UNIX proxy server w/ Privoxy (and maybe ClamAV?) [long]

Okay... Here is the situation. My home network incorporates a bunch of rather exotic computers:
- A Windows 2000 desktop, which badly needs an upgrade and hopefully won't choke on Windows 7's grotesque commit charge
- Several legacy Macintoshes running OS 9 or thereabouts, mostly useless for browsing
- A few Linux machines

And because I'm a compulsive experimenter, I've ditched Noscript on my netbook and am currently using Opera and Privoxy. I'm fairly impressed with the results; Hotmail for instance loads much faster, and I'm getting far fewer cookies. It's not as flexible or powerful as Noscript for JS blocking, but it seems to be quite good enough for my purposes.

But Privoxy can be used as a server proxy (is that the correct terminology?). So I was thinking, instead of having a bunch of separate Privoxy sessions running on the machines that support Privoxy, maybe I could set up a dedicated computer as a proxy server, and consolidate all the filtering there. With the right configuration, that would offer a bit more security for the Windows and Linux machines, and probably make the Macs much more useful online.

What's generally considered the best sort of setup for this?

Starting with the basics:

- I want a server setup that won't be compromised easily, and requires minimal maintenance. The server would definitely stay behind my NAT router, but even so... What OS do you think would be most suitable? I'm leaning towards a BSD...

- Privoxy has a nice web interface, and all the users on my home network are trusted. Would it be reasonable to open up the web interface?

- Would it be better to use Privoxy alone, or with a caching proxy?

Also I was thinking of throwing in ClamAV (or possibly F-Prot, I think the UNIX version of that is freeware); it seems like a good idea to cover as many bases as possible re malware. What would be the most sensible way to deploy an antivirus this way?

Also, I have to ask... If I'm going to go to all this trouble, would it perhaps be better to also integrate in a firewall, and just replace my NAT router? That might increase the attack surface; OTOH, I think using a PC as a router/gateway might allow me to scan *all* unencrypted traffic with ClamAV, not just HTTP.

Speaking of which - what about encrypted traffic? I assume there's nothing to be done this way about malicious content transmitted over HTTPS, since it's only decrypted on the destination machines? Could this be a problem, seeing as fake antivirus websites are sometimes use "genuine" SSL certificates?

 

If I could make a couple suggestions, if you're just looking for a lighter browser than Firefox why not give Seamonkey a try? I like it because you can still use NoScript with it.

If you're going to go with a firewall give pfSense a shot. It uses the OpenBSD pf firewall and you can try it with a Live CD. I'm using it and like it a lot but am running it behind my router. It comes with packages you can optionally install, like Snort, and has a AV program you can use but it's not Clam and I'm not familiar with it.

 

Hmm. I think it might also be nice to integrate Snort into this project as a way of filtering malware, as indicated here:

+http://www.darkreading.com/blog/227700734/squashing-malware-with-snort-in-line.html

Though that might be going a bit far just to deal with worms and drive-by installs; I really don't expect any calculated intrusion attempts, only the usual web hazards. Given that (I think?) Snort would have to be deployed on a gateway, I'm not sure it's worth the trouble.

Anyway - I'm currently trying to configure Privoxy and clamd on a Linux testbed. Privoxy is easy, not sure about clamd though - what's the best way to configure it? I don't want to use HAVP because it's not been updated since 2010; can I just use a caching proxy like Polipo instead, and point clamd at the proxy's disk cache?

 

Several reasons:
- Noscript is a bit of a pain to manage, and also not really suitable for novice users.
- Noscript is strictly local. It can't sanitize web content for a bunch of legacy Macs. (And mind, I'd love to get the Macs off the network, but that ain't happening any time soon. )
- Noscript is not centralized.

An AV other than Clam? Interesting. Thanks for mentioning this.

 

I don't have Snort or any other of the packages installed since I'm behind the router, and I've got Clamav installed on my boxes. I was just mentioning it was among the packages. It's got one that will watch for portscans and run an nMap scan on the IP that scanned you too.

I did have the pfblocker running to block countries, but till you modify the ruleset the default pf rules are are to:

Code:

block in all

pass out all keep state

Your rules will take precedence but I can go with just those.

As for Clam, somebody else will have to advise you on the configuration you're going to be using.

Edit: I checked it out and it's got HAVP HTTP AV Proxy that does run ClamAV, can run with Squid, in a parent and transparent mode and "aims for continious non-blocking downloads and smooth scanning of dynamic and password protected HTTP traffic."