Transparent squid proxy with if_bridge
James Seward
jamesoff at gmail.com
Tue Jul 31 11:13:54 UTC 2007
Hello all,
I'm trying to set up a machine using if_bridge to do transparent
proxying via squid.
I've been following a selection of walkthroughs online including
http://www.benzedrine.cx/transquid.html
I have a machine with three network cards, two of which form the
bridge and the third is for management.
Using a rdr rule in pf.conf, I am rewriting packets from my
workstation (currently the only client while I test) to
localhost:8080. I have also tried redirecting to the IP of the
management card. In both cases squid was configured to listen either
on localhost:8080 or management_ip:8080. The "transparent" option
appears on the http_port configuration line. Squid is currently set to
allow anyone access.
If squid is listening on the management_ip, I can point my browser at
that and squid services my request normally. If I bind squid to
localhost, I can nc(1) to it and it services my request.
If I let the rdr rule redirect my packets to squid, nothing happens
and the client times out. pfctl -sa shows that pf has done the
redirection and displays something like:
127.0.0.1:8080 <- external_ip:80 <- client_ip:34582 CLOSED:SYN_SENT
so it seems the SYN never arrives at squid. tcpdumping lo0 shows no
traffic at all.
I have tried this with and without IPs for the bridged cards (without
would suit me better) but I'm not sure if that's the problem at this
stage.
--8<-- pf.conf ----
ext_if="fxp0"
int_if="xl0"
# send web-type stuff to the cache
rdr on $int_if inet proto tcp \
from 192.168.200.112 to any port www \
-> 127.0.0.1 port 8080
pass in all
pass out all
-----
--8<--- squid.conf
# egrep -v "^#" /usr/local/etc/squid/squid.conf | egrep -v '^$'
http_port 127.0.0.1:8080 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_dir ufs /usr/local/squid/cache 4096 16 256
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_mgr XXXXX
mail_program mail
visible_hostname XXXXX
logfile_rotate 10
append_domain .XXXXX
always_direct allow all
coredump_dir /usr/local/squid/cache
------
--%<--- ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.200.17 netmask 0xffffff00 broadcast 192.168.200.255
ether 00:a0:c9:ea:92:91
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
options=9<RXCSUM,VLAN_MTU>
inet 192.168.200.16 netmask 0xffffff00 broadcast 192.168.200.255
ether 00:50:04:39:c2:f2
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.200.113 netmask 0xffffff00 broadcast 192.168.200.255
ether 00:40:f4:4d:84:31
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 5a:6b:3a:b8:6a:c1
id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
member: xl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
------
(xl0 and fxp0 currently have ips, but it doesn't work when they don't either)
Sample state:
STATES:
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526 CLOSED:SYN_SENT
Every walkthrough makes it sound very simple and easy; I feel like I
must be missing something obvious :)
Thanks in advance,
James
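The state line quoted in the message (target <- original destination <- client, then the two halves of the TCP state) can be checked mechanically rather than by eye. The following is an added example, not code from the post or from pf, that parses `pfctl -ss` output and reports redirected TCP states whose handshake never completed; the sample lines are constructed, with only the first one mirroring the shape of the stuck state above, and the token layout of `pfctl -ss` is assumed from that shape.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample of `pfctl -ss` output: the first line mirrors the stuck
# redirect state quoted in the post, the others are made-up context.
SAMPLE_STATES = """\
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526       CLOSED:SYN_SENT
self tcp 127.0.0.1:8080 <- 198.51.100.7:80 <- 192.168.200.112:50530       ESTABLISHED:ESTABLISHED
all tcp 192.168.200.113:22 <- 192.168.200.112:41000       ESTABLISHED:ESTABLISHED
all udp 192.168.200.113:53 -> 192.168.200.1:53       SINGLE:MULTIPLE
"""

@dataclass
class PfState:
    iface: str
    proto: str
    endpoints: List[str]   # 2 entries for plain states, 3 when a rdr/nat applied
    left_state: str        # state half printed for the first endpoint
    right_state: str       # state half printed for the last endpoint

def parse_pf_states(text: str) -> List[PfState]:
    """Parse `pfctl -ss` lines (assumed layout: iface proto endpoints... STATE:STATE);
    lines that do not fit are skipped."""
    states = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or ":" not in tokens[-1]:
            continue
        iface, proto, state = tokens[0], tokens[1], tokens[-1]
        endpoints = [t for t in tokens[2:-1] if t not in ("<-", "->")]
        left, right = state.split(":", 1)
        states.append(PfState(iface, proto, endpoints, left, right))
    return states

def stalled_redirects(text: str) -> List[PfState]:
    """TCP states that went through a redirect (three endpoints) and whose
    handshake never completed: one half SYN_SENT, the other still CLOSED,
    which is what a SYN that never reached the rdr target looks like."""
    return [
        s for s in parse_pf_states(text)
        if s.proto == "tcp" and len(s.endpoints) == 3
        and {s.left_state, s.right_state} == {"CLOSED", "SYN_SENT"}
    ]

if __name__ == "__main__":
    for s in stalled_redirects(SAMPLE_STATES):
        print(f"stalled rdr: {s.endpoints[2]} -> {s.endpoints[1]} "
              f"redirected to {s.endpoints[0]} ({s.left_state}:{s.right_state})")
```

Run it against live output with `pfctl -ss | python3 script.py`-style piping after replacing SAMPLE_STATES with `sys.stdin.read()`; a redirect that stays in this list while the client retries is the one to investigate.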