pf + squid

Greg Donald destiney at gmail.com
Wed May 18 09:26:39 PDT 2005


I am following this howto:
http://www.benzedrine.cx/transquid.html


I added pf and pflog to my kernel.  After rebooting I did chgrp squid
/dev/pf and chmod g+rw /dev/pf.  I also restarted squid several times.
When I try to access a remote web server it times out.  I'm not
getting any errors in /var/log/pflog or /var/log/messages.


My config files look like this:

> cat /etc/pf.conf |grep -v ^#

ext_if="dc0"    # replace with actual external interface name i.e., dc0
int_if="dc1"    # replace with actual internal interface name i.e., dc1
internal_net="10.0.0.1/8"   # host bits set; the network address is 10.0.0.0/8 (macro is not referenced by the rules below)
external_addr="24.159.59.97"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128   # redirect inside web traffic to squid on loopback
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state     # filtering sees the rewritten destination, so let it in
pass out on $ext_if inet proto tcp from any to any port www keep state           # squid's own fetches leaving on the external interface


> cat /usr/local/etc/squid/squid.conf |grep -v ^#
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8
http_port 127.0.0.1:3128
http_access deny to_localhost
http_access allow our_networks
visible_hostname gateway.localdomain
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


I am using ipfw to create my NAT, I don't know if that matters, but
here are my config files for that as well:

> cat /etc/rc.firewall |grep -v ^#

ipfw -f flush

ipfw pipe 10 config bw 12KBytes/s
ipfw add 50 pipe 10 ip from 10.0.0.2 to any via dc1

ipfw pipe 11 config bw 24KBytes/s
ipfw add 51 pipe 11 ip from 10.0.0.3 to any via dc1

ipfw pipe 12 config bw 12KBytes/s
ipfw add 52 pipe 12 ip from 10.0.0.4 to any via dc1
ipfw pipe 13 config bw 64KBytes/s
ipfw add 53 pipe 13 ip from any to 10.0.0.4 via dc1

ipfw add 200 pass all from any to any via lo0
ipfw add 201 deny ip from any to 127.0.0.0/8   # also covers 127.0.0.1:3128; if ipfw sees packets after pf's rdr, rule 200 only exempts lo0 and this drops them on dc1

ipfw add 500 divert natd all from any to any via dc0


> cat /etc/natd.conf |grep -v ^#
interface dc0
dynamic
use_sockets
unregistered_only
punch_fw 2000:50
redirect_port tcp 10.0.0.2:20-21 20-21
redirect_port tcp 10.0.0.2:22 22
redirect_port tcp 10.0.0.2:80 80
redirect_port tcp 10.0.0.2:113 113

redirect_port tcp 10.0.0.2:3333 3333
redirect_port tcp 10.0.0.2:2010-2020 2010-2020


Any ideas?  TIA.


-- 
Greg Donald
Zend Certified Engineer
http://destiney.com/
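A consistency check over the three configs quoted above, as an added example that is not part of the original post or of the howto it follows. It parses the pf macros and rdr/pass rules, the squid http_port line and the ipfw deny rules, then reports the mismatches a practitioner would verify first on the box: a macro with host bits set, an rdr target squid is not listening on, a missing pass-in rule for the rdr target, and an ipfw deny that would catch the redirected packets if ipfw filters them after pf has rewritten the destination. The configs are embedded (trimmed to the relevant lines) so it runs offline; check_setup() and the helper names are hypothetical.

```python
"""Cross-check a pf rdr transparent-proxy setup against squid.conf and ipfw.

Added example for the thread above, not code from the howto or the poster.
The three configs are the ones quoted in the message, embedded here (trimmed
to the relevant lines) so the script runs offline.  All function names are
hypothetical.
"""
import ipaddress
import re

PF_CONF = """\
ext_if="dc0"    # replace with actual external interface name i.e., dc0
int_if="dc1"    # replace with actual internal interface name i.e., dc1
internal_net="10.0.0.1/8"
external_addr="24.159.59.97"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
"""
SQUID_CONF = """\
acl our_networks src 10.0.0.0/8
http_port 127.0.0.1:3128
http_access allow our_networks
"""
IPFW_CONF = """\
ipfw add 200 pass all from any to any via lo0
ipfw add 201 deny ip from any to 127.0.0.0/8
ipfw add 500 divert natd all from any to any via dc0
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}  # pf accepts service names


def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)


def pf_macros(text):
    """name="value" definitions; trailing comments are ignored."""
    return dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', text, re.M))


def pf_expand(text):
    """Substitute $macro references so rules can be matched literally."""
    macros = pf_macros(text)
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), text)


def pf_rdr_rules(text):
    """(iface, target_ip, target_port) for every rdr rule."""
    pat = r"^rdr on (\S+) .*?-> (\S+) port (\S+)"
    return [(i, ip, port_number(p)) for i, ip, p in re.findall(pat, text, re.M)]


def pf_pass_in(text):
    """(iface, dst_ip, dst_port) for every 'pass in' rule with a dst port."""
    pat = r"^pass in on (\S+) .*? to (\S+) port (\S+)"
    return [(i, ip, port_number(p)) for i, ip, p in re.findall(pat, text, re.M)]


def squid_listeners(text):
    """(ip or None, port) for every http_port line ('http_port 3128' = any ip)."""
    out = []
    for spec in re.findall(r"^http_port\s+(\S+)", text, re.M):
        ip, _, port = spec.rpartition(":")
        out.append((ip or None, int(port)))
    return out


def ipfw_denies(text):
    """(rule_no, proto, dst_network, via_iface_or_None) for every deny rule."""
    pat = r"^ipfw add (\d+) deny (\S+) from \S+ to (\S+)(?: via (\S+))?"
    out = []
    for num, proto, dst, via in re.findall(pat, text, re.M):
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst, strict=False)
        out.append((int(num), proto, net, via or None))
    return out


def check_setup(pf, squid, ipfw):
    """Return a list of findings; an empty list means nothing obvious was found."""
    findings = []
    for name, val in pf_macros(pf).items():
        if "/" in val:
            try:
                ipaddress.ip_network(val)  # strict: host bits must be zero
            except ValueError:
                findings.append(f"{name}={val} has host bits set; use the network address")
    rules = pf_expand(pf)
    listeners = squid_listeners(squid)
    passes = pf_pass_in(rules)
    for iface, ip, port in pf_rdr_rules(rules):
        if (ip, port) not in listeners and (None, port) not in listeners:
            findings.append(f"rdr on {iface} targets {ip}:{port} but no squid http_port listens there")
        if (iface, ip, port) not in passes:
            findings.append(f"no 'pass in on {iface} ... to {ip} port {port}' rule for the rdr target")
        for num, proto, net, via in ipfw_denies(ipfw):
            # the redirected packet arrives on iface with dst already rewritten to ip
            if proto in ("ip", "all", "tcp") and ipaddress.ip_address(ip) in net and via in (None, iface):
                findings.append(f"ipfw rule {num} denies {proto} to {net}, which covers the rdr target {ip}: "
                                f"it drops redirected packets on {iface} if ipfw filters after pf's rdr "
                                f"(compare the rule's counters in 'ipfw show')")
    return findings


if __name__ == "__main__":
    for f in check_setup(PF_CONF, SQUID_CONF, IPFW_CONF):
        print("-", f)
```

The ipfw finding is conditional on hook ordering, which the script cannot see; the rule counters from `ipfw show` and the state table from `pfctl -s state` settle it on the host. The macro finding is cosmetic for the posted rules, since they never reference $internal_net.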


More information about the freebsd-questions mailing list