
#1 2009-03-25 09:00:22

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

firewall, proxies, filtering... a few server questions

Hi everyone,

I recently turned an old computer into a firewall/server. At the moment it uses shorewall for firewall and dnsmasq as a server for DNS resolution.

I'd like to use it as a proxy as well (mainly for privacy and filtering, but also for caching).

1) Proxies
I checked out Squid on the wiki, it looks nice but a bit harsh to configure, it takes a long time to start and even longer to stop (my server is turned on/off once or twice a day). So I'd like to find something lighter.

Privoxy looks nice, but it does not support caching. I've read many times it's quite slow as well. Is it true from your experience?
Polipo proxy has a caching feature. I suppose it would be nonsense to stack several proxies (Privoxy + Polipo...) in order to get their features, wouldn't it?

2) DNS look up
When it comes to DNS resolution, I already use dnsmasq, but I have the feeling that its functionalities are somewhat redundant with those of Squid, Privoxy, etc. Would you advise to keep dnsmasq or let the proxy manage DNS resolution (and DNS cache)?

3) Blocklist (blacklist)
Eventually, I'd like to implement a blocklist such as the ones that can be found for P2P. What would you recommend?
The firewall could take care of that, but I've read shorewall isn't meant to handle big blacklists (http://www.shorewall.net/blacklisting_support.htm). I've read about moblock which seems to do just what I'm looking for, but it uses iptables (so does shorewall), and I fear some incompatibility may occur between the two of them.

Thanks for sharing your experiences/points of view.


what goes up must come down


#2 2009-03-25 11:18:33

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: firewall, proxies, filtering... a few server questions

I can only speak from my experience, but...

brazzmonkey wrote:

I checked out Squid on the wiki, it looks nice but a bit harsh to configure, it takes a long time to start and even longer to stop (my server is turned on/off once or twice a day). So I'd like to find something lighter.

I use Squid and don't really have any complaints about its speed. It's certainly not lightning, but I don't think I'm ever sitting around going "hurry up". Then again, my proxy runs 24/7 too...

brazzmonkey wrote:

2) DNS look up

If you have no real need for it (like being a master for your own internal zone such as brazz.local or something), just use your ISP's and let Squid / the proxy cache it.

brazzmonkey wrote:

Eventually, I'd like to implement a blocklist such as the ones that can be found for P2P. What would you recommend?

You can use the Redirector feature of Squid to pass off to an external 'rating' engine.
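As an added illustration of the redirector idea above (this is not code from the thread or from the Squid project), here is a small helper in the classic Squid redirector protocol: Squid hands each request to the helper as one line on stdin ("URL client_ip/fqdn ident method ..."), and the helper answers with one line on stdout, either empty (leave the URL alone) or a replacement URL; a "302:" prefix asks Squid to send the client an HTTP redirect rather than fetching the new URL itself. It is wired in with a `url_rewrite_program /path/to/blockredir.py` line in squid.conf. The blocklist, the block page URL and the client addresses are constructed sample values.

```python
#!/usr/bin/env python3
"""Minimal Squid redirector that sends requests for blocklisted hosts to a
local block page (example helper, not part of Squid).

Classic redirector protocol (Squid 2.6 / 3.x): one request per line on
stdin, one answer per line on stdout. An empty answer means "no change".
"""
import sys
from urllib.parse import urlsplit

# Constructed sample blocklist: a host matches if it equals one of these
# names or is a subdomain of one of them.
BLOCKED_DOMAINS = {"ads.example", "tracker.example.net"}

# Hypothetical block page served by a web server on the gateway itself.
BLOCK_PAGE = "http://192.168.1.1/blocked.html"


def host_from_url(url):
    """Extract the hostname Squid is being asked for."""
    if "://" in url:
        try:
            return (urlsplit(url).hostname or "").lower()
        except ValueError:          # e.g. malformed IPv6 literal
            return ""
    # CONNECT requests arrive as a bare "host:port" with no scheme.
    return url.rsplit(":", 1)[0].lower()


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host or any of its parent domains is in the blocklist."""
    parts = host.rstrip(".").split(".")
    # Walk a.b.c -> a.b.c, b.c, c so subdomains of a listed name match too.
    for i in range(len(parts)):
        if ".".join(parts[i:]) in blocked:
            return True
    return False


def rewrite_line(line, blocked=BLOCKED_DOMAINS, block_page=BLOCK_PAGE):
    """Compute the one-line answer for one request line from Squid."""
    fields = line.strip().split()
    if not fields:
        return ""                       # blank/malformed input: pass through
    host = host_from_url(fields[0])
    if host and host_is_blocked(host, blocked):
        return "302:" + block_page      # redirect the client to the block page
    return ""                           # empty answer = leave URL unchanged


def main():
    # Squid waits for each answer before sending the next request, so the
    # output must be flushed after every line.
    for line in sys.stdin:
        sys.stdout.write(rewrite_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

The check walks parent domains so that listing `ads.example` also catches `cdn.ads.example`, but not `notads.example`. Squid 3.4 and later introduced a newer "OK"/"ERR" reply format for rewrite helpers; the empty-line/URL replies used here are the older format that those versions still accept.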


#3 2009-03-25 12:20:41

silvik
Member
From: Bucharest/Romania
Registered: 2006-11-08
Posts: 110

Re: firewall, proxies, filtering... a few server questions

Privacy and caching don't really go well together... do you really need caching? Caching works on busy networks, with many clients connected to the same proxy. For a home network I doubt that caching will improve something... internet connections are fast these days. For privacy and filtering I'd use privoxy, it was built for that.

1) A few months ago I used polipo http://aur.archlinux.org/packages.php?ID=14579 for bypassing some firewall restrictions and it worked ok for me. Simple, fast, easy to configure. If I remember well you can tweak the settings to get stealthier, but if you go too far some sites won't work.
2) Doesn't really matter... in both cases the DNS queries will point at you. If you want them to point at the proxy you have to use a SOCKS proxy, not an HTTP one (check this, I'm not a guru).
3) moblock is what you want. Probably any iptables frontend will reset previous rules, so you may end up writing your own fw script. Just for bittorrent you can use the bluetack block list (I use it in ktorrent).
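Whichever backend ends up enforcing the P2P-style blocklist (moblock, a hand-written iptables script, or shorewall's blacklist file, which the original post notes is not meant for big lists), the list first has to be turned into address blocks a packet filter understands. The following is an added example, not code from this thread or from any of those projects: it parses the PeerGuardian ".p2p" text format ("description:first-last", one range per line), converts each range into CIDR blocks, and collapses overlapping blocks so the resulting rule count is as small as possible. The sample list, names and addresses are constructed for the example.

```python
#!/usr/bin/env python3
"""Convert a PeerGuardian-style .p2p blocklist into a minimal list of CIDR
blocks (example code, not part of moblock or shorewall)."""
import ipaddress

# Constructed sample input in .p2p format: "name:first-last". Names may
# themselves contain ':' so the range is taken from the last colon.
SAMPLE_P2P = """\
# comment lines and blank lines are ignored

Bogus Ad Network:203.0.113.0-203.0.113.255
Bogus Ad Network, part 2:203.0.113.128-203.0.114.3
Example tracker:198.51.100.7-198.51.100.7
this line has no range and is skipped
Reversed range is skipped:198.51.100.9-198.51.100.8
"""


def parse_p2p(text):
    """Yield (name, first, last) for each well-formed IPv4 range line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, rng = line.rpartition(":")
        if not sep or "-" not in rng:
            continue                      # no "name:range" structure
        first, last = rng.split("-", 1)
        try:
            a = ipaddress.IPv4Address(first.strip())
            b = ipaddress.IPv4Address(last.strip())
        except ipaddress.AddressValueError:
            continue                      # not two valid IPv4 addresses
        if a > b:
            continue                      # reversed range, treat as malformed
        yield name, a, b


def p2p_to_cidrs(text):
    """Return the blocklist as a sorted, non-overlapping list of CIDR strings.

    Each first-last range becomes one or more CIDR blocks; overlapping or
    adjacent blocks are merged, which is what keeps the rule count down."""
    nets = []
    for _, a, b in parse_p2p(text):
        nets.extend(ipaddress.summarize_address_range(a, b))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def main():
    # One CIDR per line: the ADDRESS column of a shorewall blacklist file,
    # or the argument to "iptables -s <cidr>" in a hand-written script.
    for cidr in p2p_to_cidrs(SAMPLE_P2P):
        print(cidr)


if __name__ == "__main__":
    main()
```

In the sample, the second "Bogus Ad Network" range overlaps the first, so its 203.0.113.128/25 half disappears into the existing /24 and only the 203.0.114.0/30 tail survives; a real list of many thousands of ranges shrinks noticeably the same way. Counting the output lines before loading them is a quick way to judge whether the list is still small enough for the shorewall blacklist mechanism or needs a dedicated tool like moblock.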


#4 2009-03-25 15:58:49

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: firewall, proxies, filtering... a few server questions

Apache can act as a caching proxy.  I haven't used it for that in quite some time ( the 1.3.x series iirc ) but it's worth a look anyway.
For DNS, I would personally keep dnsmasq, especially since it's reasonably light on resources.  I would think it may speed up name resolution on the host, if not directly on any proxy "client" machines.  And it's easy enough to disable, then check performance of any machines.


#5 2009-03-25 21:48:36

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: firewall, proxies, filtering... a few server questions

First of all, thanks to the 3 of you.
Right now I'm still using dnsmasq, and I decided to give privoxy a shot. It's quite nice, even though it took me some time to get it working with shorewall. I still have to find out how I can use privoxy when I browse the Internet from my server computer (privoxy is effective when browsing from my LAN, not from my server).
As silvik mentioned, I'm not sure that caching is really relevant on a small home network (3-4 computers, more like 2 actually used simultaneously). So I probably won't implement caching right now (but maybe I'll try polipo in the near future).
I need to investigate how moblock could work in combination with shorewall.


what goes up must come down


#6 2009-03-25 23:19:33

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,217

Re: firewall, proxies, filtering... a few server questions

silvik wrote:

for a home network i doubt that caching will improve something...

My girlfriend spends far too much time on Facebook. Implementing caching had a noticeable effect on my monthly traffic usage (which matters in Australia where we still have monthly limits).


#7 2009-03-26 08:04:33

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: firewall, proxies, filtering... a few server questions

No doubt it helps for bandwidth usage, but my concern is more about speed.


what goes up must come down


#8 2009-03-26 13:04:55

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529

Re: firewall, proxies, filtering... a few server questions

Hey brazz.  I wrote the dnsmasq wiki so if it's set up correctly you'll have DNS caching.  DNS caching is a good feature for busy DNS servers and I think it helps quite a bit.  I've used privoxy before but I don't recommend it.  Every URL in a webpage (and all their redirects) has to get processed and even on a fast computer it's not too fast.  The best thing you can do to keep your network secure is a good firewall.  I've used shorewall before but firewalling is really for experts.  To get a good firewall you should follow a good guide from someone who knows what they are doing.


Setting Up a Scripting Environment | Proud donor to wikipedia - link


#9 2009-03-26 13:58:45

brazzmonkey
Member
From: between keyboard and chair
Registered: 2006-03-16
Posts: 818

Re: firewall, proxies, filtering... a few server questions

Yes, dnsmasq is quite nice. I don't know if DNS caching is really efficient, but it surely does no harm. My primary use for dnsmasq is as a DHCP server. Thanks for your wiki article btw.
I'm concerned about privoxy performance: it does the job, but my own experience is too short to criticize its speed (my server is quite old, but so far speed seems decent - although there might be a little latency for complex webpages).
I consider my firewall to be properly set up, although you can never be 100% sure with that kind of thing. Shorewall is much easier to set up than iptables scripts, and I guess that for the average Joe (read: me), it is less prone to configuration errors.


what goes up must come down


#10 2009-03-26 16:08:25

Gen2ly
Member
From: Sevierville, TN
Registered: 2009-03-06
Posts: 1,529

Re: firewall, proxies, filtering... a few server questions

Yeah, I like shorewall too, there are lots and lots of things though; I didn't hear about firewall breaches until I got a basic one up.  A lot of firewall programs expect a person to make a firewall from square one.  I like arno's firewall in AUR, from a guy who's had some experience doing firewalls.


Setting Up a Scripting Environment | Proud donor to wikipedia - link
