EnGenius MiniPCI EMP-8602 Plus-S

Having high output power is always a great bonus (up to 600mW 28dBm), when designing your embedded application. Introducing EnGenius Technologies' answer, the EMP-8602S. Using the latest in technology expertise, EnGenius has fine tuned the mini-PCI to be the longest, and most powerful RF module in the market today. The slim form factor allows for small physical applications. Your all-in-one solution encompassing 802.11a, 802.11b, and 802.11g networking technology will be the last mini-PCI high powered solution you will ever need.

• 600mW transmission power for superior range, signal strength, recieve sensitivity
• Powered by Atheros, supports 802.11a/b/g
• 802.11e standards supported for Wireless Multimedia Enhancements QoS

EnGenius MiniPCI EMP-8602 Plus

Having high output power is always a great bonus (up to 400mW 26dBm), when designing your embedded application. Introducing EnGenius Technologies' answer, the EMP-8602. Using the latest in technology expertise, EnGenius has fine tuned the mini-PCI to be the longest, and most powerful RF module in the mraket today. The slim form factor allows for small physical applications. Your all-in-one solution encompassing 802.11a, 802.11b, and 802.11g networking technology will be the last mini-PCI high powered solution you will ever need.

• Up to 400mW transmission power for maximum range, throughput speeds, and signal strength


• Complete IEEE802.1x client support with EAP-TLS, EAPTTLS supplicants


• 802.11e standards supported for Wireless Multimedia Enhancements QoS

EnGenius MiniPCI EMP-3602

Having high output power is always a great bonus (up to 250mW 24dBm), when designing your embedded application. Introducing EnGenius Technologies' answer, the EMP-3602. Using the latest in technology expertise, EnGenius has fine tuned the mini-PCI to be the longest, and most powerful RF module in the market today. The slim form factor allows for small physical applications. Your all-in-one solution encompassing 802.11b/g networking technology will be the last mini-PCI high powered solution you will ever need.

• Up to 250mW transmission power for superior range, signal strength, recieve sensitivity
• Support 802.11b/g
• Support for draft IEEE 802.11e, h, i and j standards

EnGenius ECB-8610S

Ushering in the next generation of indoor client bridges with access point functionality is the ECB-8610S by EnGenius. With the quality and functionality expected of an EnGenius product, the ECB-8610S provides up to 600mW of high wireless output power and also adds advanced features such as SNMP management, Wireless Distribution System (WDS), and Power-over-Ethernet (PoE) capability. The ECB-8610S is the perfect solution for any application you might have.

• 600mW RF output power for greater range
• Powered by Atheros, 802.11a/b/g wireless Client
• Bridge/Access Point/WDS
• Latest security with WEP, WPA/WPA2
• Power-over-Ethernet (PoE) capability

EnGenius ECB-3610S

Ushering in the next generation of indoor client bridges with access point functionality is the ECB-3610S by EnGenius. With the quality and functionality expected of an EnGenius product, the ECB-3610S provides up to 600mW of high wireless output power and also adds advanced features such as SNMP management, Wireless Distribution System (WDS), and Power-over-Ethernet (PoE) capability. The ECB-3610S is the perfect solution for any application you might have.

• 600mW RF output power for greater range


• Powered by Atheros, 802.11b/g wireless Client


• Bridge/Access Point/WDS


• Latest security with WEP, WPA/WPA2


• Power-over-Ethernet (PoE) capability

EnGenius ECB-3220

Ushering in the next generation of indoor client bridges with access point functionality is the ECB-3220 by EnGenius. With the quality and functionality expected of an EnGenius product, the ECB-3220 provides up to 400mW of high wireless output power and also adds advanced features such as SNMP management, Wireless Distribution System (WDS), and Power-over-Ethernet (PoE) capability. The ECB-3220 is the perfect solution for any application you might have.

• 400mW RF output power for greater range


• Latest security with WEP, WPA/WPA2


• 802.11b/g wireless client bridge/Access Point


• PoE capable for flexible deployment

EnGenius EOC-8610S

Pushing outdoor range and functionality to its limits, EnGenius offers the latest in outdoor multipurpose Access Point / Client Bridge devices, the EOC-8610S- EXT. The EOC-8610S series brings you the maximum range with its 600mW high wireless output power, and the flexibility you need for adaptable deployments such as industrial grade outdoor enclosure, antenna options, and 802.3af Power-over-Ethernet (PoE) certification. Features such as 802.1x, WEP, and WPA, WPA2 provide security. Experience the best in outdoor wireless connectivity today with the EOC-8610S- EXT.

• 600mW RF output power for greater range


• 802.11a/b/g wireless Client Bridge/Access Point/WDS


• Latest security with WEP, WPA/WPA2 4dBi removeable antenna, RP-SMA connector


• IP67 rated enclosure for high resistance against dust, water, and weather conditions

EnGenius EOC-3220

Pushing outdoor range and functionality to its limits, EnGenius offers the latest in outdoor multipurpose Access Point / Client Bridge devices, the EOC-3220. The EOC-3220 series brings superior range with its 400mW high wireless output power, and the flexibility you need for adaptable deployments such as industrial grade outdoor enclosure, antenna options, and 802.3af Power-over-Ethernet (PoE) certification. Features such as 802.1x, WEP, and WPA2 provide security. Experience the best in outdoor wireless connectivity today with the EOC-3220.

• 400mW RF output power for greater range
• Integrated 9dBi directional patch antenna
• 802.3af PoE compatible for flexible deployment
• 802.11 b/g wireless Client Bridge/Access Point
• IP67 rated enclosure for high resistance against dust, water, and weather conditions

RouterBOARD 1000

The heart of this device is a new state of the art PowerPC networking processor which makes the RB1000 faster than any other MikroTik product. Our tests have shown that it can throughput up to 400000pps or 3.2Gbps full duplex! Two Compact Flash slots for web proxy cache and configuration backups of the User Manager data base or The Dude server are also present. RB1000 includes RouterOS - the operating system, which turns this powerful system into a highly sophisticated router/ firewall/ bandwidth manager.The unstopabble power of RouterOS and RouterBOARD combined, we bring you the fastest MikroTik router yet.

.

CPU PPC8547 1333MHz network processor Memory SODIMM DDR Slot, 512MB installed Boot loader RouterBOOT, 1Mbit Flash chipData storage Onboard NAND memory chipEthernet Four 10/100/1000 Mbit/s Gigabit Ethernet with Auto-MDI/XminiPCI noneCompact Flash Two CompactFlash slot (TrueIDE Microdrive supported)Serial port One DB9 RS232C asynchronous serial portBeeper PresentPower options Power jack: 12V DC (includes power supply)Fan Dual fan with failover supportCase Desktop case includedDimensions 14 cm x 16 cmOperating System MikroTik RouterOS v3, Level6 license

RouterBOARD 600

The high performance wireless platform. It has four miniPCI slots and three giga bit ethernet ports and it is the fastest wireless board that MikroTik has ever made.The heart of this device is the new state of the art Power PC networking processor which makes the RB600 faster than any other MikroTik product, introducing a whole new class to the RouterBOARD brand.Two Compact flash slots for web proxy cache and configuration backups of the User Manager data base or The Dude server. B600 includes RouterOS - the operating system, which will turn this powerful system into a highly sophisticated router/ firewall/ bandwidth manager or hotspot. And all this power - at a very affordable price.

