My ipfw rules don't work
Ezra Banoba
ebanoba at one2net.co.ug
Sat Jul 10 09:54:55 PDT 2004
In order for your squid to perform as a transparent proxy, you will have
to first successfully compile it with transparent proxy support.
If you passed --enable-ipf-transparent to your configure script, it looks
for the files ip_nat.h, ip_fil.h, and ip_compat.h in /usr/include/.
You could locate these files and copy them over into that directory ...
or, better still, cd to /usr/src/ and make installincludes,
then recompile and install your squid with transparent proxy support.
That should do it.
Regards.
On Sat, 2004-07-10 at 09:33, Carlos Alarcón wrote:
> I configured squid with transparent-proxy support, but I think this
> configuration fails when I compiled it. I probed with squid 2.5 but it
> doesn't compile on my FreeBSD.
> When I compile squid the output on the transparent proxy is this:
> -enable-ipf-transparent
> WARNING: Cannot find necessary IP-Filter header files
> Transparent Proxy support WILL NOT be enabled
> I use ipfw; when this happened I put ipf support but it was the same thing.
>
> -enable-pf-transparent
> WARNING: Cannot find necessary Pf header files
> Transparent Proxy support WILL NOT be enabled
>
> With the client browser settings set to point to the proxy my redirection
> rule increases. When the client proxy setting is not set, this rule doesn't
> increase.
> Is my redirection rule OK?
>
> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
> dst-port 80
>
> On Sat, 10 Jul 2004 11:09:56 -0700, Ezra Banoba <ebanoba at one2net.co.ug>
> wrote:
>
> > Did you configure your squid with transparent-proxy support?
> > I'm not sure about how the BSD protocol stack handles this but assuming
> > the redirection is dealt with before the bridging, then there should be
> > no problem.
> > On Fri, 2004-07-09 at 14:48, Carlos Alarcón wrote:
> >
> >> who have
> >> the proxy's configuration fails giving me this
> >> message
> >>
> >> You are not authorized to view this page
> >> You might not have permission to view this directory or page using the
> >> credentials you supplied.
> >
> > Does this also happen with the client browser settings set to point to
> > the proxy?
> >
> >> I add the ipfw output
> >>
> >> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
> >> dst-port 80
> >> 00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
> >> 00200 1558457 715268891 pipe 2 ip from any to any out via xl0
> >> 01300 2027 101248 deny ip from 10.0.0.0/8 to any in via xl0
> >> 01400 2315 96466 deny ip from 192.168.0.0/16 to any in via xl0
> >> 01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup
> >> keep-state
> >> 01600 437760 84307478 allow udp from 172.16.1.33 to any keep-state
> >> 01700 53564 13382458 allow ip from 172.16.1.33 to any
> >> 01800 89927607 52765076360 allow tcp from any to any in via xl1 setup
> >> keep-state
> >> 01900 18918311 2483412584 allow udp from any to any in via xl1
> >> keep-state
> >> 02000 3629310 116342293 allow ip from any to any in via xl1
> >> 02500 830 41582 allow icmp from any to any icmptypes 8
> >> keep-state
> >> 02600 568996 61796292 allow icmp from any to any icmptypes 3
> >> 02700 15888 1527232 allow icmp from any to any icmptypes 11
> >> 02800 9118822 2306878168 allow ip from any to any
> >> 65535 352 10550 deny ip from any to any
> >>
> >> part of my kernel configuration file
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_FORWARD
> >> options IPFIREWALL_VERBOSE_LIMIT
> >> options DUMMYNET
> >> options BRIDGE
> >> options PFIL_HOOKS
> >> options MSGMNB=8192
> >> options MSGMNI=40
> >> options MSGSEG=512
> >> options MSGSSZ=64
> >> options MSGTQL=2048
> >> options HZ=1000
> >> options IPDIVERT
> >>
> >>
> >> > Which bad results are these?
--
Ezra Banoba
Network Engineer
one2net
www.one2net.co.ug
"Doing well is a result of Doing good. That's what capitalism is all about."
More information about the freebsd-isp mailing list
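
The counter check discussed in the thread (does the fwd rule's packet count increase or not), written out as an added example that is not part of the original messages. It compares two saved `ipfw -a list` snapshots; the function names `fwd_delta` and `demo` and the second snapshot's counters are constructed for illustration.

```shell
#!/bin/sh
# Added example: report, for every fwd rule, how many packets it matched
# between two saved `ipfw -a list` snapshots.
# Column layout as in the listing quoted in the thread:
#   rule-number  packets  bytes  action  arguments...

fwd_delta() {
    # $1 = earlier snapshot file, $2 = later snapshot file
    awk '
        # Only real rule lines: numeric rule number and packet counter,
        # action "fwd". Mail-wrapped continuation lines ("dst-port 80",
        # "keep-state") do not start with a number and are skipped.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $4 == "fwd" {
            if (FILENAME == ARGV[1]) { before[$1] = $2; next }
            delta = $2 - before[$1]
            printf "%s %s %d %s\n", $1, $5, delta, (delta > 0 ? "matching" : "idle")
        }
    ' "$1" "$2"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data: rule 00012 is copied from the thread; the
    # "after" counters are invented. Port-80 traffic went through rule 02800
    # while the fwd rule stayed flat.
    cat > "$tmp/before" <<'EOF'
00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
02800 9118822 2306878168 allow ip from any to any
EOF
    cat > "$tmp/after" <<'EOF'
00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
02800 9119950 2307912001 allow ip from any to any
EOF
    fwd_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

On a live system the two files would come from `ipfw -a list > file`, taken before and after a test request from a client that has no proxy configured.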