PF and SQUID

eculp eculp at encontacto.net
Mon Jun 23 23:37:09 UTC 2008


Quoting Miguel Alcántara <miguel.alc at gmail.com>:

> Hi everybody, I've been having a problem for a week. I have to set up PF + SQUID on
> a P2 machine with 128RAM, a 6GB hard disk and just one NIC. I virtualized
> an interface with IP 192.168.1.80 and it has squid; the NIC has
> 192.168.1.60 and the whole LAN is 192.168.1.0/24.
>
> My problem is that I can't browse some sites that must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"

As Max suggested, it might be easier for Miguel in his native language,
but we aren't sure which language that is, so I'm going to take a shot
in Spanish and see if that helps. Apologies to the list; Miguel
can take other questions offline should he feel more comfortable in
Spanish.

Hi Miguel,

Judging by your name, it may be easier to help you in Spanish. I have just
put together a basic configuration for squid and another for pf that I hope
will help you. I took them from a configuration of my own, removing anything
that has nothing to do with a basic firewall or the operation of squid.
I hope it helps you.

http://encontacto.net/SHARE/pf.conf.BASICA.txt
http://encontacto.net/SHARE/squid.conf.BASICA.txt

I added some # comments that I hope are useful.

Good luck and regards,

ed

>
> table <dns_cautivo> {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
> nat on $ext_nic from $yo to any -> ($ext_nic)
> #FILTER
> block all
> #pass in on $ext_nic from $yo
> pass out on $ext_nic from any to <dns_cautivo>
>
> squid.conf
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> #/////////
> acl special_client src 192.168.1.0/24
> #acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"
>
> #acl special_url url_regex ucci
> acl hotmail dstdomain .hotmail.com
> acl mail dstdomain .blu134.mail.live.com
> acl mailhot dstdom_regex -i mail
> acl hotmail_mail dstdomain .hotmail.msn.com
> acl passport dstdomain .passport.net
> acl msn dstdomain .msn.com
> acl ie6 browser MSIE[[:space:]]6
> acl permitidos url_regex "/usr/local/etc/squid/free.squid"
> acl palabra urlpath_regex -i login.srt
> acl numconn maxconn 80
> acl browse_hotmail url_regex www.hotmail.com
> acl browse_ulima url_regex www.ulima.edu.pe
> acl browse_yahoo url_regex www.yahoo.com
>
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##http_access allow special_client lista_permitidos
> ##http_access allow special_client hotmail
> ##http_access allow special_client mailhot
> ##http_access allow special_client mail
> #http_access deny special_url
> #http_access allow special_client
>
> http_access allow special_client permitidos
> http_access allow special_client hotmail
> http_access allow special_client mail
> http_access allow special_client mailhot
> http_access allow special_client Safe_ports
> http_access allow special_client hotmail_mail
> http_access allow special_client palabra
> http_access allow special_client browse_hotmail
> http_access allow special_client browse_ulima
> http_access allow special_client browse_yahoo
> #http_access allow special_client special_url
> http_access deny all
>
>
> Well, it doesn't work. When I try to surf to any domain name listed above in
> squid, squid sends me a message:
>
> ERROR The requested URL could not be retrieved
> ------------------------------
>
> While trying to retrieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
>    - * Connection to Failed *
>
>  The system returned:
>
> *    (1) Operation not permitted*
>
>  The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
> ------------------------------
>  Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)
>
>
> Then in the logs from squid I can see a 503 error, TCP_MISS.
>
> I use FBSD 7 and SQUID 2.6, obviously with PF. Ah! Squid was compiled with
> pf abilities or something like that.
>
> Please, what am I doing wrong?
>
>
> --
> Atte.
>
> Miguel Alcántara A.
>
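As an added illustration (not part of this thread, and not Squid's own code), the following Python replays Squid's http_access evaluation, where the ACLs on one line are ANDed, lines are tried in order and the first matching line decides, over a constructed excerpt of the quoted squid.conf kept in the same rule order (the file-backed `permitidos` ACL and the `manager`, `browser` and `maxconn` ACLs are left out). It shows that a LAN client's request for www.yahoo.com is already accepted by the broad `allow special_client Safe_ports` line before the per-site `browse_yahoo` line is reached; an http_access denial would produce Squid's "Access Denied" page, not the "Connection ... Failed" error quoted above.

```python
import ipaddress
import re
from urllib.parse import urlsplit
# Constructed excerpt of the thread's squid.conf in the same rule order; the
# file-backed ACL (permitidos) and types not modelled (browser, maxconn) omitted.
SQUID_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl Safe_ports port 80 21 443 70 210 1025-65535 280 488 591 777
acl special_client src 192.168.1.0/24
acl hotmail dstdomain .hotmail.com
acl mailhot dstdom_regex -i mail
acl browse_yahoo url_regex www.yahoo.com
http_access deny !Safe_ports
http_access allow special_client hotmail
http_access allow special_client mailhot
http_access allow special_client Safe_ports
http_access allow special_client browse_yahoo
http_access deny all
"""

def parse(conf):
    acls, rules = {}, []
    for parts in (ln.split() for ln in conf.splitlines()):
        if parts and parts[0] == "acl":  # same-named acl lines accumulate (OR)
            vals = [v for v in parts[3:] if v != "-i"]
            acls.setdefault(parts[1], []).append((parts[2], re.I if "-i" in parts else 0, vals))
        elif parts and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules

def acl_hit(kind, flags, vals, req):
    if kind == "src":
        return any(req["src"] in ipaddress.ip_network(v, strict=False) for v in vals)
    if kind == "port":  # single ports or lo-hi ranges
        return any(int(v.split("-")[0]) <= req["port"] <= int(v.split("-")[-1]) for v in vals)
    if kind == "dstdomain":  # a leading dot also matches subdomains
        return any(req["host"] == v.lstrip(".") or v[0] == "." and req["host"].endswith(v)
                   for v in vals)
    field = {"dstdom_regex": "host", "url_regex": "url", "urlpath_regex": "path"}.get(kind)
    return bool(field) and any(re.search(v, req[field], flags) for v in vals)

def decide(conf, src, url):
    """Return (action, matching rule) for a plain GET from src to url."""
    acls, rules = parse(conf)
    u = urlsplit(url)
    req = {"src": ipaddress.ip_address(src), "url": url, "host": u.hostname or "",
           "path": u.path or "/", "port": u.port or 80}
    for action, terms in rules:  # first line whose every (possibly negated) ACL matches wins
        if all(any(acl_hit(*e, req) for e in acls.get(t.lstrip("!"), [])) != t.startswith("!")
               for t in terms):
            return action, " ".join([action] + terms)
    return ("deny" if rules[-1][0] == "allow" else "allow"), "default"
```

Calling `decide(SQUID_CONF, "192.168.1.5", "http://www.yahoo.com/")` returns the Safe_ports line, while a client outside 192.168.1.0/24 falls through to `deny all`.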

More information about the freebsd-pf mailing list