CPU MPC8343E 266/400MHz network processor
Memory 64MB DDR SDRAM onboard memory
Boot loader RouterBOOT, 1 Mbit Flash chip
Data storage 64MB onboard NAND memory chip
Ethernet Three 10/100/1000 Mbit/s Gigabit Ethernet with Auto-MDI/X
miniPCI Four MiniPCI Type IIIA/IIIB slots
Expansion Daughterboard support, including RB500 daughterboards
Compact Flash Two independent CompactFlash slots (TrueIDE Microdrive supported)
Serial port One DB9 RS232C asynchronous serial port
Speaker Mini PC-Speaker
Power options IEEE802.3af PoE: 38..56V DC including over datalines.
Power jack: 10..56V DC
Fan control Two 5V DC fan power output headers with rotation sensor and automatic
fan switching (maximum output current - 300mA total)
Dimensions 14 cm x 20 cm (5.51 in x 7.87 in), 227 g (8 oz)
Power consumption ~9W without extension cards, maximum – 35+ W
Operating System MikroTik RouterOS v3, Level4 license

RouterBOARD 433AH

RouterBOARD 433 Series

RouterBOARD 433AH The RB433AH is a more powerful version of the standard RB433. The 128MB DDR will be capable of supporting new RouterOS features coming. The microSD slot supports an additional memory card that can be used for a Dude data base and other features to be announced in during Spring ‘08.The 680MHz Atheros MIPs 24K CPU, that can be overclocked to 800MHz, with a 64KB/32KB instruction/data cache is probably the fastest CPU used in low cost wireless access points.The three Ethernets and mpci slots give you ample data interfaces to put the big CPU power to work.The RB433 and RB433AH replace the RB133 and RB333 positions of our product line.

CPU Atheros AR7161 680MHz network processor (Tested at 800MHz)Memory 128MB DDR SDRAM onboard memoryBoot loader RouterBOOTData storage 64MB onboard NAND memory chip and microSDEthernet Three 10/100 Mbit/s Ethernet ports with Auto-MDI/XminiPCI Three MiniPCI Type IIIA/IIIB slotsExtras Reset switch, BeeperSerial port One DB9 RS232C asynchronous serial portLEDs Power, NAND activity, 5 user LEDsPower options Power over Ethernet: 10..28V DC (except power overdatalines). Power jack: 10..28V DC. Voltage monitor.Dimensions 10.5 cm x 15 cm, 137 gramsPower consumption ~3W without extension cards, maximum – 25 W, 16W output to cardsOperating System MikroTik RouterOS v3, Level5 license

Bluetooth Laser Virtual Keyboard

Like many people on the planet, you've probably got a hectic schedule and are always on the go. With many modern conveniences such as cell phones and PDA's with Internet and emailing capabilities, you can find information and communicate from almost anywhere. These gadgets are great to have, however, one disadvantage is that they are so small and can sometimes be difficult to see and can be a pain to type on. But this new gadget, the Bluetooth Laser Virtual Keyboard, may be a solution to that problem.The Bluetooth Laser Virtual Keyboard is a tiny device that uses lasers to project a keyboard on to any flat surface. You can then use the 63 key, full-size keyboard to type an email on any Bluetooth enabled PDA or cell phone. With simulated key click sounds and the capability of handling typing speeds of a standard keyboard, the virtual keyboard will make it easier to type on your small electronics. A little larger than a matchbook, this gadget fits nicely in your pocket or purse. The rechargeable battery will last up to 120 minutes.

http://www.gadgetfind.com/

PC with total liquid submersion cooling technology

Developed for hardcore computer users such as gamers, graphic artists, audiophiles, industrial designers, engineers, medical imaging technicians and military technologists, Reactor was designed for performance and quality with patented technologies and innovations never before available in a desktop system.
Hardcore Computer submerged all of the heat-producing components — the CPU, motherboard, video card, memory and power supplies — in a custom dielectric fluid they have name Core Coolant, eliminating heat-related computing limitations. Reactor incorporates the benefits of liquid submersion cooling with twin additive and redundant server-class 650Watt power supplies; audiophile-quality Creative Labs X-Fi, EAX, 7.1-channel Dolby digital surround sound embedded on the motherboard; three on-board SATA solid-state drives configured in an ultra-fast RAID 0 array; and two truly hot-swappable external hard drives.
Form following function, Reactor has a distinctive look. Locating the majority of I/O on the top of the case for easy access resulted in the unique Spinal Cord cable management system, another industry first for a desktop system. Also on the case top are optional, dual, diversity Wi-Fi antennas. The system chassis incorporates handles that serve as a means for transporting Reactor™. The handles also aid in the removal of the system core, which includes all of the computer’s active components, from the liquid for maintenance or upgrades. Over-clocking enthusiasts will appreciate a CMOS battery and BIOS reset switch located on the lid, inside a push-push access hatch door. Reactor™ also sports user-selectable internal tank and chassis base lights.
The result is a cool and quiet state-of-the-art system that provides full-throttle processing, sustained over-clocking, HD/3D realism with maximum frame rates, an easily upgradable modular design and a rugged custom chassis. The liquid submersion technology also ensures stable, 24/7/365 hardware reliability.
“Based on market research and early adopter feedback, we’re certain that anyone that requires or demands a system with fast boot and application loads, reliability, cool and quiet operation and over-the-top benchmarks will appreciate the innovations that Hardcore Computer put into Reactor™,” said Al Berning, CEO, Hardcore Computer. “We have taken a quantum leap in computing technology by offering features never before seen in a desktop system.

http://blog.pcnews.ro

Aleratec DVD/CD Flash Copy Tower

Aleratec has launched its new DVD/CD Flash Copy Tower that copies flash memory cards and USB flash drives directly to DVD/CD and it is also a 1:3 DVD/CD Duplicator, all without a computer.
The DVD/CD Flash Copy Tower supports disc spanning to four drives so the user can copy full 16GB flash memory cards commonly used by professional photographers. It copies files and images from volatile flash memory devices to secure and non-erasable DVDs or CDs for safe keeping. The DVD/CD Flash Copy Tower supports most popular flash memory cards, including CompactFlash, MemoryStick/Pro/Duo, SD Card, MiniSD, MicroSD and USB flash drives.

http://blog.pcnews.ro

Nokia New Year Grand Three: Arte, Sapphire Arte & Carbon Arte 8800 series

There is less than a month left until the New Year's Day, which is when a sort of best present's and gift's showdown is being held. Of course, the best present is the one personaly made or usually bought nevertheless with love and care towards the one for whom the gift is prepared. But we can't do everything that we want to present with our own hands, don't we? And most of us are willing to get something very precious to our beloved relatives and friends. Here is when big vendors come up on the stage. They offer some attractive gadgets for even more attractive prices. One them is Nokia, of course, but, accept for Nokia December Bargains, they are offering some really exclusive mobile phone gadgets of 8800 series.There are three different redesigned Nokia 8800 mobile phones, each has its unique visual features, by which everyone who had ever seen them just once, will be capable to tell one from another. The smartphones are: Nokia 8800 Arte, Nokia 8800 Sapphire Arte and Nokia 8800 Carbon Arte. They all have different price tags depending obviously on what materials were used for their bodies. Nokia 8800 Arte is the cheapest one of three – 689 pounds. Looking not so fancy, probably, as the Sapphire Arte and Carbon Arte, but more balanced and plain in good meaning of the words. Body panels are of finest natural materials by its description, mostly of polished glass and metal painted black. 8800 Sapphire Arte is of a deep brawn color and has a piece of smooth leather on the sliding panel. In the combination with a real sapphire in the "OK" button, it raises price to 979 pounds. But this is still 100 pounds less than 8800 Carbon Arte. Yes, it costs over 1000 pounds – 1079 pounds to be accurate. As the name sais, Carbone Arte does have carbon fibre insertion pieces and titanium felloes.In due course shouldn’t features be forgotten. Actually they are not what will drive a person to buy one of these as they would be chosen by heart, not by mind. Nevertheless feature package is quite solid, and same, basically, for all there devices of the 8800 series, speaking of which:
Slide form factor with numeric keypad
2.0 inch 320 x 240 Mpix QVGA OLED display, 16 millions of colors
USB 1.2, Bluetooth 2.0
WCDMA and GSM networks
Internal memory 4 GB, expandable
HTML, WML, XHTML, HTTP, TCP / IP protocol browsing
Camera 3.2 Mpix, 2048 x 1536 res, x 8 digital zoom, autofocus
Video recording in portrait / landscape modes; QCIF, H.263 codecs

http://www.gadgets-reviews.com

What is OpenBSD?

