transparent Squid 2.5Stable10 + FreeBSD 5.3
Ryan Rathje
mrsharky at iastate.edu
Mon Jun 20 15:40:54 GMT 2005
Here's my FreeBSD setup
Nic1 -> outside (123.456.789.10)
Nic2 -> internal (192.168.1.2)
Here's my client Win2k setup
IP: 192.168.1.5
MASK: 255.255.255.0
GW: 192.168.1.2
-------------------------------------
I have FreeBSD 5.3 installed with the modified kernel options
options IPFILTER
options IPFILTER_LOG
options NMBCLUSTERS=32768
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
in a machine with 2 NICS (NIC1 -> outside world; NIC2 -> internal network
(192.168.1.2)). I configured Squid with the ARG --enable-ipf-transparent, and
this is what my options (/var/db/ports/squid/) file looks like for configuring Squid:
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for squid-2.5.10_1
_OPTIONS_READ=squid-2.5.10_1
WITHOUT_SQUID_LDAP_AUTH=true
WITHOUT_SQUID_DELAY_POOLS=true
WITHOUT_SQUID_SNMP=true
WITHOUT_SQUID_CARP=true
WITHOUT_SQUID_SSL=true
WITH_SQUID_PINGER=true
WITHOUT_SQUID_DNS_HELPER=true
WITHOUT_SQUID_HTCP=true
WITHOUT_SQUID_VIA_DB=true
WITHOUT_SQUID_CACHE_DIGESTS=true
WITH_SQUID_WCCP=true
WITH_SQUID_UNDERSCORES=true
WITH_SQUID_CHECK_HOSTNAME=true
WITHOUT_SQUID_STRICT_HTTP=true
WITH_SQUID_IDENT=true
WITHOUT_SQUID_USERAGENT_LOG=true
WITHOUT_SQUID_ARP_ACL=true
WITHOUT_SQUID_PF=true
WITH_SQUID_IPFILTER=true
WITH_SQUID_FOLLOW_XFF=true
WITHOUT_SQUID_AUFS=true
WITHOUT_SQUID_COSS=true
WITHOUT_SQUID_LARGEFILE=true
WITHOUT_SQUID_STACKTRACES=true
WITH_SQUID_RCNG=true
In the squid.conf file I've made (what I think) are the appropriate changes:
http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
and lastly, this is what my rc.conf looks like:
hostname="Gohan"
squid_enable="YES"
firewall_enable="YES"
firewall_type="open"
firewall_quiet="NO"
firewall_logging="YES"
# IPFILTER enabled
ipfilter_enable="YES"
ipfilter_program="/sbin/ipf"
ipfilter_rules="/etc/ipf.rules"
ipfilter_flags=""
ipfw add allow all from any to 192.168.1.2 80
ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv 192.168.1.2 xmit 129.186.215.57
---------------------------------------------------------
I ran ethereal on the client machine (192.168.1.5) that is behind Squid, and it
appears that the client hits the 192.168.1.2 but doesn't forward it on to the
Squid proxy, therefore never reaching the outside world. I get the normal "Page
cannot be displayed" message on the client. I would have thought that if it
was hitting the Squid it would give a Squid error message.
My gut feeling is it has something to do with my ipfw rules; any and ALL help
would be GREATLY appreciated. Thanks.
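As an added example (not from the post above or from the FreeBSD/Squid projects), a small POSIX shell check for two properties a transparent-Squid ipfw rule set is usually expected to have. Both sample rule files are constructed here; the loop-guard rule (the proxy host's own outbound port-80 traffic allowed before the fwd rule) and the use of "in" on the fwd rule are assumptions taken from the common FreeBSD transparent-proxy recipe, not facts stated in the post.

```shell
#!/bin/sh
# Added example: sanity-check an ipfw rule file for a transparent Squid redirect.
# Addresses come from the post (proxy host 192.168.1.2, Squid on port 3128).
# Assumption 1: Squid's own fetches leave the proxy host toward port 80, so a rule
#   allowing that traffic must come BEFORE the fwd rule or they loop back into Squid.
# Assumption 2: the fwd rule should match packets arriving ("in"), which is how the
#   usual FreeBSD recipes hand LAN clients' port-80 traffic to the local Squid socket.
PROXY_IP=192.168.1.2
PROXY_PORT=3128

# Returns 0 when FILE has a fwd rule to PROXY_IP,PROXY_PORT that matches "in" and an
# earlier rule letting PROXY_IP itself reach port 80 directly; otherwise returns 1.
check_transparent_rules() {
    file=$1
    fwd_line=$(grep -n "fwd ${PROXY_IP},${PROXY_PORT} " "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$fwd_line" ]; then
        echo "no fwd rule to ${PROXY_IP},${PROXY_PORT}" >&2
        return 1
    fi
    if ! sed -n "${fwd_line}p" "$file" | grep -Eq ' in( |$)'; then
        echo "fwd rule does not match inbound (in) packets" >&2
        return 1
    fi
    # Only rules listed before the fwd rule can exempt the proxy's own traffic.
    if ! head -n $((fwd_line - 1)) "$file" | grep -q "allow tcp from ${PROXY_IP} to any 80"; then
        echo "proxy host's own port-80 traffic not allowed before the fwd rule (redirect loop)" >&2
        return 1
    fi
    return 0
}

RULES_DIR=$(mktemp -d)
GOOD_RULES=$RULES_DIR/good.rules
BAD_RULES=$RULES_DIR/bad.rules

# Constructed sample: loop guard first, then redirect LAN clients' inbound port-80 traffic.
cat > "$GOOD_RULES" <<EOF
add allow tcp from ${PROXY_IP} to any 80
add fwd ${PROXY_IP},${PROXY_PORT} tcp from 192.168.1.0/24 to any 80 in
add allow ip from any to any
EOF

# Constructed sample shaped like the post's rules: fwd matches "out", no loop guard.
cat > "$BAD_RULES" <<EOF
add allow all from any to ${PROXY_IP} 80
add fwd ${PROXY_IP} tcp from any to ${PROXY_IP} 3128
add fwd ${PROXY_IP},${PROXY_PORT} tcp from any to any 80,82,3128 out
EOF
```

Run it as `check_transparent_rules /etc/ipfw.rules` against a one-rule-per-line file; the reason for a failure is printed on stderr.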