Free BSD Router with PPPOE Dial

Friday, January 4, 2008

source from sentot
a. Device Configuration
> cat /etc/rc.conf
# /etc/rc.conf — boot-time settings for the PPPoE router (sourced by rc(8)).
hostname="router.yourhostname"
sshd_enable="YES"
fsck_y_enable="YES"

# Interfaces: xl1 is the LAN side; xl0 is only brought up (presumably the
# PPPoE-facing NIC named in ppp.conf — verify there).
ifconfig_xl0="up"
ifconfig_xl1="inet 192.168.10.10 netmask 255.255.255.0"

# PPPoE through user ppp(8): profile "speedy", persistent (ddial) mode,
# NAT performed by ppp itself (ppp_nat) on the tun0 link it creates.
ppp_enable="YES"
ppp_mode="ddial"
ppp_profile="speedy"
ppp_nat="YES"

# Route packets between the LAN (xl1) and the PPP link (tun0).
gateway_enable="YES"
# NOTE(review): natd_interface is set but no natd_enable= appears here and
# NAT is already done by ppp_nat above — confirm this line is not a leftover.
natd_interface="tun0"
# NOTE(review): /etc/rc.local adds ipfw rules, yet no firewall_enable= line
# appears here — confirm how the ipfw module gets loaded at boot and what its
# default policy (accept vs. deny) is on this kernel.
b. Firewall, IDS, Daemon Configuration
> cat /etc/rc.local
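# /etc/rc.local — host IDS, ipfw port blocklist and transparent-proxy redirect.
# Executed once at boot by rc(8) as a plain sh script; order matters for ipfw.

# portsentry listeners (tcp and udp modes), started before the ipfw rules.
/usr/local/bin/portsentry -tcp
/usr/local/bin/portsentry -udp

# Destination ports denied for both tcp and udp (NetBIOS/SMB and P2P ports).
# Each entry produces a tcp rule followed by a udp rule, in this order, exactly
# as the original unrolled list did. The rules carry no explicit number, so
# ipfw auto-numbers them. Only these ports are restricted: no default policy
# is set here, so everything else is governed by how ipfw was built/loaded
# (confirm net.inet.ip.fw default-to-accept vs. deny on this kernel).
blocked_ports="135-137 6257 6699 2754 2535 4661-4672 1214 1024 6881-6889 6346-6347 8000 8372 8360"
for ports in $blocked_ports; do   # unquoted on purpose: word-split the list
  /sbin/ipfw add deny tcp from any to any "$ports"
  /sbin/ipfw add deny udp from any to any "$ports"
done

/usr/local/squid/sbin/squid -D

# Transparent proxy: LAN http traffic is forwarded to squid on 192.168.10.10:3128.
# Rule 350 lands among the auto-numbered deny rules above; since none of the
# denied port sets include www, their relative order does not change the result.
# Presumably requires ipfw fwd support in the kernel — confirm on this build.
/sbin/ipfw add 350 fwd 192.168.10.10,3128 tcp from 192.168.10.0/24 to any www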
c. Simple squid configuration
> cat squid.conf
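# squid.conf for the 192.168.10.0/24 LAN behind this router. squid listens only
# on the LAN address; web traffic reaches it via the ipfw fwd rule in rc.local.
http_port 192.168.10.10:3128
icp_port 3130
icp_query_timeout 0
maximum_icp_query_timeout 5000
mcast_icp_query_timeout 2000
dead_peer_timeout 10 seconds
hierarchy_stoplist cgi-bin ? js
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 8 MB
cache_swap_low 90
cache_swap_high 95
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_replacement_policy lru
memory_replacement_policy lru
cache_dir diskd /cache 3000 16 256 Q1=72 Q2=64
cache_access_log /usr/local/squid/var/logs/access.log
cache_log /usr/local/squid/var/logs/cache.log
cache_store_log none
emulate_httpd_log off
log_ip_on_direct on
ftp_user areksitiung@yahoo.com
wais_relay_port 0
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
quick_abort_min 16 KB
quick_abort_max 16 KB
quick_abort_pct 95
negative_ttl 5 minute
positive_dns_ttl 6 hour
negative_dns_ttl 5 minute
range_offset_limit 0 KB
# Access control lists. handikanet is the LAN client set; Safe_ports lists the
# destination ports clients may reach; SSL_ports the ports CONNECT may target.
acl porn url_regex "/usr/local/squid/etc/bokep.txt"
acl noporn url_regex "/usr/local/squid/etc/nobokep.txt"
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl handikanet src 192.168.10.0/24
acl SSL_ports port 443 563
acl irc_ports port 6667
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
# http_access is evaluated top to bottom and stops at the first match. The LAN
# allow is placed after the Safe_ports and CONNECT checks so they apply to LAN
# clients; previously "allow handikanet" came first and made both checks dead
# for the LAN. The former "allow CONNECT !irc_ports" line is dropped: it let
# any source CONNECT to SSL_ports, and LAN CONNECT to 443/563 is still
# permitted through the handikanet line below.
http_access deny porn !noporn
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow handikanet
http_access deny all
icp_access allow all
connect_timeout 2 minute
peer_connect_timeout 30 seconds
read_timeout 15 minute
request_timeout 30 second
client_lifetime 5 day
pconn_timeout 120 second
shutdown_lifetime 30 second
cache_mgr yourmail@yahoo.com
cache_effective_user squid
cache_effective_group squid
visible_hostname proxy.yourhostname.com
logfile_rotate 10
# NOTE(review): forwarded_for on discloses each LAN client's address to origin
# servers in X-Forwarded-For; set it off if that is not wanted.
forwarded_for on
log_icp_queries off
icp_hit_stale off
minimum_direct_hops 4
minimum_direct_rtt 400
store_avg_object_size 13 KB
store_objects_per_bucket 20
client_db off
netdb_low 900
netdb_high 1000
netdb_ping_period 5 minutes
query_icmp on
test_reachability on
nonhierarchical_direct off
prefer_direct on
ignore_unknown_nameservers on
high_memory_warning 0
store_dir_select_algorithm round-robin
ie_refresh on
# Transparent (intercepting) proxy settings matching the ipfw fwd rule.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
# NOTE(review): the delay_access lines below reference magic_words1/2, which are
# defined only in these commented-out acl lines, and delay_pools declares 3
# pools while only 2 are configured — squid is expected to reject this config
# at startup until the acls are enabled (or the delay lines removed); confirm.
#acl magic_words1 url_regex -i 192.168.10.
#acl magic_words2 url_regex -i .update .ftp .torrent .exe .vqf .rpm .zip .rar .tar.gz .iso .mpeg .mp3 .mpe .mpg .qt .ram .rm .raw .wav .wmv .mov .avi .gp3 .fla .dat
delay_pools 3
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow magic_words1
delay_class 2 2
delay_parameters 2 8000/80000 8000/80000
delay_access 2 allow magic_words2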
