

If you understand the title, you truly are a geek….just like me.
Since I am an uber geekster of the computer variety, I like to setup firewalls, operating systems, and other related nerdly stuff.
So I thought I’d post my process for setting up a Squid proxy server and a Packet Filter (PF) firewall, using MPD for the PPPoE (mine is really PPPoA) connection through Qwest’s Actiontec modem, on a FreeBSD (Unix) boxen.
Since there is no definitive or recent guide on how to do this, I thought I’d write up my findings.

Well, how do I begin???? This is nowhere near complete, just a mere guideline. I wish I had documented everything step by step, but it was/is an ongoing process.

So, install FreeBSD on an old computer. Just a minimal install, so it can connect to the net. You can find out how to install FreeBSD somewhere else. It’s the easiest OS I’ve ever installed (the base system, anyway). It has also been the hardest when it comes to configuration, firewalls, other stuff, and junk.

Once connected, update your system, ports, etc. while behind an existing firewall of some sort.

Then:

pkg_add -r mpd
pkg_add -r squid


For the mpd and pf configuration I followed a lot of this tut here:
http://ezine.daemonnews.org/200406/mpd.html

Mind you, Qwest is my ISP, but the name really doesn’t matter. Instead of tonlinedsl, you could call it qwestdsl or the likes.

Here is my mpd.conf file:

default:
load tonlinedsl

tonlinedsl:
new -i ng0 tonlinedsl PPPoE
set iface addrs x.x.x.x.
set iface route default
set iface disable on-demand
set iface idle 0
set bundle disable multilink
set bundle authname [email protected]
set link no acfcomp protocomp
set link disable pap chap
set link accept chap
set link mtu 1492
set link keep-alive 10 60
set ipcp yes vjcomp
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
set iface up-script /usr/local/etc/mpd/mpd_dsl.linkup
open iface

Here is my pf.conf file:

#Macros
ext_if="ng0"
int_if="xl0"
priv_nets="{x.x.x.x/24}"

tcp_services="{53,113,3128}"
icmp_types="echoreq"


# hosts that can use this system as a gateway
# (pf syntax is: table <name> const { ... })
table const {x.x.x.x/24}

#options
set block-policy return
set loginterface $ext_if
set skip on {lo0,$int_if}

# Clean up fragmented and abnormal packets, defeat NAT detection too
# max-mss is needed due to MPD's poor MSS handling
scrub in all
scrub out all random-id max-mss 1440

# NAT section/Redirect
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to ! ($int_if) port 21 -> 127.0.0.1 port 8021


#filter rules
block log all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from $ext_if to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

#Other
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp,icmp} all keep state


Then I set up squid pretty much verbatim (other than the cache location and locally definable settings) using this link:
http://www.bsdguides.org/guides/freebsd/networking/squid.php

I won’t post my squid.conf file since I just edited the original. You may want to just make yours like the Guide above.

On the Qwest modem, I changed it to “transparent bridge,” turned off DHCP server, and tried to turn off NAT, but it wouldn’t let me. I may need to mess with it some more.

Here is my rc.conf file:


# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
hostname="xxxx.xxxx.com"

sshd_enable="YES"
usbd_enable="YES"
mpd_enable="YES"


natd_enable="YES" #I don't really know if this is necessary
natd_interface="fxp0" #or this

#PF stuff
pf_enable="YES"
pf_flags="-d"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

gateway_enable="YES"

# -- sysinstall generated deltas -- # Thu Jan 18 20:32:48 2007
ifconfig_xl0="inet x.x.x.x netmask x.x.x.x"

squid_enable="YES"

I have pf reloaded in a script due to what the mpd/pf guide said.

Now I just need to modify my pf.conf to route every http(s) request through the squid proxy. The proxy works, but it also still lets the LAN get out directly. I also need to figure out how to get ftp to work, through the proxy and/or PF.
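Here is one way to do the redirect described above, as an added example that is not part of the original post or the author’s own pf.conf. It assumes the LAN is 192.168.1.0/24 (a placeholder), that Squid listens on 127.0.0.1:3128 with `http_port 3128 transparent` in squid.conf (the Squid 2.x spelling; Squid 3.1 and later call it `intercept`), and that the ftp-proxy the original `rdr` points at is listening on 127.0.0.1:8021. It goes a little beyond the question in the post: it also drops 3128 from the services reachable on $ext_if, since a proxy port open to the Internet is an open-proxy risk that Squid’s ACLs alone should not be trusted to cover. The important caveat it fixes: `set skip on $int_if` tells pf not to process packets on that interface at all, so with the original ruleset neither this `rdr` nor the existing ftp-proxy `rdr` on $int_if ever fires. $int_if has to come out of the skip list for any redirect on it to work.

```pf
# Added example, not the author's ruleset. Assumptions: LAN is 192.168.1.0/24
# (placeholder), Squid on 127.0.0.1:3128 with "http_port 3128 transparent",
# ftp-proxy on 127.0.0.1:8021. Sections must stay in pf's order:
# macros, options, scrub, translation (nat/rdr), then filter rules.
ext_if="ng0"            # the interface mpd creates, not the physical fxp0
int_if="xl0"
lan_net="192.168.1.0/24"
squid_port="3128"
ftpproxy_port="8021"
ext_services="{ 53, 113 }"   # 3128 deliberately absent: Squid is for the LAN only
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
# Only skip lo0. Skipping $int_if would make pf ignore every rdr below.
set skip on lo0

scrub in all
scrub out all random-id max-mss 1440

# Outbound NAT for the LAN
nat on $ext_if from $lan_net to any -> ($ext_if)

# Transparent redirect: port-80 requests from the LAN go to Squid on this box.
# Squid's own fetches leave on $ext_if and never match "on $int_if", so there
# is no redirect loop.
rdr on $int_if proto tcp from $lan_net to ! ($int_if) port 80 -> 127.0.0.1 port $squid_port

# FTP from the LAN goes through ftp-proxy instead of straight out
rdr on $int_if proto tcp from $lan_net to ! ($int_if) port 21 -> 127.0.0.1 port $ftpproxy_port

# Default deny, both directions, all non-skipped interfaces
block log all
block drop in quick on $ext_if from $lan_net to any
block drop out quick on $ext_if from ($ext_if) to $lan_net

# Services this box offers to the outside (no proxy port here)
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_services flags S/SA keep state
# Active-mode FTP data connections that ftp-proxy (running as user "proxy") opens
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state

# Filtering happens after translation, so the pass rules for redirected
# connections must match the rewritten destination, 127.0.0.1.
pass in on $int_if proto tcp from $lan_net to 127.0.0.1 port { $squid_port, $ftpproxy_port } keep state

# HTTPS cannot be intercepted by Squid without a man-in-the-middle certificate
# setup, so let it out directly (or drop this line and point browsers at the
# proxy explicitly for https).
pass in on $int_if proto tcp from $lan_net to any port 443 flags S/SA keep state
# Name resolution and ping for the LAN; everything else from the LAN that is
# not redirected above is caught by "block log all".
pass in on $int_if proto { tcp, udp } from $lan_net to any port 53 keep state
pass in on $int_if inet proto icmp from $lan_net to any icmp-type $icmp_types keep state

# Outbound from the gateway itself (including Squid's and ftp-proxy's connections)
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $lan_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` while a LAN host browses: a hit on `block log all` for LAN traffic to port 80 or 21 means the `rdr` is not being reached, which is exactly the symptom `set skip on $int_if` produces.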

One of the hardest things for my mind to grasp is: what is your external interface? It seems to be ng0, which is the interface that mpd creates, but the physical card is fxp0.

After much tinkering and messing around, I got this to work for me. Some people may ask why? I say….mmmmmmmmmmmmBecauseIcanmmmmmmmm. And next to setup is perhaps squidguard to block the nasty sites from the kid.

If you have any suggestions, enhancements, requests, please post here!



Update: I got squidGuard working on the system….!!!! The main thing I learned is to change ownership and group on everything to squid:squid!

Updated: