Transparent Proxy using Squid and PF

Reza Muhammad rezmuh at cbn.net.id
Wed Feb 8 06:33:28 PST 2006


Hey guys, I need a little help setting up a transparent proxy with 
Squid and PF on FreeBSD 5.4-RELEASE.

At first I think I forgot to build Squid with PF support, so I 
did "make deinstall", deleted 
/var/db/ports/squid/options, ran "make config" and selected 
PF support, and then ran "make install". 

But it still didn't work.  When I tried a basic config file and 
set the client's browser to use the router (which is also the Squid 
server) as its proxy explicitly, it worked fine.  So the problem seems 
to be that PF is not redirecting the incoming connections from the internal 
network to Squid.

Here's my pf.conf:

# pf.conf for intercepting LAN HTTP and handing it to Squid on loopback.
ext_if="rl0"
int_if="rl1"

# Redirect every TCP/80 connection arriving on the LAN side to Squid on 127.0.0.1:3128.
# NOTE(review): "from any to any" also catches HTTP aimed at the router itself and at
# other LAN hosts; limiting "from" to the LAN prefix (192.168.0.0/24 in squid.conf)
# and excluding "to $int_if" would narrow what gets intercepted — confirm intent.
# The rule is one line in the real file; the mail client wrapped it before "3128".
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 
3128

# pf filters the *translated* packet, so the pass rule must name 127.0.0.1:3128,
# not the client's original destination — this one does.
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
# NOTE(review): no "block" rule is shown, so pf's default policy passes everything
# and these rules only add state; if a block rule exists elsewhere, Squid's own
# outbound 443/21 traffic would also need a pass. On FreeBSD the squid process
# additionally needs read access to /dev/pf to look up the original destination;
# that permission (not the port build) is a common reason a config that works on
# OpenBSD fails here — verify with `ls -l /dev/pf` and the squid user's groups.


and here's my squid.conf:

# Listen only on loopback: the only way in is the pf rdr above, so the box is not
# an open proxy on either NIC. (The "browser pointed at the router" test in the
# mail would not reach this socket — presumably a different http_port was used then.)
http_port 127.0.0.1:3128
cache_mem 20 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

# NOTE(review): basic auth is configured here but no proxy_auth ACL references it,
# so it is dead config. Intercepted (transparent) clients never send
# Proxy-Authorization anyway, so this cannot be used for access control in this setup.
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Cache manager reachable from loopback only; http_access is first-match, so order matters.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

# Only allow CONNECT (tunnels) to the SSL ports, so the proxy can't be used to reach arbitrary TCP services.
http_access deny CONNECT !SSL_ports
http_reply_access allow all
# NOTE(review): icp_access allow all lets any host that can reach the ICP port query
# cache contents; with no peers listed, "icp_access deny all" (or icp_port 0) is safer — confirm.
icp_access allow all

coredump_dir /var/squid/cache

# Refuse requests whose destination is the loopback range (blocks reaching local
# services through the proxy).
http_access deny to_localhost
acl our_networks src 192.168.0.0/24

#####################
# block porn sites ##
#####################

# The three url_regex rules below are single lines in the real file; the mail
# client wrapped the pattern onto the following line. As pasted, the bare
# pattern lines would be syntax errors, but the whole block is commented out.
#acl porn1 url_regex -i 
(adultos|adultsight|adultsite|adultsonly|adultweb|blow-?job|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|incest|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
#acl porn2 url_regex -i 
(^|[-.\?+=/_0-9])(all|big|cute|cyber|fake|firm|hard|huge|little|mega|mini|naughty|new|old|pure|real|small|serious|soft|super|tiny|young)?(anal|babe|bharath|boob|breast|busen|busty|clit|cum|cunt|dick|fetish|fuck|hooter|lez|lust|naked|nude|oral|orgy|porno?|pupper|pussy|rotten|sex|shit|smutpump|teen|tit|topp?les|vixen|xxx)s?(cafe|site|surf|surfing|web|website)?([-.\?+=/_0-9]|$)
#acl porn3 url_regex -i 
(^|[-.\?+=/_0-9])(all|big|cute|cyber|fake|firm|hard|huge|little|mega|mini|naughty|new|old|pure|real|small|serious|soft|super|tiny|young)(girl|virgin)s?(cafe|site|surf|surfing|web|website)?([-.\?+=/_0-9]|$)
#acl pornWeb url_regex "/usr/local/etc/squid/porn/domains"

#http_access deny porn1
#http_access deny porn2
#http_access deny porn3
#http_access deny pornWeb

########################
# block advertisement ##
########################

# NOTE(review): the two list files use different prefixes — /usr/local/etc/squid
# (where the FreeBSD port installs) and /etc/squid. If /etc/squid/ads/ip does not
# exist Squid refuses to start; check cache.log before blaming the pf rules.
# deny_info also needs an ERR_NO_ADS template in the errors directory.
acl ads dstdomain "/usr/local/etc/squid/ads/domains"
acl ads2 dst "/etc/squid/ads/ip"
deny_info ERR_NO_ADS ads
http_access deny ads
http_access deny ads2

# Default-deny: only the LAN prefix may use the proxy.
http_access allow our_networks
http_access deny all
visible_hostname blowfish
# Squid 2.5-style interception: reconstruct the origin from the client's Host header.
# NOTE(review): trusting the Host header is the documented cache-poisoning risk of
# httpd_accel_uses_host_header; the http_access rules above limit who can send
# requests, which is the mitigation this config relies on — confirm that is acceptable.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on


Now the thing is, this same configuration works fine on OpenBSD.  So I 
suspect I didn't build Squid correctly on FreeBSD.  Can someone help me out?  
I'm fairly new to FreeBSD.

Thanks in advance.