1 - Introduction to OpenBSD

---

Table of Contents

• 1.1 - What is OpenBSD?
• 1.2 - On what systems does OpenBSD run?
• 1.3 - Is OpenBSD really free?
• 1.4 - Why might I want to use OpenBSD?
• 1.5 - How can I help support OpenBSD?
• 1.6 - Who maintains OpenBSD?
• 1.7 - When is the next release of OpenBSD?
• 1.8 - What is included with OpenBSD?
• 1.9 - What is new in OpenBSD 4.4?
• 1.10 - Can I use OpenBSD as a desktop system?
• 1.11 - Why is/isn't ProductX included?

---

1.1 - What is OpenBSD?

The OpenBSD project produces a freely available, multi-platform 4.4BSD-based UNIX-like operating system. Our goals place emphasis on correctness, security, standardization, and portability. OpenBSD supports binary emulation of most binaries from SVR4 (Solaris), FreeBSD, Linux, BSDI, SunOS, and HPUX.

This FAQ specifically covers only the most recent release of OpenBSD, version 4.4.

1.2 - On what systems does OpenBSD run?

OpenBSD 4.4 runs on the following platforms:

• alpha - FTP only
• amd64 - Available on CD
• armish - FTP only
• hp300 - FTP only
• hppa - FTP only
• i386 - Available on CD
• landisk - FTP only
• mac68k - FTP only
• macppc - Available on CD
• mvme68k - FTP only
• mvme88k - FTP only
• sgi - FTP only
• socppc - FTP only
• sparc - FTP only
• sparc64 - Available on CD
• vax - FTP only
• zaurus - FTP only

Available on CD means the official CD set includes that platform and a number of packages. Base system CD ISO images can also be downloaded for most other platforms.

More information on OpenBSD platforms can be found on the Platforms page.

People sometimes ask why we support so many "odd" machines. The short answer is, "because we want to". If enough skilled people (sometimes, "enough" is only one really skilled person!) wish to maintain support for a platform, it will be supported. There are practical benefits to keeping OpenBSD multi-platform: when new platforms come out, the code tree is relatively free of portability-breaking bugs and design flaws. The OpenBSD platforms include 32 bit and 64 bit processors, little and big endian machines, and many different designs. And yes, supporting "unusual" platforms has helped produced a higher-quality code base for more "common" platforms.

1.3 - Is OpenBSD really free?

OpenBSD is all free. The binaries are free. The source is free. All parts of OpenBSD have reasonable copyright terms permitting free redistribution. This includes the ability to REUSE most parts of the OpenBSD source tree, either for personal or commercial purposes. OpenBSD includes NO further restrictions other than those implied by the original BSD license. Software which is written under stricter licenses cannot be included in the regular distribution of OpenBSD. This is intended to safeguard the free use of OpenBSD. For example, OpenBSD can be freely used for personal use, for academic use, by government institutions, by non-profit making organizations and by commercial organizations. OpenBSD, or parts of it, can also be freely incorporated into commercial products.

People sometimes ask if it bothers us that our free work is put into commercial products. The answer is, we would prefer that our good code be widely used than that commercial software vendors reimplement and create badly coded incompatible alternative solutions to already solved problems. For example, it is likely that SSH is a widely used protocol due to this freedom, much more widely used than if restrictions had been placed on how people used the OpenSSH code.

This isn't to say we would object to financial or hardware support in thanks. In fact, it is stunning how little support of any kind comes from companies that depend upon OpenBSD for their products, but there is no requirement of compensation.

For further reading on other popular licenses read: OpenBSD Copyright Policy.

The maintainers of OpenBSD support the project largely from their own pockets. This includes the time spent programming for the project, equipment used to support the many ports, the network resources used to distribute OpenBSD to you, and the time spent answering questions and investigating users' bug reports. The OpenBSD developers are not independently wealthy and even small contributions of time, equipment, and resources make a big difference.

1.4 - Why might I want to use OpenBSD?

New users frequently want to know whether OpenBSD is superior to some other free UNIX-like operating system. That question is largely unanswerable and is the subject of countless (and useless) religious debates. Do not, under any circumstances, ask such a question on an OpenBSD mailing list.

Below are some reasons why we think OpenBSD is a useful operating system. Whether OpenBSD is right for you is a question that only you can answer.

• OpenBSD runs on many different hardware platforms.
• OpenBSD is thought of by many security professionals as the most secure UNIX-like operating system, as the result of a never-ending comprehensive source code security audit.
• OpenBSD is a full-featured UNIX-like operating system available in source form at no charge.
• OpenBSD integrates cutting-edge security technology suitable for building firewalls and private network services in a distributed environment.
• OpenBSD benefits from strong ongoing development in many areas, offering opportunities to work with emerging technologies with an international community of programmers and end-users.
• OpenBSD attempts to minimize the need for customization and tweaking. For the vast majority of users, OpenBSD "Just Works" on their hardware for their application. Not only is tweaking and customizing rarely needed, it is actively discouraged.

1.5 - How can I help support OpenBSD?

We are greatly indebted to the people and organizations that have contributed to the OpenBSD project. They are acknowledged by name on the donations page.

OpenBSD has a constant need for several types of support from the user community. If you find OpenBSD useful, you are strongly encouraged to find a way to contribute. If none of the suggestions below are right for you, feel free to propose an alternative by sending e-mail to donations@openbsd.org.

• Buy an OpenBSD CD set. It includes the current full release of OpenBSD, and is bootable on many platforms. It also generates revenue to support the OpenBSD project, and reduces the strain on network resources used to deliver the distribution via the Internet. This inexpensive three-CD set includes full source. Remember, your friends need their own copy!
• Donate money. The project has a constant need for cash to pay for equipment, network connectivity, and expenses relating to CD publishing. Manufacturing CDs requires an up-front out-of-pocket investment for the OpenBSD developers, without guaranteed return. Send e-mail to donations@openbsd.org to find out how to contribute. Even small donations make a profound difference.
• Donate equipment and parts. The project has a constant need for general and specific hardware. Items such as IDE and SCSI disks, and various types of RAM are always welcome. For other types of hardware such as computer systems and motherboards, you should inquire as to current need. Write to donations@openbsd.org to arrange for shipment.
• Donate your time and skills. Programmers who enjoy writing operating systems are naturally always welcome, but there are literally dozens of other ways that people can be useful. Follow mailing lists and help answer new-user questions.
• Help maintain documentation by submitting new FAQ material (to faq@openbsd.org). Form a local user group and get your friends hooked on OpenBSD. Make a case to your employer for using OpenBSD at work. If you're a student, talk to your professors about using OpenBSD as a learning tool for Computer Science or Engineering courses. It's also worth mentioning one of the most important ways you should not try to "help" the OpenBSD project: do not waste your time engaging in operating system flame wars. It does not help the project to find new users and can cause substantial harm to important relationships that developers have with other developers.

1.6 - Who maintains OpenBSD?

OpenBSD is maintained by a development team spread across many different countries. The project is coordinated by Theo de Raadt, located in Canada.

1.7 - When is the next release of OpenBSD?

The OpenBSD team makes a new release every six months, with target release dates in May and November. More information on the development cycle can be found here.

1.8 - What is included with OpenBSD?

OpenBSD is distributed with a number of third-party software products, including:

• X.org 7.3, the X Window environment, with local patches. Installed with the x*.tgz install file sets.
• GCC versions 2.95.3 and 3.3.5. GNU C Compiler. The OpenBSD team has added the Propolice stack protection technology, enabled by default, and used throughout the OpenBSD userland and by default on applications compiled on OpenBSD. Installed as part of the comp44.tgz file set.
• Perl 5.8.8, with patches and improvements from the OpenBSD team.
• Our improved and secured version of the Apache 1.3 web server. The OpenBSD team has added default chrooting, privilege revocation, and other security-related improvements. Also includes mod_ssl and DSO support.
• OpenSSL 0.9.7j, with patches and improvements from the OpenBSD team.
• Groff 1.15 text processor.
• Sendmail 8.14.3 mail server, with libmilter.
• BIND 9.4.2-P2 (plus patches) DNS server. OpenBSD has implemented many improvements in chroot operation and other security-related issues.
• Lynx 2.8.5rel.4 text web browser. With HTTPS support added, plus patches from the OpenBSD team.
• Sudo v1.6.9p17, allowing users to run individual commands as root.
• Ncurses 5.2
• KAME IPv6
• Heimdal 0.7.2 with patches
• Arla 0.35.7
• Binutils 2.15 with patches
• gdb 6.3 with patches
• OpenSSH 5.1
• OpenNTPD Secure and simple Network Time Protocol implementation
• OpenBGPD and OpenOSPFD routing applications

As can be seen, the OpenBSD team often patches third-party products (typically) to improve the security or quality of the code. In some cases, the user will see no difference in operation, in other cases, there ARE operational differences which may impact some users. Keep these enhancements in mind before blindly adding different versions of the same software. You may get a bigger version number, but a less secure system.

Of course, additional applications can be added through the OpenBSD packages and ports system.

1.9 - What is new in OpenBSD 4.4?

The complete list of changes made to OpenBSD 4.3 to create OpenBSD 4.4 can be found on plus44.html, and highlights on the OpenBSD 4.4 Information page, however here are a few changes the OpenBSD team anticipate will require or warrant some special note to people upgrading or installing OpenBSD 4.4 who are familiar with older versions:

• OpenBSD/sparc64:
  Machines using the UltraSPARC IV/T1/T2 and Fujitsu SPARC64-V/VI/VII are now supported.

• New sysmerge(8) tool:
  Derived from the Mergemaster port, makes it much easier to merge configuration file changes during the upgrade process.

• hostname.* files now installed with mode 600
  to help keep your wireless keys and other configuration info secret.

• dhcpd(8)
  now supports synchronizing the leases file across multiple servers for redundancy. dhcpd(8) also no longer uses the dhcpd.interfaces file, use an entry in rc.conf.local.

1.10 - Can I use OpenBSD as a desktop system?

This question is often asked in exactly this manner -- with no explanation of what the asker means by "desktop". The only person who can answer that question is you, as it depends on what your needs and expectations are.

While OpenBSD has a great reputation as a "server" operating system, it can be and is used on the desktop. Many "desktop" applications are available through packages and ports. As with all operating system decisions, the question is: can it do the job you desire in the way you wish? You must answer this question for yourself.

It might be worth noting that a large amount of OpenBSD development is done on laptops.

1.11 - Why is/isn't ProductX included?

People often ask why a particular product is or isn't included with OpenBSD. The answer is based on two things: the wishes of the developers and compatibility with the goals of the project. A product will not be included simply because it is "neat" -- it must also be "free" for use, distribution and modification by our standards. A product must also be stable and secure -- a bigger version number does not always mean a better product.

License is often the biggest problem: we want OpenBSD to remain usable by any person anywhere in the world for any purpose.

Another major consideration is the wishes of the developers. The OpenBSD developers are the ultimate judges of what does and doesn't go into the project. Just because an application is "good" doesn't mean the OpenBSD project wishes to devote the resources needed to maintaining it, or that they will share other's enthusiasm about its place in OpenBSD.

Some commonly asked questions about third-party products:

• Why is Sendmail included, it is "known insecure"?!
  Sendmail has had an imperfect security record, however the Sendmail authors and maintainers have been very receptive to reworking their code to make it much more secure (and this is a sadly uncommon response). The recent security history of Sendmail is not much different than some of the supposedly "more secure" alternatives.
• Why isn't Postfix included?
  The license is not free, and thus can not be considered.
• Why isn't qmail or djbdns included?
  Neither program is what many Unix users "expect" out of a mail or DNS application.
• Why is Apache included? It isn't needed by many people!
  Because the developers want it.
• Why isn't a newer version of Apache included?
  The license on newer versions is unacceptable.
• Why isn't bzip2 included instead of gzip?
  Performance is horrible, and benefit is minimal. Impact on slower platforms, such as m68k or VAX would be unacceptable.
• Why isn't there a graphical or curses(3) based installer?
  For a number of reasons, including the goal of keeping the installation boot media able to be a single floppy disk, the fact that one installer can be used on all platforms in all configurations, and the fact that after the second or third OpenBSD install, most users find the OpenBSD installation system among the fastest and easiest installers of any OS. Most developers and users greatly prefer the speed, power, and ease of use of the current installer to any of the more "colorful" or "pretty" installers on some other platforms.

In most cases, these topics have been discussed in painful detail on the mail lists, please see archives if you need more information.

Of course, If you wish to use one of these packages and your use is compatible with the license of the products, no one will stop you (that wouldn't be very free if we tried, would it?). However, your needs may change -- you may not want to develop a "Killer Application" that you can't sell, distribute, or get rich from because you incorporated non-free software into it.

The Squid and the Blowfish

OpenBSD is a free, multi-platform 4.4BSD-based UNIX-like operating system. Its priorities are portability, standardization, correctness, proactive security and integrated cryptography, thus making it one of the most secure and reliable OSes around.

Table of contents

• 1. Introduction
• 2. Squid
  • 2.1 Installation
  • 2.2 Base configuration
  • 2.3 Starting Squid
• 3. Further Squid configuration
  • 3.1 More on Access Control Lists
  • 3.2 Http-accelerator mode (reverse proxy)
  • 3.3 Transparent caching
  • 3.4 SNMP
• 4. Content filtering with SquidGuard
  • 4.1 Installation
  • 4.2 Configuration
• 5. Virus scanning with SquidClamav
  • 5.1 Installation
  • 5.2 Configuration
• 6. Ad zapping with AdZapper
  • 6.1 Installation
  • 6.2 Configuration
• 7. Appendix
  • 7.1 SSL tunnel through Squid
    • 7.1.1 Server-side configuration
    • 7.1.2 Client-side configuration
  • 7.2 References
  • 7.3 Bibliography

1. Introduction

1. Introduction

We have grown so much accustomed to internet access on our work computers, that we can hardly imagine what people ever did all day long on their workplace before!

By providing access to a virtually endless amount of information, the Internet has quickly turned into an essential working tool; so essential that most companies can't do without it anymore. But besides providing a huge amount of information, the Internet has also turned into the main virus vehicle (together with e-mail) and doesn't exclusively provide content in line with corporate policies. That's why a proxy server is often as necessary as the Internet connection.

The main benefits of web proxying are:

• content filtering: the proxy can be configured to filter out virus files, ad banners and requests to unwanted websites;
• network bandwidth conservation: cached pages are served by the proxy itself, thus saving bandwidth and offering faster access times;
• authentication: Internet access can be authorized (and filtered) based on username/password, IP address, domain name and much more.

The following is the list of the pieces of software we will use:

OpenBSD

a robust, security-oriented operating system, with only two remote holes in the default install, in more than 10 years!;

Squid

a caching proxy for the Web supporting HTTP, HTTPS, FTP, and more;

SquidGuard

a combined filter, redirector and access controller plugin for Squid;

ClamAV

an open source (GPL) anti-virus toolkit for UNIX;

SquidClamav

a Clamav Antivirus Redirector for Squid;

AdZapper

a redirector for squid that intercepts advertising (banners, popup windows, flash animations, etc), page counters and some web bugs (as found).

The choice of using free software prevented me from using DansGuardian, an Open Source web content filter, running on many OSes and filtering the actual content of pages based on many methods including phrase matching, PICS filtering and URL filtering. Fine and dandy, but it isnot free for commercial use.

A good knowledge of OpenBSD is assumed, since we won't delve into system management topics such as OS installation and base configuration, packages/ports installation or PF syntax.

2. Squid

• Previous
• Up
• Next
• Home

The Squid and the Blowfish

Previous: 1. Introduction  Up: Table of contents  Next: 3. Further Squid configuration

---

2. Squid

Squid is a fully-featured HTTP/1.0 proxy and it offers a rich access control, authorization and logging environment to develop web proxy and content serving applications.

