transparent Squid + pf

dharam paul exiaf_radar_guy38 at yahoo.co.in
Thu Feb 8 10:51:03 UTC 2007 

System: 
P-IV 3.06 GHz with Intel Original motherboard.
Hard Disk: SATA 80 GB.

Squid runs on this system nicely in non-transparent
mode.

I am trying Transparent Squid with FreeBSD 6.2.
The two NICs are rl0 and dc0.
rl0 is configured as : 192.168.x.x 255.255.255.0 #  my
internal interface for pf
dc0 is configured as : DHCP                      #  my
external interface for pf

The squid configuration is :


http_port 127.0.0.1:3128

dns_nameserver x.x.x.x x.x.x.x

visible_hostname xxxxxx


Kernel options that I have applied, recompiled and
installed are:

options INET
device  bpf
device  pf
device  pflog
device  pfsync


I can ping my internal internal interface and
interface (when external interface is assigned an IP
address). Kernel 

gives message: 

kernel:arp: 192.168.1.X is on rl0 but got reply from
xx:xx:xx:xx:xx on dc0.

Squid gives error :

ipcache_init: DNS name lookup tests failed

I tried to ping my dns server. I get error:
ping: no route to host.

I read at "http://freebsdonline.com" to allow squid to
access pf device, following commands are to be given,

chgrp _squid /dev/pf
chmod g+rw /dev/pf

Out of this the fist command does not work as it is,
it has worked as under;

chgrp squid /dev/pf

Her is  my pf.conf. and rc.conf for perusal please. I
am in no hurry, please advise me to set the things
right.

My "/etc/rc.conf": 
_________________

# -- sysinstall generated deltas -- # Fri May  5
07:17:11 2006
# Created: Fri May  5 07:17:11 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to
/etc/defaults/rc.conf.
# This file now contains just the overrides from
/etc/defaults/rc.conf.
#REMOVED: ifconfig_rl0="inet 192.168.1.1  netmask
255.255.255.0"
#defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="wildcat.dishs.net"
ifconfig_rl0="inet 192.168.1.13  netmask 255.255.255.0
media 10baseT/UTP"
ipv6_enable="YES"
keymap="us.iso"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="var/log/pflog"
pflog_flags=""
# -- sysinstall generated deltas -- # Mon Feb  5
19:43:03 2007
ipv6_enable="YES"
media 10baseT/UTP" # external interface
ifconfig_dc0="DHCP"
#defaultrouter="192.168.1.1"
hostname="wildcat.dishs.net"

My "pf.conf":
_____________

# Macros: define common values, so they can be
referenced and changed easily.
ext_if="dc0"    # replace with actual external
interface name i.e., dc0
int_if="rl0"    # replace with actual internal
interface name i.e., dc1

tcp_services = "{ 22, 443 }"

# define our networks
inet = "{ 192.168.1.0/16 }"
extaddr = "1.2.3.4"
icmp_types = "echoreq"
natone = int_if
allproto = " {tcp, udp, ipv6, icmp, esp, ipencap }
privnets = "{ 127.0.0.0/8, 192.168.0.0/16 172.16.0.12,
10.0.0.0/8 }"

set loginterface $ext_if

scrub on ext_if from $int_if:network to any ->
($ext_if)

#HTTP, HTTPS, to natone
rdr on $ext_if proto tcp from any to any port 80 ->
$natone

#ssh to natone
rdr on $ext_if proto tcp from any to any port 22 ->
$natone

#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"

# Tables: similar to macros, but more flexible for
many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16,
192.168.0.0/24, 192.168.1.18 }

# Options: tune the behavior of pf, default values are
given.

#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30,
tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45,
tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30,
udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30,
other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or
reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt,
developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Translation: specify how addresses are to be mapped
or redirected.
# nat: packets going out through $ext_if with source
address $internal_net will
# get translated as coming from the address of
$ext_if, a state is created for
# such packets, and incoming packets will be
redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination
$external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created
for such packets, and
# outgoing packets will be translated as coming from
the external address.

# my rules start here
rdr on $int_if inet proto tcp from any to any port www
-> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to
127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any
port www keep state
#rdr pass on $int_if inet proto tcp to any port 80 ->
port 3128
block log
pass quick on lo0 all
block drop in $ext_if from $privnets to any
block drop in on $ext_if from any to $privnets


#Webserver, HTTPS, 8000
pass in on $int_if proto tcp from any to any port 80
flags S/SA
pass in on $ext_if proto tcp from any to any port
$tcp_services flags S/SA
#####
##BAsic rules
###
pass in inet proto icmp all icmp-type $icmp_types keep
state
# lets keep the local net free
pass in on $int_if from $int_if:network to any keep
state
#Allow fw to establish connections to internal net
pass out on $int_if from any to $int_if:network keep
state
# Pass out TCP UDP, ICMP and ipv6
pass out on $ext_if proto ipv6 all
# Pass out on $ext_if proto ( tcp, udp, icmp } all
keep state
pass out on $ext_if all keep state
#DNS Server
pass in on $ext_if proto {tcp, udp} from any to any
port 53

# my rules end here
# spamd-setup puts addresses to be redirected into
table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp ->
127.0.0.1 port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all
outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if
port 22 keep state
#pass  out on $ext_if proto { tcp, udp } all keep
state

# pass incoming packets destined to the addresses
given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to
<foo> port 80 keep state
pass in on $int_if inet proto tcp from any to
127.0.0.1 port 3128 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if
port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before
using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if
user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep
state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep
state queue marketing
pass out on $ext_if inet proto tcp from any to any
port www keep state
I want to achieve transparent proxying without NAT
facility, though I want to be able to achive NAT
capability also. 

(NAT will be done by my router).

Squid is compiled with pf support
[B]--enable-pf-transparent[/B]

I need your help/hints, Gurus. 
Thanks


		
__________________________________________________________
Yahoo! India Answers: Share what you know. Learn something new
http://in.answers.yahoo.com/

More information about the freebsd-questions mailing list