Northern Virginia Information Technology Association

Saturday, March 06, 2010

FreeBSD Wi-Fi Open Access Content Filter

CLICK PLAY TO LISTEN TO PODCAST1.MP3

ipfw is a FreeBSD IP packet filter and traffic accounting control program. With ipfw, it is possible to assemble a tranparent proxy for Wi-Fi. The transparent proxy can send moderated content to remote clients with content filtering software. A WiFi hotspot open access Control Filter is made up of five or maybe six parts. The access point with crossover cable and network card; ipfw squid, dansguardian, ISC dhcpd, and ISC bind. You would need a client to access the hotspot, but nothing is stopping you from waiting for client machines to connect. For example you could provide anonymous internet access to a nighborhood, a resturant & bar, an apartment building, cafe or whatever you like; the distance an access point can cover is fairly large.

Bind and dhcpd is the most widely used software on the internet, an both are fairly difficult to configure correctly; but we'll use a few shortcuts and some good luck. First we need some inexpensive hardware. A Wireless - G router, an extra network card and a crossover cable. If you use a router, chances are you will get a broader wireless area connection. Most network cards are supported by the hardware compatiblity list, if your card is not; it is recommended that you get one that is on the harware compatiblity list.

Firmly seat the network card, and connect an rj-45 crossover cable directly to the router. Boot normally, if the card is on the harware compatibility list, it will be available to ifconfig.

Type:

ifconfig

fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:90:27:ac:85:d4
        inet 10.1.10.172 netmask 0xffffff00 broadcast 10.1.10.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:04:76:e8:99:3c
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:90:27:ac:90:85
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000

Above, xl0 is the unconfigured device:

vi /etc/rc.conf

Strike the ESC key

:ins

ifconfig_xl0="inet 172.16.0.1 netmask 255.255.255.0"

Strike CRTL-C

Strike the ESC key

:wq!

Next compile the kernel with ip options. Make a copy of the GENERIC kernel and add these lines
to the GENERIC file in /usr/src/sys/i386/conf/

cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/SQUIRREL

vi /usr/src/sys/i386/conf/SQUIRREL

options IPFIREWALL

options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT

options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD

2. Change to the /usr/src directory:

cd /usr/src

3. Compile the kernel:

make buildkernel KERNCONF=SQUIRREL

While the kernel is compiling, do not interrupt the terminal

You can stop this process at anytime by pressing CTRL-C

Building a new kernel takes about two hours to complete with a quad 533mhz pentium III Xeon server. Don't give up even though the terminal may look like it has stopped.

4. Install the new kernel:

make installkernel KERNCONF=SQUIRREL

Now edit the file /etc/rc.firewall

Add to the SIMPLE section:

${fwcmd} 1001 fwd 127.0.0.1,8080 tcp from any to any 80 in recv xl0

${fwcmd} add allow tcp from any to any in via fxp1
${fwcmd} add allow tcp from any to any in via fxp0
${fwcmd} add deny log tcp from 172.16.0.0/24 to 172.16.0.1

${fwcmd} add deny log tcp from 172.16.0.0/24 to 192.168.0.0/24
${fwcmd} add deny log tcp from 172.16.0.0/24 to 10.1.10.0/24

${fwcmd} add allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
${fwcmd} add allow udp from any 67 to me dst-port 68 in
${fwcmd} add allow udp from any 67 to 255.255.255.255 dst-port 68 in
${fwcmd} add allow icmp from any to any icmptypes 8
${fwcmd} add allow icmp from any to any icmptypes 3,4,11

This means add rule number 1001 and forward ALL tcp packets; port 80 to 127.0.0.1 port 8080 on the third interface, xl0. Allow tcp packets to pass on fxp1 and fxp0. Since the server is public, Deny and log anything from 172.16.0.0/24 to the server at 172.168.0.1. Anything to the internal network is non-routable or not on the same network segment as the crossover cable to the network card but if you're also using natd to forward internet access, they will pass to the internal segment. The two following rules prevent anything passing to the xl0 interface. Next, uncomment allow dchp and imcp under the simple section of rc.firewall or add the five next rules to rc.firewall.

Now all packets that are destined for port 80 are transparently passed to port 8080 the proxy port.

shutdown -r now

There are several different content filtering software packages though dansguardian is free to use. However first we need a caching proxy server to pass information to the content filtering software. Squid is a web cache server and is easy to install if access control lists are used correctly.

