Transparent Squid and traffic control
Julian Elischer
julian at freebsd.org
Tue Jan 4 17:28:30 UTC 2011
On 1/4/11 5:01 AM, Fazal Ahmed Malik wrote:
> Hi,
>
> I have a problem running transparent squid along with dummynet on FreeBSD 7. I have mpd5 for dial-in PPPoE, which is working perfectly along with ipfw dummynet traffic control. Now I want to set up transparent squid using an ipfw fwd rule. If I place the fwd rule before the dummynet rule, transparent squid starts working, but then traffic is not being controlled. Then I placed the fwd rule after the dummynet pipe; here traffic is controlled, but transparent squid stops working. Anybody who has experience with such a configuration where both work simultaneously, please give me some hints.
>
> Best regards,
>
>
> Fazal Ahmed
In your ipfw rules, separate out the incoming and outgoing work on each
interface into different sets of rules.
As a simple example I attach a copy of a sanitised ipfw ruleset that
does that with mpd.
Note that there are two different NAT points: one for incoming and
one for outgoing data.
You may do your forwarding at the appropriate point for each direction
independently.
In fact you probably should do it so that you forward incoming packets
on both the local and remote interfaces
and never forward outgoing packets.
This means you would add a new set of rules for the local interface
that are not in my file, but you should get the idea.
When you say 'transparent squid', do you mean transparent to the client
or the server, or both?
Basically you should do fwds on incoming packets (fwd to squid locally)
(incoming from the point of view of the firewall itself).
-------------- next part --------------
#!/bin/sh
fwcmd="/sbin/ipfw"
# Suck in the configuration variables.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi
# set these to your outside interface network and netmask and ip
oif="tun0"
onet="192.168.36.0"
omask="24"
oip="A.A.A.A"
# set these to your inside interface network and netmask and ip
iif="vr0"
inet="192.168.2.0"
imask="255.255.255.0"
iip="192.168.2.21"
# for now the natd target is us, but change this if you
# change that in natd.conf
natd_target=${oip}
work_vpnserver=B.B.B.B
INCOMING=4000
OUTGOING=8000
sysctl net.inet.ip.fw.enable=0
${fwcmd} -q flush
${fwcmd} -q table 1 flush
${fwcmd} -q table 2 flush
${fwcmd} -q table 3 flush
${fwcmd} -q table 4 flush
# Addresses we should never talk to outside our firewall
${fwcmd} table 1 add 10.0.0.0/8
${fwcmd} table 1 add 172.16.0.0/12
${fwcmd} table 1 add 192.168.0.0/16
# Stop draft-manning-dsua-03.txt (1 May 2000) nets (includes
# RESERVED-1, DHCP auto-configuration, NET-TEST, MULTICAST (class D),
# and class E) on the outside interface
${fwcmd} table 1 add 0.0.0.0/8
${fwcmd} table 1 add 169.254.0.0/16
${fwcmd} table 1 add 192.0.2.0/24
${fwcmd} table 1 add 224.0.0.0/4
${fwcmd} table 1 add 240.0.0.0/4
# add legit sources of ssh.. DNS is not up yet so use IPs
# could add to /etc/hosts I guess.
# friendly server
${fwcmd} table 2 add C.C.C.C
# work
${fwcmd} table 2 add D.D.D.D
# vps1
${fwcmd} table 2 add E.E.E.E
# add legit DNS tcp (zone) sources
# my.first.dns.server
${fwcmd} table 3 add F.F.F.F
# my.second.dns.server
${fwcmd} table 3 add G.G.G.G
# my.third.dns.server
${fwcmd} table 3 add H.H.H.H
# Add our local networks here
${fwcmd} table 4 add 192.168.2.0/24
${fwcmd} table 4 add 172.16.15.0/24
# common spoofing code
# --------------- ALL PACKETS START HERE. ------------
# Stop localhost spoofing
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny log all from any to 127.0.0.0/8
${fwcmd} add 300 deny log ip from 127.0.0.0/8 to any
# If we've already decided on it. keep our word.
${fwcmd} add check-state
#-------- Select direction and interface class
${fwcmd} add skipto ${INCOMING} ip from any to any in recv ${oif}
${fwcmd} add skipto ${OUTGOING} ip from any to any out xmit ${oif}
#-------- Internal traffic. generally don't care
# except to stop spoofing.
# make extra sure we don't block DHCP to our server
# as initial request will be from 0.0.0.0/0
${fwcmd} add allow udp from any to any 67 in recv ${iif}
${fwcmd} add allow udp from any 67 to any out xmit ${iif}
# otherwise it has to be to and from a net we actually have.
${fwcmd} add deny log all from not "table(4)" to any in recv ${iif}
${fwcmd} add deny log all from any to not "table(4)" out xmit ${iif}
${fwcmd} add allow ip from any to any
#------- INCOMING
# don't allow packets from the wrong net!
${fwcmd} add ${INCOMING} deny log all from "table(4)" to any
# in fact don't accept packets that are not for this interface exactly
${fwcmd} add deny log ip from any to not ${oip}
# Allow access to our ssh from trusted places
# (work, friends, etc (sometimes))
${fwcmd} add pass tcp from "table(2)" to ${oip} 22 setup keep-state
# allow our DNS secondaries to get zone transfers
${fwcmd} add pass tcp from "table(3)" to ${oip} 53 setup keep-state
# allow DNS requests, since we are authoritative
${fwcmd} add pass udp from any to ${oip} 53
# Allow setup of incoming email
# I, and root can start outgoing sessions and have them come
# in if there is a waiting socket :-)
${fwcmd} add allow ip from any to ${oip} uid 0
${fwcmd} add allow ip from any to ${oip} uid 53
${fwcmd} add allow ip from any to ${oip} uid 1000
# ignore any mention of RFC1918 nets on the outside interface
${fwcmd} add deny log all from any to "table(1)"
${fwcmd} add deny log not icmp from "table(1)" to any
#^v^v^v^v^v^v^v^v^v^v^v^v^v INCOMING NAT POINT ^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
# NAT anything that is left and trust NATD
${fwcmd} add divert natd all from any to any
#After translation
# explicitly allow NAT-T from the vpn server to inside nets
${fwcmd} add allow udp from ${work_vpnserver} to "table(4)"
# allow us to do traceroute and ping
# note: if you point the natd target else where,
# the gateway will NOT be able to do this.
# Allow access to our DNS (NOPE)
# is after nat to allow others to do dns too relies on
# ${fwcmd} add pass tcp from any to ${oip} 53 setup
# ${fwcmd} add pass udp from ${oip} 53 to any
# Allow TCP through if setup succeeded .
# bypass the logging step. too much data
${fwcmd} add allow tcp from any to any established
# take note of unexpected stuff. then drop it.
${fwcmd} add drop log ip from any to ${natd_target}
# Allow IP fragments to pass through (NOPE)
# ${fwcmd} add pass all from any to any frag
# XXX remove this if you turn on the target option on
# natd to allow a server
# Reject & Log all setup of incoming connections from the outside
# that have not been explicitly allowed above.
${fwcmd} add deny log tcp from any to ${natd_target} setup
# anything here should be logged. it's interesting.
${fwcmd} add count log ip from any to any
# after that gauntlet, allow it to proceed.
${fwcmd} add allow ip from any to any
#----- OUTGOING
# Stop RFC1918 nets getting out to the outside interface
# except for the weirdness of our next hop being such an address.
${fwcmd} add ${OUTGOING} allow icmp from ${oip} to ${onet}/${omask} keep-state
${fwcmd} add deny log all from any to "table(1)"
# The firewall (and julian) can talk out if it wants to.
# these are local sessions by definition.
${fwcmd} add pass all from ${oip} to any keep-state
# ${fwcmd} add pass udp from ${oip} to any keep-state
# ${fwcmd} add pass icmp from ${oip} to any keep-state
# Allow NTP queries out in the world from the firewall.
# ${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Allow DNS queries out in the world from the firewall.
# ${fwcmd} add pass udp from ${oip} to any 53 keep-state
#^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v OUTGOING NAT POINT ^v^v^v^v^v^v^v^v^v^v^v^v^v^v^v
${fwcmd} add divert natd all from any to any out recv ${iif}
# just in case natd goes weird.
${fwcmd} add deny log all from "table(1)" to any
# in fact don't allow packets out that are not from this interface exactly
${fwcmd} add deny log ip from not ${oip} to any
${fwcmd} add allow all from any to any
sysctl net.inet.ip.fw.enable=1
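Added example (not Julian's attachment and not the asker's configuration): a minimal ruleset in the same three-section layout that shows where the transparent-proxy fwd and the dummynet pipes go so that no packet meets both on one pass. It assumes squid listens on the firewall at 127.0.0.1 port 3128 and uses made-up interface names, LAN net and bandwidths; run it with the argument `apply` to load the rules, or without arguments to print them as a dry run.

```shell
#!/bin/sh
# Added example, not Julian's attachment or the asker's config: a minimal
# ruleset in the same three-section layout. The fwd only sees packets
# arriving on the inside interface; each dummynet pipe sits in an outgoing
# section. So no packet meets a fwd and a pipe on the same pass, which is
# the clash in the question: both actions end rule processing for that
# packet (a piped packet is not re-injected while net.inet.ip.fw.one_pass=1).
# Assumptions (constructed, not from the thread): squid on the firewall at
# 127.0.0.1 port 3128; interface names, LAN net and bandwidths are made up.
# On FreeBSD 7 the fwd action needs the IPFIREWALL_FORWARD kernel option.
iif="vr0"                 # inside interface
oif="tun0"                # outside (mpd/PPPoE) interface
squid="127.0.0.1,3128"
INCOMING=4000             # rules for packets in recv ${oif}
OUTGOING=8000             # rules for packets out xmit ${oif}

load_rules() {
    ${fwcmd} -q flush
    ${fwcmd} table 4 add 192.168.2.0/24          # LAN clients
    ${fwcmd} pipe 1 config bw 512Kbit/s         # upload limit
    ${fwcmd} pipe 2 config bw 2048Kbit/s        # download limit
    ${fwcmd} add 100 allow all from any to any via lo0
    ${fwcmd} add check-state
    # classify by direction and interface, as in the attached script
    ${fwcmd} add skipto ${INCOMING} ip from any to any in recv ${oif}
    ${fwcmd} add skipto ${OUTGOING} ip from any to any out xmit ${oif}
    # --- inside interface: intercept LAN web traffic on its way IN ...
    ${fwcmd} add fwd ${squid} tcp from "table(4)" to any 80 in recv ${iif}
    # ... and shape squid's replies on their way OUT to the LAN
    ${fwcmd} add pipe 2 ip from any to any out xmit ${iif}
    ${fwcmd} add allow ip from any to any
    # --- INCOMING on the outside interface: NAT first, never fwd here
    ${fwcmd} add ${INCOMING} divert natd all from any to any
    ${fwcmd} add allow tcp from any to any established
    ${fwcmd} add deny log tcp from any to any setup
    ${fwcmd} add allow ip from any to any
    # --- OUTGOING on the outside interface: NAT forwarded traffic, then shape
    ${fwcmd} add ${OUTGOING} divert natd all from any to any out recv ${iif}
    ${fwcmd} add pipe 1 ip from any to any out xmit ${oif}
    ${fwcmd} add allow ip from any to any
}

# "apply" loads the rules with ipfw; anything else prints them (dry run).
case "${1:-print}" in
    apply) fwcmd="/sbin/ipfw" ;;
    *)     fwcmd="echo ipfw" ;;
esac
load_rules
```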