Netgate Discussion Forum
    Any security issues with running pound and privoxy on my pfsense box?

    General pfSense Questions
      Cino:

      I know the ports are not supported by the pfSense team and I'm on my own if they cause issues. I've been looking for a reverse proxy for a while. I've given up trying to run one on my Windows 2003 box since I couldn't find any that were free to use. I couldn't get the package 'Proxy Server with mod_security' to work either. For years I've been using HTTP headers within IIS6 so it would pick the correct web site. As I've been adding devices to my household, I've been using port-forwarding from, let's say, WAN port 8088 to port 80 for the device I want to access via the internet. This is good, but sometimes I forget the port numbers.

      I came across pound and figured I would give it a try. I've attached my pound config and a JPG of my NAT/FW rules; are there any security issues that I should be concerned with? Any known hacks/break-ins while using pound?

      
      ######################################################################
      ## global options:
      
      User		"nobody"
      Group		"nobody"
      RootJail	"/var/jail/pound/"
      
      ## Logging: (goes to syslog by default)
      ##	0	no logging
      ##	1	normal
      ##	2	extended
      ##	3	Apache-style (common log format)
      LogLevel	1
      LogFacility daemon
      
      ## check backend every X secs:
      Alive		30
      
      ## use hardware-acceleration card supported by openssl(1):
      #SSLEngine	""
      
      ######################################################################
      ## listen, redirect and ... to:
      
      ## HTTP Listener
      ListenHTTP
      	Address 127.0.0.1
      	Port    9080
      	LogLevel 0
      End
      
      ## HTTPS Listener
      ListenHTTPS
      	Address 127.0.0.1
      	Port    9443
      	Cert    "/var/jail/pound/host.domain.net.pem"
      	LogLevel 0
      End
      
      	Service
      		HeadRequire "Host: ted5000.host.domain.net"
      
      		BackEnd
      			Address 192.168.0.x
      			Port    80
      		End
      	End
      	Service
      		HeadRequire "Host: nasbox.host.domain.net"
      
      		BackEnd
      			Address 192.168.0.x
      			Port    80
      		End
      	End
      	Service
      		HeadRequire "Host: mrtg.host.domain.net"
      
      		BackEnd
      			Address 192.168.0.x
      			Port    9191
      		End
      	End
      	Service
      		HeadRequire "Host:.*host.domain.net.*"
      
      		BackEnd
      			Address 192.168.0.x
      			Port    80
      		End
      	End
      
      

      Any issues with running privoxy on the LAN IP address, port 8118? I don't foresee using it a lot. I'm able to OpenVPN into my home network from work and plan to use privoxy to keep my browsing private when it's needed. Since privoxy doesn't have account-based security I will not give the WAN access to it, as I don't want it to become a free proxy server for all to use. I could bind it to the loopback address and set up a LAN port-forward rule for it, but I didn't see the need for that with my current setup.

      P.S. I'm usually running the latest 2.0 snapshot.
      (attachment: poundsetup.JPG)

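An added example, not from Cino's post and not pound's own code: a Python model of how pound picks a Service from the request's Host header, using the four HeadRequire patterns from the config above (the backend addresses are placeholder names, since the post shows 192.168.0.x). It assumes pound tests HeadRequire as a POSIX extended regex with regexec(), i.e. an unanchored search in which an unescaped "." matches any character, and that the whole "Host: ..." header line is what gets matched. Because the client chooses the Host header, the posted patterns also accept names such as ted5000.host.domain.net.attacker.example or ghost.domain.network; HARDENED_SERVICES is the same routing table with anchors and escaped dots.

```python
import re

# The four Service blocks from the pound.cfg above, in order, as (HeadRequire
# pattern, backend). Backends are placeholder names: the post shows 192.168.0.x.
POSTED_SERVICES = [
    ("Host: ted5000.host.domain.net", "ted5000:80"),
    ("Host: nasbox.host.domain.net", "nasbox:80"),
    ("Host: mrtg.host.domain.net", "mrtg:9191"),
    ("Host:.*host.domain.net.*", "iis-catchall:80"),
]

# Same routing with anchored patterns and escaped dots (added hardening, not
# from the post). "(:[0-9]+)?" tolerates a "Host: name:port" header; the
# catch-all now accepts only names that end in .host.domain.net.
HARDENED_SERVICES = [
    (r"^Host: ted5000\.host\.domain\.net(:[0-9]+)?$", "ted5000:80"),
    (r"^Host: nasbox\.host\.domain\.net(:[0-9]+)?$", "nasbox:80"),
    (r"^Host: mrtg\.host\.domain\.net(:[0-9]+)?$", "mrtg:9191"),
    (r"^Host: ([a-z0-9-]+\.)*host\.domain\.net(:[0-9]+)?$", "iis-catchall:80"),
]


def route(services, host_header, flags=re.IGNORECASE):
    """Backend the first matching Service sends this 'Host: ...' line to, or
    None when nothing matches (pound then answers with an error page instead
    of proxying).
    Model assumption: HeadRequire is a POSIX extended regex tested with
    regexec(), so an unanchored re.search() is the equivalent; case-insensitive
    matching is an assumption here and kept as a parameter."""
    for pattern, backend in services:
        if re.search(pattern, host_header, flags):
            return backend
    return None


def audit_patterns(services):
    """Flag patterns that an attacker-controlled Host header can satisfy more
    widely than intended: no ^...$ anchors, or a '.' that is not escaped."""
    findings = []
    for pattern, backend in services:
        if not (pattern.startswith("^") and pattern.endswith("$")):
            findings.append((backend, "unanchored"))
        if re.search(r"(?<!\\)\.", pattern):
            findings.append((backend, "unescaped dot"))
    return findings


# Constructed Host header lines: two legitimate, two attacker-chosen.
PROBES = [
    "Host: ted5000.host.domain.net",
    "Host: cam2.host.domain.net",
    "Host: ted5000.host.domain.net.attacker.example",
    "Host: ghost.domain.network",
]

if __name__ == "__main__":
    for probe in PROBES:
        print("%-48s posted=%-16s hardened=%s" % (
            probe, route(POSTED_SERVICES, probe), route(HARDENED_SERVICES, probe)))
    print("posted pattern findings:", audit_patterns(POSTED_SERVICES))
```

Whether the loose matching matters depends on what each backend does with an unexpected Host value, but the anchored patterns cost nothing and make the routing table say exactly what it routes. Running the script prints, for each probe, which backend the posted and the hardened tables would choose, plus the audit findings for the posted patterns.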
        Guest (heavy1metal):

        I don't have the need for a reverse proxy, so I'm not entirely familiar with it. But squid does support reverse proxy, have you looked into configuring squid in such a way to simplify it?

          Cino:

          @heavy1metal:

          I don't have the need for a reverse proxy, so I'm not entirely familiar with it. But squid does support reverse proxy, have you looked into configuring squid in such a way to simplify it?

          In the case of how I'm using the reverse proxy, it allows me to redirect HTTP/HTTPS traffic to different backend servers, all using the same public IP and a single port. It also allows me to have the reverse proxy deal with the HTTPS connection while it's plain HTTP to the backend servers.

          Let's say you have www.domain1.com and www.domain2.com. They are pointed to my single public IP of 123.123.123.123. The reverse proxy looks at the HTTP header info and sends www.domain1.com traffic to 192.168.0.10 and www.domain2.com traffic to 192.168.0.11.

          Never thought of using squid as a reverse proxy… May have to install that package on a test box and see if the GUI has any configuration for it. If not, pound was so easy to set up.

            Guest (heavy1metal):

            I'm pretty sure the pfSense GUI for squid doesn't offer it, at least I don't see the option. Also, I just read that squid is a "horrible" reverse proxy. I was reading a post earlier where somebody was asking for a method of doing exactly what you're doing.
            http://forum.pfsense.org/index.php/topic,33488.0.html

            Very cool that it's able to read the HTTP headers; that does greatly simplify everything when you have separate web servers. Using Apache I do the same thing, but it's all hosted under that one box, which I know doesn't fit every scenario.

            Pound sounds like it would be a really awesome package for pfSense.

            http://www.apsis.ch/pound

            As this has piqued my interest lol, looking around the forums pfSense runs lighttpd, which supports reverse proxy (which you may already know; this is all new to me :-) ).
            http://forum.pfsense.org/index.php/topic,16761.0.html

            Oke doke, pfSense does have a reverse proxy package through "modsecurity." Supports HTTP and HTTPS.
            "Proxy Server with mod_security"

            And last but not least, varnish is supported on the beta x64 version.

              Cino:

              @heavy1metal:

              As this has piqued my interest lol, looking around the forums pfSense runs lighttpd, which supports reverse proxy (which you may already know; this is all new to me :-) ).
              http://forum.pfsense.org/index.php/topic,16761.0.html

              Oke doke, pfSense does have a reverse proxy package through "modsecurity." Supports HTTP and HTTPS.
              "Proxy Server with mod_security"

              And last but not least, varnish is supported on the beta x64 version.

              I installed the package 'Proxy Server with mod_security' a while ago but I couldn't get it to run on my box. Never found a how-to on the forum; the mod_security website didn't seem very helpful either.

              I've heard of varnish but didn't know there is a package for it on the x64 version. I'm running an Atom processor so I think I can install the x64 version on it, but haven't tried. Haven't played with 64-bit OSes yet because of hardware and drivers. I could be wrong, but I believe varnish doesn't support SSL.

              I can write a quick how-to if you like. I don't know how to use all the advanced settings, just how to get it to redirect traffic to the boxes I want, SSL, and set up a wildcard to my IIS6 box (where I use the HTTP headers like you do on Apache).

              Pound would be a great package for pfSense, I think. It's really lightweight from what I can tell. It doesn't even need to access the hard drive after it's running.

                Guest (heavy1metal):

                A write-up would be awesome; everywhere I've read talks about re-compiling the kernel with it bundled in somehow. I read your other post about NAT'ing the ports for the mail server etc. If you do this, could you let me know if there are any latency issues? I've read somewhere in the past that adding a NAT vs. just opening the port can cause a delay (more so when you have higher volumes).

                  Cino:

                  It's a FreeBSD port, so no compiling needed.

                  I used a mix of the command line and WinSCP to get this done:

                  From the command line, type:

                  pkg_add -r pound
                  

                  Now create this file with 0644 permissions; I did it using WinSCP:

                  /usr/local/etc/pound.cfg
                  

                  I can't help create your pound.cfg as it's unique to everyone's setup, but you can use mine as a base.

                  
                  ######################################################################
                  ## global options:
                  
                  User		"nobody"
                  Group		"nobody"
                  RootJail	"/var/jail/pound/"
                  
                  ## Logging: (goes to syslog by default)
                  ##	0	no logging
                  ##	1	normal
                  ##	2	extended
                  ##	3	Apache-style (common log format)
                  LogLevel	1
                  LogFacility daemon
                  
                  ## check backend every X secs:
                  Alive		30
                  
                  ## use hardware-acceleration card supported by openssl(1):
                  #SSLEngine	""
                  
                  ######################################################################
                  ## listen, redirect and ... to:
                  
                  ## HTTP Listener
                  ListenHTTP
                  	Address 127.0.0.1
                  	Port    9080
                  	LogLevel 0
                  End
                  
                  ## HTTPS Listener
                  ListenHTTPS
                  	Address 127.0.0.1
                  	Port    9443
                  	Cert    "/var/jail/pound/host.domain.net.pem"
                  	LogLevel 0
                  End
                  
                  	Service
                  		HeadRequire "Host: ted5000.host.domain.net"
                  
                  		BackEnd
                  			Address 192.168.0.x
                  			Port    80
                  		End
                  	End
                  	Service
                  		HeadRequire "Host: nasbox.host.domain.net"
                  
                  		BackEnd
                  			Address 192.168.0.x
                  			Port    80
                  		End
                  	End
                  	Service
                  		HeadRequire "Host: mrtg.host.domain.net"
                  
                  		BackEnd
                  			Address 192.168.0.x
                  			Port    9191
                  		End
                  	End
                  	Service
                  		HeadRequire "Host:.*host.domain.net.*"
                  
                  		BackEnd
                  			Address 192.168.0.x
                  			Port    80
                  		End
                  	End
                  
                  

                  You can comment out the RootJail, but I configured it for added security. If you do want to use it, make sure you create the folders below (they don't have to be /var/jail, but should be somewhere within /var). My permissions for the folders are 0755. If you do plan to use SSL, make sure you create the …pound/dev/urandom. It's needed only for SSL, or it won't work. Also, copying the localtime file over ensures pound will log based on your timezone and not GMT.

                  
                  mkdir /var/jail
                  mkdir /var/jail/pound
                  mkdir /var/jail/pound/dev
                  mkdir /var/jail/pound/etc
                  mknod /var/jail/pound/dev/urandom c 1 9
                  cp /etc/localtime /var/jail/pound/etc/localtime
                  
                  

                  For testing I would change the HTTP/HTTPS Listener LogLevel to 1. But change it back to 0 unless you want to see logs for every web page/image that is accessed (use your web server logging for this, and make sure it can accept 'X-Forwarded-For', because that's where the client IP will be).

                  Create your NAT/firewall rules (or see the first post for a picture):
                  NAT (port forward):

                  
                  If   Proto  Src addr  Src ports  Dest addr    Dest ports   NAT IP     NAT ports  Description
                  WAN  TCP    *         *          WAN address  80 (HTTP)    127.0.0.1  9080       HTTP pound redirect
                  WAN  TCP    *         *          WAN address  443 (HTTPS)  127.0.0.1  9443       HTTPS pound redirect
                  
                  

                  Firewall (WAN):

                  
                  Proto     Source  Port  Destination  Port  Gateway  Queue  Schedule  Description
                  IPv4 TCP  *       *     127.0.0.1    9080  *        none             NAT HTTP pound redirect
                  IPv4 TCP  *       *     127.0.0.1    9443  *        none             NAT HTTPS pound redirect
                  
                  

                  To start pound from the command line:

                  /usr/local/etc/rc.d/pound forcestart
                  

                  To have it auto-start on reboot, add this to your config.xml under the system section:

                  <shellcmd>/usr/local/etc/rc.d/pound forcestart</shellcmd>
                  

                  I think that's it…These were the steps I did to get it running... Hope it helps!

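An added example, not from the how-to and not pound's own parser: a small Python linter that reads a pound.cfg of the shape used in this how-to and checks the properties the setup relies on: pound drops to an unprivileged User and Group, RootJail is set, every listener binds to 127.0.0.1 so the NAT redirect is the only path to it, the HTTPS listener has a Cert, and LogFacility names a real syslog facility (the "deamon" spelling as originally posted fails that check). The parser handles only the "keyword args" lines and "Block ... End" nesting seen above, which is an assumption, and both sample configs are constructed, with 192.168.0.10 standing in for the post's 192.168.0.x.

```python
import shlex

# Syslog facility names accepted for LogFacility (assumption: the standard set).
SYSLOG_FACILITIES = {"auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr",
                     "mail", "news", "security", "syslog", "user", "uucp"}
SYSLOG_FACILITIES.update("local%d" % i for i in range(8))

# Block-opening keywords in the pound.cfg subset handled here; "End" closes them.
BLOCK_OPENERS = {"ListenHTTP", "ListenHTTPS", "Service", "BackEnd", "Session", "Emergency"}


def parse_pound_cfg(text):
    """Parse pound.cfg text into a tree of blocks.

    Each block is {'type': str, 'directives': [(keyword, [args])], 'children': [block]};
    the returned root block holds the global options. Only 'keyword args...' lines
    and 'Block ... End' nesting are handled (assumption), and '#' starts a comment.
    """
    root = {"type": "global", "directives": [], "children": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)          # strips the double quotes around values
        keyword, args = parts[0], parts[1:]
        if keyword == "End":
            if len(stack) == 1:
                raise ValueError("line %d: End without an open block" % lineno)
            stack.pop()
        elif keyword in BLOCK_OPENERS:
            block = {"type": keyword, "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
        else:
            stack[-1]["directives"].append((keyword, args))
    if len(stack) != 1:
        raise ValueError("missing End for %s block" % stack[-1]["type"])
    return root


def directive(block, keyword):
    """First value of a directive in a block, or None if it is absent."""
    for key, args in block["directives"]:
        if key.lower() == keyword.lower() and args:
            return args[0]
    return None


def lint_pound_cfg(text):
    """Return a list of findings; an empty list means the config passes these checks."""
    cfg = parse_pound_cfg(text)
    findings = []
    user, group = directive(cfg, "User"), directive(cfg, "Group")
    if user in (None, "root"):
        findings.append("User: pound should drop privileges to an unprivileged account")
    if group in (None, "root", "wheel"):
        findings.append("Group: pound should drop privileges to an unprivileged group")
    if directive(cfg, "RootJail") is None:
        findings.append("RootJail: not set, pound keeps the whole filesystem visible")
    facility = directive(cfg, "LogFacility")
    if facility is not None and facility.lower() not in SYSLOG_FACILITIES:
        findings.append("LogFacility: %r is not a syslog facility (typo?)" % facility)
    for block in cfg["children"]:
        if block["type"] not in ("ListenHTTP", "ListenHTTPS"):
            continue
        addr, port = directive(block, "Address"), directive(block, "Port")
        if addr != "127.0.0.1":
            findings.append("%s %s:%s: listener is not on loopback; the NAT redirect "
                            "is the only path that should reach pound" % (block["type"], addr, port))
        if block["type"] == "ListenHTTPS" and directive(block, "Cert") is None:
            findings.append("ListenHTTPS %s:%s: no Cert" % (addr, port))
    return findings


# Constructed sample in the shape of the how-to's pound.cfg, including the
# misspelled facility as originally posted.
HOWTO_STYLE_CFG = """
User        "nobody"
Group       "nobody"
RootJail    "/var/jail/pound/"
LogLevel    1
LogFacility deamon
Alive       30
ListenHTTP
    Address 127.0.0.1
    Port    9080
    LogLevel 0
End
ListenHTTPS
    Address 127.0.0.1
    Port    9443
    Cert    "/var/jail/pound/host.domain.net.pem"
    LogLevel 0
End
Service
    HeadRequire "Host: nasbox.host.domain.net"
    BackEnd
        Address 192.168.0.10
        Port    80
    End
End
"""

# Constructed counter-example: runs as root, no jail, bound to every interface.
EXPOSED_CFG = """
User "root"
ListenHTTP
    Address 0.0.0.0
    Port    80
End
"""

if __name__ == "__main__":
    for name, cfg in (("how-to style", HOWTO_STYLE_CFG), ("exposed", EXPOSED_CFG)):
        print(name, lint_pound_cfg(cfg) or ["ok"])
```

Run it against your own /usr/local/etc/pound.cfg by reading the file into lint_pound_cfg(); a clean run is a reasonable precondition before the NAT rules above send port 80 and 443 at the listeners.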
                    Cino:

                    @heavy1metal:

                    A write up would be awesome, everywhere I've read talks about re-compiling the kernal with it bundled in somehow. I read your other post about NAT'ing the ports for the mail server etc.. if you do this, could you let me know if there are any latency issues? I've read somewhere in the past that by adding a NAT vs just opening the port can cause a delay (more so when you have higher volumes).

                    I only have an internal SMTP server. The internet doesn't have inbound access to it, so I don't know if there are any latency issues with NAT.

                      emanuelebruno:

                      @heavy1metal:

                      If you do plan to use SSL, make sure you create the …pound/dev/urandom. Its needed only for SSL or it wont work.

                      Hi heavy1metal, I'd like to use SSL in the future, can you explain to me exactly how can I create the pound/dev/urandom file? Thanks for all.
                      Sincerely,
                      Emanuele Bruno.

                        Cino:

                        @emanuelebruno:

                        @heavy1metal:

                        If you do plan to use SSL, make sure you create the …pound/dev/urandom. Its needed only for SSL or it wont work.

                        Hi heavy1metal, I'd like to use SSL in the future, can you explain to me exactly how can I create the pound/dev/urandom file? Thanks for all.
                        Sincerely,
                        Emanuele Bruno.

                        Did you read my how-to? It's in it: http://forum.pfsense.org/index.php/topic,33566.msg174126.html#msg174126

                          FlexyZ:

                          Cino where can I grab the template package for pound?

                          thx

                            Cino:

                            @FlexyZ:

                            Cino where can I grab the template package for pound?

                            thx

                            What do you mean by template package? There is no pfSense package for pound… This is a command-line install/how-to I did... You can take my how-to and create a package if you want. I don't know how to, but will be looking into it; don't wait on me to build a package, though, as it could take a year or may never happen since I'm not a programmer.

                              FlexyZ:

                              Where did you get the "pound" package for the "pkg_add -r pound"?

                              thx

                                Cino:

                                @FlexyZ:

                                where did you get the "pound" package for the "pkg_add -r pound"

                                thx

                                From FreeBSD ports; it will go here to grab the port:

                                ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/pound.tbz
                                
                                  nutt318:

                                  Cino,

                                  I am having the same issue getting modsecurity to work and am thinking about using your solution with pound. Just wanted to see if you have tried anything else to get modsecurity to work?

                                  Thanks,
                                  Jake

                                    Cino:

                                    I haven't tried modsecurity in months..

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.