2.1 Installation

Let's start with the location of the cache server in the network: according to the documentation, the most suitable place is in the DMZ; this should keep the cache server secure while still able to peer with other, outside, caches (such as the ISP's).

The documentation also recommends setting a DNS name for the cache server (such as "cache.mydomain.tld" or "proxy.mydomain.tld") as soon as possible: a simple DNS entry can save many hours further down the line. Configuring client machines to access the cache server by IP address is asking for a long, painful transition down the road.

Squid installation is as simple as it can be; you only have to add the Squid package. Available flavors are "transparent" (if you're interested in transparent proxying) and "snmp" (includingSNMP support).

# export PKG_PATH=/path/to/your/favourite/OpenBSD/mirror # pkg_add squid-x.x.STABLExx-transparent-snmp.tgz squid-x.x.STABLExx-transparent-snmp: complete --- squid-x.x.STABLExx-transparent-snmp ------------------- NOTES ON OpenBSD POST-INSTALLATION OF SQUID x.x  The local (OpenBSD) differences are: configuration files are in              /etc/squid sample configuration files are in       /usr/local/share/examples/squid error message files are in              /usr/local/share/squid/errors sample error message files are in       /usr/local/share/examples/squid/errors icons are in                            /usr/local/share/squid/icons sample icons are in                     /usr/local/share/examples/squid/icons the cache is in                         /var/squid/cache logs are stored in                      /var/squid/logs the ugid squid runs as is               _squid:_squid  Please remember to initialize the cache by running "squid -z" before trying to run Squid for the first time.  You can also edit /etc/rc.local so that Squid is started automatically:      if [ -x /usr/local/sbin/squid ]; then         echo -n ' squid';       /usr/local/sbin/squid     fi  # 

2.2 Base configuration

Squid configuration relies on several dozens of parameters, and thus can quickly turn into a very tricky task. Therefore, the best approach is probably starting with a very basic configuration and then tweaking the options, one by one, to meet your specific needs, while still making sure that everything keeps working as expected.

Actually, only a few parameters need to be set to get Squid up and running (theoretically, you could even run Squid with an empty configuration file): for all the options you don't explicitly set, the default values are assumed. Anyway, at least one setting must certainly be changed: the default configuration file denies access to all browsers; and this may sound a bit ...too strict!

Our first configuration will be very simple: we will place our proxy server in the DMZ (172.16.240.0/24, this is the network layout) and allow only requests from the LAN (172.16.0.0/24). No ISP's parent proxy is taken into account.

The main Squid configuration file is /etc/squid/squid.conf. Let's have a look at it.

The http_port option sets the port(s) that Squid will listen on for incoming HTTP requests. There are three forms: port alone (e.g. "http_port 3128"), hostname with port (e.g. "http_port proxy.kernel-panic.it:3128"), and IP address with port (e.g. "http_port 172.16.240.151:3128"); you can specify multiple socket addresses, each on a separate line. If your Squid machine is multi-homed and directly accessible from the internet, it is strongly recommended that you force Squid to bind the socket to the internal address. This way, Squid will only be visible from the internal network and won't proxy the whole world! Squid's default HTTP port is 3128, but many administrators prefer using a port which is easier to remember, such as 8080.

http_port   3128 

The cache_dir parameter allows you to specify the path, size and depth of the directories where the cache swap files will be stored. Squid allows you to have multiple cache_dir tags in your config file.

cache_dir   ufs /var/squid/cache 100 16 256 

The above line sets the cache directory pathname to /var/squid/cache, with a size of 100MB and 16 first-level subdirectories, each containing 256 second-level subdirectories. The cache directory must exist and be writable by the Squid process and its size can't exceed the 80% of the whole disk. For further details, please refer to the documentation.

The cache_mgr parameter contains the e-mail address of the Squid administrator, which will appear at the end of the error pages; e.g.:

cache_mgr   webmaster@kernel-panic.it 

The cache_effective_user and cache_effective_group options, allow you to set the UID and GID Squid will drop its privileges to once it has bound to the incoming network port. The package installation has already created the _squid user and group.

cache_effective_user    _squid cache_effective_group   _squid 

The ftp_user option sets the e-mail address that Squid will use as the password for anonymous FTP login. It's a good practice to use an existing address:

ftp_user    webmaster@kernel-panic.it 

The following options set the paths to the log files; the format of the access log file, which logs every request received by the cache, can be specified by using a logformat directive (please refer to the documentation for a detailed list of the available format codes):

# Define the access log format logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %# Log client request activities ('squid' is the name of the log format to use) access_log       /var/squid/logs/access.log squid  # Log information about the cache's behavior cache_log        /var/squid/logs/cache.log # Log the activities of the storage manager cache_store_log  /var/squid/logs/store.log 

And now we come to one of the most tricky parts of the configuration: Access Control Lists. The simplest way to restrict access is to only accept requests from the internal network. Such a basic access control can be enough in small networks, especially if you don't wish to use features like username/password authentication or URL filtering.

ACLs are usually split into two parts: acl lines, starting with the acl keyword and definingclasses, and acl operators, allowing or denying requests based on classes. Acl-operators are checked from top to bottom and the first matching wins. Below is a very basic ruleset:

# Classes acl  all           src    0.0.0.0/0.0.0.0   # Any IP address acl  localhost     src    127.0.0.0/8       # Localhost acl  lan           src    172.16.0.0/24     # LAN where autorized clients reside acl  manager       proto  cache_object      # Cache object protocol acl  to_localhost  dst    127.0.0.0/8       # Requests to localhost acl  SSL_ports     port   443               # https port acl  Safe_ports    port   80 21 443         # http, ftp, https ports acl  CONNECT       method CONNECT           # SSL CONNECT method  # Only allow cachemgr access from localhost http_access  allow  manager localhost http_access  deny   manager  # Deny requests to unknown ports http_access  deny   !Safe_ports  # Deny CONNECT to other than SSL ports http_access  deny   CONNECT !SSL_ports  # Prevent access to local web applications from remote users http_access  deny   to_localhost  # Allow access from the local network http_access  allow  lan  # Default deny (this must be the last rule) http_access  deny   all 

2.3 Starting Squid

Now our cache server is almost ready for a first run, just one last step to go. We first need to create the cache-swap directories where Squid will store cached pages. The "squid -z" command will create all the required directories, according to the cache_dir parameter insquid.conf (see above), as the user and group specified by the cache_effective_user andcache_effective_group parameters.

# /usr/local/sbin/squid -z 2007/12/11 18:04:35| Creating Swap Directories # 

We are now ready to start Squid. Starting it in debug mode (-d 1 flag) and in foreground (-Nflag) will make it easier to see if everything is working fine.

# /usr/local/sbin/squid -d 1 -N 2007/12/11 18:05:19| Starting Squid Cache version 2.6.STABLE13 for i386-unknown-openbsd4.2... [ ... ] 2007/12/11 18:05:19| Accepting proxy HTTP connections at 0.0.0.0, port 3128, FD 10. 2007/12/11 18:05:19| Accepting ICP messages at 0.0.0.0, port 3130, FD 11. 2007/12/11 18:05:19| Accepting SNMP messages on port 3401, FD 12. 2007/12/11 18:05:19| WCCP Disabled. 2007/12/11 18:05:19| Ready to serve requests. 2007/12/11 18:05:22| Done scanning /var/squid/cache (0 entries) 2007/12/11 18:05:22| Finished rebuilding storage from disk. 2007/12/11 18:05:22|         0 Entries scanned 2007/12/11 18:05:22|         0 Invalid entries. 2007/12/11 18:05:22|         0 With invalid flags. 2007/12/11 18:05:22|         0 Objects loaded. 2007/12/11 18:05:22|         0 Objects expired. 2007/12/11 18:05:22|         0 Objects cancelled. 2007/12/11 18:05:22|         0 Duplicate URLs purged. 2007/12/11 18:05:22|         0 Swapfile clashes avoided. 2007/12/11 18:05:22|   Took 2.9 seconds (   0.0 objects/sec). 2007/12/11 18:05:22| Beginning Validation Procedure 2007/12/11 18:05:22|   Completed Validation Procedure 2007/12/11 18:05:22|   Validated 0 Entries 2007/12/11 18:05:22|   store_swap_size = 0k 2007/12/11 18:05:22| storeLateRelease: released 0 objects  

Once we get the "Ready to serve requests" message, we should be able to use the cache server. Once it is up and running, Squid reads the cache store: the first time you should see all zeros, as above, because the cache store is empty.

