LinuxQuestions.org, Linux - Server forum
I finally got squid/dansguardian working (I guess the server side) but cannot find any docs that tell me how to make the other PCs (two Windows machines) on the same network filter.
"I'm sorry if the above sounds stupid."
Maybe this would clear things up... I have got Slackware set up and installed squid & dansguardian on my main PC that's hard wired to my LinkSys router, which is connected to my cable modem. Now, there are two other machines, both with Windows on them, that are wireless. They work, but will let my kids get on any website they wish, and I want to stop that. Dansguardian is working great on the Linux PC.
If it's filtering the server (my main PC), should it not be doing the same on all PCs, since the rules work on the server?
Unless you have specifically configured a transparent proxy, you'll need to make the clients use squid as their explicit proxy in whatever browsers you are using. If you are already doing this, then please provide some useful information, such as your squid.conf file.
In order to filter traffic, the server has to see the traffic -- it's not clear from your verbal description if the wireless traffic is passing through the Slack/Squid box.
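The two replies above describe the same requirement from different angles: either every browser on the LAN is told to use the proxy, or the Slackware box sits in the traffic path and intercepts port 80 itself. As an added example that is not part of any post in this thread, the script below prints the squid.conf and dansguardian.conf fragments for the usual DansGuardian-in-front-of-Squid chain plus the iptables rules for each mode. The interface name (eth0), LAN range (192.168.1.0/24) and ports (8080 for DansGuardian, 3128 for Squid) are assumptions, and the Squid directives use 2.x-era syntax.

```shell
#!/bin/sh
# Added example (not from the thread). Two ways for the Windows PCs to be
# filtered: (a) explicit proxy: each browser points at the Slackware box on
# port 8080; (b) transparent: the box is the LAN's gateway and iptables
# redirects port-80 traffic into DansGuardian. Assumed values: LAN on eth0,
# 192.168.1.0/24, DansGuardian on 8080, Squid on 3128. The functions only
# print config fragments and commands; "sh proxy-setup.sh apply transparent"
# actually runs the rules (needs root).
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DG_PORT="${DG_PORT:-8080}"
SQUID_PORT="${SQUID_PORT:-3128}"

# squid.conf fragment: Squid listens only on loopback, so a client cannot skip
# DansGuardian by pointing its browser straight at port 3128.
squid_conf() {
cat <<EOF
http_port 127.0.0.1:${SQUID_PORT}
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
EOF
}

# dansguardian.conf fragment: listen on every interface, parent proxy is the
# loopback-only Squid above.
dansguardian_conf() {
cat <<EOF
filterip =
filterport = ${DG_PORT}
proxyip = 127.0.0.1
proxyport = ${SQUID_PORT}
EOF
}

# Explicit mode: browsers are configured with the box's LAN address, port 8080.
# The REJECT in FORWARD makes that setting mandatory: web traffic that tries to
# go around the proxy (proxy setting removed) is refused instead of forwarded.
explicit_rules() {
cat <<EOF
iptables -A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport ${DG_PORT} -j ACCEPT
iptables -A FORWARD -i ${LAN_IF} -s ${LAN_NET} -p tcp -m multiport --dports 80,443 -j REJECT
EOF
}

# Transparent mode: only works when the LAN's default route goes through this
# box, and only TCP/80 is caught. HTTPS and non-standard ports pass the filter
# untouched; that is the caveat to keep in mind with interception.
transparent_rules() {
cat <<EOF
iptables -t nat -A PREROUTING -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport 80 -j REDIRECT --to-port ${DG_PORT}
iptables -A INPUT -i ${LAN_IF} -s ${LAN_NET} -p tcp --dport ${DG_PORT} -j ACCEPT
EOF
}

# Print the rules for one mode; returns 1 for an unknown mode.
rules_for() {
  case "$1" in
    explicit) explicit_rules ;;
    transparent) transparent_rules ;;
    *) echo "usage: $0 {show|apply} {explicit|transparent}" >&2; return 1 ;;
  esac
}

case "${1:-show}" in
  show) squid_conf; echo; dansguardian_conf; echo; rules_for "${2:-explicit}" ;;
  apply) rules_for "${2:-explicit}" | sh -e ;;
esac
```

In explicit mode the browsers also send HTTPS through the proxy (as CONNECT requests), so rejecting direct 80/443 from the LAN costs nothing; in transparent mode there is no such enforcement for 443, which is why interception alone does not keep a determined user off unfiltered sites.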
So, in order to use squid and dansguardian on a LAN I must change the way the hardware works, like your second drawing. I know that several tutorials mentioned that configuration (like the second drawing), but the one I was using said nothing about that; it also did not state that they were on a LAN either.
Before I start changing everything and starting over, I would like to make sure that the first drawing just won't work, or if there's a hack to make it work. Also, what's the drawback?
Thanks for the compliment. It's not hard in KWrite.
Quote:
Originally Posted by davimint
My system is set up like your first drawing.
So, in order to use squid and dansguardian on a LAN I must
change the way the hardware works like your second drawing.
Yes.
Quote:
Originally Posted by davimint
I know that several tutorials mentioned that configuration
( like the second drawing)but the one I was using said nothing
about that but it also did not state that they were on a LAN
either.
No comment, probably n/a.
Quote:
Originally Posted by davimint
Before I start changing everything and start over I would like
to make sure that the first drawing just won't work or if theres
a hack to make it work.
AFAIK, no way -- the server just can't filter packets/traffic not going through it.
Now, I don't use SOHO routers for security -- I have a dedicated firewall ("FW") (currently running SmoothWall Express 2.0) -- so I can't advise you if your model LinkSys can do any of the things you need. See next . . .
Quote:
Originally Posted by davimint
Also,what's the drawback.
Really good Q.
The drawback is that your server (Slack/Squid) will now be directly exposed to all the crackers & script kiddies out on the "Big Bad, Wild & Wooly, West(ern) Web" (tm). Whether you are aware of it or not, & my apologies if you already know this, the router shares your public IP address by NAT'ing, & NAT'ing provides a lot of inherent protection. Steve Gibson (grc.com) of SpinRite & ShieldsUP! fame has said on his "Security Now" webcast that a simple IP sharing (NAT'ing) router provides about 90% of the protection of a dedicated FW.
So, to be safe, you must do 1 of these things:
(Unlikely) Dig into the capabilities of your LinkSys, & use it to do the access control. I suspect if your LinkSys could do this, we wouldn't be having this discussion.
Turn Slack/Squid into a FW as well as server. Not easy, nor perhaps desirable -- FW's need to run a minimum of services & checking them is a PITA.
Find an old "door stop" or "boat anchor" & install one of the specialty FW distros on it (SmoothWall Express, IPCop, etc.) & put it between the LinkSys & the cable modem. It most likely has Squid already, so just transfer your rules.
Get a 2nd SOHO router -- wireless not necessary -- & put it between the LinkSys & the cable modem.
Appreciate the info very much. People like yourself here on LQ help us newbies out so much.
I liked the second router idea the best, since the PC that I have slackware/squid/dansguardian installed on is my best PC and it has an onboard NIC and also a NIC card. I also looked at IPCop; although I have an old PC that I could use, it does not have any NICs, and according to IPCop's hardware info you need something better than I have to run squid as a caching web proxy. I don't really want to give up one of my other PCs just to run IPCop.
BTW, there is presentation on dedicated FW boxen coming up at HLUG ("H" as in Houston, TX). I believe it will be on Sept. 23, the 4th Sat. of the month. It is likely that it will be streamed over the Web.
While it is still in planning stages, the tentative agenda looks like this:
The main (Impress) presentation will be done by Brandon Napier. He will also do an IPCop install.
I will demonstrate a SmoothWall Express 2 install.
Pete Jameson, the group leader, will show off Devil Linux.
If you're in Houston, however unlikely, you are welcome to attend. Also, I will try to blog or calendar the event here at LQ.
You've got me interested in the "IPCop" distro just to see how it works in Linux. So, I've already got a few questions if you don't mind.
The system specs on the old door stop are as follows, which I hope may be good enough to run IPCop using squid.
Intel 733 MHz Celeron processor
20GB hard drive
64MB of RAM (may not be enough)
I've already robbed one NIC card, so I've got the internet working on it. I've booted a LiveCD to make sure everything was good. I know I'll need at least one more NIC card, if not two, according to the info I'm reading, which is the reason for my second question.
I don't quite understand why they are listing the "blue" and "green" interfaces like they are, with the amount of "wireless routers" in the home market. Is there a big security reason why I should not use the four wired ports on my LinkSys WRT54GS?
My plan, if I decide to "JUMP into the FIRE", is to install my system like this. "Sorry, no cool drawings."
Cable Modem > server with IPCop > router > one wired & two wireless PCs
I already mentioned the planned HLUG IPCop/FW event in Sept., but tomorrow night we are doing a test install or 2. Particularly, Brandon plans to do IPCop on some kind of "boat anchor", so this thread is very topical.
733 MHz is more than enough CPU. I believe 64 MB of RAM is plenty for a basic installation, but may not be enough for heavy proxy-ing. I believe I started w/ 32 or 64, but now have 128. Depending on the proxy load, fill it to the mobo's max. I am lucky that there are always friends around w/ old RAM, not to mention my own collection.
As to NIC's, same situation as w/ RAM: if my own collection isn't enough, some one I know will have one. But even new ones, 10/100 anyway, are cheap.
I read "1.2. Decide On Your Configuration" &, based on my experience w/ SmoothWall Express, it all seemed clear. (Note: IPCop forked from SmoothWall a few years back.) To answer your Q:
Yes, there are security reasons for not letting the wireless router also be the wired switch. Wireless security will probably always be weaker than wired security. If your wireless router is new enough to be capable of WPA2, then the risk may be acceptable. Don't forget, all the computers you plan to connect through it must have the same capability. If, at the other extreme, the wireless router is only capable of the now easily cracked WEP, then there is no way you want it on the GREEN net. In fact, maybe you should consider junking it. At the very least, it should be on the ORANGE net, perhaps even the RED (if possible).
I assume the reason you ask is that it seems a shame to let its switching capability go to waste. One possibility is to ignore its WAN port & connect it to the IPCop FW through 1 of its LAN ports. If you do this, you will need a crossover cable, unless it's new enough to auto sense. You would also need to disable its DHCP server.
There are practical reasons for doing it this way & letting the IPCop box handle all DHCP service -- centralization & flexibility. IPCop uses dnsmasq for DNS & DHCP, it is very powerful, yet simple enough to learn to administer easily. Some of its features:
Fixed IP address assignment by MAC address. This is almost the same as using static IP's, but w/o the hassle of having to set them up on each individual box.
Its own hosts file becomes part of your network's DNS resources. The info in it is served to every box on your LAN. In effect, it becomes a "master" hosts file.
Its own config file can blanket block whole domains w/o having to enumerate all the hosts found on them. Compare to host by host blocking using the hosts file.
In the past this was used mostly for ad blocking, I think in the future, we will see more & more blocking of malicious web sites using this or similar mechanisms.
Etc., etc., etc. (W/ fond memories of Yul Brynner)
Did I ever ask what model Linksys you have & for a link to its specs. & info.?
My own LAN is something like this:
Hub* | DSL "Modem" | SME FW* | switch*
I have an old Linksys BEFW1154 that I can connect at any of the places marked '*'. (I can even put it on the hub because my ISP gives me 3 IP addresses.) It only does WEP, so I only connect it when someone brings a laptop over, & then not inside my LAN (== GREEN == at the switch).
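The dnsmasq features listed in the post above (fixed leases by MAC, a LAN-wide hosts file, blanket domain blocking), as an added example that is not IPCop's own configuration and not from any post in this thread: the script prints a dnsmasq.conf fragment and converts a blocklist into address=/domain/0.0.0.0 lines, which is how dnsmasq blocks a whole domain and every host under it without enumerating them. The GREEN interface name, addresses, MAC addresses, hostnames and the sample blocklist are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not IPCop's own files). Builds the
# dnsmasq pieces described in the post: fixed leases by MAC, a hosts file
# served to the whole LAN, and whole-domain blocking with address=/d/0.0.0.0.
# Assumed: GREEN NIC is eth1 on 192.168.1.0/24; MACs, names and the sample
# blocklist are made up. Usage: sh dnsmasq-gen.sh [blocklist-file] > dnsmasq.conf
GREEN_IF="${GREEN_IF:-eth1}"
LAN_DOMAIN="${LAN_DOMAIN:-home.lan}"

# Core DHCP/DNS settings. addn-hosts makes the firewall's extra hosts file the
# "master" hosts file: every box on the LAN resolves the names in it.
dnsmasq_base_conf() {
cat <<EOF
interface=${GREEN_IF}
domain-needed
bogus-priv
domain=${LAN_DOMAIN}
expand-hosts
addn-hosts=/etc/hosts.lan
dhcp-range=192.168.1.100,192.168.1.150,12h
dhcp-option=option:router,192.168.1.1
# fixed addresses by MAC: like static IPs, without touching each PC (assumed MACs)
dhcp-host=00:11:22:33:44:01,192.168.1.10,wired-pc
dhcp-host=00:11:22:33:44:02,192.168.1.11,kids-laptop
dhcp-host=00:11:22:33:44:03,192.168.1.12,kids-desktop
EOF
}

# Turn a blocklist (one domain per line, or hosts-file style "0.0.0.0 domain")
# into address=/domain/0.0.0.0 lines. dnsmasq's address= already matches every
# subdomain, so an entry whose parent domain is also listed is redundant and is
# dropped; anything that is not a dotted hostname is reported on stderr and skipped.
blocklist_to_dnsmasq() {
  awk '
    /^[ \t]*#/ { next }
    NF == 0 { next }
    {
      d = (NF >= 2 && $1 ~ /^[0-9.]+$/) ? $2 : $1
      d = tolower(d)
      sub(/\.+$/, "", d)
      if (d !~ /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/) {
        print "skipping invalid entry: " $0 > "/dev/stderr"; next
      }
      seen[d] = 1
    }
    END {
      for (d in seen) {
        covered = 0; s = d
        while (index(s, ".") > 0) {
          s = substr(s, index(s, ".") + 1)
          if (s in seen) { covered = 1; break }
        }
        if (!covered) print "address=/" d "/0.0.0.0"
      }
    }' | sort
}

# Constructed sample blocklist (example.* names, not a real list).
SAMPLE_BLOCKLIST='# constructed sample
0.0.0.0 ads.example.com
example-ads.net
tracker.example-ads.net
banners.example.org.
not a domain
'

# Syntax-check a generated file with dnsmasq itself when it is installed.
check_conf() {
  if command -v dnsmasq >/dev/null 2>&1; then
    dnsmasq --test -C "$1"
  else
    echo "dnsmasq not installed; skipping syntax check" >&2
  fi
}

# DNS blocking only bites if clients cannot ask another resolver, so the
# firewall should also drop LAN traffic to port 53 that is not aimed at itself.
if [ -r "${1:-}" ]; then
  dnsmasq_base_conf; blocklist_to_dnsmasq < "$1"
else
  dnsmasq_base_conf; printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_dnsmasq
fi
```

With the sample list the converter emits three address= lines: tracker.example-ads.net is dropped because example-ads.net already covers it, the trailing dot on banners.example.org. is stripped, and "not a domain" is reported and skipped. Returning 0.0.0.0 (rather than the firewall's own address) keeps blocked hosts from being redirected to a web server that could itself become a target.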
It looks like I've got some reading to do. This afternoon I slipped out of work to get that second NIC card for this old door stop of a computer. Anyway, after reading the install guide and downloading SmoothWall 2.0, it was time to see what I could break.
My configuration is as follows.
Cable-Modem > SW-Server/firewall > wired computer
As you can see, I dropped out the modem for now, because I was having problems and could not understand why SmoothWall was not getting anything other than a 192.168.0.1 address on the RED interface. It turns out that I needed to reset my cable modem for some reason. By the way, that's not in the install instructions.
The router is new; it's a WRT54GS with WPA2, so I will probably try to get it working tomorrow night. Is there anything you can think of that needs to be changed in the wireless router that you can give me advice on? I like advice.
Also, since I'm this deep into this deal: the reason I started this project was to get dansguardian working with squid and control all the PCs in my network from all the bad stuff on the internet.
I noticed when I updated SmoothWall that squid has been updated. Considering I'm a newbie who has not read all the docs, I probably have a silly question. If the server was tucked under my shelf with no screen attached, is there any way to use the smoothwall:81 interface to install & configure dansguardian on it? From my first working with the interface I didn't see any way to do that sort of thing.
Glad to hear you got SmoothWall Express working. If I had known you were going to use it &~ IPCop, I would have mentioned the "SP1" d/l which includes all the updates.
Just because I am still using SmoothWall Express, doesn't mean I recommend it. -- I am seriously considering moving to IPCop.
It's serendipitous that Brandon, a current IPCop user, came along when he did.
Glad you sprang for the 2nd NIC. Eventually I think you will want a 3rd one also. I currently believe that the best way to include wireless in your LAN is w/ a BLUE network. If, however, you can:
leave the wireless router's WAN port unused,
connect the FW & all wired computers through its LAN ports,
shut down its wired DHCP, &
leave its wireless DHCP active;
then I think the 3rd NIC may be unnecessary. I will try to remember to raise this issue at the Workshop tonight.
That's a good beginning configuration -- get it working & then add to it.
Feel free to post edited vers. of my "drawings". An easy way is to (temporarily) quote my post, then paste the "Code:" block into KWrite or other text editor & have at it. A tip: make a duplicate & remove the "Color:" coding, do your edits, then replace the color if you want.
Good router, I hear. Good luck w/ it. Unfortunately, I do very little wireless, so I can't really give specific advice. However, I do have a lot of friends here in HLUG that I can ask if the answers aren't readily available on LQ or the 'Net at large.
While I believe dansguardian was developed by a SmoothWall team member, I am not sure if it is part of the default install for SmoothWall Express, or if it is easily added. Remember, SmoothWall Express is the community ver. of the distro. -- something like the relationship between FC & RHEL.
One of the reasons for my considering the move to IPCop is that it is a purely community project, & therefore easier to modify -- I think. An example is fail-over dial-up: This feature is part of the commercial ver. of SmoothWall, but (probably for marketing reasons) it is deliberately omitted from SmoothWall Express.
Furthermore, I haven't felt the need for dansguardian (yet).
My next FW "project" is Squid ACL's so that when an ad or malicious site is blocked, a nice, user-friendly, notice appears.
I don't think you can use the smoothwall:81 interface to install & configure dansguardian, but you can use:
Code:
ssh -p 222 root@smoothwall
Just remember, it's a different password.
I have pipe dreams of remotely administering Linux FW's for people. Updates, Ad Blocking, Squid ACL's, maybe even Dan's Guardian; maybe even for money.