Deploying Suse Linux Enterprise Server
| Purchase "Deploying Suse Linux Enterprise Server" at Lulu.com |
Configuring the Firewall: Internet Filtering and Reporting
Internet Filtering with SquidGuard
With your Squid proxy server configured, you may now want to block access to certain "undesirable" websites. To accomplish this you can use the "squidGuard" program, a URL redirector that complements your Squid installation: Squid hands it every requested URL and squidGuard either lets the request through or answers with a replacement URL.
To install squidGuard, issue the command "yast -i squidGuard". Next you need a list of sites you wish to block. Several sites offer "blacklists" for use with squidGuard, for instance:
- http://www.shallalist.de/
- http://squidguard.mesd.k12.or.us/blacklists.tgz
- http://urlblacklist.com/ - Requires Subscription
Once you download a list, extract it into the "/var/lib/squidGuard/db" directory. For instance, if using the blacklists.tgz file:
cd /var/lib/squidGuard/db
tar zxf /home/serveradmin/blacklists.tgz
With the list in place, create or edit the "/etc/squidguard.conf" file. A good example using the above list would be:
logdir /var/log/squidGuard
dbhome /var/lib/squidGuard/db
dest porn{
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
}
dest spyware{
domainlist blacklists/spyware/domains
urllist blacklists/spyware/urls
}
dest white{
domainlist whitelist/domains
urllist whitelist/urls
}
acl {
default {
pass white !porn !spyware all
redirect 302:http://www.google.com/
}
}
Once you have a basic squidguard.conf file, generate the databases for squidGuard with the following commands. The chown is required because the redirector runs as the squid user and must be able to open the compiled .db files:
squidGuard -C all
chown -R squid /var/lib/squidGuard/db/*
Now tell Squid to use squidGuard by editing the "/etc/squid/squid.conf" file, adding the line "redirect_program /usr/sbin/squidGuard", and restarting Squid. (Newer Squid releases call this directive "url_rewrite_program"; the path to the squidGuard binary is the same.)
A few Notes:
After any change to the squidguard.conf file or to any of the lists, you must regenerate the databases and restart Squid for the change to take effect. Be aware that squidGuard fails open: if it cannot read its configuration or one of its databases, it logs that it is "going into emergency mode" and passes every request through unfiltered, so check the log in /var/log/squidGuard after each rebuild rather than assuming the filter is active.
In the above example I include a "whitelist" that allows users to reach a site regardless of whether it is listed in one of the other lists; because "white" is the first entry on the pass line, it is checked before the blacklists, and the first match decides. You will probably want to create this whitelist, as well as a custom blacklist that you maintain by hand for your site.
Also, you can see that I simply used http://www.google.com/ as the redirect target; you will probably want to use a custom page that tells your users why the site is blocked. A few examples can be found in the squidGuard documentation. Alternatively, you can use the configuration I use, which can be downloaded from:
http://www.pcc-services.com/files/squidguard_stuff.tar.gz
or http://files.pcc-services.com/files/SLES10/.
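As an added example (not code from the book, and not part of squidGuard itself), the following script strings the steps above together in the order a rebuild should happen: compile the lists, confirm squidGuard is not in emergency mode, drive the redirector with a few requests in the exact line format Squid uses, and only then reload Squid. It assumes the paths used above, a squid user named "squid", and that "squid -k reconfigure" is how the running Squid is reloaded; the client addresses and test URLs are made up.

```shell
#!/bin/sh
# Added example (not from the book): rebuild the squidGuard databases,
# verify the redirector the way Squid will drive it, and only then ask
# Squid to reload.  Paths match the configuration above; the squid user
# name, the client addresses and the test URLs are assumptions.

SG_BIN=/usr/sbin/squidGuard
SG_CONF=/etc/squidguard.conf
SG_DB=/var/lib/squidGuard/db

# Squid hands a redirector one line per request:
#     URL client_ip/fqdn ident method
# with "-" for an unknown fqdn or ident.  Arguments: url [client] [ident] [method]
sg_request_line() {
    printf '%s %s/- %s %s\n' "$1" "${2:-127.0.0.1}" "${3:--}" "${4:-GET}"
}

# Turn squidGuard's reply into a readable verdict.  An empty line means the
# request passes untouched; "302:URL" (the form used in squidguard.conf above)
# makes Squid send the client a redirect; a bare URL is a silent rewrite.
sg_verdict() {
    case "$1" in
        '')           echo "pass" ;;
        301:*|302:*)  echo "redirect ${1#*:}" ;;
        *)            echo "rewrite $1" ;;
    esac
}

# Push one constructed request through the real redirector and show the verdict.
sg_check() {
    reply=$(sg_request_line "$@" | "$SG_BIN" -c "$SG_CONF")
    printf '%-40s %s\n' "$1" "$(sg_verdict "$reply")"
}

# squidGuard fails open: on an unreadable config or database it logs that it
# is "going into emergency mode" and passes everything.  With -d those
# messages also go to stderr, so one test request tells us immediately.
sg_emergency() {
    sg_request_line http://localhost/ | "$SG_BIN" -d -c "$SG_CONF" 2>&1 \
        | grep -q 'emergency mode'
}

sg_rebuild() {
    "$SG_BIN" -c "$SG_CONF" -C all     # compile every domainlist/urllist to .db
    chown -R squid "$SG_DB"            # the redirector runs as the squid user
}

main() {
    set -e
    sg_rebuild
    if sg_emergency; then
        echo "squidGuard is in emergency mode (filter is wide open); fix the config first" >&2
        exit 1
    fi
    # Constructed smoke test: something you expect whitelisted, something
    # from a blacklist, and a site listed nowhere.  Compare the verdicts with
    # what your acl should do before going any further.
    sg_check http://www.example.com/      192.168.1.10
    sg_check http://www.example.org/      192.168.1.10 alice
    sg_check http://www.example.net/page  192.168.1.11 bob
    # Reload the running Squid so it re-reads squid.conf and restarts its
    # redirector processes against the new databases.
    squid -k reconfigure
}

# Only act on a real installation; the helper functions work without one.
if [ -x "$SG_BIN" ]; then
    main
fi
```

Run it as root after changing a list or the configuration. The emergency-mode check is the important part: a typo in squidguard.conf does not produce a visible error on the client side, it produces a proxy that filters nothing.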
Squid Cache and Network Traffic Reporting
To take full advantage of your proxy server you really need some kind of reporting on your Internet statistics. This section covers a few solutions so you can judge whether they would be useful on your network. In many cases you may want to implement more than one, since each has its own strengths and weaknesses.
CacheManager - This is a CGI web page that displays memory usage and other information from the running Squid process. If you have Apache configured on your server, you can install CacheManager by issuing the following command. Because the page exposes internal details of the proxy, and some of its actions (such as shutdown) can be controlled through the "cachemgr_passwd" directive in squid.conf, restrict access to the CGI in Apache to the hosts that need it.
install -m 0755 /usr/share/doc/packages/squid/scripts/cachemgr.cgi /srv/www/cgi-bin/cachemgr
Then simply go to "http://your_server/cgi-bin/cachemgr" to view the stats.
The Cachemgr and Calamaris Web Pages
Calamaris - This is a script that converts the Squid log files into an HTML page so you can easily view detailed statistics from your Squid server. To generate the page, run the following command (this makes a good daily cron job).
cat /var/log/squid/access.log | calamaris -a -F 'html' > /srv/www/htdocs/calamaris.html
Squid Analysis Report Generator - http://sarg.sourceforge.net/
Although this report generator is not on the SUSE Linux Enterprise installation media, it is definitely worth the download, as it lets you keep track of every site each user on your network visits.
To install it, go to its website and download the SUSE RPM, then install it with "rpm -Uvh sarg*". Edit the "/etc/squid/sarg/sarg.conf" file for your environment (especially the output directory). Finally, run "sarg" to generate the reports (best done from a daily cron job).
Note: If you wish to view this page remotely, you must adjust the Apache <Directory> directive for SARG in the /etc/apache2/conf.d/sarg.conf file. Keep that access as narrow as you can: the reports are a per-user browsing history.
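To see what these reports contain (and why access to them should be restricted), here is an added example, not code from the book or from SARG or Calamaris, that builds the same per-user, per-site summary from Squid's native access.log with awk. The log lines it processes are constructed for the example; the user names and addresses are invented.

```shell
#!/bin/sh
# Added example (not from the book): the per-user, per-site breakdown that
# SARG and Calamaris build from Squid's native access.log, done in awk so
# the content of those reports is visible.  The log lines at the bottom are
# constructed for this example, not real traffic.

# Native access.log fields:
#   1 time  2 elapsed-ms  3 client  4 code/status  5 bytes  6 method
#   7 URL   8 ident/user  9 hierarchy/peer  10 content-type
# Prints "user site requests bytes", one line per user and site, sorted.
squid_user_sites() {
    awk '
        NF < 8 { next }                      # truncated line, ignore
        $4 ~ /^TCP_DENIED/ { next }          # auth challenges, not traffic
        {
            site = $7
            sub("^[A-Za-z]+://", "", site)   # drop the scheme if present
            sub("[/?].*$", "", site)         # keep host[:port]
            sub(":[0-9]+$", "", site)        # CONNECT logs host:443
            key = $8 " " site
            req[key]++
            bytes[key] += $5
        }
        END { for (k in req) print k, req[k], bytes[k] }
    ' "$1" | sort
}

# Total bytes one user pulled through the proxy.  Arguments: user logfile
squid_user_bytes() {
    squid_user_sites "$2" | awk -v u="$1" '$1 == u { t += $4 } END { print t + 0 }'
}

# Constructed sample log so the functions run stand-alone.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
1152000000.001 120 192.168.1.10 TCP_MISS/200 5120 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html
1152000001.002 30 192.168.1.10 TCP_HIT/200 2048 GET http://www.example.com/logo.png alice NONE/- image/png
1152000002.003 15 192.168.1.11 TCP_DENIED/407 1536 GET http://www.example.org/ - NONE/- text/html
1152000003.004 900 192.168.1.11 TCP_MISS/200 70000 CONNECT www.example.org:443 bob DIRECT/93.184.216.34 -
1152000004.005 40 192.168.1.11 TCP_MISS/302 312 GET http://www.example.net/page?id=1 bob DIRECT/93.184.216.34 text/html
EOF

squid_user_sites "$SAMPLE_LOG"
echo "bob total: $(squid_user_bytes bob "$SAMPLE_LOG") bytes"
```

Point it at /var/log/squid/access.log instead of the sample and you get the raw material SARG turns into its HTML pages: who went where, how often, and how much they transferred. That is exactly the data the Apache <Directory> restriction above is protecting.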
Multi-Router Traffic Grapher - This tool monitors the network interfaces on your server and provides a web page detailing the traffic passing through it.
MRTG collects its data from your server over SNMP, so before you can use it you must configure and start the SNMP daemon. The basic configuration is simple: define a read-only community string (in SNMPv1/v2c this string is the only credential, so treat it as a password) and restrict where it may be used from. Edit the /etc/snmp/snmpd.conf file and add something similar to:
rocommunity fwuser 127.0.0.1
The third field limits the community to requests from localhost, which is all MRTG needs. Without it, anyone who can reach UDP port 161 on either side of the firewall and guess the string can read the interface, routing and running-process tables.
Now start snmpd, test that it answers, then add it to the runlevel:
/etc/init.d/snmpd start
snmpwalk -v1 -c fwuser localhost system
chkconfig snmpd on
Now you will want to install mrtg, create the relevant directories and configure it.
yast -i mrtg
mkdir /etc/mrtg
mkdir /srv/www/htdocs/mrtg
cfgmaker --output=/etc/mrtg/mrtg.cfg \
    --global "workdir:/srv/www/htdocs/mrtg" fwuser@localhost
Note - This is a very simple MRTG configuration that should get you started. You will definitely want to adjust the configuration to provide more or better information for your environment. Check the man page for cfgmaker for more information. Also note that you can simply edit the /etc/mrtg/mrtg.cfg file directly instead of re-running cfgmaker.
Once MRTG is configured, run it by hand at least three times: the first runs complain about missing log and rate files, which they create, and the warnings stop once they exist. To run MRTG issue the following command:
env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
Now that it runs cleanly, generate the index page with the following command:
indexmaker --output=/srv/www/htdocs/mrtg/index.html /etc/mrtg/mrtg.cfg
MRTG needs to be run periodically to collect the data it graphs. Add the command above as a cron job (every 5 minutes is the usual interval) with "crontab -e", or simply add the following line to the /etc/crontab file:
*/5 * * * * root env LANG=C /usr/bin/mrtg /etc/mrtg/mrtg.cfg
It will take a while for enough data to accumulate for the graphs to fill in, but once these steps are done, MRTG will be a tool you are glad you put on your firewall/router.
The MRTG Index Page and Detailed Graphs from a Firewall
For those who want total control, there are a few other applications available for managing the Internet traffic on your network (such as ntop and etherape). For more advanced network monitoring, I recommend you look into the "Network Information and Monitoring Appliance". This is a VMware virtual machine I created specifically for this purpose; you can find it at: http://www.pcc-services.com/NIMA/