Installing and Configuring the Smoothwall Proxy

by admin
What is Smoothwall?
Smoothwall is a router OS that comes with a range of features, including a web GUI used to control the entire configuration.
Things to note:
1. First, let's agree on the network topology (chosen because most internet cafes in Lamongan use a simple topology like this one):
| Inet/Cloud |---| Modem/Wireless Radio |---| Smoothwall |---| Switch |---| LAN |
2. The computer that will be used as the web proxy should have at least 256 MB of memory; more is better, and 1 GB is recommended. The processor is not very significant. For the hard disk, SATA or SCSI is preferable, because for the Squid web proxy the performance and speed of the hard disk largely determine the "speed effect" that clients see when browsing. If no SATA or SCSI disk is available, a PATA hard disk will have to do.
3. Download the ISO from smoothwall
Next, the installation:
After the Smoothwall ISO has been downloaded, burn it to a CD.
Set the BIOS of the computer on which Smoothwall will be installed to boot from the CD-ROM first, then insert the Smoothwall CD.
The initial Smoothwall installation screen:
After pressing ENTER, the following appears:
Then press OK, and press Enter twice, after which the following appears…
If you have installed Smoothwall before and saved a backup of its configuration to a floppy disk, insert the backup floppy disk and press Yes when the screen below appears.
If this is your first Smoothwall installation, just press No.
Then choose the keyboard mapping and enter a name for your Smoothwall (the hostname). The next step is to choose the "security policy". Choose Half-Open to block unsafe ports from the internet using Smoothwall's defaults, or, if you are confident you can do the configuration yourself, choose open.
Next comes the choice of Smoothwall topology:
choose green (LAN) + red (WAN)
A confirmation screen for changing the network configuration then appears.
Click OK, then run a probe to detect your network cards automatically.
Once all network cards have been detected, assign their IP addresses.
In my case the IP for GREEN is 192.168.0.20/255.255.255.0 and for RED 192.168.1.11/255.255.255.0
Then ….
Enter the DNS server and the default gateway. For the default gateway, enter the IP of the MODEM (in my case 192.168.1.1). For DNS you can also use the MODEM's IP, to reduce the number of DNS requests so that they do not generate too much traffic.
Next, the following screen appears…
Configure this according to your needs; most of it is not required, except the DHCP server. If you have no special configuration, just choose Finished.
Enter the password you want to use to access Smoothwall through a web browser (user: admin).
Enter the password you want to use to access Smoothwall through a terminal (user: root).
The installation is complete; remove the installation CD and choose OK to reboot.
Prepare the tools below to tune the Smoothwall proxy:
1. WinSCP (ask Google or Bing)
2. PuTTY (ask Google or Bing)
3. Adv-Proxy (click here)
Basic Setup:
1. Log in to the web GUI from a browser by entering the address ip_smoothwall:81. Enter the username admin and the password (as set during installation).
2. Choose the menu service ==> remote access, tick the ssh box, then save.
3. Choose the menu Maintenance ==> Update; this is used to patch Smoothwall bugs. Click Update to apply the patches.
4. After the update has finished, reboot. To do so, click the shutdown menu and choose reboot.
5. After the reboot has finished, log in to the web GUI again and go to the menu service ==> webproxy. Leave the defaults and click save.
6. Close the web GUI.
Installing Advanced Proxy:
1. Make sure you have downloaded all of the tools, then upload the Adv-Proxy file to Smoothwall with WinSCP (change port 22 to 222 in WinSCP). To keep things simple, just upload it to the /tmp directory.
2. Log in to the Smoothwall console with PuTTY and, once logged in, run the commands below:
cd /tmp
tar -xzf swe3-32-advproxy-3.0.3.tar.gz
cd smoothwall-advproxy
./install
3. When the process has finished, log in to the web GUI again and see that the web proxy menu has changed to advanced proxy.
Adjust the ticked options (see the picture above). For the proxy port you can use 8080 or 3128 (the standard ports for a web proxy; using another port is also fine, but for the sake of security it is better to use one of these two).
Other options to pay attention to:
memory cache size (MB) = 8
Minimal object size (KB) = 0
Hardisk cache size (MB) = 10000 (the hard disk I use is an 80 GB SATA, with 256 MB RAM)
Maximum object size (KB) = 128000
memory replacement policy = heap GDSF
cache replacement policy = heap LFUDA
(DO NOT SAVE YET)
4. Open WinSCP again. To make sure everything runs smoothly, use WinSCP to go to the /usr/etc/ directory, right-click an empty area, create a new link, and point that link at the file /var/smoothwall/proxy/squid.conf
5. Go back to the web GUI and, on the advanced proxy page, click save and restart.
6. Not required (but to be sure, reboot your Smoothwall)
Quoted from http://krangkang.blogspot.com (friends at KoslA)

Smoothwall

Configuring Squid

[This modification has been verified to work with Smoothwall Express 2.0.] 

This page describes how to filter web traffic using Squid ACLs, and also covers various other Squid configuration elements. Squid is the web proxy software used on Smoothwall.

Requirements:
You'll need: 

  • A Smoothwall Express 2.0 installation (obviously...).
  • A way of getting a command-line prompt on your Smoothwall box (either by logging directly onto your Smoothwall box, using an SSH client such as PuTTY or SSH Secure Shell, or via the Smoothwall web interface).

A Web Proxy?
Squid is the most popular web proxy software available, and Smoothwall comes with Squid pre-installed.

There are a number of reasons why you might want to use a web proxy:

Cache Web Page Content:
The primary purpose of a web proxy is to cache web content locally. This provides a number of benefits, including faster web browsing, and less bandwidth usage.
Whether you're using a dialup account or a fast ADSL account, reducing the amount of data that needs to be retrieved from the source webserver will provide you with a faster web browsing experience. This is particularly true if multiple users on your green network visit the same pages, or if you frequent a web-based forum or bulletin board, as all images will be cached by the proxy server.

Restrict Web Page Access:
If PCs on your green network are configured to use the web proxy, you can restrict access to specified sites, only allow access to specified sites, restrict PCs to only have web access during specified time periods, etc.

Block Advertisements:
If all web traffic is going through the web proxy, you can block advertisements that are displayed on web pages. For more information on doing this, see my page on Ad Zapping with Squid.
Blocking webpage advertisements can also provide additional benefits on slower internet connections, as the volume of data is reduced, due to the advertisements not being loaded from the originating webserver.
Updating multiple PCs from Microsoft's Windows Update site through a web proxy also means the patches are only downloaded once, and cached locally by the web proxy.

Monitor Web Sites Being Visited:
All web pages that are accessed through the web proxy are logged to the Squid access log. You can then use this data to monitor exactly which users are visiting which sites. See my Web Proxy Log Analysis Reports for more information on generating reports from the Squid access log.

Log Timestamp Correction:
The timestamps in the Squid access log on Smoothwall Express 2.0 are in GMT.
This is because the strict access permissions on the /var/smoothwall/ directory prevent Squid from reading the timezone information.

To correct this, and get Smoothwall's Squid access log using the local time for all timestamps, execute the following from a command prompt on your Smoothwall:

chmod 701 /var/smoothwall/
/usr/local/bin/restartsquid

This will adjust the permissions on /var/smoothwall/ and restart the web proxy to make the change take effect.

Using Smoothwall's Web Proxy:
Smoothwall's web proxy can be configured to run in transparent mode, or in non-transparent mode.

In transparent mode, all web traffic going through Smoothwall will automatically be redirected to go through the proxy, without requiring any proxy configuration in the web browsers on the PCs on your green network.
This effectively forces all web browsing from PCs on your green network to go through Smoothwall's web proxy.

In non-transparent mode, all web browsers on your green network must be configured to use Smoothwall's green IP address on port 800 as a web proxy.

If you want to use Smoothwall's web proxy as a way of blocking some websites and/or some users, you should run the web proxy in transparent mode, to ensure users are not bypassing the proxy.

Any user who is blocked by any ACLs which you configure will see a Squid error page, indicating that their web access is being blocked by Smoothwall.


the default access denied page

Editing the Config File:
Smoothwall's Squid configuration is stored in /var/smoothwall/proxy/squid.conf.
However, you should never edit this file directly, as it's re-written each time changes are made to the web proxy configuration, or the proxy is restarted through the web interface.

Instead, you should always add your new configuration to /var/smoothwall/proxy/acl.

Applying Your Changes:
Any changes made to this file will take effect when you restart the web proxy through Smoothwall's web interface. This will cause Smoothwall to re-write /var/smoothwall/proxy/squid.conf, and include the contents of /var/smoothwall/proxy/acl.

As with any modifications to your Smoothwall, make a backup copy of this file before making any changes to it, so you can easily revert back to a known working version.

Only Allow Specific PCs:
If you only want to allow some PCs to use Smoothwall's web proxy, you can add one or more ACLs to limit this access.

Edit /var/smoothwall/proxy/acl, and before the line containing

http_access deny all

insert the following lines:

acl ok_users src 192.168.0.2
acl ok_users src 192.168.0.3
http_access allow ok_users

and add another acl line for each PC you want to allow.
You'll also need to comment out the following line (it's the second last line):

http_access allow localnet

by inserting a # character at the beginning of the line.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Block Specific Sites:
To block access to specific websites, edit /var/smoothwall/proxy/acl, and just before the line containing

http_access allow localnet

insert the following lines:

acl blocked_sites url_regex www.xxx.com
acl blocked_sites url_regex www.yyy.com
acl blocked_sites url_regex www.zzz.com
http_access deny blocked_sites

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Note that if you have a longer list of sites you want to block, it may be easier to list the websites in a text file, and then just reference the text file in the Squid configuration file.

Assuming you have created a text file called /var/smoothwall/proxy/badsites.txt, containing a single URL on each line, use the following in /var/smoothwall/proxy/acl:

acl blocked_sites url_regex "/var/smoothwall/proxy/badsites.txt"
http_access deny blocked_sites

If you make any changes to the contents of /var/smoothwall/proxy/badsites.txt, you'll need to restart the web proxy to make your changes take effect.

Time Restrictions:
You can also use Squid ACLs to restrict web browsing to specific times.

To allow a specific PC on your green network to only access the web during lunchtime on weekdays, edit /var/smoothwall/proxy/acl, and immediately before the line containing

http_access allow localnet

insert the following:

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
http_access allow clients lunchtime
http_access deny clients

where the following day abbreviations can be used:
S    Sunday
M    Monday
T    Tuesday
W    Wednesday
H    Thursday
F    Friday
A    Saturday

Note that all times need to be in GMT, as Smoothwall's Squid is configured to only use GMT (all logs are timestamped with GMT times too).

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.
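
The ACL sections above (allowing specific PCs, blocking sites, time restrictions) all rely on Squid checking http_access lines from top to bottom and acting on the first line whose ACLs all match, which is why each snippet is inserted before "http_access allow localnet". The Python model below is an added example, not part of the original page and not Squid's own code; it covers only the src, time and url_regex ACL types, and the "all"/"localnet" definitions, the function names and the sample requests are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime
DAYS = "MTWHFAS"  # Squid day codes, in datetime.weekday() order (Monday = 0)
# Constructed sample; the "all" and "localnet" definitions are assumptions.
ACLS = """acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
acl blocked_sites url_regex www.xxx.com
"""
CUSTOM = ["http_access allow clients lunchtime", "http_access deny clients",
          "http_access deny blocked_sites"]
# GOOD: custom rules before "allow localnet", as the page instructs. BAD: after it.
GOOD = ACLS + "\n".join(CUSTOM + ["http_access allow localnet", "http_access deny all"])
BAD = ACLS + "\n".join(["http_access allow localnet"] + CUSTOM + ["http_access deny all"])

def parse(conf):
    """Collect acl and http_access lines (src, time, url_regex ACL types only)."""
    acls, rules = {}, []
    for tok in (line.split() for line in conf.splitlines()):
        if tok[:1] == ["acl"]:
            acls.setdefault(tok[1], []).append((tok[2], tok[3:]))  # same name: OR'ed
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(entries, ip, url, when):
    addr = ipaddress.ip_address(ip)
    for kind, args in entries:
        if kind == "src":
            hit = any(addr in ipaddress.ip_network(a, strict=False) for a in args)
        elif kind == "url_regex":
            hit = any(re.search(a, url) for a in args)  # unescaped "." matches any char
        else:  # "time": day codes, then HH:MM-HH:MM (GMT on Smoothwall, per the page)
            start, end = args[1].split("-")
            hit = DAYS[when.weekday()] in args[0] and start <= when.strftime("%H:%M") <= end
        if hit:
            return True
    return False

def decide(conf, ip, url, when):
    """Return 'allow' or 'deny': the first http_access line whose ACLs all match wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n], ip, url, when) for n in names):
            return action
    # Nothing matched: Squid applies the opposite of the last rule's action.
    return "allow" if rules[-1][0] == "deny" else "deny"

if __name__ == "__main__":
    afternoon = datetime(2024, 1, 3, 15, 0)  # constructed: a Wednesday, 15:00 GMT
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, decide(conf, "192.168.0.3", "http://example.org/", afternoon))
```

With the rules in the BAD order, the time-restricted PC and the blocked site are both allowed, because "http_access allow localnet" matches first and the later lines are never reached.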

Allow Another Network:
If you have another subnet behind your Smoothwall (i.e., behind a router on the green network or similar), by default, this subnet will not be able to use Smoothwall's web proxy, but will receive an error message saying the requested URL cannot be retrieved from the cache due to access control configuration.

Assuming you already have a static route in place to allow the other network to communicate with Smoothwall, edit /var/smoothwall/proxy/acl, and just before the line containing

http_access allow localnet

insert the following line:

acl localnet src 192.168.2.0/255.255.255.0

and replace the network address and subnet mask with that of your other subnet.

Smoothwall already has an acl for localnet, allowing the green network, so here we're adding another subnet to the acl which defines the networks allowed access to the proxy.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Customising Error Pages:
If you're blocking access to some websites and/or some users, you may want to customise the error messages displayed by Squid, to provide more meaningful messages to your users.

All of the Squid error pages are in /var/squid/smootherrors/, so just identify the error page you want to modify, modify it as required, and restart the web proxy through Smoothwall's web interface to make your changes take effect.

For example, the error page displayed when attempting to access a page that has been blocked by ACLs is /var/squid/smootherrors/ERR_ACCESS_DENIED

New Error Pages:
You can also define new error pages for specific ACLs, using the deny_info option.

For example, to display a new error page for the time-restricted user, create a new error page in the following location:

/var/squid/smootherrors/ERR_TIMERESTRICT

containing the error message you want to display to the user when they are denied access.

Then edit /var/smoothwall/proxy/acl, and immediately before the line containing

http_access allow localnet

insert the following:

acl clients src 192.168.0.3
acl lunchtime time MTWHF 12:00-13:00
deny_info ERR_TIMERESTRICT clients
http_access allow clients lunchtime
http_access deny clients

This will cause your new error page to be displayed whenever the specified PC attempts to access the web outside of the allowed time period.

The deny_info option can be used in a similar way with any other ACLs.

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.

Change The Cache Administrator Email:
Most of the Squid error pages include a message mentioning the cache administrator. However, this message includes a non-existing and invalid email address of just webmaster.

It's easy to include a valid cache administrator email address on these error pages. To do so, add a line containing the following to the end of /var/smoothwall/proxy/acl:

cache_mgr email@host.com

replacing email@host.com with a valid email address of course!

Restart the web proxy through Smoothwall's web interface (by clicking the "Save" button) to make your changes take effect.








