I wrote the below document many years back after installation of FreeBSD and Squid on it, now uploading it here:
Using FreeBSD can't be easier than that! Using this guide you can:
Install and configure a FreeBSD machine.
Install your own custom kernel as per your requirements.
Install and configure Squid with cache replacement policies.
Make your system more secure than ever.
Note: if you are upgrading the system,
Shift all the load to another proxy.
Note the IPs of all the interfaces: ifconfig > ip
Take a copy of the running crontab.
Insert the bootable CD into the CD-ROM drive, boot the system from it, and follow these steps.
Skip Kernel config and continue with installation.
Standard
Ok
Disk Partitioning: ‘A’ Use Entire Disk
‘C’ Create Slice.
For all the remaining blocks press ‘Ok’.
Type of Partition 165.
Select the slice
‘S’ set bootable.
‘Q’ finish.
Boot manager (*) Standard.
Same for Disk 2.
Don’t set bootable (*) leave the boot message.
After creating the slices we need to create partitions.
‘C’ Create Partition.
After creating the partitions, select /cache 1, 2, 3 and /var and press “S” for soft updates. (Note: in FreeBSD 4.7, soft updates are applied automatically when we create partitions.)
Choose Distribution > Kernel-Developer > User
Installation media CD ROM
Network Interface Give appropriate addresses.
Configure as A Gateway
Security Profile Medium (Moderate security settings (Default))
Note: (Moderate security settings have been selected. Sendmail and SSHd have been enabled, securelevels are disabled, and NFS server settings have been left intact. PLEASE NOTE that this still does not save you from having to properly secure your system in other ways or exercise due diligence in your administration, this simply picks a standard set of out-of-box defaults to start with. To change any of these settings later, edit /etc/rc.conf)
Setting Time Zone (PKT)
Linux Compatibility
Select Ports/Packages to Install
FreeBSD Configuration menu - Distribution.
Src > Sys (Source for everything)
Custom Kernel Compilation
cd /usr/src/sys/i386/conf
mkdir /root/kernels
cp GENERIC /root/kernels/ALI
ln -s /root/kernels/ALI
Edit the kernel configuration file (ALI in this example) and customize:
machine i386
maxusers 254
options MSGMNB=8192
options MSGMNI=80
options MSGSEG=512
options MSGSSZ=64
options MSGTQL=3075
options SMP # For multiprocessor machines only
options APIC_IO
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFILTER
# SCSI controller
device ahc
# SCSI peripheral
device scbus
Build the kernel
/usr/sbin/config ALI
cd ../../compile/ALI
make depend
make
make install
Now do ipfw -f flush.
Squid Installation
Note: For FreeBSD 4.7, cd /usr/src/sys/contrib/ipfilter/netinet/ and copy these three files, “ip_compat.h”, “ip_fil.h” and “ip_nat.h”, into /usr/include/, and then restart the system. Squid needs these files to work as a transparent proxy.
setenv CFLAGS '-g -Wall' (Note: csh syntax takes no = sign; in sh, use CFLAGS='-g -Wall' with no space between = and '-g -Wall', then export CFLAGS)
Untar the Squid stable tarball
tar -zxvf squid-xx.stable.tar.gz
cd squid-xx.stable
And configure as
./configure --enable-removal-policies="lru,heap" --enable-async-io \
  --enable-storeio="diskd,ufs" --enable-snmp --enable-underscores \
  --enable-ipf-transparent
make
make install
Squid configuration file
Now edit squid.conf
vi /usr/local/squid/etc/squid.conf
Set the parameters as per your requirements, create the cache directory that you defined in cache_dir, set its ownership to nobody:nobody, and run
/usr/local/squid/bin/squid -z
If we want to use LFUDA, then squid.conf will be as below
cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA
otherwise
cache_replacement_policy heap
memory_replacement_policy heap
Other packages to install and configure
SNMP
Apache
Ntpdate
Cron Jobs
System Security
Lesser Packages
Stop the inet daemon and all unnecessary daemons
Delete unnecessary users (user toor = root)
Edit /etc/services and block unnecessary ports
Secure Squid
Secure SNMP
Secure named
Secure firewall (copy etc/trproxy from backup server)
Secure Apache (run on a different port, with IP-restricted access)
Enable ssh (telnet should be disabled)
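One way to check the daemon, telnet/ssh and extra-root-account items from the list above, as an added example that is not part of the original document. The function names and the sample files are constructed for illustration, and it assumes the stock rc.conf variable names sshd_enable and inetd_enable:

```sh
#!/bin/sh
# Added example: audit items from the "System Security" checklist.
# Paths are arguments so the checks can run against copies of the files.

# rc_value FILE VAR: last value of VAR in an rc.conf-style file, upper-cased.
# Prints "unset" if absent; /etc/defaults/rc.conf is not consulted.
rc_value() {
    awk -F= -v var="$2" '
        { sub(/#.*/, ""); gsub(/[ \t"]/, "") }  # strip comments, blanks, quotes
        $1 == var { val = toupper($2) }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# inetd_services FILE: names of services on active (uncommented) lines.
inetd_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1" | sort -u
}

# uid0_extras FILE: passwd-format accounts other than root that have UID 0.
uid0_extras() {
    awk -F: '!/^#/ && $3 == 0 && $1 != "root" { print $1 }' "$1"
}

# audit RC_CONF INETD_CONF PASSWD: one FAIL line per finding, nothing if clean.
audit() {
    [ "$(rc_value "$1" sshd_enable)" = YES ] || echo "FAIL sshd_enable is not YES"
    [ "$(rc_value "$1" inetd_enable)" = NO ] || echo "FAIL inetd_enable is not NO"
    if inetd_services "$2" | grep -qx telnet; then
        echo "FAIL telnet is active in inetd.conf"
    fi
    for u in $(uid0_extras "$3"); do echo "FAIL extra UID 0 account: $u"; done
}

# make_sample DIR: write constructed sample files (not taken from a real host).
make_sample() {
    printf '%s\n' 'sshd_enable="YES"' 'inetd_enable="YES"  # not yet disabled' \
        > "$1/rc.conf"
    printf '%s\n' '#ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l' \
        'telnet stream tcp nowait root /usr/libexec/telnetd telnetd' \
        > "$1/inetd.conf"
    printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
        'toor:*:0:0:Bourne-again Superuser:/root:' \
        'nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin' \
        > "$1/passwd"
}

tmp=$(mktemp -d "${TMPDIR:-/tmp}/audit.XXXXXX") && make_sample "$tmp"
audit "$tmp/rc.conf" "$tmp/inetd.conf" "$tmp/passwd"
rm -rf "$tmp"
```

On a real host, call audit with /etc/rc.conf, /etc/inetd.conf and /etc/passwd; a clean system prints nothing.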
Optimization
IP assignments on Ethernet Interfaces
Copy tcp and udp configurations in /etc/rc.conf
Log rotation (squid, dansguardian); messages is rotated automatically
/etc/fstab (noatime,async,rw) for cache & /var partitions
Static routes for internal ips in /etc/static-routes
Static routes for bandwidth /software/scripts/bwmanager-scripts
Configuration of soft updates on partitions
Note: first check whether soft updates are already applied, using the command
tunefs -p <partition name>
e.g. tunefs -p /var
If soft updates are not set, they can be set with the following commands.
Note: the partition to which we are going to apply soft updates must not be in use; first unmount that partition in single-user mode, like this:
umount /var
tunefs -n enable /var
Now verify whether it has been applied with the above-mentioned command, tunefs -p /var, and then restart the machine.