transparent Squid + pf
dharam paul
exiaf_radar_guy38 at yahoo.co.in
Thu Feb 8 10:51:03 UTC 2007
System:
P-IV 3.06 GHz with Intel Original motherboard.
Hard Disk: SATA 80 GB.
Squid runs on this system nicely in non-transparent
mode.
I am trying Transparent Squid with FreeBSD 6.2.
The two NICs are rl0 and dc0.
rl0 is configured as : 192.168.x.x 255.255.255.0 # my
internal interface for pf
dc0 is configured as : DHCP # my
external interface for pf
The squid configuration is :
http_port 127.0.0.1:3128
dns_nameserver x.x.x.x x.x.x.x
visible_hostname xxxxxx
Kernel options that I have applied, recompiled and
installed are:
options INET
device bpf
device pf
device pflog
device pfsync
I can ping my internal internal interface and
interface (when external interface is assigned an IP
address). Kernel
gives message:
kernel:arp: 192.168.1.X is on rl0 but got reply from
xx:xx:xx:xx:xx on dc0.
Squid gives error :
ipcache_init: DNS name lookup tests failed
I tried to ping my dns server. I get error:
ping: no route to host.
I read at "http://freebsdonline.com" to allow squid to
access pf device, following commands are to be given,
chgrp _squid /dev/pf
chmod g+rw /dev/pf
Out of this the fist command does not work as it is,
it has worked as under;
chgrp squid /dev/pf
Her is my pf.conf. and rc.conf for perusal please. I
am in no hurry, please advise me to set the things
right.
My "/etc/rc.conf":
_________________
# -- sysinstall generated deltas -- # Fri May 5
07:17:11 2006
# Created: Fri May 5 07:17:11 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to
/etc/defaults/rc.conf.
# This file now contains just the overrides from
/etc/defaults/rc.conf.
#REMOVED: ifconfig_rl0="inet 192.168.1.1 netmask
255.255.255.0"
#defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="wildcat.dishs.net"
ifconfig_rl0="inet 192.168.1.13 netmask 255.255.255.0
media 10baseT/UTP"
ipv6_enable="YES"
keymap="us.iso"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="var/log/pflog"
pflog_flags=""
# -- sysinstall generated deltas -- # Mon Feb 5
19:43:03 2007
ipv6_enable="YES"
media 10baseT/UTP" # external interface
ifconfig_dc0="DHCP"
#defaultrouter="192.168.1.1"
hostname="wildcat.dishs.net"
My "pf.conf":
_____________
# Macros: define common values, so they can be
referenced and changed easily.
ext_if="dc0" # replace with actual external
interface name i.e., dc0
int_if="rl0" # replace with actual internal
interface name i.e., dc1
tcp_services = "{ 22, 443 }"
# define our networks
inet = "{ 192.168.1.0/16 }"
extaddr = "1.2.3.4"
icmp_types = "echoreq"
natone = int_if
allproto = " {tcp, udp, ipv6, icmp, esp, ipencap }
privnets = "{ 127.0.0.0/8, 192.168.0.0/16 172.16.0.12,
10.0.0.0/8 }"
set loginterface $ext_if
scrub on ext_if from $int_if:network to any ->
($ext_if)
#HTTP, HTTPS, to natone
rdr on $ext_if proto tcp from any to any port 80 ->
$natone
#ssh to natone
rdr on $ext_if proto tcp from any to any port 22 ->
$natone
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"
# Tables: similar to macros, but more flexible for
many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16,
192.168.0.0/24, 192.168.1.18 }
# Options: tune the behavior of pf, default values are
given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30,
tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45,
tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30,
udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30,
other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or
reduce traffic ambiguities.
#scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt,
developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# Translation: specify how addresses are to be mapped
or redirected.
# nat: packets going out through $ext_if with source
address $internal_net will
# get translated as coming from the address of
$ext_if, a state is created for
# such packets, and incoming packets will be
redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination
$external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created
for such packets, and
# outgoing packets will be translated as coming from
the external address.
# my rules start here
rdr on $int_if inet proto tcp from any to any port www
-> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to
127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any
port www keep state
#rdr pass on $int_if inet proto tcp to any port 80 ->
port 3128
block log
pass quick on lo0 all
block drop in $ext_if from $privnets to any
block drop in on $ext_if from any to $privnets
#Webserver, HTTPS, 8000
pass in on $int_if proto tcp from any to any port 80
flags S/SA
pass in on $ext_if proto tcp from any to any port
$tcp_services flags S/SA
#####
##BAsic rules
###
pass in inet proto icmp all icmp-type $icmp_types keep
state
# lets keep the local net free
pass in on $int_if from $int_if:network to any keep
state
#Allow fw to establish connections to internal net
pass out on $int_if from any to $int_if:network keep
state
# Pass out TCP UDP, ICMP and ipv6
pass out on $ext_if proto ipv6 all
# Pass out on $ext_if proto ( tcp, udp, icmp } all
keep state
pass out on $ext_if all keep state
#DNS Server
pass in on $ext_if proto {tcp, udp} from any to any
port 53
# my rules end here
# spamd-setup puts addresses to be redirected into
table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp ->
127.0.0.1 port 8025
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# block all incoming packets but allow ssh, pass all
outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if
port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep
state
# pass incoming packets destined to the addresses
given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to
<foo> port 80 keep state
pass in on $int_if inet proto tcp from any to
127.0.0.1 port 3128 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if
port > 49151 keep state
# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before
using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if
user proxy keep state
# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep
state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep
state queue marketing
pass out on $ext_if inet proto tcp from any to any
port www keep state
I want to achieve transparent proxying without NAT
facility, though I want to be able to achive NAT
capability also.
(NAT will be done by my router).
Squid is compiled with pf support
[B]--enable-pf-transparent[/B]
I need your help/hints, Gurus.
Thanks
__________________________________________________________
Yahoo! India Answers: Share what you know. Learn something new
http://in.answers.yahoo.com/
More information about the freebsd-questions
mailing list