Article ID: 20010612A
Subject: SEI Data Internet Appliance Build
Concept: A buildup of a FreeBSD based Filtering Proxy Server Appliance
OS: FreeBSD



Background

The ISP that I work for recently started providing content filtering to subscribers who requested it. We were already using a squid cache system for our entire customer base with pretty good luck. A couple of local schools and libraries that had dedicated lines (not through us) wanted a similar service, but also wanted total control of the content that was being filtered. While setting up a filtering cache server was not a big chore, they also did not want to have to do any administration of the box, *and* on top of that, cost was to be kept to a minimum. There are products available in stand-alone configurations that do this, but all proved to be too expensive. As the solution provider, we also wanted a configuration that was flexible enough for different configurations, i.e. an intranet server, email, or even a router. We decided on using a web interface for the post-installation configuration, using already available open-source GPL software. The only cost to us was the hardware itself.


The Hardware

The appliance needed to have a small footprint and be able to work, for the most part, without keyboard and monitor. We looked at several configuration options available to us and cost/performance options. For the prototype, we settled for an AMD based server with IDE hard drive. We also priced a comparable Intel configuration for comparison. By getting the parts from OEM dealers, we were able to get the parts for just under $400.00 (minus shipping costs). Here is the parts list:


                AMD                    Intel
Processor       AMD Duron 750          Intel Celeron 700
Motherboard     Gigabyte GA-7ZMM       Asus CUSI-FX
RAM             128mb PC133 (both)
Hard Drive      Western Digital 20gig 7200rpm 2mb (both)
Network Cards   3Com 3C905C-TX (both)
Case            Directron BookPC-Flex ATX Case (both)


Notes
1. CDROM/Floppy not needed, as this will be an appliance and can be attached as needed.
2. Video/Audio is onboard for both motherboards, but will be configured for serial console.


The Hardware Build

The case has a very small footprint (15"x12"x3.5") so only a micro-ATX board will fit. The biggest problem we had was the fact that the case takes low-profile cards. Unlike 1U or 2U rackmount cases that use a riser card so that PCI cards go in horizontally, this case uses the "low-profile" standard. Up to this time, I had never encountered low-profile cards, and a quick search on the web (via Google) located only one recognized name manufacturer that makes low-profile PCI 10/100 ethernet cards, which happens to be IBM. While the cards seem nice, there was not any unix support that I could find, just WinNT and Novell. Also, at $100.00 a pop, they were too expensive for this project. We had some new 3Com 3C905C-TX cards that had a small PCB, so we "engineered" the brackets to fit the case. A pair of good tin-snips, a dremel (a must have), and about 10 minutes of work, and voila! a low-profile 3Com ethernet card. Keep in mind that the Intel configuration's motherboard had one ethernet on-board, so we only need one additional card. Here is a picture comparing the standard sized 3Com and my "chopped" version:



The rest of the installation was a typical computer build, put parts where they belonged and tidy up the cables all nice and neat (I have a reputation, you know?). Here are some pics of the prototype box:

Picture of the back panel. Note the ethernet cards, onboard video, and optional on-board ethernet slot (above USB ports, for the Intel configuration). Also keep in mind that the case is only 3.5 inches tall and 12" wide.



Here is a picture of the inside. Things are pretty cramped, and not a lot of room. Expandability was not an option and the case only allows a CDROM, floppy, and a hard drive, or basically two 3.5" devices and one 5.25" device.



This picture shows the device frame that sits over the hard drive, allowing the mounting of a floppy drive (right) and cdrom drive (left). One of the concerns was heat buildup in the case, but after several days of testing, all of the onboard sensors indicated normal operating temperatures.



This is a shot of the finished, closed-up box. Kinda bland looking even in the black case. One of the things we looked at was the addition of a two line, 16 character backlit LCD that would be fitted into the 5.25" slot. Using linux's LCDProc program, we could show uptime, date/time, load-average, etc. on the LCD. The bad thing is, this would tie up our only serial port that was intended for the serial console. The ideal kit is from CrystalFontz (www.crystalfontz.com) part # SKD162632SGLG.






The Software Install

For the OS, there was only one real choice, FreeBSD. We run it, and so should you :). No, really, we could have run linux or FreeBSD, as the software we are using is available for both. Being a FreeBSD shop, we chose it simply because we are more familiar with the OS and feel that it is a lot easier to maintain than linux. There were other reasons for choosing the OS, but those two were the biggies. Note for the uneducated, both are free so no licensing fees apply.

We did a CUSTOM install of FreeBSD selecting the minimal package set. After installation, we installed all of the compat libs, all source, ports, and finally the cvsup-bin package. After setting root password and getting the network cards configured for the net, we rebooted and cvsup'd the source and ports, did a make buildworld as root user. We then built a custom kernel, installed world, and ran a mergemaster to get all of the configs up to date. I won't go into more detail than this because there are *so* many better sources on how to do this (www.freebsd.org/handbook for starters). We reboot again so that the new kernel and code is running.
We add a wheel user that SEI Data can use if we need it. At this point, we only need two accounts, root and the on-site technical access user. We disable all services with the exception of secure shell (ssh), by editing /etc/inetd.conf and rc.conf. We install the squid and squidguard packages, along with the webmin package. The webmin package will be our html configuration interface.
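
A way to check the "everything off except ssh" step described above, as an added example that is not part of the original article: a small sh script that lists whatever is still enabled in an inetd.conf and an rc.conf beyond an allow-list. The function names, the allow-list contents and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list anything still enabled in inetd.conf / rc.conf that is
# not on an allow-list. File formats are FreeBSD's; sample data is constructed.

# Active inetd.conf entries: non-blank lines that do not start with '#'.
inetd_enabled() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1" | sort -u
}

# rc.conf knobs of the form name_enable="YES"; the last assignment wins.
rc_enabled() {
    awk -F= '/^[ \t]*[A-Za-z0-9_]+_enable=/ {
        name = $1; gsub(/[ \t]/, "", name); sub(/_enable$/, "", name)
        val = $2; sub(/#.*/, "", val); val = toupper(val)
        gsub(/[^A-Z]/, "", val); state[name] = val
    }
    END { for (n in state) if (state[n] == "YES") print n }' "$1" | sort
}

# audit_services INETD_CONF RC_CONF "allowed names": print one finding per line.
audit_services() {
    allowed=" $3 "
    # Assumes sshd runs standalone from rc.conf, so any live inetd entry is a finding.
    for svc in $(inetd_enabled "$1"); do echo "inetd:$svc"; done
    for svc in $(rc_enabled "$2"); do
        case "$allowed" in
            *" $svc "*) ;;                 # expected on the appliance
            *) echo "rc.conf:$svc" ;;
        esac
    done
}

# Constructed sample files standing in for /etc/inetd.conf and /etc/rc.conf.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/libexec/ftpd     ftpd -l
telnet  stream  tcp  nowait  root  /usr/libexec/telnetd  telnetd
EOF
    cat > "$1/rc.conf" <<'EOF'
sshd_enable="YES"
inetd_enable="YES"
sendmail_enable="YES"
portmap_enable="NO"
EOF
}

d=$(mktemp -d) && write_samples "$d" &&
    audit_services "$d/inetd.conf" "$d/rc.conf" "sshd"
rm -rf "$d"
```

On a live box the same functions can also be pointed at /etc/defaults/rc.conf, since values there apply whenever /etc/rc.conf does not override them.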

So our list of packages is as follows:
o Squid Cache Software - www.squid-cache.org - Web Caching
o SquidGuard Software - www.squidguard.org - Filtering the Cache
o Webmin Software - www.webmin.com - HTML Administration Console

All of the above packages are part of the FreeBSD Ports Collection.







©2004-2020 Paul Boehmer