Transparent HTTP Antivirus Scan in Bridge Mode With HAVP and Clamav
Wednesday, 15 June 2011
This tutorial helps you build a filtering bridge for HTTP traffic. The idea is not to replace the router but to insert a transparent filtering bridge between the ADSL router and the LAN, so HTTP traffic is scanned for viruses without any configuration on the clients.

Step 1 Configure the bridge
---------------------------------

Edit /etc/rc.conf and add the following (assuming your network cards are em0 and em1):

/etc/rc.conf
defaultrouter="10.0.0.1"
hostname="bridge"

sshd_enable="YES"

cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 addm em1 up"
ifconfig_bridge0_alias0="inet 10.0.0.2 netmask 255.255.255.0"
ifconfig_em0="up"
ifconfig_em1="up"

Please note that 10.0.0.2, the IP of the bridge, is only there for maintenance purposes (SSH access). Neither em0 nor em1 has an IP configured; they are plain bridge members.

Set the following sysctl variable to 1:

  sysctl -w net.link.bridge.pfil_member=1

or, to make it persistent across reboots, add the following line to /etc/sysctl.conf:

  net.link.bridge.pfil_member=1


Step 2. Configure the firewall
----------------------------------------
The following PF config redirects all HTTP traffic to 127.0.0.1 port 8080, where a Squid process will listen (Squid itself is configured in Step 4).

Create a file: /etc/pf.conf with the following content:

/etc/pf.conf
ext_if="em0"
int_if="em1"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080

pass in quick on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 8080 keep state

Edit /etc/rc.conf and add the following lines (to activate PF firewall at boot):

/etc/rc.conf
pf_enable="YES"
pf_rules="/etc/pf.conf"

Before activating PF we must load the kernel module:

  kldload pf

Then activate PF firewall and load config from /etc/pf.conf:

  pfctl -e
  pfctl -f /etc/pf.conf


Also edit /etc/devfs.conf and add the following lines:

  own     pf      root:squid
  perm    pf      0640

Squid will need those rights on /dev/pf later.

Step 3. Install Clamav
-------------------------

We will install Clamav: 

  cd /usr/ports/security/clamav
  make install clean

Then add the following lines to /etc/rc.conf:

  clamav_clamd_enable="YES"
  clamav_freshclam_enable="YES"

And we will start clamav-clamd and clamav-freshclam:
 
  /usr/local/etc/rc.d/clamav-clamd start
  /usr/local/etc/rc.d/clamav-freshclam start



Step 4. Install Squid
-----------------------

We will now install Squid 3.1 from ports. Make sure that when you run make install you check the "Transparent Proxy with PF" option in the port's options dialog:

  cd /usr/ports/www/squid31
  make install clean

Now we will configure squid to work on port 8080 on 127.0.0.1. Your squid config file is located in /usr/local/etc/squid/squid.conf:

/usr/local/etc/squid/squid.conf
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow manager localhost
http_access deny manager

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost

http_access deny all

hierarchy_stoplist cgi-bin ?
coredump_dir /var/squid/cache

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

# custom
http_port 127.0.0.1:8080 transparent

#for HAVP
cache_peer 127.0.0.1 parent 8082 0 no-query no-digest no-netdb-exchange default


After that add the following line to /etc/rc.conf:

  squid_enable="YES"

and start squid proxy server:

  /usr/local/etc/rc.d/squid start


Step 5. Install HAVP
------------------------

We will install HAVP from ports and we will configure it to run on port 8082:

  cd /usr/ports/www/havp
  make install clean

Now some minor preparation: create empty whitelist and blacklist files and copy the English templates from the HAVP examples:

  touch /usr/local/etc/havp/whitelist
  touch /usr/local/etc/havp/blacklist
  mkdir /usr/local/etc/havp/templates /usr/local/etc/havp/templates/en
  cp -R /usr/local/share/examples/havp/templates/en/ /usr/local/etc/havp/templates/en

And now we will create /usr/local/etc/havp/havp.config with the following content:

/usr/local/etc/havp/havp.config
USER havp
GROUP havp

DAEMON true
PIDFILE /var/run/havp/havp.pid
SERVERNUMBER 10
MAXSERVERS 100
ACCESSLOG /var/log/havp/access.log
ERRORLOG /var/log/havp/havp.log

LOG_OKS true
LOGLEVEL 1
SCANTEMPFILE /var/tmp/havp/havp-XXXXXX
TEMPDIR /var/tmp
TRANSPARENT false
PARENTPROXY localhost

PARENTPORT 8080
X_FORWARDED_FOR true
PORT 8082
BIND_ADDRESS 127.0.0.1

TEMPLATEPATH /usr/local/etc/havp/templates/en

STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS

SCANIMAGES true
KEEPBACKTIME 5

ENABLECLAMLIB true
ENABLECLAMD false

ENABLEFPROT false
ENABLEAVG false
ENABLEAVESERVER false
ENABLESOPHIE false
ENABLETROPHIE false
ENABLENOD32 false
ENABLEAVAST false
ENABLEARCAVIR false
ENABLEDRWEB false

Then we add an entry in /etc/rc.conf for HAVP service to start at boot:

  havp_enable="YES"

and we start the service:

  /usr/local/etc/rc.d/havp start

Tips
-----
If you want bridge support compiled into the kernel instead of loading the if_bridge module at runtime, recompile the kernel with the following option:

device if_bridge


Debugging Tips
-----------------

- Clamav log files are located in /var/log/clamav. You can look there for clamd.log and freshclam.log.
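- HAVP writes its own access log to /var/log/havp/access.log (the ACCESSLOG setting above). The script below is an added example, not part of the original tutorial: it summarises which LAN clients had downloads blocked by the scanner. It assumes a line layout of "date time client method url status size result", where result is OK for clean content and the scanner verdict otherwise, and runs on constructed sample lines so it can be tried without a live proxy.

```shell
#!/bin/sh
# Summarise blocked downloads from an HAVP access.log.
# Assumed line layout (not taken from the tutorial):
#   DD/MM/YYYY HH:MM:SS client method url status size result...
# "result" is OK for clean content, or the scanner verdict for blocked content.

# Constructed sample log for a self-contained run; hosts and verdicts are made up.
SAMPLE_LOG=$(mktemp /tmp/havp-sample.XXXXXX)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
15/06/2011 10:02:11 10.0.0.15 GET http://example.org/index.html 200 5120 OK
15/06/2011 10:02:40 10.0.0.15 GET http://example.org/tools/setup.exe 200 0 ClamAV: Eicar-Test-Signature
15/06/2011 10:03:05 10.0.0.27 GET http://example.net/logo.png 200 812 OK
15/06/2011 10:05:52 10.0.0.15 GET http://example.org/tools/setup2.exe 200 0 ClamAV: Eicar-Test-Signature
15/06/2011 10:07:19 10.0.0.27 GET http://example.com/doc.pdf 200 0 ClamAV: Eicar-Test-Signature
EOF

# Print "client count" for every client with at least one blocked download,
# most blocked first. Field 3 is the client, field 8 the start of the result.
havp_blocked_by_client() {
    awk '$8 != "OK" { blocked[$3]++ }
         END { for (c in blocked) print c, blocked[c] }' "$1" | sort -k2,2nr -k1,1
}

# Print every blocked URL with the full scanner verdict (fields 8 to NF).
havp_blocked_urls() {
    awk '$8 != "OK" {
             verdict = $8
             for (i = 9; i <= NF; i++) verdict = verdict " " $i
             print $5, "->", verdict
         }' "$1"
}

echo "Blocked downloads per client:"
havp_blocked_by_client "$SAMPLE_LOG"
echo "Blocked URLs:"
havp_blocked_urls "$SAMPLE_LOG"
```

Point the functions at /var/log/havp/access.log on the bridge to get the same summary for real traffic.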

Last Updated: Sunday, 06 November 2011