Problems with pf rules for intercept squid proxy
krad
kraduk at gmail.com
Wed Jun 29 13:33:56 UTC 2016
oh also if you are redirecting https you will need to set up squid to do ssl
bump and install certs on all your clients. As you haven't supplied your
squid.conf it's difficult to know if that's correct.
On 29 June 2016 at 14:32, krad <kraduk at gmail.com> wrote:
> you need to as squid needs read write access to the /dev/pf to work in
> intercept mode. As long as you don't have any other users in the squid group
> you are good. Did you restart devfs or reboot?
>
>
> On 29 June 2016 at 14:20, C. L. Martinez <carlopmart at gmail.com> wrote:
>
>> Yep, is it not too dangerous to assign 0770 to /dev/pf??
>>
>> Anyway, I have tried, but with the same error: traffic is denied by squid ...
>>
>>
>> On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote:
>> > have you got these lines in your /etc/devfs.conf file?
>> >
>> >
>> > own pf root:squid
>> > perm pf 0770
>> >
>> > you also need lines like this in the squid.conf
>> >
>> > http_port 192.168.1.1:3128 intercept
>> >
>> >
>> >
>> > On 29 June 2016 at 12:33, C. L. Martinez <carlopmart at gmail.com> wrote:
>> >
>> > > On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote:
>> > > >
>> > > >
>> > > > On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>> > > > > I have some problems with my pf rules on a FreeBSD 10.3 host that acts
>> > > > > as a squid intercept proxy. My actual pf rules are:
>> > > > >
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>> > > > >
>> > > > > At first it seems that these rules work, but they don't. Traffic is
>> > > > > redirected to squid, but squid denies all connections:
>> > > > >
>> > > > > 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>> > > > >
>> > > > > Using the same squid.conf file under an OpenBSD test machine, squid works
>> > > > > without problems. For this reason, I don't think there is some problem
>> > > > > with my squid's config. The only difference between this OpenBSD host
>> > > > > and FreeBSD is the pf rules.
>> > > > >
>> > > > You may have a different squid version, or they may be patched differently.
>> > > > Your redirect rules are working, as demonstrated by the fact that squid gets
>> > > > a request, and replies to it.
>> > > >
>> > > > Note that pf does not change your HTTP payload, it only affects TCP. In
>> > > > other words: if Squid sees the connection (and it does) it’s a Squid
>> > > > problem.
>> > > >
>> > > > Also note that you’re redirecting on FreeBSD, but using divert-to on
>> > > > OpenBSD. This may be triggering different behaviour from Squid. The man page
>> > > > says that with divert-to:
>> > > >
>> > > >     The packets will not be modified, so getsockname(2) on the socket will
>> > > >     return the original destination address of the packet.
>> > > >
>> > > > That might be affecting an ACL in Squid.
>> > > >
>> > > > Regards,
>> > > > Kristof
>> > >
>> > > Thanks Kristof. I am using squid installed from pkg under a FreeBSD 10.3,
>> > > fully updated:
>> > >
>> > > Squid Cache: Version 3.5.19
>> > > Service Name: squid
>> > > configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin'
>> > > '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
>> > > '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
>> > > '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
>> > > '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
>> > > '--without-gnutls' '--enable-auth' '--enable-build-info'
>> > > '--enable-loadable-modules' '--enable-removal-policies=lru heap'
>> > > '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy'
>> > > '--disable-translation' '--disable-arch-native' '--enable-eui'
>> > > '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
>> > > '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
>> > > '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
>> > > '--enable-ipv6' '--enable-kqueue' '--with-large-files'
>> > > '--enable-http-violations' '--without-nettle' '--enable-snmp'
>> > > '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include'
>> > > 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
>> > > '--disable-stacktraces' '--enable-ipf-transparent'
>> > > '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
>> > > '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
>> > > '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe
>> > > -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread
>> > > -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 '
>> > > 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM
>> > > MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
>> > > '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip
>> > > time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper'
>> > > '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs'
>> > > '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
>> > > '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake'
>> > > '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local'
>> > > '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>> > > '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1'
>> > > 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector
>> > > -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
>> > >
>> > > According to these options, intercept is enabled ... Then, I don't
>> > > understand why it doesn't work ...
>> > >
>> > > --
>> > > Greetings,
>> > > C. L. Martinez
>> > > _______________________________________________
>> > > freebsd-questions at freebsd.org mailing list
>> > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > > To unsubscribe, send any mail to "
>> > > freebsd-questions-unsubscribe at freebsd.org"
>> > >
>>
>> --
>> Greetings,
>> C. L. Martinez
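As an added example that is not part of the thread, here is a POSIX shell script that cross-checks the three things krad and Kristof point at against each other: the pf rdr target ports, the squid.conf listeners (intercept flag, and ssl-bump on the https one), and the devfs.conf permissions on /dev/pf. The three config snippets are constructed samples (the ports follow the original poster's rules); the permission check accepts 0660 as well as the thread's 0770, since the execute bit has no meaning on a device node.

```shell
#!/bin/sh
# Added example, not code from the thread: cross-check pf rdr rules, squid.conf
# listeners and devfs.conf /dev/pf permissions for the intercept setup above.
# All three configs are constructed samples; ports 5144/5145 follow the poster's rules.
PF_RULES='rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145'
SQUID_CONF='http_port 3128
http_port 127.0.0.1:5144 intercept
https_port 127.0.0.1:5145 intercept ssl-bump cert=/usr/local/etc/squid/ssl_cert/myCA.pem'
DEVFS_CONF='own pf root:squid
perm pf 0660'

# Print "<service> <target_port>" for each rdr rule, e.g. "https 5145".
rdr_targets() {
    printf '%s\n' "$1" | awk '/^rdr/ { for (i = 1; i <= NF; i++) if ($i == "->") print $(i - 1), $(i + 3) }'
}
# Succeed if squid.conf ($1) has an http_port/https_port on port $2 carrying the
# intercept flag krad's example shows; a plain listener is not set up for redirected traffic.
squid_intercepts() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '($1 == "http_port" || $1 == "https_port") && $2 ~ (":" p "$|^" p "$") && /intercept/ { f = 1 } END { exit (f ? 0 : 1) }'
}
# Succeed if the https_port on port $2 also enables ssl-bump (krad's point above).
squid_bumps() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == "https_port" && $2 ~ (":" p "$") && /ssl-bump/ { f = 1 } END { exit (f ? 0 : 1) }'
}
# Succeed only if every rdr target port has a matching intercept listener.
check_redirects() {
    rc=0
    for spec in $(rdr_targets "$1" | tr ' ' ':'); do      # e.g. https:5145
        svc=${spec%%:*}; port=${spec##*:}
        if ! squid_intercepts "$2" "$port"; then
            echo "port $port: no intercept listener in squid.conf"; rc=1
        elif [ "$svc" = https ] && ! squid_bumps "$2" "$port"; then
            echo "port $port: https redirect without ssl-bump"; rc=1
        else
            echo "port $port ($svc): ok"
        fi
    done
    return $rc
}
# Succeed if devfs.conf ($1) gives group squid read/write on /dev/pf, which squid's
# --with-nat-devpf build opens for DIOCNATLOOK. 0660 suffices: devices never need execute.
check_devfs() {
    printf '%s\n' "$1" | grep -Eq '^own[[:space:]]+pf[[:space:]]+root:squid' &&
        printf '%s\n' "$1" | grep -Eq '^perm[[:space:]]+pf[[:space:]]+0?(660|770)'
}
if check_redirects "$PF_RULES" "$SQUID_CONF" && check_devfs "$DEVFS_CONF"; then
    echo "intercept prerequisites look consistent"
fi
```

On a live host the same functions can be fed `cat /etc/pf.conf`, `cat /usr/local/etc/squid/squid.conf` and `cat /etc/devfs.conf`; after editing devfs.conf, check `ls -l /dev/pf` to confirm the new owner and mode were actually applied.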