PF and SQUID
Miguel Alcántara
miguel.alc at gmail.com
Mon Jun 23 16:17:38 UTC 2008
Hi everybody, I'm having a problem for a week. I have to setup PF + SQUID in
a P2 machine, with 128RAM and 6GB hard disk and just one nic. I virtualized
an interface with an ip 192.168.1.80 and it has squid, the nic has
192.168.1.60 and all the lan is 192.168.1.0/24.
My problem is that I can´t browse some sites the must be permitted.
pf.conf
#rules for firewall
ext_nic = "dc0"
yo = "192.168.1.0/24"
table <dns_cautivo> {208.67.220.220, 208.67.222.222}
#SQUID CONFIGURATION
rdr pass on $ext_nic inet proto tcp from $yo to any port www ->
192.168.1.80port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
#FILTER
block all
#pass in on $ext_nic from $yo
pass out on $ext_nic from any to <dns_cautivo>
squid.conf
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#/////////
acl special_client src 192.168.1.0/24
#acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"
#acl special_url url_regex ucci
acl hotmail dstdomain .hotmail.com
acl mail dstdomain .blu134.mail.live.com
acl mailhot dstdom_regex -i mail
acl hotmail_mail dstdomain .hotmail.msn.com
acl passport dstdomain .passport.net
acl msn dstdomain .msn.com
acl ie6 browser MSIE[[:space:]]6
acl permitidos url_regex "/usr/local/etc/squid/free.squid"
acl palabra urlpath_regex -i login.srt
acl numconn maxconn 80
acl browse_hotmail url_regex www.hotmail.com
acl browse_ulima url_regex www.ulima.edu.pe
acl browse_yahoo url_regex www.yahoo.com
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
##http_access allow special_client lista_permitidos
##http_access allow special_client hotmail
##http_access allow special_client mailhot
##http_access allow special_client mail
#http_access deny special_url
#http_access allow special_client
http_access allow special_client permitidos
http_access allow special_client hotmail
http_access allow special_client mail
http_access allow special_client mailhot
http_access allow special_client Safe_ports
http_access allow special_client hotmail_mail
http_access allow special_client palabra
http_access allow special_client browse_hotmail
http_access allow special_client browse_ulima
http_access allow special_client browse_yahoo
#http_access allow special_client special_url
http_access deny all
Well, it doens`t work, when I try to surf in any domain name listed above in
squid squid sends me a message:
ERROR The requested URL could not be retrieved
------------------------------
While trying to retrieve the URL: http://www.yahoo.com/
The following error was encountered:
- * Connection to Failed *
The system returned:
* (1) Operation not permitted*
The remote host or network may be down. Please try the request again.
Your cache administrator is webmaster.
------------------------------
Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)
*Then in logs from squid I can see an 503 error TCP_MISS.
I use FBSD 7 and SQUID 2.6, obviously with PF. Ah!, squid was compiled with
pf habilities or something like that.
Plz, what I am doing wrong.
*
--
Atte.
Miguel Alcántara A.
More information about the freebsd-pf
mailing list