By: Danar Hadinata

hari ini coba gogling2 bt ente yang mu instal pf di free bsd
kalo mu kopas in here.............

Pertama-tama, konfigurasi kernel Anda agar mendukung pf:
#Packet Filter Options
device pf
device pflog
device pfsync
#Enabling ALTQ
options ALTQ
options ALTQ_CBQ # Class Based Queuing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
Berikut konfigurasi yg saya implementasikan pada box FreeBsd saya, buat para admin jaringan yang menggunakan box FreeBsd lossss cah ngerdon og,,,,,,,,,,,,,,,,,,,,,,,,,,,,
### macros
# internal and external interfaces (ketik 'ifconfig' untuk melihat daftar interface)
int_if = "vr0"
ext_if = "rl0"
# Port yang boleh diakses dari luar box, silakan sesuaikan
tcp_services = "{ 80, 110, 25, 53, 113, 21}"
udp_services = "{ 53, 1194 }"
# ping requests
icmp_types = "echoreq"
# Private network yang mau diblok traffiknya
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
### options
set block-policy return
set loginterface $ext_if
set skip on lo0
### Scrub
scrub in all
### nat/rdr
# NAT traffic dari Internal Ke External
nat on $ext_if from $int_if:network to any -> ($ext_if)
# Port Redirector untuk Transparent Proxy & Transparent FTP
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
### filter rules
block all
# Blok Traffik Dari Luar Yang Pake IP Private
block drop in quick on $ext_if from $priv_nets to any
# Blok Trafik dari Luar ke Internal
block drop out quick on $ext_if from any to $priv_nets
# Perbolehkan Akses ke TCP port tertentu
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
# Perbolehkan Akses ke UDP port tertentu
pass in on $ext_if proto udp to any port $udp_services keep state
# Perbolehkan Akses FTP
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
user proxy flags S/SA keep state
# Ping Reply OK
pass in inet proto icmp all icmp-type $icmp_types keep state
# Perbolehkan Traffik dari Internal ke Internal Interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# Perbolehkan Traffik keluar melalui External Interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Untuk mengecek NAT dan konfigurasi Anda, gunakan perintah berikut (untuk mengecek sintaks saja tanpa memuat aturan, jalankan `pfctl -nf /etc/pf.conf` terlebih dahulu):
# pfctl -Fn -Nf /etc/pf.conf
flush rules
# pfctl -f /etc/pf.conf
Dan untuk me-restart pf anda gunakan perintah
# pfctl -NORf /etc/pf.conf
Biar auto start, masukkan script berikut di rc.conf anda :
pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_flags="" # additional flags for pfctl startup
pflog_enable="YES" # start pflogd(8)
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup
gateway_enable="YES" # Enable as LAN gateway

ywes ngu kui lah kenek ra kenek dongo ae sing akeh dhe.........
 By: Danar Hadinata


install via port

> cd /usr/ports/
> make search key=squid | grep Path -A 2
> cd /usr/ports/www/squid
> make fetch package install

Jangan lupa enablekan option berikut :

[X] SQUID_PF Enable transparent proxying with PF

Edit konfigurasi squid :

> cd /usr/local/etc/squid/

Konfigurasi Squid

1. Buat direktori cache-nya sesuai dengan script squid.conf, atau sesuaikan dengan kapasitas harddisk Anda

root# mkdir /cache1 /cache2 /cache3 /cache4 /cache5

root# chown squid:squid /cache1

root# chown squid:squid /cache2

root# chown squid:squid /cache3

root# chown squid:squid /cache4

root# chown squid:squid /cache5

2. Tentukan file access.log dan cache.log (sesuaikan alamatnya dengan yang ada di script squid.conf)

root# mkdir /var/log/squid

root# cd /var/log/squid

root# touch access.log

root# touch cache.log

root# chown squid:squid /var/log/squid

3. Salin script ini ke file squid.conf yang berada di /usr/local/etc/squid. Catatan: Squid mengevaluasi baris http_access secara berurutan dan berhenti pada kecocokan pertama, sehingga aturan blacklist (block1, block2, IpAddressOnly, exploit, virus, gator, BADPORTS) yang ditulis setelah `http_access deny all` tidak akan pernah dievaluasi; pindahkan aturan deny tersebut ke atas, sebelum `http_access deny all`, dan perhatikan bahwa `http_access deny GETONLY` akan memblokir semua request GET bila ikut dievaluasi. Ganti juga `cachemgr_passwd mypassword all` dengan password Anda sendiri sebelum konfigurasi dipakai.

root# ee squid.conf

http_port 3128

icp_port 3130



acl QUERY urlpath_regex cgi-bin \?

acl nocache-domain dstdomain .mail.yahoo.com .login.yahoo.com

no_cache deny QUERY

no_cache deny nocache-domain


#----------- disk management ---------- ##

cache_dir diskd /cache1 1500 64 256 Q1=72 Q2=64

cache_dir diskd /cache2 1500 64 256 Q1=72 Q2=64

cache_dir diskd /cache3 1500 64 256 Q1=72 Q2=64

cache_dir diskd /cache4 1500 64 256 Q1=72 Q2=64

cache_dir diskd /cache5 1500 64 256 Q1=72 Q2=64


cache_access_log /var/log/squid/access.log

cache_log /var/log/squid/cache.log

cache_store_log /dev/null

mime_table /usr/local/etc/squid/mime.conf

diskd_program /usr/local/libexec/squid/diskd

cache_dns_program /usr/local/libexec/squid/dnsserver

redirect_program /usr/local/libexec/adzap

redirect_program /usr/local/bin/squidGuard


log_icp_queries off

auth_param basic children 5

auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

auth_param basic casesensitive off


emulate_httpd_log on

redirect_rewrites_host_header off

dead_peer_timeout 5 seconds

cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

half_closed_clients off

dns_children 16


#-----------transparent proxy -----------

httpd_accel_host virtual

httpd_accel_port 80

httpd_accel_with_proxy on

httpd_accel_uses_host_header on

#-------------------------------------------


acl dns src 202.134.1.10

acl sip src 192.168.1.0/30

acl net src 192.168.10.0/26

acl all src 0.0.0.0/0.0.0.0

acl localhost src 127.0.0.1/32



acl Safe_ports port 80 443 210 119 563 70 21 1025-65535

acl CONNECT method CONNECT

http_access allow localhost

http_access allow dns


http_access allow sip

http_access allow net

http_access deny !Safe_ports

http_access deny CONNECT

http_access deny all


#---------------- administration info ------------

cache_mgr admin@dije.co.cc

cache_effective_user squid

cache_effective_group squid

log_icp_queries off

cachemgr_passwd mypassword all

forwarded_for off

buffered_logs on

visible_hostname dije.co.cc



#---------- HTTP accelerator --------------- #

cache_mem 6 MB

cache_swap_low 90

cache_swap_high 95

maximum_object_size 4096 KB

maximum_object_size_in_memory 2048 KB

ipcache_size 40000

ipcache_low 90

ipcache_high 99

fqdncache_size 512

memory_replacement_policy lru

store_avg_object_size 30 KB

half_closed_clients off


#====================================================================$

# MISCELLANEOUS

#=====================================================================$

##REFRESH PATTERN


request_header_max_size 14 KB

refresh_pattern ^ftp: 10080 95% 241920

refresh_pattern ^gopher: 1440 0% 1440

refresh_pattern . 120 95% 120960


refresh_pattern \.gif 4320 50% 43200

refresh_pattern \.jpg 4320 50% 43200

refresh_pattern \.tif 4320 50% 43200

refresh_pattern \.png 4320 50% 43200

refresh_pattern \.jpeg 4320 50% 43200

refresh_pattern http://.*\.kompas\.com/ 0 20% 4320

refresh_pattern http://.*\.mobstar\.cc/ 0 20% 4320

refresh_pattern -i ^http://.*\.yahoo\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.indosat\.net\.id/ 0 20% 4320

refresh_pattern -i ^http://.*\.friendster\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.google\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.jawapos\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.detik\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.telkom\.net/ 0 20% 4320

refresh_pattern -i ^http://.*\.plasa\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.mail.yahoo\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.mail.telkom\.net/ 0 20% 4320

refresh_pattern -i ^http://.*\.hotmail\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.sctv\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.liputan6\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.gmail\.com/ 0 20% 4320

refresh_pattern -i ^http://.*\.indosiar\.com/ 0 20% 4320

refresh_pattern -i exe$ 0 50% 999999

refresh_pattern -i zip$ 0 50% 999999

refresh_pattern -i tar\.gz$ 0 50% 999999

refresh_pattern -i tgz$ 0 50% 999999

logfile_rotate 10

icp_query_timeout 20000

extension_methods SEARCH PROPPATCH

forwarded_for on

digest_generation on

digest_bits_per_entry 10

digest_rebuild_period 30 minute

digest_rewrite_period 30 minute

digest_swapout_chunk_size 6000 bytes

client_persistent_connections on

server_persistent_connections on

pipeline_prefetch on

store_dir_select_algorithm round-robin

nonhierarchical_direct off

prefer_direct off

ie_refresh on

quick_abort_min 0 KB

quick_abort_max 0 KB

quick_abort_pct 98

positive_dns_ttl 1 hours

negative_dns_ttl 1 minute


connect_timeout 1 minute

read_timeout 60 minutes

request_timeout 1 minutes

persistent_request_timeout 5 minute

client_lifetime 1 day

half_closed_clients off

pconn_timeout 300 seconds

shutdown_lifetime 10 seconds

pipeline_prefetch on

vary_ignore_expire on


negative_ttl 2 minutes

buffered_logs on

ie_refresh off

nonhierarchical_direct on

prefer_direct off


## Blacklist -------------#

acl block1 url_regex -i "/etc/block1.txt"

acl block2 url_regex -i "/etc/block2.txt"

acl IpAddressOnly url_regex ^http://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/$

acl GETONLY method GET

acl exploit urlpath_regex winnt/system32/cmd.exe?

acl virus dst 204.177.92.204/32 64.191.99.145/32

acl gator dstdom_regex gator hot_indonesia.exe

acl BADPORTS port 7 9 11 19 22 23 25 110 119 513 514


http_access deny block1

http_access deny block2

http_access deny IpAddressOnly

http_access deny GETONLY

http_access deny exploit

http_access deny virus

http_access deny gator

http_access deny BADPORTS

http_access deny all



#############################################################

#acl limit url_regex -i ftp \.mp3$ \.zip$ \.ram$ \.rmi$ \.pdf$ \.tgz$ \.gz$ \.exe$ \.mov$ \.mpg$

#delay_pools 1

#delay_class 1 1

#delay_parameters 1 -1/-1 5000/32000

#delay_access 1 allow net limit

#delay_access 1 deny ALL

4. Buat direktori cache dengan ketik squid -z

5. Test dengan mengetik `squid -DF` dan lihat di top apakah sudah running; kalau sudah, berarti beres


6. Agar otomatis running saat start, masukkan baris berikut di /etc/rc.conf

squid_enable="YES"

squid_flags="-DF"

7. Test dengan browser dengan setting arahkan pada ip Proxy anda.

8. Untuk melihat aktivitas traffic :

root# tail -f /var/log/squid/access.log

Pastikan kalo di top udah running.