PF and SQUID

Miguel Alcántara miguel.alc at gmail.com
Mon Jun 23 16:17:38 UTC 2008


Hi everybody, I've been having a problem for a week. I have to set up PF + SQUID on
a P2 machine, with 128 RAM, a 6GB hard disk and just one NIC. I virtualized
an interface with the IP 192.168.1.80 and it has squid, the NIC has
192.168.1.60 and the whole LAN is 192.168.1.0/24.

My problem is that I can't browse some sites that must be permitted.

pf.conf

#rules for firewall
ext_nic = "dc0"
yo = "192.168.1.0/24"

table <dns_cautivo> {208.67.220.220, 208.67.222.222}
#SQUID CONFIGURATION
rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
#FILTER
block all
#pass in on $ext_nic from $yo
pass out on $ext_nic from any to <dns_cautivo>

squid.conf

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#/////////
acl special_client src 192.168.1.0/24
#acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"

#acl special_url url_regex ucci
acl hotmail dstdomain .hotmail.com
acl mail dstdomain .blu134.mail.live.com
acl mailhot dstdom_regex -i mail
acl hotmail_mail dstdomain .hotmail.msn.com
acl passport dstdomain .passport.net
acl msn dstdomain .msn.com
acl ie6 browser MSIE[[:space:]]6
acl permitidos url_regex "/usr/local/etc/squid/free.squid"
acl palabra urlpath_regex -i login.srt
acl numconn maxconn 80
acl browse_hotmail url_regex www.hotmail.com
acl browse_ulima url_regex www.ulima.edu.pe
acl browse_yahoo url_regex www.yahoo.com

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
##http_access allow special_client lista_permitidos
##http_access allow special_client hotmail
##http_access allow special_client mailhot
##http_access allow special_client mail
#http_access deny special_url
#http_access allow special_client

http_access allow special_client permitidos
http_access allow special_client hotmail
http_access allow special_client mail
http_access allow special_client mailhot
http_access allow special_client Safe_ports
http_access allow special_client hotmail_mail
http_access allow special_client palabra
http_access allow special_client browse_hotmail
http_access allow special_client browse_ulima
http_access allow special_client browse_yahoo
#http_access allow special_client special_url
http_access deny all


Well, it doesn't work. When I try to surf to any domain name listed above in
squid, squid sends me a message:

ERROR: The requested URL could not be retrieved
------------------------------

While trying to retrieve the URL: http://www.yahoo.com/

The following error was encountered:

    * Connection to Failed *

The system returned:

    (1) Operation not permitted

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.
------------------------------
Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)


Then in the logs from squid I can see a 503 error, TCP_MISS.

I use FBSD 7 and SQUID 2.6, obviously with PF. Ah, squid was compiled with
pf abilities or something like that.

Please, what am I doing wrong?


-- 
Regards,

Miguel Alcántara A.
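An added pf.conf for the same single-NIC layout (an example written here, not the poster's ruleset): it passes the proxy's own outbound connections explicitly and logs every drop to pflog0 so a missing pass rule can be seen. It assumes that the "(1) Operation not permitted" on the Squid error page is pf rejecting Squid's outgoing connect(), and the macro names $proxy/$lan and the https rules are additions of mine.

```pf
# Added example (not the poster's pf.conf). Same single-NIC layout is
# assumed: dc0 = 192.168.1.60, proxy alias 192.168.1.80, LAN 192.168.1.0/24,
# Squid on port 3128. Assumption: "(1) Operation not permitted" on a
# Squid error page is EPERM from connect(), which is what pf returns when
# it blocks a packet the host itself generated; the posted ruleset only
# passes DNS out, so Squid's own fetches would be dropped.
ext_nic = "dc0"
proxy   = "192.168.1.80"
lan     = "192.168.1.0/24"
table <dns_cautivo> { 208.67.220.220, 208.67.222.222 }

set skip on lo0                # never filter loopback

# Transparent redirect of LAN web traffic to Squid (inbound on dc0 only).
rdr on $ext_nic inet proto tcp from $lan to any port www \
    -> $proxy port 3128
nat on $ext_nic from $lan to any -> ($ext_nic)

# Default deny; "log" sends every drop to pflog0, so a missing pass rule
# shows up with:  tcpdump -n -e -ttt -i pflog0
block log all

# Proxy's own outbound traffic: DNS plus the web fetches Squid makes on
# behalf of clients. A bare interface name covers the .80 alias as well.
pass out on $ext_nic inet proto { tcp, udp } from $ext_nic \
    to <dns_cautivo> port domain
pass out on $ext_nic inet proto tcp from $ext_nic to any port { www, https }

# LAN clients: after rdr the filter sees the translated address, so the
# redirected HTTP arrives addressed to the proxy. HTTPS and DNS are natted
# out by the rules above.
pass in on $ext_nic inet proto tcp from $lan to $proxy port 3128
pass in on $ext_nic inet proto tcp from $lan to any port https
pass in on $ext_nic inet proto { tcp, udp } from $lan \
    to <dns_cautivo> port domain
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; if Squid's fetches still fail, the pflog0 capture shows which rule is dropping them.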