Now, to make sure everything is working fine, we will configure our browser to use our fresh new proxy and we will try to access our favourite web site. In the /var/squid/logs/access.logfile, you should see something like:

/var/squid/logs/access.log

1179764464.435   6735 172.16.0.13 TCP_MISS/200 11810 GET http://www.kernel-panic.it/ - DIRECT/62.149.140.23 text/html 1179764712.536     14 172.16.0.13 TCP_HIT/200 11820 GET http://www.kernel-panic.it/ - NONE/- text/html [...] 

For a detailed description of each field in the access.log file, please refer to the documentation. Anyway, TCP_MISS means that the requested page wasn't stored in the cache (either it was not present or it had expired); TCP_HIT, instead, means that the page was served from the cache. The second field is the time (in milliseconds) that Squid took to service the request: as you can see, it is much shorter when the page is cached. The page size is the fifth field: cached pages may be a little larger because of the extra headers added by Squid.

If everything is working fine, we can stop Squid:

# /usr/local/sbin/squid -k shutdown 

and configure the system to start it on boot.

/etc/rc.local

if [ -x /usr/local/sbin/squid ]; then     echo -n ' squid'     /usr/local/sbin/squid fi 

You may also wish to start Squid through the RunCache script, which automatically restarts it on failure and logs both to the /var/squid/squid.out file and to syslog. Just remember to background it with an "&", or it will hang the system at boot time.

---

• Previous
• Up
• Next
• Home

The Squid and the Blowfish

Previous: 1. Introduction  Up: Table of contents  Next: 3. Further Squid configuration

3. Further Squid configuration

The Squid and the Blowfish
Previous: 2. Squid Up: Table of contents Next: 4. Content filtering with SquidGuard 
--------------------------------------------------------------------------------

3. Further Squid configuration
In many cases, the basic configuration we've seen in the previous chapter can be sufficient for accelerating web access and protecting the network, but Squid can do much more. Below are just a few of the many things Squid can do.

3.1 More on Access Control Lists
Though most people implement only very basic access control, Squid's access system is very powerful and flexible, allowing for in-depth filtering of access to cache resources. So far we have mainly dealt with ACLs that filter based on source IP address, but there are many other ACL types. In this paragraph, we will take a brief look at the main ones, just to get an idea of what Squid ACLs can do; for a more detailed and comprehensive description of Squid ACLs, please refer to the documentation.

A Squid ACL is made up of at least four fields: the acl keyword, followed by a (possibly descriptive) unique name, the ACL type and one or more decision strings. Thus, the overall syntax of Squid ACLs looks like:

acl name type (string|"filename") [string2] [string3] ["filename2"]

An ACL containing multiple decision strings will return true if any of the decision strings matches (i.e. decision strings are ORed together). To avoid cluttering the configuration file with hundreds of ACL lines, you can specify the full pathname of a file (in double quotes) containing the decision strings one per line.

Listed below are the most commonly used ACL types:

Source/Destination IP address 
Filtering based on source IP address (src type) or destination IP address (dst type). Both the traditional "IP/Netmask" and CIDR "IP/Bits" notations are allowed. E.g.: 
# "Traditional" notation
acl myNet1 src 192.168.0.0/255.255.255.0

# Address range with CIDR notation
acl myNet2 src 172.16.0.0-172.16.2.0/24

# Filtering on destination address
acl badNet dst 10.0.0.0/24

Source/Destination Domain 
Squid can allow/deny requests to or from specific domains (dstdomain and srcdomain types, respectively). If you want to deny access to a site, don't forget to also deny access to its IP address, or the rule will be easily bypassed. E.g.: 
# Match a specific site
acl badDomain dstdomain forbidden.site

# Match the IP address of "forbidden.site"
acl badDomainIP dst 1.2.3.4

Regular expressions can also be used for checking the source domain (srcdom_regex type) and destination domain (dstdom_regex type) of a request. E.g.: 
# Match domains containing the word "sex" and a ".com" TLD (the match is case
# insensitive because of the '-i' flag)
acl badSites dstdom_regex -i sex.*\.com$

Words in the requested URL 
Squid can use regular expressions to filter URLs matching specific patterns (url_regex type); if you don't care about the URL-type and the hostname, you can use the urlpath_regex type instead. 
# Match the most common video files extensions
acl movies urlpath_regex -i \.avi$ \.mpg$ \.mpeg$ \.wmv$ \.asf$ \.mov$

# Match JPG images from URLs containing the word "sex"
acl sexImg url_regex -i sex.*\.jpg$

Current day/time 
Squid can allow/deny access to specific sites by time. The syntax is: 
acl name time [day-list] [start_hour:minute-end_hour:minute]

where day-list is a list of single characters representing the days that the acl applies to (Sunday, Monday, Tuesday, Wednesday, THhursday, Friday, SAturday). E.g.: 
acl workhours time MTWHF 08:00-18:00
acl weekend time SA
acl morning time 07:00-13:00

Destination port 
Squid can filter based on destination ports. E.g: 
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 280 488 591 777 1024-65535

Protocol (FTP, HTTP, SSL) 
The proto acl type allows Squid to allow/deny access based on the request protocol. E.g.: 
acl www proto HTTP SSL
acl ftp proto FTP

Method (HTTP GET, POST or CONNECT) 
The method ACL type allows you to restrict access based on the request HTTP method, i.e. GET (used for downloading), POST (used for uploading) and CONNECT (used for SSL data transfers). E.g.: 
# Deny CONNECT to other than SSL ports
acl connect method CONNECT
http_access deny connect !SSL_ports

It is very important that you stop CONNECT type requests to non-SSL ports. The CONNECT method allows data transfer in any direction at any time, regardless of the transport protocol used. As a consequence, a malicious user could telnet(1) to a (very) badly configured proxy, enter something like: 
$ telnet bad.proxy.tld 3128
Trying 1.2.3.4...
Connected to bad.proxy.tld.
Escape character is '^]'.
CONNECT telnet.server.tld:23 HTTP/1.1


and end up connected to the remote server, as if the connection was originated by the proxy. 
Browser type 
The browser acl type allows you to specify a regular expression that can be used to allow/deny access based on the User-Agent header. E.g.: 
# Deny access to MS Internet Explorer
acl MSIE browser MSIE
http_access deny MSIE

Username/Password pair 
User authentication allows you to track Internet usage and collect per-user statistics. The simplest authentication scheme is the basic scheme, with username/password pairs stored in a file. To create this file, you can use the htpasswd(1) command: 
# /usr/bin/htpasswd -c /etc/squid/squid.passwd danix
New password: dAn1x
Re-type new password: dAn1x
Adding password for user danix
#

Authentication parameters are set using the auth_param tag; then, to actually activate authentication, you need to make use of ACLs based on login name in http_access (proxy_auth or proxy_auth_regex) or external_acl_type with %LOGIN used in the format tag. E.g.: 
# Configure traditional (basic) proxy authentication
auth_param basic program /usr/local/libexec/ncsa_auth /etc/squid/squid.passwd

# Number of authenticator processes to spawn
auth_param basic children 5

# Realm to be reported to the client
auth_param basic realm Squid proxy-caching web server

# Usernames are case insensitive
auth_param basic casesensitive off

# Credentials time to live
auth_param basic credentialsttl 12 hours

# Using REQUIRED will accept any valid username
acl AUTH proxy_auth REQUIRED

# Don't require authentication to localhost
http_access allow localhost

# Only allow authenticated requests coming from the LAN
http_access allow AUTH lan

# Default deny
http_access deny all

SNMP Community 
Squid can restrict SNMP queries based on the requested SNMP community. E.g.: 
# Address of the cache administrator
acl snmpManager src 172.16.0.100

# Non-sensitive information
acl SNMPPublic snmp_community public

# Allow any request from the cache administrator
snmp_access allow snmpManager

# Clients on the LAN can only query non-sensitive information
snmp_access allow SNMPPublic lan

# Default deny
snmp_access deny all

3.2 Http-accelerator mode (reverse proxy)
According to the documentation, enabling Squid's Accelerator Mode can be useful only in a limited set of circumstances:

accelerating a slow server; 
replacing a combination cache/web server with Squid; 
transparent caching; 
protecting an insecure web server. 
Besides these cases, enabling accelerator mode is strongly discouraged. The configuration is very simple; below is a sample configuration of a Squid server accelerating requests to a slow web server.

