# squid, dansguardian and shorewall

## thecooptoo

I want to test the above prior to putting it on my sister's network (kids aged 12 and 9).

I've got squid running on my server and can connect through it by pointing a client browser at 192.168.0.1:3128, and `tail -f /var/log/....` shows the access.

I'm not clear on the relationship between squid and dansguardian and possible config changes in shorewall.

Trying to start dansguardian I get

```
grenada ~ # /etc/init.d/dansguardian start
 * Starting DansGuardian ...
Error connecting to parent proxy
```

I'm confused about the order of stuff.

Does it go

client -> DG -> Squid -> shorewall -> www

so in DG.conf the listening port will be the one the browser is pointing at?

How do I tell DG to pass the stuff on to Squid (both on localhost)?

And how do I tell squid to listen to the stuff coming out of DG?

And what then goes in shorewall (same machine)? Currently it's letting all tcp port 80 connections through:

```
ACCEPT  all             all             tcp     80
```

Do I block 80 and only let through stuff from fw (i.e. coming out of squid) on port ????

To save reconfiguring all browsers I *think* I can use shorewall to redirect lan:80 to localhost:DG port

and then add a config to let connections from localhost through?

Once I've got in my mind how the 3 will go together I may not waste as many hours. I couldn't find a howto.

----------

## bexamous2

Well, I don't know about shorewall but it should go client -> dg -> squid -> internet somehow.

To set up DG edit /etc/dansguardian/dansguardian.conf

It is pretty well documented but the important changes are:

filterip = 192.168.0.1 (or empty and it will listen on all ips)

filterport = 3129 (or any port you choose)

proxyip = 192.168.0.1 (where squid is running)

proxyport = 3128 (squid's port)

Now clients should connect to 192.168.0.1:3129 (DG's port).

You can watch /var/log/dansguardian/access.log and see all connections from clients,

and also watch /var/log/squid/access.log, where you will see connections from localhost, not the client.

There are a lot of other DG settings related to filtering; I forget how I set it up.

One thing you might want to do with squid is block any connections other than 192.168.0.1/localhost, so users cannot bypass DG and connect directly to squid.

I would go through DG's conf files, there are 2 I believe; they are well documented and have tons of settings you can change about what to block.
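bexamous2's last point, locking squid down so the LAN can only reach it through DansGuardian, comes down to the order of `http_access` lines in squid.conf. The following is an added example, not code from the thread, from squid or from DansGuardian: a small model of squid's first-match `http_access` walk, run over two constructed `squid.conf` fragments patterned on the squid 2.5 defaults. `WEAK_SQUID_CONF` keeps the usual `allow our_networks`, so any LAN host can point a browser at 192.168.0.1:3128 and skip the filter; `HARDENED_SQUID_CONF` replaces it with an ACL (named `dansguardian` here, my choice) for the address DansGuardian connects from (its `proxyip`, 192.168.0.1) plus localhost, and denies everything else. Only `src`, `port` and `method` ACLs are modelled; other ACL types are assumed never to match, which is conservative for this question.

```python
"""Model of squid's http_access evaluation for a given client source address.

Added example; a model of squid's first-match rule walk, not squid's own code.
Only the ACL types needed here (src, port, method) are implemented; any other
type (proto, dst, urlpath_regex, ...) is treated as non-matching.
"""
import ipaddress

# Constructed squid.conf fragments modelled on the squid 2.5 default config.
# WEAK: every LAN host may use the cache directly, so a client can point its
# browser at 192.168.0.1:3128 and skip DansGuardian entirely.
WEAK_SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777 901
acl CONNECT method CONNECT
acl our_networks src 192.168.0.0/24
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access allow localhost
http_access deny all
"""

# HARDENED: only DansGuardian's outgoing address (proxyip in dansguardian.conf,
# 192.168.0.1 here; ACL name 'dansguardian' is an assumption) and localhost may
# talk to squid; the rest of the LAN is denied, so the only way to the cache is
# through the filter on port 3129.
HARDENED_SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl dansguardian src 192.168.0.1/32
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777 901
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow dansguardian
http_access allow localhost
http_access deny all
"""


def parse_squid_conf(text):
    """Return ({acl_name: (type, [values])}, [(allow?, [terms])]) from squid.conf text."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4:
            name, acl_type, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, (acl_type, []))[1].extend(values)  # squid merges same-name lines
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1] == "allow", parts[2:]))
    return acls, rules


def _acl_matches(acl, src, dport, method):
    acl_type, values = acl
    if acl_type == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    if acl_type == "port":
        for v in values:
            lo, _, hi = v.partition("-")              # single port or "lo-hi" range
            if int(lo) <= dport <= int(hi or lo):
                return True
        return False
    if acl_type == "method":
        return method.upper() in {m.upper() for m in values}
    return False  # assumption: unmodelled ACL types never match


def squid_decision(conf_text, src, dport=80, method="GET"):
    """First http_access line whose ACL terms all match decides; if no line
    matches, squid applies the opposite of the last line's action."""
    acls, rules = parse_squid_conf(conf_text)
    for allow, terms in rules:
        for term in terms:
            negated = term.startswith("!")
            matched = _acl_matches(acls[term.lstrip("!")], src, dport, method)
            if matched == negated:      # term fails: no match, or a match that was negated
                break
        else:
            return "allow" if allow else "deny"
    if rules:
        return "deny" if rules[-1][0] else "allow"
    return "allow"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SQUID_CONF), ("hardened", HARDENED_SQUID_CONF)):
        for client in ("192.168.0.12", "192.168.0.1", "127.0.0.1"):
            print(f"{label:9s} {client:14s} -> {squid_decision(conf, client)}")
```

The weak config allows 192.168.0.12 straight in; the hardened one denies it while still allowing 192.168.0.1, the address squid's log shows DansGuardian coming from when `proxyip = 192.168.0.1`. That is the catch with "localhost only" advice: the allowed source has to be whatever address DansGuardian actually connects from, so either add a host ACL as above or set `proxyip = 127.0.0.1` so the stock `localhost` ACL covers it.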

----------

## thecooptoo

```
grenada dansguardian # grep ^[A-Za-z0-9] /etc/squid/squid.conf
http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl our_networks src 192.168.0.0/24
http_access allow our_networks
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
cache_effective_user squid
cache_effective_group squid
forwarded_for off
coredump_dir /var/cache/squid

grenada dansguardian # grep ^[A-Za-z0-9] /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = on
logfileformat = 1
filterip =192.168.0.1
filterport=3129
proxyip = 192.168.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off
grenada dansguardian #
```

and `tail -f /var/log/.../access.log` shows that a browser pointed at 192.168.0.1:3128 goes to squid and 192.168.0.1:3129 goes to DG :D

Default shorewall:

```
ACCEPT  all             all             tcp     80
```

However when I change shorewall (same machine) to

```
REDIRECT       loc     3129            tcp     80
```

it goes through DG but fails at squid:

```
grenada dansguardian # tail -n2 /var/log/dansguardian/access.log
2005.12.16 16:41:37 - 192.168.0.12 http://www.dogpile.co.uk/  GET 1136
2005.12.16 16:41:38 - 192.168.0.12 http://www.dogpile.co.uk/favicon.ico  GET 1158
grenada dansguardian # tail -n2 /var/log/squid/access.log
1134751297.815      5 192.168.0.1 TCP_DENIED/400 1488 GET / - NONE/- text/html
1134751298.600      5 192.168.0.1 TCP_DENIED/400 1510 GET /favicon.ico - NONE/- text/html
grenada dansguardian #
```

Going directly to squid generates the same TCP_DENIED error:

```
1134751785.177      2 192.168.0.12 TCP_DENIED/400 1488 GET / - NONE/- text/html
```
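Reading the two access logs side by side is the quickest way to see where the chain breaks. Below is an added example (not from the thread, DansGuardian or squid) that parses the log lines posted above, plus one constructed DansGuardian line, and reports three things: squid entries with `TCP_DENIED/400` whose URL is only a path (`GET /`), which is what a redirected browser request looks like when it reaches a squid that is not set up for transparent proxying and so cannot rebuild the absolute URL; squid entries from any client other than the DansGuardian host or localhost, i.e. a browser that reached port 3128 directly rather than through the filter; and DansGuardian entries paired with a squid entry by second, method and path, which is the evidence that the chain actually carried the request. Assumptions: `DG_HOST` is the `proxyip` from the posted dansguardian.conf, and DansGuardian's timestamps are treated as UTC, which is what makes them line up with the epoch stamps in the posted squid lines.

```python
"""Cross-check DansGuardian and squid access logs for the client -> DG -> squid chain.

Added example, not from the thread or either project. Parses dansguardian
logfileformat = 1 lines and squid's native access.log lines and reports
origin-form 400s, direct-to-squid clients, and DG/squid entry pairs.
"""
import calendar
from urllib.parse import urlsplit

DG_HOST = "192.168.0.1"                 # proxyip in dansguardian.conf: squid sees DG from here
TRUSTED_CLIENTS = {DG_HOST, "127.0.0.1"}

# First two DG lines and all three squid lines are the ones posted in the thread;
# the third DG line is constructed, to show an entry with no squid counterpart.
DG_LOG = """\
2005.12.16 16:41:37 - 192.168.0.12 http://www.dogpile.co.uk/  GET 1136
2005.12.16 16:41:38 - 192.168.0.12 http://www.dogpile.co.uk/favicon.ico  GET 1158
2005.12.16 16:42:05 - 192.168.0.12 http://www.example.org/page  GET 2048
""".splitlines()

SQUID_LOG = """\
1134751297.815      5 192.168.0.1 TCP_DENIED/400 1488 GET / - NONE/- text/html
1134751298.600      5 192.168.0.1 TCP_DENIED/400 1510 GET /favicon.ico - NONE/- text/html
1134751785.177      2 192.168.0.12 TCP_DENIED/400 1488 GET / - NONE/- text/html
""".splitlines()


def parse_dg(line):
    """dansguardian logfileformat 1: date time user client url [reason...] method size."""
    f = line.split()
    y, mo, d = (int(x) for x in f[0].split("."))
    h, mi, s = (int(x) for x in f[1].split(":"))
    epoch = calendar.timegm((y, mo, d, h, mi, s))   # assumption: DG log time is UTC
    return {"epoch": epoch, "client": f[3], "url": f[4],
            "path": urlsplit(f[4]).path or "/", "method": f[-2], "size": int(f[-1])}


def parse_squid(line):
    """squid native format: time elapsed client result/status bytes method url ident hier type."""
    f = line.split()
    result, status = f[3].split("/")
    url = f[6]
    return {"epoch": int(float(f[0])), "client": f[2], "result": result,
            "status": int(status), "method": f[5], "url": url,
            "path": url if url.startswith("/") else (urlsplit(url).path or "/")}


def analyse(dg_lines, squid_lines):
    """Return findings keyed by category; each DG entry is paired with the squid entry
    from DG_HOST that has the same method and path within one second, or None."""
    dg = [parse_dg(l) for l in dg_lines]
    sq = [parse_squid(l) for l in squid_lines]
    findings = {"origin_form_400": [], "bypass": [], "paired": [], "unpaired_dg": []}
    for e in sq:
        if e["status"] == 400 and e["url"].startswith("/"):
            findings["origin_form_400"].append(e)     # redirected request, squid not transparent
        if e["client"] not in TRUSTED_CLIENTS:
            findings["bypass"].append(e)              # browser reached squid without DG
    for d in dg:
        match = next((e for e in sq if e["client"] == DG_HOST and e["method"] == d["method"]
                      and e["path"] == d["path"] and abs(e["epoch"] - d["epoch"]) <= 1), None)
        (findings["paired"] if match else findings["unpaired_dg"]).append((d, match))
    return findings


if __name__ == "__main__":
    for key, items in analyse(DG_LOG, SQUID_LOG).items():
        print(f"{key}: {len(items)}")
```

With the posted lines, all three squid entries are origin-form 400s; the third one, from 192.168.0.12, is also a direct hit on squid, which the posted `http_access allow our_networks` lets in; and both DansGuardian entries pair with their squid entry to the second, so DG did hand the request on and the failure is on squid's side of the chain.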

----------

## bexamous2

Well, I'm not sure, but there are additional things you have to do to set up a transparent proxy (one where the client is unaware of it). Maybe someone else who knows can help more, but a start, taken from http://tldp.org/HOWTO/TransparentProxy.html, is in squid.conf:

* httpd_accel_host virtual

* httpd_accel_port 80

* httpd_accel_with_proxy on

* httpd_accel_uses_host_header on

There might be more settings you need to change but I don't know what, I've never tried.

----------

## bexamous2

http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

That is another how-to which is clearer, I believe...

It starts off

"How can I make my users' browsers use my cache without configuring the browsers for proxying?"

which is exactly what you want to do... Some of their things are for a more complex setup... I think those 4 lines might be all you need to add though.

----------

## thecooptoo

```
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
```

added to squid.conf seems to sort out the transparent proxying.

I've now got

client -> port 3129 -> dansguardian -> port 3128 -> squid -> www

Adding to shorewall/rules

```
REDIRECT    loc     3129    tcp     80    #dansguardian
```

and I don't need to change the client browser settings, and `tail /var/log/{squid|dansguardian}/access.log` watches connections from the browser.

BUT I'd like to bypass the filtering from one of the machines.

Adding

```
ACCEPT          loc:192.168.0.12        all     tcp     80
```

to shorewall/rules doesn't redirect connections from 192.168.0.12 to bypass DG/Squid.

Adding it to /etc/dansguardian/ipexceptionlist and restarting DG seems to work.

In testing the rest of squid,

http://squid-docs.sourceforge.net/latest/html/x922.html

makes reference to 'client' running on the router to test it. I can't find the program. Is it part of portage?
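On why the `ACCEPT loc:192.168.0.12` rule could not take that host out of the redirect: shorewall compiles REDIRECT into the nat table's PREROUTING chain and ACCEPT into the filter table, and PREROUTING runs before the routing decision, so by the time any filter rule is consulted the packet is already addressed to 192.168.0.1:3129 and bound for DansGuardian. The block below is an added example, a toy model of that traversal and not shorewall's compiler or netfilter, run over two constructed rule sets: the thread's attempt, and a variant that excludes the host from the REDIRECT itself (the `loc:!192.168.0.12` SOURCE exclusion is an assumption about the shorewall version in use; check shorewall-rules(5) before relying on it). It also models the companion ACCEPT that shorewall emits for the redirected port. The `exceptioniplist` route that worked in the thread is the other option and keeps that host's traffic going through DansGuardian and squid, so it still shows up in both logs.

```python
"""Why an ACCEPT rule cannot exempt a host from a shorewall REDIRECT.

Added example: a toy model of the netfilter path a LAN packet takes on the
router (nat PREROUTING, routing decision, filter INPUT/FORWARD), not
shorewall's own compiler. Rule sets are constructed for the thread's case.
"""
import ipaddress

FW_IP = "192.168.0.1"                              # the router, where DG and squid run
LAN = ipaddress.ip_network("192.168.0.0/24")       # shorewall's 'loc' zone

# Constructed rule sets in shorewall rules-file column order: ACTION SOURCE DEST PROTO DPORT.
RULES_ACCEPT_ATTEMPT = """
ACCEPT    loc:192.168.0.12  all   tcp  80   # the thread's attempt: lives in the filter table
REDIRECT  loc               3129  tcp  80   # dansguardian: lives in nat PREROUTING
"""
RULES_EXCLUDE = """
REDIRECT  loc:!192.168.0.12  3129  tcp  80  # SOURCE exclusion: assumption about shorewall version
ACCEPT    loc                net   tcp  80
"""


def _source_matches(src_spec, pkt_src):
    """Match 'loc', 'loc:a.b.c.d' or 'loc:!a.b.c.d' against the packet's source address."""
    zone, _, host = src_spec.partition(":")
    if zone != "loc" or ipaddress.ip_address(pkt_src) not in LAN:
        return False
    if not host:
        return True
    negated = host.startswith("!")
    return (pkt_src == host.lstrip("!")) != negated


def parse_rules(text):
    """Sort rules into the netfilter tables shorewall compiles them into, keeping file order."""
    nat, filt = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dest, proto, dport = line.split()[:5]
        rule = {"action": action, "src": src, "dest": dest, "proto": proto, "dport": int(dport)}
        (nat if action.startswith("REDIRECT") else filt).append(rule)
    return nat, filt


def trace(rules_text, pkt):
    """Walk one packet {'src','dst','proto','dport'} through nat then filter.
    Returns (final packet, list of decision steps)."""
    nat, filt = parse_rules(rules_text)
    pkt = dict(pkt)
    steps = []
    redirected = False
    # 1. nat PREROUTING, before routing: REDIRECT rewrites the destination to the router itself.
    for r in nat:
        if _source_matches(r["src"], pkt["src"]) and r["proto"] == pkt["proto"] and r["dport"] == pkt["dport"]:
            pkt["dst"], pkt["dport"], redirected = FW_IP, int(r["dest"]), True
            steps.append(f"nat/PREROUTING: REDIRECT to {FW_IP}:{pkt['dport']}")
            break
    # 2. routing decision on the (possibly rewritten) destination.
    chain = "INPUT" if pkt["dst"] == FW_IP else "FORWARD"
    steps.append(f"route: {chain}")
    # 3. filter table. shorewall's REDIRECT also emits the companion ACCEPT for the redirected
    #    port, so a redirected packet is accepted here regardless of any rules-file ACCEPT.
    verdict = "ACCEPT (companion rule of REDIRECT)" if redirected else "DROP (policy)"
    if not redirected:
        wants = "fw" if chain == "INPUT" else "net"
        for r in filt:
            if (_source_matches(r["src"], pkt["src"]) and r["dest"] in (wants, "all")
                    and r["proto"] == pkt["proto"] and r["dport"] == pkt["dport"]):
                verdict = r["action"]
                break
    steps.append(f"filter/{chain}: {verdict}")
    return pkt, steps


if __name__ == "__main__":
    for label, rules in (("ACCEPT attempt", RULES_ACCEPT_ATTEMPT), ("exclusion", RULES_EXCLUDE)):
        for client in ("192.168.0.12", "192.168.0.13"):
            final, steps = trace(rules, {"src": client, "dst": "203.0.113.10", "proto": "tcp", "dport": 80})
            print(f"{label:15s} {client}: {' -> '.join(steps)}")
```

In the first rule set 192.168.0.12 is redirected to port 3129 no matter where the ACCEPT sits in the file, because the nat table is consulted first. The exclusion variant forwards that host's port-80 traffic straight out, with neither DansGuardian nor squid ever seeing it, which is a stronger bypass than the exception list; for a network run for children that is worth deciding deliberately rather than by accident.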

----------

## bexamous2

Try /usr/bin/squidclient; I believe that is the client program they talk about.

----------

