Saturday, November 14, 2009

Free BSD: Squid & custom kernel compilation

I wrote the document below many years back, after installing FreeBSD and Squid on it; I am now uploading it here:

Using FreeBSD can't be easier than this! Using this guide you can:

Install and configure a FreeBSD machine.
Install your own custom kernel as per your requirements.
Install and configure Squid with cache replacement policies.
Make your system more secure than ever.
Note: if you are upgrading an existing system, first:

Shift all the load to another proxy.
Note the IPs of all the interfaces (ifconfig > ip).
Take a copy of the running crontab.

Insert the bootable CD into the CD-ROM drive, boot the system from it and follow these steps.

Skip the kernel config and continue with the installation.
Standard
OK
Disk Partitioning: 'A' (Use Entire Disk)

'C' Create Slice.
For all the remaining dialogs press 'OK'.
Type of partition: 165.
Select the slice.
'S' Set Bootable.
'Q' Finish.
Boot Manager: (*) Standard.
Same for Disk 2, except don't set it bootable: (*) leave the MBR as it is (the "leave" option).
After creating the slices we need to create partitions.
'C' Create Partition.
After creating the partitions, select /cache1, /cache2, /cache3 and /var and press 'S' for soft updates. (Note: in FreeBSD 4.7 soft updates are applied automatically when the partitions are created.)
Choose Distribution > Kernel-Developer > User
Installation media: CD-ROM
Network interface: give the appropriate addresses.
Configure as a gateway.
Security profile: Medium (moderate security settings, the default).
Note: (Moderate security settings have been selected. Sendmail and sshd have been enabled, securelevels are disabled, and NFS server settings have been left intact. PLEASE NOTE that this still does not save you from having to properly secure your system in other ways or exercise due diligence in your administration; this simply picks a standard set of out-of-box defaults to start with. To change any of these settings later, edit /etc/rc.conf.)

Set the time zone (PKT).
Linux compatibility.
Select ports/packages to install.
FreeBSD Configuration menu > Distribution.
src > sys (source for everything)

Custom Kernel Compilation

cd /usr/src/sys/i386/conf

mkdir /root/kernels

cp GENERIC /root/kernels/ALI

ln -s /root/kernels/ALI

Edit the ALI file (the MYKERNEL of the FreeBSD Handbook) and customize it:

machine		i386
maxusers	254
options		MSGMNB=8192
options		MSGMNI=80
options		MSGSEG=512
options		MSGSSZ=64
options		MSGTQL=3075
options		SMP		# for multi-processor machines only
options		APIC_IO		# for multi-processor machines only
options		IPFIREWALL
options		IPFIREWALL_FORWARD
options		IPFILTER
# SCSI controller
device		ahc
# SCSI peripheral (the SCSI bus)
device		scbus

Build the kernel:

/usr/sbin/config ALI

cd ../../compile/ALI

make depend

make

make install

Now run ipfw -f flush.
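As an added example (not a script from the original post), here is a small sh script that applies the customizations listed above to a copy of GENERIC and checks the result before config(8) is run. The ALI name and the /root/kernels path are the post's; the SMP_KERNEL switch and the ipfw_default_policy check are assumptions added here. The check exists because a kernel built with options IPFIREWALL but without IPFIREWALL_DEFAULT_TO_ACCEPT denies everything its last rule (65535) sees, so running ipfw -f flush on such a kernel leaves the machine without network access until a rule set is loaded.

```shell
#!/bin/sh
# Added example, not the post's own script: prepare the custom kernel config
# (ALI, as in the post) from a copy of GENERIC and sanity-check it.
# Assumes FreeBSD 4.x config(8) syntax: "keyword<whitespace>value" lines.

# Append "keyword value" unless an equivalent line is already present, so
# devices that GENERIC already lists (scbus, ahc) are not duplicated.
add_line() {
    file=$1; kw=$2; val=$3
    if ! grep -Eq "^$kw[[:space:]]+$val([[:space:]]|$)" "$file"; then
        printf '%s\t\t%s\n' "$kw" "$val" >> "$file"
    fi
}

# $1 = path of GENERIC, $2 = path of the new config (e.g. /root/kernels/ALI)
customize_kernel_conf() {
    src=$1; dst=$2; name=$(basename "$dst")
    mkdir -p "$(dirname "$dst")"
    # Rename the ident and raise maxusers as in the post
    sed -e "s/^ident[[:space:]].*/ident    $name/" \
        -e 's/^maxusers[[:space:]].*/maxusers    254/' "$src" > "$dst"
    # SysV message queue limits (sized for squid's diskd helpers)
    for opt in MSGMNB=8192 MSGMNI=80 MSGSEG=512 MSGSSZ=64 MSGTQL=3075; do
        add_line "$dst" options "$opt"
    done
    # ipfw with forwarding (transparent proxying) plus ipfilter
    for opt in IPFIREWALL IPFIREWALL_FORWARD IPFILTER; do
        add_line "$dst" options "$opt"
    done
    # SMP and APIC_IO only when asked for (multi-processor machines);
    # SMP_KERNEL is an assumed environment switch, not a FreeBSD knob
    if [ "${SMP_KERNEL:-no}" = yes ]; then
        add_line "$dst" options SMP
        add_line "$dst" options APIC_IO
    fi
    # Adaptec SCSI controller and the SCSI bus layer
    add_line "$dst" device ahc
    add_line "$dst" device scbus
}

# Print accept, deny or none: what ipfw's last rule (65535) does for this
# config. Without IPFIREWALL_DEFAULT_TO_ACCEPT the kernel denies everything
# that no loaded rule allows, so "ipfw -f flush" cuts all network traffic.
ipfw_default_policy() {
    if ! grep -Eq '^options[[:space:]]+IPFIREWALL([[:space:]]|$)' "$1"; then
        echo none
    elif grep -Eq '^options[[:space:]]+IPFIREWALL_DEFAULT_TO_ACCEPT' "$1"; then
        echo accept
    else
        echo deny
    fi
}

# Usage on the real box (the build commands are the post's, shown as comments):
#   customize_kernel_conf /usr/src/sys/i386/conf/GENERIC /root/kernels/ALI
#   ipfw_default_policy /root/kernels/ALI
#   cd /usr/src/sys/i386/conf && ln -s /root/kernels/ALI
#   /usr/sbin/config ALI && cd ../../compile/ALI && make depend && make && make install
```

Run ipfw_default_policy before rebooting into the new kernel: if it prints deny, make sure the firewall rule set (the post's /etc/trproxy) is loaded at boot, or add IPFIREWALL_DEFAULT_TO_ACCEPT while you are still testing.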





Squid Installation

Note: for FreeBSD 4.7, cd /usr/src/sys/contrib/ipfilter/netinet/ and copy the three files ip_compat.h, ip_fil.h and ip_nat.h into /usr/include/, then restart the system. These files are needed for Squid to work as a transparent proxy.


CFLAGS='-g -Wall'; export CFLAGS    (sh; note: no space on either side of the =. In csh: setenv CFLAGS '-g -Wall')

Untar the Squid stable tarball:

tar -zxvf squid-xx.stable.tar.gz

cd squid-xx.stable

And configure as:

./configure --enable-removal-policies="lru,heap" --enable-async-io \
    --enable-storeio="diskd,ufs" --enable-snmp --enable-underscores \
    --enable-ipf-transparent

make

make install

Squid configuration file

Now edit squid.conf:

vi /usr/local/squid/etc/squid.conf

Set the parameters as per your requirements, create the cache directories you defined in cache_dir, set their ownership to nobody:nobody, and run:

/usr/local/squid/bin/squid -z

If you want to use LFUDA, squid.conf should contain:

cache_replacement_policy heap LFUDA

memory_replacement_policy heap LFUDA

otherwise:

cache_replacement_policy heap

memory_replacement_policy heap

Other packages to install and configure:

SNMP

Apache

ntpdate

Cron jobs

System Security

Fewer packages (install only what is needed).

Stop the inet daemon (inetd) and all unnecessary daemons.

Delete unnecessary users (the toor user is a second root with UID 0).

Edit /etc/services and block unnecessary ports.

Secure Squid.

Secure SNMP.

Secure named.

Secure the firewall (copy /etc/trproxy from the backup server).

Secure Apache (run it on a different port and restrict access by IP).

Enable ssh (telnet should be disabled).
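As an added example (not from the original post), the following sh script audits three of the items in the list above: extra UID-0 accounts such as toor, whether inetd is enabled and which services it offers, and telnet versus ssh. It is read-only and works on whichever copies of the files you pass in, so it can be tested offline; it assumes FreeBSD 4.x file layouts (/etc/passwd, /etc/rc.conf, /etc/inetd.conf) and, as 4.x defaults start inetd, treats an unset inetd_enable as enabled. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: a read-only audit for extra UID-0
# accounts (toor), inetd and the services it offers, and telnet vs. ssh.
# Works on copies of the files so it can be tested offline. Assumes
# FreeBSD 4.x layouts: /etc/passwd, /etc/inetd.conf and /etc/rc.conf.

# UID-0 accounts other than root, one per line ("toor" on a stock install).
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Services inetd would start: first field of every uncommented line.
inetd_services() {
    awk '$1 !~ /^#/ && NF > 0 { print $1 }' "$1"
}

# Write a copy of inetd.conf ($1) to stdout with service $2 commented out.
disable_inetd_service() {
    sed "s/^\([[:space:]]*$2[[:space:]]\)/#\1/" "$1"
}

# Value of an rc.conf knob ($2), or "unset" if the file does not set it.
rc_flag() {
    v=$(sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([A-Za-z0-9]*\).*/\1/p" "$1" | tail -n 1)
    echo "${v:-unset}"
}

# Print one line per finding; the return value is the number of findings.
security_audit() {
    passwd=$1; rcconf=$2; inetdconf=$3; n=0
    for u in $(uid0_accounts "$passwd"); do
        echo "extra UID-0 account: $u (remove it or lock its password)"
        n=$((n + 1))
    done
    if [ "$(rc_flag "$rcconf" inetd_enable)" != NO ]; then
        # 4.x defaults start inetd, so "unset" counts as enabled here
        echo "inetd not disabled in rc.conf; services offered: $(inetd_services "$inetdconf" | tr '\n' ' ')"
        n=$((n + 1))
    fi
    if inetd_services "$inetdconf" | grep -qx telnet; then
        echo "telnet is enabled in inetd.conf; disable it and use ssh"
        n=$((n + 1))
    fi
    if [ "$(rc_flag "$rcconf" sshd_enable)" != YES ]; then
        echo "sshd_enable is not YES in rc.conf"
        n=$((n + 1))
    fi
    return $n
}

# Usage on the real box:
#   security_audit /etc/passwd /etc/rc.conf /etc/inetd.conf
#   disable_inetd_service /etc/inetd.conf telnet > /etc/inetd.conf.new
#   (review the .new file, install it, then restart or disable inetd)
```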

Optimization

IP assignments on the Ethernet interfaces.

Copy the tcp and udp settings into /etc/rc.conf.

Log rotation (squid, dansguardian); /var/log/messages is already rotated automatically.

/etc/fstab: (noatime,async,rw) for the cache and /var partitions.

Static routes for internal IPs in /etc/static-routes.

Static routes for bandwidth: /software/scripts/bwmanager-scripts.

Configuration of soft updates on partitions

Note: first check whether soft updates are already applied, using:

tunefs -p <partition>

e.g. tunefs -p /var

If soft updates are not set, they can be enabled with the following commands.

Note: the partition on which we are going to apply soft updates must not be in use, so first unmount it in single-user mode, like this:

umount /var
tunefs -n enable /var

Now verify whether it is applied by running tunefs -p /var again, then restart the machine.
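As an added example (not from the original post), here is an sh script covering the two checks in this section and the fstab item under Optimization: it reports which cache and /var partitions in an fstab lack noatime, prints the options of any mount point, and reads the soft-updates state out of tunefs -p output so the "verify" step can be scripted. It assumes the post's partition names (/cache1 to /cacheN and /var) and a tunefs -p line of the form "tunefs: soft updates: (-n) enabled" or "... disabled"; the sample fstab and tunefs output in the usage notes are constructed.

```shell
#!/bin/sh
# Added example, not from the post: check the mount options of the cache and
# /var partitions in an fstab, and read the soft-updates state out of
# "tunefs -p" output. Assumes the post's partition names (/cache1.., /var)
# and a 4.x tunefs line ending in "enabled" or "disabled".

# Mount options of mount point $2 in fstab $1 (empty if not listed).
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4 }' "$1"
}

# True if option $2 appears in the comma-separated option list $1.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# Cache and /var mount points that lack noatime, one per line.
fstab_missing_noatime() {
    for mp in $(awk '$1 !~ /^#/ && ($2 ~ /^\/cache[0-9]*$/ || $2 == "/var") { print $2 }' "$1"); do
        has_opt "$(fstab_opts "$1" "$mp")" noatime || echo "$mp"
    done
}

# Read "tunefs -p <partition>" output on stdin; print enabled, disabled or
# unknown for soft updates (the last word of the "soft updates" line).
softupdates_state() {
    state=$(awk '/soft updates/ { print $NF }' | tail -n 1)
    echo "${state:-unknown}"
}

# Usage on the real box:
#   fstab_missing_noatime /etc/fstab
#   fstab_opts /etc/fstab /var
#   tunefs -p /var | softupdates_state
#   (if it prints disabled: boot single-user, umount /var,
#    tunefs -n enable /var, check again, then reboot)
```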