Get the latest version of squid here:

http://www.squid-cache.org/Versions/

type:

gunzip squid*.tar.gz

tar -xvf squid*.tar

cd squid-3.0.STABLE24

./configure --enable-ipfw-transparent

gmake

make install

After squid is installed it can be found in /usr/local/squid. First we need to edit a file named squid.conf:

vi /usr/local/squid/etc/squid.conf

Squid conf is a huge configuration file, go to around line 1000:

Strike the ESC key

:set nu

Strike the ESC key

:879

Strike the ESC key

:ins

http_port 3128 transparent

Strike CRTL-C

Delete the previous http_port directive by alligning the cursor with the arrow keys.

Strike the ESC key

:del

Now edit the access control lists, since squid is usually behind a firewall firstly, we will use open directives:

Strike the ESC key

:592

Strike the ESC key

:ins

acl localnet src 127.0.0.0/8

Strike CRTL-C

Scroll down to # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

Add:

Strike the ESC key

:ins

http_access allow localnet
http_access allow localhost
http_access allow to_localhost
http_access allow all

Strike CRTL-C

Strike the ESC key

:wq!

Now that the squid portion of the installation is complete, we can install dansguardian. The latest version can be found at http://www.dansguardian.com unzip and install:

type:

gunzip dansguardian*.tar.gz

tar -xvf dansguardian*.tar

cd dansguardian-2.10.1.1

./configure

gmake

make install

There is one option with dansguardian to change the warnings template. The warnings template can be used once dansguardian is restarted.

/usr/local/share/dansguardian/languages/ukenglish/template.html

Now type:

/usr/local/squid/sbin/squid
/usr/local/sbin/dansguardian

To configure a Wi-Fi windows workstation to use a NATD FIREWALL, follow these instructions:

Left click "My Network Places" on the Windows workstation "desktop" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

Next, Left click "Local Area Connection" such that it appears to turn BLUE in color. Next, right click the highlighted area. A "drop down menu" will appear.

Left click "Properties"

A "Dialogue" Box will appear:

Left click "Internet Protocol TCP/IP" such that it appears to turn BLUE in color. Next, right click the properties box. A "Dialogue box" will appear.

        Click obtain an IP address automatically, click Obtain DNS server address automatically and click ok. Then click apply, ok.

The next part of the project is to install a dhcp server and a dns server on the gateway machine 172.16.0.1; or xl0. Download, unzip, make and install from http://www.isc.org

vi /usr/local/etc/dhcpd.conf

Strike the ESC key

:ins

option domain-name "nvita.org";
option domain-name-servers 172.16.0.1;

default-lease-time 86400;
max-lease-time 86400;

authoritative;
ddns-update-style none;

subnet 172.16.0.0 netmask 255.255.255.0 {
    range 172.16.0.5 172.16.0.250;
    option routers 172.16.0.1;
}

Strike CRTL-C

:wq!

Start the DCHP server on xl0:

/usr/local/etc/rc.d/isc-dhcpd start

or

dhcpd xl0

and if for some reason you decide to download the beta:

dhcpd -d -f xl0

Type

vi /var/named/etc/namedb/named.conf

Strike the ESC key

:ins

acl clients {
        localnets;
        ::1;
};

options {
        version "";     // remove this to allow version queries

        listen-on    { any; };
        listen-on-v6 { any; };

        allow-recursion { clients; };
};

logging {
        category lame-servers { null; };
};

// Standard zones
//
zone "." {
        type hint;
        file "standard/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
        type master;
        file "standard/loopback6.arpa";
        allow-transfer { localhost; };
};

zone "com" {
        type delegation-only;
};

zone "net" {
        type delegation-only;
};

Strike CRTL-C

:wq!

mkdir standard

cd standard

Type

vi /var/named/etc/namedb/standard/root.hint

Strike the ESC key

:ins

.                        3600000 IN NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

Strike CRTL-C

:wq!

Start the DNS server:

named

Although quite complicated, fxp1 operates without any restrictions, whereas xl0 has a content filter and cannot access the internal network other than the DNS server and the DHCP server, but can access any other server on the internet by squid and dansguardian!

HOWEVER:

Wireless access is limited. You probably also need one of these to cover at least 2 miles:

2.4 Ghz Hi-Gain 15dBi Outdoor Omni-Directional Antenna

Saturday, March 06, 2010 8:23:18 AM (Eastern Standard Time, UTC-05:00)

Comments [0] -

Name
E-mail
Home page

	Remember Me
Comment (Some html is allowed: `a@href@title, strike`) where the @ means "attribute." For example, you can use <a href="" title=""> or <blockquote cite="Scott">.
Enter the code shown (prevents robots):
Live Comment Preview

›
News