FreeBSD gateway sharing Telewest cable modem - anyone?

Stuart Henderson stu at spacehopper.org
Sun Oct 7 14:18:09 BST 2001


> Web filtering - prob going to use squid+squidguard - anyone using these?

Yep. squidGuard is as good as you're going to get for running a
blocklist. Very very fast. (squidGuard on a P2-450 ran probably about
10x the speed in about 10% the RAM of a commercial blocking program
on a fast SGI Origin).

Look at the links from squidguard.org, there's a French site which
maintains blocklists, which has links to related projects, one of which
is a UK-written filter which looks for keywords. (This filter won't
connect to web servers directly, it must chain through a proxy server,
so it would have to sit in front of squid, probably on a different
port, which would mean you can't use squidGuard's IP address
configuration to allow unblocked access through squid from the
other machines -- I think you could however do this using ipfw fwd
so that connections from the filtered machine are sent to a
different port number <rebuild kernel with IPFIREWALL_FORWARD
and something like 'ipfw a fwd 127.1,3129 tcp from 11.22.33.44 to
me 3128').

If you can do some funky URL rewriting (can't remember if you
can do this in squidGuard as it stands, maybe with patching) there's
tricks like rewriting google/altavista URLs to use their family
filtering.

You won't get rid of *anything and everything* slightly dodgy.
But you will catch probably 90% and you'll catch it with a warning
in the log files which gives you an indication there's something
to talk about. (obviously gotta watch out for giving anyone a
blasting based on banner ads though :) You will get some false
positives too. But it's usually liveable with.

I'd also recommend proxomitron on the windows box, it does a
great job of filtering banner ads which would account for a lot
of the accidental exposure through sites supported by adult
banners. Far better at it than anything unix-side I've seen.
(junkbuster has *nothing* on proxomitron).

squid servers don't need too much. It doesn't do too badly on a
16mb 486 for low load. I would suggest turning the size of cache
right down, maybe 5-10mb if the box is slow (build it yourself
and use --enable-heap-replacement, see the ports Makefile, and
turn on replacement_policy GDSF, to get the best object hit-
ratio). The more objects stored on disk, the more RAM is used
for keeping track - if you keep the number of objects on disk
fairly low you can use more RAM for caching which is a lot
faster. 

If you can connect to blueyonder's NetCache's as a proxy
connection rather than using them as transparent caches, you
will get better speed since the HTTP/1.1 connections will
stay open most of the time, no TCP/IP setup delay, whereas
if they are transparently proxying, each hostname accessed
will need a new HTTP connection.

Set squidGuard to use pre-built databases if possible, it's
a pain having each squidGuard process build them all on startup.
You'll probably want to run 2 or 3 squidGuard processes at
first and check the logs after a day or two to see if you need
any more.

For fetching mail, fetchmail has already been suggested, there's
another option in ports/mail too - getmail - I haven't tried it, I'm
just mentioning it for completeness.

Personally I like Maildir for storing mailboxes, it has fewer problems
than mailbox files (although they're not as much a problem with clients
connected over LAN - they can be quite a pain for dialup users
especially if a connection gets dropped and the mailbox locks).
The easiest way to use Maildir is probably Postfix (if you use the
more recent version which is in ports, it autoconfigures things like
relay controls, you can probably get away with just adding
"home_mailbox=Maildir/" to use Maildirs). Courier-IMAPd includes
POP3 and IMAP servers (including SSL variants) which work with
Maildir.

-Stu

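As an added example (not from Stu's message), here is the shape of the squid, squidGuard and ipfw configuration the paragraphs above describe: the filtered box is forwarded to the keyword filter on port 3129 while a named unfiltered machine passes straight through squidGuard. All paths, addresses, sizes and the blocklist name are assumptions.

```conf
# --- /usr/local/etc/squid/squid.conf (paths and sizes assumed) ---
http_port 3128
# small on-disk cache, leaving RAM for hot objects (as the message suggests)
cache_mem 8 MB
cache_dir ufs /usr/local/squid/cache 10 16 256
# needs a build with --enable-heap-replacement; the directive name depends
# on the squid release (older builds call it replacement_policy)
cache_replacement_policy heap GDSF
# hand every URL to squidGuard; start a few children and grow if the logs say so
redirect_program /usr/local/bin/squidGuard -c /usr/local/etc/squidGuard.conf
redirect_children 3

# --- /usr/local/etc/squidGuard.conf ---
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

# machine that may bypass the blocklist (address assumed)
src unfiltered {
    ip 192.168.1.20
}

# blocklist category; build the .db files once with "squidGuard -C all"
# so each child loads them instead of rebuilding them on startup
dest blocked {
    domainlist blocked/domains
    urllist    blocked/urls
    log        blocked.log
}

acl {
    unfiltered {
        pass all
    }
    default {
        pass !blocked all
        redirect http://192.168.1.1/blocked.html
    }
}

# --- ipfw rule (kernel built with options IPFIREWALL_FORWARD) ---
# the filtered box (192.168.1.30) connects to port 3128 but is delivered to
# the keyword filter on 3129, which in turn chains to squid on 3128
ipfw add 1000 fwd 127.0.0.1,3129 tcp from 192.168.1.30 to me 3128
```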