Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a HTTP Anti Virus Proxy"
Revision as of 18:41, 29 October 2011
Preface
The purpose of this chapter is to set up a LEAF box with an HTTP proxy that scans your web traffic for Trojans, viruses, malware and other malicious threats. ClamAV is used as the scanner and HAVP as the proxy.
havp can be used together with squid or standalone, but only the standalone setup is described here. havp provides no content caching, so if you want caching you also need squid.lrp. It supports multiple virus scanners, but only clamav is provided as an lrp package. It has no IPv6 support and does not scan SSL-protected pages (https); the setup described here tunnels these pages unscanned rather than blocking them.
Running an HTTP anti-virus proxy goes beyond the typical use of a LEAF Bering-uClibc box, which is usually a router and firewall. This shows in the hardware requirements, which are considerably higher than for a LEAF router: at least 256MB RAM and more than 200MB of writable storage, or at least 512MB RAM if you run the proxy completely in RAM, and even then fixed storage is recommended to reduce the time until the proxy is operational after a reboot.
Most of these resources are needed by clamav, which requires at least 100MB RAM to start and 100MB for the virus database plus its daily updates. havp itself needs a minimum of 5MB, either as fixed storage or as RAM for a virtual disk. If you add a content-caching proxy like squid, even more is needed.
With a virtualized LEAF box, RAM and especially disk space are cheap, so I used a Bering-uClibc 4.x i686 ISO image as a VirtualBox guest with 768MB RAM and no hard disk as the testbed. You may want to change this and use a (virtual) hard disk as permanent storage; that way you can run a LEAF-based HTTP anti-virus proxy as a virtual machine.
Note: The setup given here is mainly targeted at home usage and testing; for more advanced usage, decent hardware and a configuration with squid are recommended. Also, the way SSL-protected pages are tunneled is not as efficient as you may want it in a professional environment.
Status: The packages clamav.lrp and havp.lrp are already committed to git and will be available with Bering-uClibc 4.1.
Setting up LEAF Bering-uClibc in a Virtualbox environment
tbd
Setting up the virus scanner clamav
tbd
Setting up the anti virus proxy havp
tbd
Shorewall setup
The virtualized proxy guest is, like the host system, connected to the Internet through a LEAF router running a Shorewall firewall. This is the reason I simply opened every connection from the net zone (which, seen from the guest, is in fact the host system) to the firewall and vice versa.
The changes are made in /etc/shorewall/policy on the virtualized LEAF box:

```
net fw ACCEPT
fw net ACCEPT
```

Note that net fw ACCEPT exposes every service listening on the guest, not only the proxy port, to the host's network; this is only acceptable here because the guest itself sits behind the main LEAF router. If you use the box in production you should tighten the Shorewall setup: keep a DROP policy from net to fw and accept only the proxy port in /etc/shorewall/rules. You don't need to change anything on your main router/firewall.
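As an added example (not code from this wiki page, from LEAF or from Shorewall), the following POSIX shell script writes the lab policy quoted above and a tightened variant into a temporary directory as constructed samples, and defines unrestricted_inbound, a check that flags any policy line that blanket-ACCEPTs traffic from net (or all) into fw (or all), so the lab setting is caught before a box goes into production. The proxy port 8080 (HAVP's usual default), the extra policy lines and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the LEAF/Bering-uClibc wiki page or of Shorewall:
# the lab policy from the text next to a least-privilege variant, plus a small
# check that flags a blanket inbound ACCEPT before a box goes into production.
# Assumptions (not from the page): HAVP listens on TCP 8080, its usual default
# (adjust to the PORT setting in your havp.config); the policy and rules files
# below are constructed samples that follow the Shorewall column layout.

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# 1. The lab policy described in the text: from the guest's point of view "net"
#    is the VirtualBox host, and every service on the guest is reachable from it.
cat > "$workdir/policy.lab" <<'EOF'
# SOURCE  DEST  POLICY  LOGLEVEL
net       fw    ACCEPT
fw        net   ACCEPT
loc       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
EOF

# 2. Tightened variant: inbound from net is dropped by default and only the
#    proxy port is opened in the rules file. Outbound (fw -> net) stays ACCEPT,
#    as on the page, because HAVP fetches arbitrary web pages and freshclam
#    downloads signature updates.
cat > "$workdir/policy.prod" <<'EOF'
# SOURCE  DEST  POLICY  LOGLEVEL
net       fw    DROP    info
fw        net   ACCEPT
loc       net   ACCEPT
net       all   DROP    info
all       all   REJECT  info
EOF

cat > "$workdir/rules.prod" <<'EOF'
# ACTION  SOURCE  DEST  PROTO  DPORT
# Browsers reach the anti-virus proxy (HAVP default port: assumption)
ACCEPT    net     fw    tcp    8080
# If you administer the guest over the network, add its management port here
EOF

# unrestricted_inbound FILE
# Prints every policy line that blanket-ACCEPTs traffic into the firewall zone
# (SOURCE net or all, DEST fw or all, POLICY ACCEPT) and returns 1 if any exist,
# 0 if the file has a restrictive inbound default. Comments and blank lines are
# ignored; columns are split on whitespace, as Shorewall does.
unrestricted_inbound() {
    clean=$(mktemp)
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" > "$clean"
    found=0
    while read -r src dst pol _rest; do
        case "$src:$dst:$pol" in
            net:fw:ACCEPT|net:all:ACCEPT|all:fw:ACCEPT|all:all:ACCEPT)
                printf 'unrestricted inbound: %s %s %s\n' "$src" "$dst" "$pol"
                found=1 ;;
        esac
    done < "$clean"
    rm -f "$clean"
    return $found
}

# Demo: the lab policy is flagged, the tightened one passes.
unrestricted_inbound "$workdir/policy.lab"  || echo "policy.lab: not suitable for production"
unrestricted_inbound "$workdir/policy.prod" && echo "policy.prod: no blanket inbound ACCEPT"
```

To check a real box, source the script and run `unrestricted_inbound /etc/shorewall/policy`; after editing policy and rules, `shorewall check` validates the configuration and `shorewall restart` applies it.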
Testing the setup
tbd
Additional reading and acknowledgment
Useful clamav links:
Useful havp links:
How to use havp with squid as caching proxy (though it's based on an outdated squid version).
The original packages for havp.lrp and clamav.lrp were contributed by Alejandro Dguez for LEAF Bering-uClibc 3.x. Based on his work it was easy to adjust the buildtool setup for LEAF Bering-uClibc 4.x.