/etc/squid/squid.conf
# In accelerator mode, Squid usually listens on the standard www port
http_port 80 accel vhost 

# Do the SSL work at the accelerator level. To create the certificates, run:
# openssl req -x509 -newkey rsa:2048 -keyout squid.key -out squid.crt \
# -days 365 -nodes
https_port 443 cert=/etc/ssl/squid.crt key=/etc/ssl/private/squid.key

# Accelerated server address and port
cache_peer 172.16.1.217 parent 80 0 no-query originserver

# Do not rewrite 'Host:' headers
url_rewrite_host_header off
# Process multiple requests for the same URI as one request
collapsed_forwarding on

# Allow requests when they are to the accelerated machine AND to the
# right port
acl webSrv dst 172.16.1.217
acl webPrt port 80
acl all src 0.0.0.0/0.0.0.0
http_access allow webSrv webPrt
http_access allow all
always_direct allow webSrv

3.3 Transparent caching
Transparent caching means having a filtering device, such as a router or a firewall, silently redirecting web traffic to the cache server. Clients ignore the presence of the proxy between them and the web server and think they're talking directly to the server.

As a consequence, transparent caching doesn't require any configuration on the client side, thus making maintenance much easier and faster. On the other hand, however, a transparently intercepting proxy can't use authentication or transparently proxy the HTTPS protocol.

Before configuring Squid, we will need to enable web traffic redirection on our firewalls (the involved firewalls are those between the LAN, where clients reside, and the DMZ, where the cache server is placed). Below are some sample rules for the pf.conf(5) file:

/etc/pf.conf
[...]
# LAN interface
lan_if = rl1

# Cache server and port
cache_srv = proxy.kernel-panic.it
cache_port = 3128

# Transparently redirect web traffic to the cache server
rdr on $lan_if proto tcp from $lan_if:network to any port www -> \
$cache_srv port $cache_port
[...]

Squid configuration is rather simple:

/etc/squid/squid.conf
# Port on which connections are redirected
http_port 3128 transparent

3.4 SNMP
SNMP is a set of protocols for network management and monitoring. If you installed the "snmp" flavor of the Squid package, the proxy will be able to serve statistics and status information via SNMP.

SNMP configuration is rather simple:

/etc/squid/squid.conf
# By default, Squid listens for SNMP packets on port 3401, to avoid conflicting
# with any other SNMP agent listening on the standard port 161.
snmp_port 3401

# Address to listen on (0.0.0.0 means all interfaces)
snmp_incoming_address 0.0.0.0

# Address to reply on (255.255.255.255 means the same as snmp_incoming_address)
# Only change this if you want to have SNMP replies sent using another address
# than where Squid listens for SNMP queries.
# snmp_incoming_address and snmp_outgoing_address can't have the same value
# since they both use port 3401.
snmp_outgoing_address 255.255.255.255

# Configuring access control is strongly recommended since some SNMP
# information is confidential
acl all src 0.0.0.0/0.0.0.0
acl lan src 172.16.0.0/24
acl snmpManager src 172.16.0.100
acl publicCommunity snmp_community public
snmp_access allow snmpManager
snmp_access allow publicCommunity lan
snmp_access deny all

You can test whether SNMP is working with the snmpwalk program (snmpwalk is part of the NET-SNMP project). E.g.:

# snmpwalk -c public -v 1 proxy.kernel-panic.it:3401 .1.3.6.1.4.1.3495.1.1
SNMPv2-SMI::enterprises.3495.1.1.1.0 = INTEGER: 356
SNMPv2-SMI::enterprises.3495.1.1.2.0 = INTEGER: 744
SNMPv2-SMI::enterprises.3495.1.1.3.0 = Timeticks: (540791) 1:30:07.91
#

Please refer to the documentation for a detailed explanation of the output from the snmpwalk command.


--------------------------------------------------------------------------------
Previous Up Next Home The Squid and the Blowfish

4. Content filtering with SquidGuard

The Squid and the Blowfish
Previous: 3. Further Squid configuration Up: Table of contents Next: 5. Virus scanning with SquidClamav 
--------------------------------------------------------------------------------

4. Content filtering with SquidGuard
SquidGuard is a combined filter, redirector and access controller plugin for Squid. We will use it to block access to specific categories of unwanted sites, based on IP addresses, URLs and regular expressions. SquidGuard comes with a very comprehensive list of commonly-banned web sites, divided into categories such as "porn", "drugs", "ads" and so on, making configuration rather simple and fast.

4.1 Installation
SquidGuard is available through OpenBSD's packages and ports system and requires the installation of the following packages:

db-x.x.x.tgz 
squidGuard-x.x.x.tgz 
The installation places a copy of the blacklists tarball (blacklists.tar.gz) in /usr/local/share/examples/squidguard/dest/. We will extract it into the /var/squidguard/db directory:

# cd /usr/local/share/examples/squidguard/dest/
# tar -zxvC /var/squidguard/db -f blacklists.tar.gz
[...]
#

4.2 Configuration
SquidGuard's configuration file is /etc/squidguard/squidguard.conf; it is logically divided into six sections (please refer to the documentation for a more in-depth look at squidGuard's configuration options):

Path declarations 
Specify the path to the logs and blacklists directories: 
logdir /var/squidguard/log
dbhome /var/squidguard/db

Time space declarations 
SquidGuard allows you to have different access rules based on time and/or date. A short example is probably the best way to illustrate the flexibility of these rules. 
time workhours {
weekly mtwhf 08:00-18:00
}

time night {
weekly * 18:00-24:00
weekly * 00:00-08:00
}

time holidays {
date *.01.01 # New Year's Day
date *.05.01 # Labour Day
date *.12.24 12:00-24:00 # Christmas Eve (short day)
date *.12.25 # Christmas Day
date *.12.26 # Boxing Day
}

Source group declarations 
SquidGuard allows you to filter based on source IP address, domain and user (users credentials are passed by Squid along with the URL); e.g.: 
src admin {
ip 172.16.0.12 # The administrator's PC
domain lan.kernel-panic.it # The LAN domain
user root administrator # The administrator's login names
}

src lan {
ip 172.16.0.0/24 # The internal network
domain lan.kernel-panic.it # The LAN domain
}

Destination group declarations 
One of the main features of SquidGuard is certainly its ability to filter based on destination address or domain. And this is where the pre-built databases we extracted before come in handy. The domainlist parameter specifies the path to a file containing a list of domain names (later we will see how to create the db files to speed up SquidGuard startup time): this must be a relative path rooted in the directory specified by the dbhome parameter. Similarly, the urllist and expressionlist parameters specify the (relative) path to files containing a list of URLs and regular expressions respectively. E.g.: 
dest porn {
domainlist blacklists/porn/domains
urllist blacklists/porn/urls
expressionlist blacklists/porn/expressions
# Logged info is anonymized to protect users' privacy
log anonymous dest/porn.log
}

