Transparent Proxy with IPFW + Squid 2.7
Tom Marchand
m0rchand at comcast.net
Sun Nov 23 14:45:06 PST 2008
On Nov 23, 2008, at 2:30 PM, Cagri Ersen wrote:
> Hi there,
>
> I want to configure a transparent proxy with IPFW and Squid.
> I enabled IPFW on FreeBSD 7.0 and also installed squid 2.7.
>
> this is content of my squid.conf:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl all src all
> acl localnet src 192.168.12.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> icp_access allow localnet
> icp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> access_log /usr/local/squid/logs/access.log squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern (cgi-bin|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> icp_port 3130
> coredump_dir /usr/local/squid/cache
>
>
> And this is base IPFW rules.
>
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
> $cmd 02000 allow $log all from any to any
>
> As you can see, all packets whose destination port is 80 are forwarded to
> squid's port (3128). With this configuration everything seems to work
> fine.
>
> However, if I deny all traffic in the last rule and then open the desired
> ports or connections one by one, squid doesn't work.
>
> Sample base denying rule set like this:
>
> $cmd 00010 allow all from any to any via lo0
> $cmd 00015 check-state
> $cmd 00020 allow tcp from any to any established
> $cmd 00021 deny all from any to any frag in via $adslif
> $cmd 00025 allow all from me to any keep-state
> $cmd 00050 allow tcp from "table()" to any keep-state
>
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
>
> $cmd 00600 allow all from $lan to any 53
> $cmd 00602 allow udp from any 53 to any out via $lanif
> $cmd 00603 allow udp from any 53 to any in via $adslif
>
> $cmd 01500 allow all from $lan to any 443,25,110 keep-state
> $cmd 02000 deny $log all from any to any
>
> As I said, if I run IPFW with these rules, my client can't surf the
> internet. I also didn't see anything about denying in the ipfw log
> file, and there is no activity in the squid log files. I think the
> forwarding rule didn't work with that configuration.
>
> So please can somebody tell me what's wrong in this situation?
> Thanks in advance for your help.
>
>
> --
> Cagri Ersen
Don't you need a rule to allow connections to port 80?
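An added example, not from the thread: a small Python model of ipfw's first-match evaluation over the poster's deny-by-default ruleset, to see which rule a LAN client's new port-80 connection hits on its way to the fwd rule at 00500. It assumes interface names, the firewall's own addresses and the contents of the unnamed table (none of which the post shows), and leaves out fragment handling (rule 00021) and dynamic state.

```python
import ipaddress

# Simplified model of the poster's deny-by-default ruleset, walked first-match as ipfw does.
# Assumed: $lanif is "em0", $lan is 192.168.12.0/24, "me" is the firewall's own addresses,
# and "table()" is a caller-supplied set of client addresses (the thread does not show it).
LANIF = "em0"
LAN = ipaddress.ip_network("192.168.12.0/24")
ME = {"192.168.12.1", "203.0.113.5"}  # constructed firewall addresses

# (number, action, proto, src, dst ports, direction, iface, requires established)
RULES = [
    (10,   "allow",       None,  None,    None,           "via", "lo0", False),
    (15,   "check-state", None,  None,    None,           None,  None,  False),
    (20,   "allow",       "tcp", None,    None,           None,  None,  True),   # established
    (25,   "allow",       None,  "me",    None,           None,  None,  False),  # keep-state
    (50,   "allow",       "tcp", "table", None,           None,  None,  False),  # keep-state
    (500,  "fwd",         "tcp", None,    {80},           "in",  LANIF, False),  # -> 127.0.0.1,3128
    (600,  "allow",       None,  "lan",   {53},           None,  None,  False),
    (1500, "allow",       None,  "lan",   {443, 25, 110}, None,  None,  False),  # keep-state
    (2000, "deny",        None,  None,    None,           None,  None,  False),
]

def src_matches(spec, src, table):
    ip = ipaddress.ip_address(src)
    return (spec is None or (spec == "me" and src in ME)
            or (spec == "lan" and ip in LAN) or (spec == "table" and src in table))

def rule_matches(rule, pkt, table):
    _, action, proto, src, ports, direction, iface, estab = rule
    if action == "check-state":  # a brand-new flow has no dynamic state to match
        return False
    iface_ok = (direction is None or (direction == "via" and pkt["iface"] == iface)
                or (direction == "in" and pkt["dir"] == "in" and pkt["iface"] == iface))
    return ((proto is None or proto == pkt["proto"]) and src_matches(src, pkt["src"], table)
            and (ports is None or pkt["dport"] in ports) and iface_ok
            and (not estab or pkt["established"]))

def first_match(pkt, table=frozenset()):
    """Return (rule number, action) of the first rule the packet matches."""
    for rule in RULES:
        if rule_matches(rule, pkt, table):
            return rule[0], rule[1]
    raise RuntimeError("an ipfw ruleset always ends in a terminal default rule")

# Constructed packet: a LAN client's new HTTP connection arriving on $lanif.
SYN = {"proto": "tcp", "src": "192.168.12.10", "dport": 80,
       "dir": "in", "iface": LANIF, "established": False}

if __name__ == "__main__":
    print(first_match(SYN), first_match(SYN, {"192.168.12.10"}))  # (500, 'fwd') (50, 'allow')
```

The second call shows the ordering check worth making on the real box: any earlier allow rule that matches the client (here the keep-state rule at 00050, if the client's address is in the table) terminates the search before the fwd rule, so the connection is never handed to squid and nothing appears in either log.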