FreeBSD Wi-Fi Open Access Content Filter
ipfw is the FreeBSD IP packet filter and traffic accounting control program. With ipfw it is possible to
assemble a transparent proxy for Wi-Fi: every web request from a wireless client is redirected through
content filtering software, and only moderated content is sent back to the client. A Wi-Fi hotspot open
access content filter is made up of a little hardware and five pieces of software: the access point, a
crossover cable and a spare network card; then ipfw, squid, dansguardian, ISC dhcpd and ISC bind. You need
a client to try the hotspot out, but nothing is stopping you from simply waiting for client machines to
connect. For example you could provide anonymous internet access to a neighborhood, a restaurant and bar,
an apartment building, a cafe or whatever you like; the distance an access point can cover is fairly large.
bind and dhcpd are the most widely used DNS and DHCP servers on the internet, and both are fairly
difficult to configure correctly; we'll use a few shortcuts and some good luck. First we need some
inexpensive hardware: a Wireless-G router, an extra network card and a crossover cable. If you use a
router rather than a bare access point, chances are you will get a broader wireless coverage area. Most
network cards are on the FreeBSD hardware compatibility list; if your card is not, get one that is.
Firmly seat the network card and connect an RJ-45 crossover cable directly from it to the router. Boot
normally; if the card is on the hardware compatibility list it will be available to ifconfig.
Type:
ifconfig
fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9<RXCSUM,VLAN_MTU>
ether 00:90:27:ac:85:d4
inet 10.1.10.172 netmask 0xffffff00 broadcast 10.1.10.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9<RXCSUM,VLAN_MTU>
ether 00:04:76:e8:99:3c
fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9<RXCSUM,VLAN_MTU>
ether 00:90:27:ac:90:85
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (100baseTX)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
Above, xl0 is the unconfigured device (it has no inet address). Give it the hotspot gateway address in /etc/rc.conf so it is configured at every boot; the setting takes effect on the next reboot, or right away if you run the same ifconfig command by hand:
vi /etc/rc.conf
Strike the ESC key
:ins
ifconfig_xl0="inet 172.16.0.1 netmask 255.255.255.0"
Strike CTRL-C
Strike the ESC key
:wq!
Next compile a kernel with the firewall options. Make a copy of the GENERIC kernel configuration in /usr/src/sys/i386/conf/ and add these lines to the copy:
1. Copy and edit the configuration:
cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/SQUIRREL
vi /usr/src/sys/i386/conf/SQUIRREL
options IPFIREWALL
options IPDIVERT
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
IPFIREWALL_FORWARD is what makes the fwd action used below work, and IPDIVERT is needed only if you also run natd. IPFIREWALL_DEFAULT_TO_ACCEPT makes the firewall pass any packet that matches no rule, including the case where the rules fail to load at boot; that is convenient while you are building the gateway, but it means the deny rules added later are the only thing standing between the wireless clients and your internal networks.
2. Change to the /usr/src directory:
cd /usr/src
3. Compile the kernel:
make buildkernel KERNCONF=SQUIRREL
While the kernel is compiling, leave the terminal alone. (If you really need to, you can abort the build at any time with CTRL-C and start it again later.) Building a new kernel takes about two hours on a quad 533 MHz Pentium III Xeon server, so don't give up even though the terminal may look like it has stopped.
4. Install the new kernel:
make installkernel KERNCONF=SQUIRREL
Now edit the file /etc/rc.firewall. The rules go in the SIMPLE section, which is only loaded at boot if /etc/rc.conf has firewall_enable="YES" and firewall_type="simple", so set those as well.
Add to the SIMPLE section:
${fwcmd} add 1001 fwd 127.0.0.1,8080 tcp from any to any 80 in recv xl0
${fwcmd} add allow tcp from any to any in via fxp1
${fwcmd} add allow tcp from any to any in via fxp0
${fwcmd} add deny log tcp from 172.16.0.0/24 to 172.16.0.1
${fwcmd} add deny log tcp from 172.16.0.0/24 to 192.168.0.0/24
${fwcmd} add deny log tcp from 172.16.0.0/24 to 10.1.10.0/24
${fwcmd} add allow udp from 0.0.0.0 68 to 255.255.255.255 dst-port 67 out
${fwcmd} add allow udp from any 67 to me dst-port 68 in
${fwcmd} add allow udp from any 67 to 255.255.255.255 dst-port 68 in
${fwcmd} add allow icmp from any to any icmptypes 8
${fwcmd} add allow icmp from any to any icmptypes 3,4,11
The first line means: add rule number 1001 and forward all TCP packets for port 80 that arrive on the third interface, xl0, to 127.0.0.1 port 8080, where dansguardian listens. The next two allow TCP packets in on fxp1 and fxp0. Since the server is public, deny and log anything from 172.16.0.0/24 to the gateway itself at 172.16.0.1. The two rules after that protect the internal networks: 192.168.0.0/24 and 10.1.10.0/24 are not on the wireless segment behind the crossover cable, so the clients cannot normally reach them, but if you are also using natd to forward internet access the gateway would route to them, so deny and log that traffic too. Finally, uncomment the allow-DHCP and allow-ICMP lines in the simple section of rc.firewall, or add the last five rules shown above.
Two things to keep in mind with this ruleset. Rule 1001 is matched before the deny rules, so web traffic aimed at port 80 of the gateway itself is handed to the proxy rather than denied. And the deny rules match TCP only; with IPFIREWALL_DEFAULT_TO_ACCEPT, UDP and ICMP from the wireless segment to the gateway and the internal networks still pass. That is what lets the clients reach DNS and DHCP on 172.16.0.1 (both UDP), but it also leaves every other UDP service on those networks reachable.
Now all packets destined for port 80 are transparently redirected to port 8080, the dansguardian port; dansguardian in turn passes each request on to squid on port 3128.
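The rules above leave two gaps a practitioner would want closed: rule 1001 as written is missing the add keyword, and the deny rules match TCP only, so under IPFIREWALL_DEFAULT_TO_ACCEPT anything else from the wireless segment to the gateway and the internal networks still passes. The script below is an added example, not part of the original page or of rc.firewall, written in the same ${fwcmd} style so its rules can be pasted into the SIMPLE section. It assumes the page's names and addresses (xl0 and 172.16.0.0/24 for the wireless side, 172.16.0.1 for the gateway, 192.168.0.0/24 and 10.1.10.0/24 for the internal networks, dansguardian on 127.0.0.1:8080); the rule numbers are the example's own choice.

```shell
#!/bin/sh
# Added example (not from the page): hardened wireless-segment rules in
# rc.firewall style. Assumed from the page: xl0 is the wireless side,
# 172.16.0.1 the gateway, 192.168.0.0/24 and 10.1.10.0/24 the internal
# networks, dansguardian on 127.0.0.1:8080. Rule numbers are our choice.
wifi_if="xl0"
wifi_net="172.16.0.0/24"
gw="172.16.0.1"
proxy="127.0.0.1,8080"
internal_nets="192.168.0.0/24 10.1.10.0/24"

# emit_rules CMD: run CMD for every rule; CMD is "echo" for a dry run,
# "ipfw -n" for a syntax check, "ipfw -q" to load (word-split on purpose).
emit_rules() {
    fwcmd="$1"
    # Transparent proxy: the page's rule 1001 with the missing "add" and
    # the source restricted to the wireless subnet.
    $fwcmd add 1001 fwd $proxy tcp from $wifi_net to any 80 in recv $wifi_if
    # DHCP: a DISCOVER comes from 0.0.0.0, so the source must stay "any".
    $fwcmd add 1010 allow udp from any 68 to any 67 in recv $wifi_if
    # Anti-spoofing: nothing else may arrive on xl0 with a foreign source.
    $fwcmd add 1020 deny log ip from not $wifi_net to any in recv $wifi_if
    # DNS to the gateway: UDP plus the TCP fallback for large answers.
    $fwcmd add 1030 allow udp from $wifi_net to $gw 53 in recv $wifi_if
    $fwcmd add 1031 allow tcp from $wifi_net to $gw 53 in recv $wifi_if
    # Deny all IP, not just TCP, from clients to the gateway and internal nets.
    $fwcmd add 1040 deny log ip from $wifi_net to $gw in recv $wifi_if
    n=1050
    for net in $internal_nets; do
        $fwcmd add $n deny log ip from $wifi_net to $net in recv $wifi_if
        n=$((n + 1))
    done
    # Everything else from the wireless side may go out to the internet.
    $fwcmd add 1100 allow ip from $wifi_net to any in recv $wifi_if
}

# rule_count: number of rules emit_rules would load.
rule_count() {
    emit_rules echo | grep -c '^add '
}

case "${1:-show}" in
    show)  emit_rules echo ;;
    check) emit_rules "ipfw -n" ;;
    apply) emit_rules "ipfw -q" ;;
    *)     echo "usage: $0 [show|check|apply]" >&2; exit 2 ;;
esac
```

With no argument the script only prints the rules; check runs each one through ipfw -n, which parses a rule without loading it, and apply loads them. Because ipfw matches in order, the DHCP allow comes before the anti-spoofing deny (the DISCOVER has source 0.0.0.0) and the DNS allows come before the deny to the gateway.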
shutdown -r now
There are several content filtering packages; dansguardian is free to use. Before it can do anything, though, we need a caching proxy to hand the requests to and fetch pages through. Squid is a web cache server and is easy to install if its access control lists are used correctly.
Get the latest version of squid here:
http://www.squid-cache.org/Versions/
type:
gunzip squid*.tar.gz
tar -xvf squid*.tar
cd squid-3.0.STABLE24
./configure --enable-ipfw-transparent
gmake
gmake install
After squid is installed it can be found in /usr/local/squid. First we need to edit a file named squid.conf:
vi /usr/local/squid/etc/squid.conf
squid.conf is a huge file. Turn on line numbers and jump to the http_port directive, which is around line 879 in the 3.0 default file:
Strike the ESC key
:set nu
Strike the ESC key
:879
Strike the ESC key
:ins
http_port 3128 transparent
Strike CTRL-C
Delete the old http_port directive by moving the cursor onto it with the arrow keys, then
Strike the ESC key
:del
Now edit the access control lists. Squid sits behind the firewall and the only client that needs to reach it is dansguardian on this machine, so we will use open directives; that is safe only as long as the rc.firewall deny rules keep port 3128 unreachable from the wireless side:
Strike the ESC key
:592
Strike the ESC key
:ins
acl localnet src 127.0.0.0/8
Strike CTRL-C
Scroll down to # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
Add:
Strike the ESC key
:ins
http_access allow localnet
http_access allow localhost
http_access allow to_localhost
http_access allow all
Strike CTRL-C
Strike the ESC key
:wq!
squid -k parse reports any syntax error in the edited file before you start the daemon.
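Squid evaluates http_access lines in order and stops at the first match, so the last line decides everything the earlier lines did not; ending with http_access allow all turns squid into an open proxy for any host that can reach port 3128, and only the rc.firewall deny rules keep the wireless clients out. Since dansguardian on 127.0.0.1 is the only client squid needs here, http_access deny all is the safer final line. The script below is an added example, not code from the page or from squid: it writes the page's fragment and a hardened version to constructed temporary files and reports the effective default of each. The file names and the audit functions are the example's own.

```shell
#!/bin/sh
# Added example (not from the page or squid): find the effective default
# of a squid.conf http_access chain. Squid takes the first matching
# http_access line, so the last line is the verdict for everything else.

# squid_default_access FILE: print the verdict of the last active
# http_access line, e.g. "allow all" or "deny all", ignoring comments.
squid_default_access() {
    sed -e 's/#.*$//' "$1" | awk '
        $1 == "http_access" {
            last = $2
            for (i = 3; i <= NF; i++) last = last " " $i
        }
        END { print last }'
}

# squid_is_open_proxy FILE: succeed when the default verdict is "allow all".
squid_is_open_proxy() {
    [ "$(squid_default_access "$1")" = "allow all" ]
}

# Constructed sample configs: the page's fragment beside a hardened one.
# (Temporary file names are the example's own; removed when the shell exits.)
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/page.conf" <<'EOF'
acl localnet src 127.0.0.0/8
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow localnet
http_access allow localhost
http_access allow to_localhost
http_access allow all
http_port 3128 transparent
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
acl localnet src 127.0.0.0/8
http_access allow localnet
http_access allow localhost
http_access deny all   # dansguardian on 127.0.0.1 is the only client squid needs
http_port 3128 transparent
EOF

# report: one line per config with its default verdict and what it means.
report() {
    for f in "$tmpdir/page.conf" "$tmpdir/hardened.conf"; do
        if squid_is_open_proxy "$f"; then verdict="OPEN PROXY"; else verdict="closed"; fi
        printf '%s: default is "%s" -> %s\n' "${f##*/}" "$(squid_default_access "$f")" "$verdict"
    done
}
report
```

Point squid_default_access at the real /usr/local/squid/etc/squid.conf to check the file you just edited; any verdict other than deny all at the end means hosts that can reach port 3128 are relying on the firewall alone.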
Now that the squid portion of the installation is complete, we can install dansguardian. The latest version can be found at http://www.dansguardian.com; unpack and install it:
type:
gunzip dansguardian*.tar.gz
tar -xvf dansguardian*.tar
cd dansguardian-2.10.1.1
./configure
gmake
gmake install
The defaults in /usr/local/etc/dansguardian/dansguardian.conf already match this setup: filterport = 8080 is the port rule 1001 forwards to, and proxyip = 127.0.0.1 with proxyport = 3128 is where squid listens.
One dansguardian option worth changing is the warning template, the page shown to a client whose request has been blocked. Edit it and restart dansguardian for the new template to take effect:
/usr/local/share/dansguardian/languages/ukenglish/template.html
Now start squid, then dansguardian (it needs squid running as its parent proxy); if you enabled a disk cache_dir in squid.conf, run squid -z once first to create the cache directories:
/usr/local/squid/sbin/squid
/usr/local/sbin/dansguardian
To configure a Wi-Fi Windows workstation to use the NATD firewall, follow these instructions:
Left click "My Network Places" on the Windows desktop so that it is highlighted in blue, then right click the highlighted area. A drop-down menu will appear.
Left click "Properties".
Next, left click "Local Area Connection" so that it is highlighted in blue, then right click the highlighted area. A drop-down menu will appear.
Left click "Properties".
A dialogue box will appear:
Left click "Internet Protocol (TCP/IP)" so that it is highlighted in blue, then click the Properties button. A dialogue box will appear.
Click "Obtain an IP address automatically", click "Obtain DNS server address automatically" and click OK. Then click Apply, then OK.
The next part of the project is to install a DHCP server and a DNS server on the gateway machine, 172.16.0.1 (the xl0 address). Download, unpack, make and install both from http://www.isc.org; the FreeBSD ports of the same software also provide the rc.d start script used below.
vi /usr/local/etc/dhcpd.conf
Strike the ESC key
:ins
option domain-name "nvita.org";
option domain-name-servers 172.16.0.1;
default-lease-time 86400;
max-lease-time 86400;
authoritative;
ddns-update-style none;
subnet 172.16.0.0 netmask 255.255.255.0 {
range 172.16.0.5 172.16.0.250;
option routers 172.16.0.1;
}
Strike CTRL-C
:wq!
Start the DHCP server on xl0:
/usr/local/etc/rc.d/isc-dhcpd start
or
dhcpd xl0
dhcpd -t checks the configuration file for syntax errors first, and the leases file must exist before the first start (dhcpd prints the path it expects if it is missing). To run it in the foreground with debugging output, which is useful while testing or if for some reason you decided to download the beta:
dhcpd -d -f xl0
Type
vi /var/named/etc/namedb/named.conf
Strike the ESC key
:ins
acl clients {
localnets;
::1;
};
options {
version ""; // remove this to allow version queries
listen-on { any; };
listen-on-v6 { any; };
allow-recursion { clients; };
};
logging {
category lame-servers { null; };
};
// Standard zones
//
zone “.” {
type hint;
file “standard/root.hint”;
};
zone “localhost” {
type master;
file “standard/localhost”;
allow-transfer { localhost; };
};
zone “127.in-addr.arpa” {
type master;
file “standard/loopback”;
allow-transfer { localhost; };
};
zone “0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa” {
type master;
file “standard/loopback6.arpa”;
allow-transfer { localhost; };
};
zone “com” {
type delegation-only;
};
zone “net” {
type delegation-only;
};
Strike CTRL-C
:wq!
mkdir /var/named/etc/namedb/standard
cd /var/named/etc/namedb/standard
The named.conf above refers to four files in that directory, but only root.hint is created below; the localhost, loopback and loopback6.arpa zone files must exist too, or named will log an error and leave those zones unloaded (the FreeBSD base namedb directory ships equivalent zone files under master/ that you can copy).
Type
vi /var/named/etc/namedb/standard/root.hint
Strike the ESC key
:ins
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by ICANN
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
Strike CTRL-C
:wq!
Check the configuration with named-checkconf, then start the DNS server:
named
Although the setup is quite involved, the result is simple: fxp1 operates without any restrictions, whereas clients on xl0 get a content filter, cannot open TCP connections to the gateway or the internal networks, may only use the gateway's DNS and DHCP services, and reach every other server on the internet through squid and dansguardian!
HOWEVER:
Wireless range is limited. To cover at least 2 miles you will probably also need one of these:
2.4 GHz Hi-Gain 15 dBi Outdoor Omni-Directional Antenna
The output power of the card itself is very low, so the antenna design is extremely important. Amplifying the card's signal to reach long distances is very heavily regulated, so a good antenna is the practical way to extend coverage.