Derek Neely

Part one of the OpenBSD Network Appliance is done. I’ve got all the hardware put together, everything is posting. RAM was seen. My biggest worry. A buddy of mine at work gave me 4 DIMMS of PC133 512MB. I was a little worried it wasn’t going to work. I thought the mo-bo used only PC100. Good news for me though! 2GB of RAM for this bad boy will be plenty!

Hardware Specs:

ASUS P3V4X Motherboard
Pentium Celeron 533MHz
2GB PC133 RAM (4 x 512MB)
6 NICs (3 x 100Mb 3COM – 3 x 100Mb Intel)
2 x 30GB Hard drives (RAID 1 intended)

Check out the gallery! Projects Home Page

While I enjoy using the SSH Tunnels to encrypt traffic out of the random local networks that I may be sitting on, sometimes there is a need to establish a more permanent proxy server. For instance, if you don’t have a means to use an SSH client or you have several machines that you would like to service without the need to establish dedicated SSH tunnels/forwards for each machine (administrative nightmare).

I chose Squid for just this function. It was extremely easy to setup and has worked like a charm! Below are some of the basic steps for setting up and using your Squid proxy.

Install Squid:

Gentoo:
#> emerge squid

Red Hat/CentOS:
#> yum install squid

Ubuntu/Debian:
#> apt-get install squid

OpenBSD:
#> export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.4/packages/i386/
#> pkg_add squid

Basic Configuration for Transparent Proxy:

#> vi /etc/squid/squid.conf

Look for the sections listed below and modify accordingly. This is a sample of my ACLs and configurations outside of some of the defaults.

#/etc/squid/squid.conf
acl all src 0.0.0.0/0.0.0.0
acl trusted_hosts 192.168.1.0/255.255.255.0 10.0.1.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 21         # ftp
acl CONNECT method CONNECT

# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

http_access allow localhost
http_access allow trusted_hosts
http_access deny all

# Listening port (default 3128)
http_port 3128

# Visible Hostname (may not be needed but doesn’t hurt)
visible_hostname yourserverhostname

This is the basic configuration that should get you going. More advanced configuration options will be coming soon.

Start up Squid:

#> /etc/init.d/squid start

Set Squid to start on-boot (optional)

Gentoo:
#> rc-update add squid default

Red Hat/CentOS:
#> chkconfig squid on

Ubuntu/Debian:
#> update-rc.d squid defaults

OpenBSD:
#> vi /etc/rc.local
Code coming soon…

Configure your Browser:
This is an example Firefox setup. Preferences –> Advanced –> Network –> Connection –> Settings. Select ‘Manual proxy configuration:’ Set the HTTP Proxy: value to your Squid server’s IP (public or private depending on how you are going to use it and based on the ACLs above). Then select ‘Use this proxy server for all protocols’ if you want to go ahead and use this same proxy for all connections.  Setup any exceptions to not proxy (i.e. – locally connected servers). Here’s a screen shot of my configuration.

SSL Configuration:
Coming soon…

Advanced Configurations:
Coming soon…

SSH Proxying is one of my every day tools. Sitting at work with a Barracuda firewall looking, snooping, and possibly blocking everything that I do. Hanging at a coffee shop when you see a suspicious person most likely snooping your information out of the air. In the first case I’m primarily just trying to get around a hurdle. In both cases I want my traffic encrypted and hidden from 3rd parties.

What is SSH Proxying?
This is a means of setting up a Secure Shell (SSH) and then piping your various web requests across this pipe or tunnel.

I’ve got 2 different SSH Proxies that I use daily.

Web Traffic – SSH Tunnel/Proxy:

ssh -CqN -D 8080 [username]@[hostname]

For above tunnel I’m using the following:

-D: bind port – in this case 8080 locally
-C: enables compression
-q: quiet mode (suppresses any warnings)
-N: don’t execute any remote commands

The -CqN are just some bells and whistles I use for the connection but not required. Please see below on configuring your browser to use the newly established SSH Tunnel.

Various other traffic (IRC, VNC, Torrent, etc…) – SSH Port Forwarding

ssh -L 6667:irc.[hostname]:6667 [username]@[hostname]

In this example, I’m binding a local port (-L 6667) to a remote boxes port (6667) through the server I have SSH’ed into. You can also add some of the bells and whistles from the web proxy to this one as well. Please see below for using this port forward with and IRC client.

Configuring the Browser:
The general idea (for Firefox) is to go to: Preferences –> Advanced –> Network –> Connection –> Settings. Select ‘Manual proxy configuration’. Set SOCKS Host: localhost Port: 8080. Click OK/Save and you should be good to go.

Here’s a screen shot of my settings: