Yes, firstly, setup an internal machine to run squid. Then install either squidguard or Dans Guardian on the same box (all you need to know is at the squid, squidguard and DG website and to tie in these applications together). It will take a little time configuring this.
I wouldn't recommend that you do your filtering on the firewall (IMHO firewalls should be just that, not fully blown application proxies, plus you're adding unnecessary load to the firewall) Discussion about squid and DG may not fall within the remit of this discussion group.
Then configure your squid box to point use your astaro box so it can get web content. When you have this loop working, then you can filter the content via the internal squid box. When this works, you can point your internal users to the internal squid box. (it might be a good idea to setup a host in dns called webproxy/proxy/www-cache.domain.com, and fix the ip of your internal squid box.
This is something that I have done which works very well. (its fast too)
