Web Services

So far we have setup a basic firewall that allows you to share the Internet connection, as well as protect your network from Internet traffic. Now we will enhance the Firewall with Services that will allow for easy client setup, improve your Internet speed and filter out undesirable web pages or content that you may wish to remove. Ordinarily, companies charge quite a bit of money to provide these services (especially for content filtering), but here I will discuss how to setup these services using Mandrake Linux and it's web interface.

DHCP and Caching DNS

To automate the configuration of your network clients, you can enable the DHCP server service available on the firewall. DHCP (Dynamic Host Configuration Protocol) allows you to have the firewall automatically send the computers on your LAN the correct IP configuration values during bootup. So, instead of going to each machine and entering a separate IP address, subnet, DNS server and gateway machine, you can have the LAN computers get this information from your firewall. To set this service up, click on DHCP and enter the relevant information, it is pretty self explanatory.

Settings for DHCP Services and Caching DNS

To alleviate excess DNS lookups over your Internet connection, you can setup the firewall to act as a DNS server for your LAN. Doing this will enable the firewall to "cache" all of the nameserver lookups, so if multiple clients try to find the IP address for the same domain name, such as http://www.google.com/, the firewall will send the correct information without needing to access your Internet Service Provider's DNS server.

To enable the Caching DNS service, you simply need to enter the IP address of a forwarding DNS server. This will allow the firewall to query that DNS server if it does not have the information in it's cache. If for some reason the DNS service fails to start or gets mis-configured, simply shut off the service, login to the firewall and move the /etc/named.conf file to something else, such as /etc/named.bak and re-enable the service. The software will re-create a correct /etc/named.conf file to allow the service to work again.

Note: If you run a network utilizing Microsoft Active Directory, Microsoft Exchange Server, or any other newer Microsoft Server, you must utilize Microsoft's DHCP and DNS Services, otherwise you will have severe network slowdowns and communication errors.

Web Proxy and Filtering

One way to really speed up your Internet service is to provide a way to "cache" web pages at the firewall so that if multiple users go to the same sites, most of the images and other information will be retrieved from the firewall instead of the remote Web Server. Also when you implement a proxy or "caching" service, you can also utilize a site/content filter to deny access to certain remote sites, such as pornography or content, such as ads. Many companies produce products that will do this type of filtering, however, these products are quite expensive and IMO are no better than what the OSS community offers with these tools.

Another benefit of a Proxy or "Caching" Server is the ability to only provide Internet Access to people "authenticated" to use the Internet. Mandrake offers the ability to provide a "transparent" proxy, manual proxy or manual "authenticating" proxy using either locally created usernames, an LDAP user database or a SMB (Windows Domain) user database.

The "transparent" settings are just about the same as a "manual" setting, except that it simply adds a "Redirect" to port 3328 rule to your Shorewall settings for traffic coming from the LAN. So, I guess you could even have a "transparent authenticating" proxy if you really need one.

Squid Authentication Settings and Transparent Squid Settings

Using the web interface it is quite easy to enable the proxy server, simply click on the Web Proxy settings, then select the type of proxy, either manual, manual authenticating or transparent. The easiest is "transparent" because you will not have to adjust any settings on your clients to be able to use the proxy server, it will simply "just work".

Final Squid Settings, notice settings for web filtering

Once you setup and enable the Web Proxy, you will notice that you now have the opportunity to configure both a URL Filter (SquidGuard) and a Content Filter (Dansguardian). When you start to implement each of these services, it is best to do things a step at a time, any misconfiguration could lead to your LAN computers not being able to access the Internet at all.

Squidguard site blocking and Dansguardian Content Filtering

For those wishing to enable Squidguard here are a few tips. First, make sure you add your local network to the authorized network list (i.e. 192.168.0.0/24). If you plan to block quite a few sites, do not use the web based tools, instead go to a command line and manually add whatever you want to the database through simple text files. An easy way to do this would be to download an updated blacklists file from squidguard.org. Then, once these are downloaded, uncompress them in the root (/root) directory and add the contents of whatever list you want to ban to one the following files:

/usr/share/squidGuard-1.2.0/db/advertising/urls
/usr/share/squidGuard-1.2.0/db/advertising/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/urls
/usr/share/squidGuard-1.2.0/db/banneddestination/domains
/usr/share/squidGuard-1.2.0/db/banneddestination/expressions

you can do this with vi by "reading" the file in using the ":r /path/to/filename" command. The advertising directory will replace advertising content with a small dot(so an annoying error box will not show up), while the banneddestination directory will deny all access to the specified sites. Once this is done, you must change these text files to a SquidGuard database by issuing:

squidGuard -C all

One more thing, make sure that squid is both the owner and group of these files by executing the following command:

chown squid.squid /usr/share/squidGuard-1.2.0/db -R

Your Proxy Server will now block these sites (after you restart squid). Unfortunately, there is another bug we must fix, so the "denied page" is not an access denied to the squidguard.cgi file, but instead the nice, somewhat informative blue/green Mandrake denied page.

To fix this you must edit the "/etc/httpd/conf/commonhttpd2-naat.conf" file. Toward the end of the file, it will list the "/var/www-naat/cgi-bin" directory. You must add the following so the web server will have permission to use the SquidGuard cgi-bin directory.

<Directory /var/www-naat/squidGuard>
	AllowOverride All
	Options ExecCGI
	<IfModule mod_access.c>
		Order allow,deny
		Allow from all
	</IfModule>
</Directory>

Finally, if you ever (accidentally) go back to the banned destination configuration page through the web interface, you must once again recreate the databases and change the ownership manually. As for configuring Dansguardian, please visit their website at http://www.dansguardian.org. In my experience, SquidGuard seems to be enough of a deterrent that Dansguardian is not needed.

Intrusion Detection

Using the web interface, you can enable both Snort and Prelude Intrusion Detection Systems. These IDS services work quite well, unfortunately, when you have an IDS on a computer directly connected to the Internet you will get quite a few false positives. So, weeding through the logfiles can quickly become a fulltime job. If you do plan on enabling the IDS on the firewall, it is best to also use a "helper" application that will allow you to just view "threats" on your machine, such as logwatch.

Optimally, if you do have a large network, it is best to place an IDS server somewhere on your LAN so you can monitor for any suspicious activity that somehow makes it through your firewall. For more information on how to do this, there are two books available from the Bruce Peren's Open Source series at http://phptr.com/perens. The titles are "Open Source Security Tools" and "Intrusion Detection with Snort".

Next->