The SmoothWall GPL project was founded in the summer of 2000 by Lawrence Manning (Principle Code Author) and Richard Morrell (Project Manager). Their goal was to create a Linux distribution that could convert a redundant PC into a hardened internet firewall device. With help from other early contributors; John Faulty and Tom Ellils, the first SmoothWall Firewall was posted to sourceforge.net at the end of August 2000.
The project was immediately popular and grew rapidly. Within weeks, thousand of copies had been downloaded and SmoothWall was appearing regularly on magazine cover CDs in the UK and overseas. Many more developers joined the team and new versions were released almost weekly, incorporating new features based on software contributions from all round the world.
Version 0.9.9 was a major milestone for the project team, who perceive it as the point at which the project “grew up”. Released in September 2001, this version incorporated a web-based multi-language GUI so the firewall could be used and administered by non-Linux people. It also included the Snort Intrusion Detection System (IDS) and support for ADSL modems and PPPoE connections.
December 2003 saw the release of SmoothWall Express 2.0 and an array of comprehensive written documentation. By June 2004, Express 2.0 had seen over 200,000 installations.
The alpha version of Express 3 (code-named Koala) was released in September 2005. Based on the Linux 2.6 kernel, this test version featured new open architecture, designed to make it easy for developers to produce their own security components. With the benefit of software contributions from around the world, a Beta version followed in 2007. This version was code named “Degu”, in remembrance of one of our team’s pets, who sadly died during development. (Admittedly though this was not much of a surprise given the length of time it took us to get to beta!) A current, final and stable version of Express 3.0 (code-named Sammy) is currently available on the download page.
Over the years, the project team has changed and the SmoothWall community has grown to include almost 17,000 forum members.
The goals of the project can be summed up as:
- Be simple enough to be installed by home users with no knowledge of Linux
- Support a wide variety of network cards, modems and other hardware
- Work with many different connection methods and ISPs from across the world
- Manage and configure the software using a web browser
- Run efficiently on older, cheaper hardware
- Develop a supportive user community
- Use sponsorship from SmoothWall Limited to further these goals
The SmoothWall Open Source Project is funded and supported by SmoothWall Limited. All program code and other works are the copyright of their respective authors unless assigned and noted otherwise by the author. The Project in essence belongs to the community that contributes to it.
http://www.youtube.com/smoothwalltv#p/u/0/lJ9gxoVqaSM
Cofiguring Squid
[This modification has been verified to work with Smoothwall Express 2.0.]
This page describes how to filter web traffic using Squid ACLs, and also covers various other Squid configuration elements. Squid is the web proxy software used on Smoothwall.
Requirements:
You'll need:
- A Smoothwall Express 2.0 installation (obviously...).
- A way of getting a command-line prompt on your Smoothwall box (either by logging directly onto your Smoothwall box, using a SSH client such as PuTTY or SSH Secure Shell, or via the Smoothwall web interface).
A Web Proxy?
Squid is the most popular web proxy software available, and Smoothwall comes with Squid pre-installed.
There are a number of reasons why you might want to use a web proxy:
Cache Web Page Content:
The primary purpose of a web proxy is to cache web content locally. This provides a number of benefits, including faster web browsing, and less bandwidth usage.
Whether you're using a dialup account or a fast ADSL account, reducing the amount of data that needs to be retrieved from the source webserver will provide you with a faster web browsing experience. This is particularly true if multiple users on your green network visit the same pages, or if you frequent a web-based forum or bulletin board, as all images will be cached by the proxy server.
Restrict Web Page Access:
If PCs on your green network are configured to use the web proxy, you can restrict access to specified sites, only allow access to specified sites, restrict PCs to only have web access during specified time periods, etc.
Block Advertisements:
If all web traffic is going through the web proxy, you can block advertisements that are displayed on web pages. For more information on doing this, see my page on
Ad Zapping with Squid.
Blocking webpage advertisements can also provide additional benefits on slower internet connections, as the volume of data is reduced, due to the advertisements not being loaded from the originating webserver.
Update multiple PCs from Microsoft's Windows Update site through a web proxy also means the patches are only downloaded once, and cached locally by the web proxy.
Monitor Web Sites Being Visited:
All web pages that are accessed through the web proxy are logged to the Squid access log. You can then use this data to monitor exactly which users are visiting which sites. See my
Web Proxy Log Analysis Reports for more information on generating reports from the Squid access log.
Log Timestamp Correction:
The timestamps in the Squid access log on Smoothwall Express 2.0 are in GMT format.
This is because the strict access permissions on the /var/smoothwall/ directory prevent Squid from reading the timezone information.
To correct this, and get Smoothwall's Squid access log using the local time for all timestamps, execute the following from a command prompt on your Smoothwall:
chmod 701 /var/smoothwall/
/usr/local/bin/restartsquid
This will adjust the permissions on the /var/smoothwall/, and restart the web proxy to make the change take effect.
Using Smoothwall's Web Proxy:
Smoothwall's web proxy can be configured to run in transparent mode, or in non-transparent mode.
In transparent mode, all web traffic going through Smoothwall will automatically be redirected to go through the proxy, without requiring any proxy configuration in the web browsers on the PCs on your green network.
This effectively forces all web browsing from PCs on your green network to go through Smoothwall's web proxy.