Access control rule declarations 
Finally, we can combine all the previous rules to build Access Control Lists: 
acl {
admin within workhours {
# The following rule allows everything except porn, drugs and
# gambling sites during work hours. '!' is the NOT operator.
pass !porn !drugs !gambling all
} else {
# Outside of work hours drugs and gambling sites are still blocked.
pass !drugs !gambling all
}
lan {
# The built-in 'in-addr' destination group matches any IP address.
pass !in-addr !porn !drugs !gambling all
}
default {
# Default deny to reject unknown clients
pass none
redirect http://www.kernel-panic.it/error.html&ip=%a&url=%u
}
}

The redirect rule declares the URL where to redirect users requesting blocked pages. SquidGuard can include some useful information in the URL by expanding the following macros: 
%a: the IP address of the client. 
%n: the domain name of the client or "unknown" if not available. 
%i: the user ID or "unknown" if not available. 
%s: the matched source group or "unknown" if no groups were matched. 
%t: the matched destination group or "unknown" if no groups were matched. 
%u: the requested URL. 
%p: the path and the optional query string of %u but without the leading "/". 
%%: a single "%". 
Now that squidGuard is configured, we can build the Berkeley DB files for domains, URLs and regular expressions with the command:

# squidGuard -u -C all
# chown -R _squid /var/squidguard/

You can test that squidGuard configuration is working properly by simulating some Squid requests from the command line; squidGuard expects a single line on stdin with the following format (empty fields are replaced with "-"):

URL client_ip/fqdn user method urlgroup

and returns the configured redirect URL (if the site is blocked) or an empty line; for example:

# echo "http://www.blocked.site 1.2.3.4/- user GET -" | squidGuard -c /etc/squidguard/squidguard.conf -d
[ ... ]
2007-12-14 09:57:04 [27349] squidGuard ready for requests (1197622624.065)
http://www.kernel-panic.it/error.html&ip=1.2.3.4&url=http://www.blocked.site 1.2.3.4/- user GET
2007-12-14 09:57:04 [27349] squidGuard stopped (1197622624.067)
# echo "http://www.good.site 1.2.3.4/- user GET -" | squidGuard -c /etc/squidguard/squidguard.conf -d
[ ... ]
2007-12-14 10:30:24 [12046] squidGuard ready for requests (1197624624.421)

2007-12-14 10:30:24 [12046] squidGuard stopped (1197624624.423)

If everything is working as expected, we can configure Squid to use squidGuard as the redirector, by editing a few parameters in the /etc/squid/squid.conf file.

/etc/squid/squid.conf
# Path to the redirector program
url_rewrite_program /usr/local/bin/squidGuard

# Number of redirector processes to spawn
url_rewrite_children 5

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_access deny localhost

and reload Squid configuration:

# squid -k reconfigure


--------------------------------------------------------------------------------
Previous Up Next Home The Squid and the Blowfish
Previous: 3. Further Squid configuration Up: Table of contents Next: 5. Virus scanning with SquidClamav

5. Virus scanning with SquidClamav

The Squid and the Blowfish
Previous: 4. Content filtering with SquidGuard Up: Table of contents Next: 6. Ad Zapping with AdZapper 
--------------------------------------------------------------------------------

5. Virus scanning with SquidClamav
SquidClamav is a ClamAV antivirus redirector for Squid. It will help us filter out malicious software from web traffic.

5.1 Installation
We already covered the installation procedure of the Clam AntiVirus in a previous document, so we won't dwell on this topic now and proceed directly to the installation of SquidClamav. We will assume that ClamAV resides on the same machine as Squid, though you may wish to create a separate antivirus server, possibly serving both the cache and the mail servers.

SquidClamav relies on the cURL library to download the files to scan, so we need to add the following packages first:

gettext-x.x.x.tgz 
libidn-x.x.tgz 
curl-x.xx.x.tgz 
Then we can download, extract and compile the SquidClamav tarball:

$ tar -zxvf squidclamav-x.x.tar.gz
[...]
$ cd squidclamav
$ env LDFLAGS=-L/usr/local/lib/ CPPFLAGS=-I/usr/local/include/ ./configure
[...]
$ make
[...]
$ su
Password:
# make install
[ ... ]
# cp squidclamav.conf.dist /etc/squidclamav.conf
# touch /var/log/squidclamav.log
# chown _squid /var/log/squidclamav.log

5.2 Configuration
The configuration file is /etc/squidclamav.conf. SquidClamav can be configured to scan or ignore requests based on regular expressions. The regex and regexi keywords allow you to specify the files you want to scan (the former is case-sensitive while the latter is not). E.g:

# Check against the ClamAV antivirus all files with case insensitive
# extension .exe, .com or .zip
regexi ^.*\.exe$
regexi ^.*\.com$
regexi ^.*\.zip$

The abort and aborti keywords, instead, tell SquidClamav to skip checking files matching specific paterns. You may also use the whitelist keyword to ignore a given URL or domain. E.g.:

# Don't virus scan .gif, .png and .jpg images and .html and .htm documents
aborti ^.*\.gif$
aborti ^.*\.png$
aborti ^.*\.jpg$
abort ^.*\.html$
abort ^.*\.htm$

# Don't virus scan trusted web sites
whitelist www.kernel-panic.it

The content keyword allows virus scanning based on the request content type. E.g.:

# Scan all files with a media type of "application"
content ^.*application\/.*$

Below is a sample configuration file:

/etc/squidclamav.conf
# IP address and port of the Squid proxy
proxy http://127.0.0.1:3128/

# Path to the log file
logfile /var/log/squidclamav.log

# URL where to redirect a request when a virus is found. SquidClamav will
# append the original URL and the virus name to this URL.
redirect http://www.kernel-panic.it/viruswarn.php

# Timeout when downloading files
timeout 60

# Set this to '1' for more verbose logging
debug 0

# Set this to '1' to force virus scan of URLs whose content-type can't be
# determined by libcurl
force 1

# Set this to '1' to show time statistics of URL processing
stat 0

# IP address and port of the clamd daemon
clamd_ip 127.0.0.1
clamd_port 3310
# Uncomment if you're using the unix socket to communicate with clamd
#clamd_local /tmp/clamd

# Check rules
aborti ^.*\/cgi-bin\/.*$
aborti ^.*\.pdf$
aborti ^.*\.html$
aborti ^.*\.css$
aborti ^.*\.xml$
regexi ^.*\.exe
regexi ^.*\.zip
regexi ^.*\.gz
content ^.*application\/.*$
whitelist www.kernel-panic.it

# Call another redirector (usually squidGuard) before the antivirus scanner
squidguard /usr/local/bin/squidGuard

As you can see, the squidguard parameter allows you to chain SquidClamav with another redirector, typically squidGuard; the chained program is called before the antivirus scanner.

Now we only have to modify the value of the url_rewrite_program parameter in Squid's configuration file:

/etc/squid/squid.conf
url_rewrite_program /usr/local/bin/squidclamav

and reload Squid.

# squid -k reconfigure

Note: to scan a file, SquidClamav needs to download it first; so make sure your Squid ACLs allow localhost to access the web:

/etc/squid/squid.conf
http_access allow localhost

You can check that everything is working fine by trying to download the Eicar anti-virus test file. In the log file, you should get something like:

/var/log/squidclamav.log
[...]
Fri Dec 14 19:26:49 2007 [29028] DEBUG received from Clamd: stream: Eicar-Test-Signature FOUND
Fri Dec 14 19:26:49 2007 [29028] LOG Redirecting URL to: http://www.kernel-panic.it/viruswarn.php?
url=http://www.eicar.org/download/eicar.com.txt&source=192.168.1.14/-&user=-&virus=stream:+
Eicar-Test-Signature+FOUND
Fri Dec 14 19:26:49 2007 [29028] DEBUG End reading clamd scan result.
Fri Dec 14 19:26:49 2007 [29028] DEBUG Virus found send redirection to Squid.


--------------------------------------------------------------------------------
Previous Up Next Home The Squid and the Blowfish
Previous: 4. Content filtering with SquidGuard Up: Table of contents Next: 6. Ad Zapping with AdZapper