In non-transparent mode, all web browsers on your green network must be configured to use Smoothwall's green IP address on port 800 as a web proxy.
If you want to use Smoothwall's web proxy as a way of blocking some websites and/or some users, you should run the web proxy in transparent mode, to ensure users are not bypassing the proxy.
Any user who is blocked by any ACLs which you configure will see a Squid error page, indicating that their web access is being blocked by Smoothwall.
the default access denied page
Editing the Config File:
Smoothwall's Squid configuration is stored in /var/smoothwall/proxy/squid.conf.
However, you should never edit this file directly, as it's re-written each time changes are made to the web proxy configuration, or the proxy is restarted through the web interface.
Instead, you should always add your new configuration to /var/smoothwall/proxy/acl.
Applying Your Changes:
Any changes made to this file will take effect when you restart the web proxy through Smoothwall's web interface. This will cause Smoothwall to re-write /var/smoothwall/proxy/squid.conf, and include the contents of /var/smoothwall/proxy/acl.
As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can easily revert back to a known working version.
Only Allow Specific PCs:
If you only want to allow some PCs to use Smoothwall's web proxy, you can add one or more ACLs to limit this access.
Edit /var/smoothwall/proxy/acl, and before the line containing
http_access deny all
insert the following lines:
acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
http_access allow ok_users
and add another acl line for each PC you want to allow.
You'll also need to comment out the following line (it's the second last line):
http_access allow localnet
by inserting a # character at the beginning of the line.
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
Block Specific Sites:
To block access to specific websites, edit /var/smoothwall/proxy/acl, and just before the line containing
http_access allow localnet
insert the following lines:
acl blocked_sites url_regex
www.xxx.com
acl blocked_sites url_regex
www.yyy.com
acl blocked_sites url_regex
Main Page - Internet Communcations
http_access deny blocked_sites
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
Note that if you have a longer list of sites you want to block, it may be easier to list the websites in a text file, and then just reference the text file in the Squid configuration file.
Assuming you have created a text file called /var/smoothwall/proxy/badsites.txt, containing a single URL on each line, use the following in /var/smoothwall/proxy/acl:
acl blocked_sites url_regex "/var/smoothwall/proxy/badsites.txt"
http_access deny blocked_sites
If you make any changes to the contents of /var/smoothwall/proxy/badsites.txt, you'll need to restart the web proxy to make your changes take effect.
Time Restrictions:
You can also use Squid ACLs to restrict web browsing to specific times.
To allow a specific PC on your green network to only access the web during lunchtime on weekdays, edit /var/smoothwall/proxy/acl, and immediately before the line containing
http_access allow localnet
insert the following:
acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
http_access allow clients lunchtime
http_access deny clients
where the following day abbreviations can be used: S Sunday MMonday TTuesday WWednesday HThrusday FFriday ASaturday
Note that all times need to be in GMT, as Smoothwall's Squid is configured to only use GMT (all logs are timestamped with GMT times too).
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
Allow Another Network:
If you have another subnet behind your Smoothwall (ie, behind a router on the green network or similar), by default, this subnet will not be able to use Smoothwall's web proxy, but will receive an error message saying the requested URL cannot be retrieved from the cache due to access control configuration.
Assuming you already have a static route in place to allow the other network to communicate with Smoothwall, edit /var/smoothwall/proxy/acl, and just before the line containing
http_access allow localnet
insert the following line:
acl localnet src 192.168.2.0/255.255.255.0
and replace the network address and subnet mask with that of your other subnet.
Smoothwall already has an acl for localnet, allowing the green network, so here we're adding another subnet to the acl which defines the networks allowed access to the proxy.
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
Customising Error Pages:
If you're blocking access to some websites and/or some users, you may want to customise the error messages displayed by Squid, to provide more meaningful messages to your users.
All of the Squid error pages are in /var/squid/smootherrors/, so just identify the error page you want to modify, modify it as required, and restart the web proxy through Smoothwall's web interface to make your changes take effect.
For example, the error page displayed when attempting to access a page that has been blocked by ACLs is /var/squid/smootherrors/ERR_ACCESS_DENIED
New Error Pages:
You can also define new error pages for specific ACLs, using the deny_info option.
For example, to display a new error page for the time-restricted user, create a new error page in the following location:
/var/squid/smootherrors/ERR_TIMERESTRICT
containing the error message you want to display to the user when they are denied access.
Then edit /var/smoothwall/proxy/acl, and immediately before the line containing
http_access allow localnet
insert the following:
acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
deny_info ERR_TIMERESTRICT clients
http_access allow clients lunchtime
http_access deny clients
This will cause your new error page to be displayed whenever the specified PC attempts to access the web outside of the allowed time period.
The deny_info option can be used in a similar way with any other ACLs.
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
Change The Cache Administrator Email:
Most of the Squid error pages report include a message mentioning the cache administrator. However, this message includes a non-existing and invalid email address of just webmaster.
It's easy to include a valid cache administrator email address on these error pages. To do so, add a line containing the following to the end of /var/smoothwall/proxy/acl:
cache_mgr
email@host.com
replacing
email@host.com with a valid email address of course!
Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
4سپاس
LinkBack URL
About LinkBacks
