
transparent Squid + pf

P-IV 3.06 GHz with Intel Original motherboard.
Hard Disk: SATA 80 GB.

Squid runs on this system nicely in non-transparent

I am trying Transparent Squid with FreeBSD 6.2.
The two NICs are rl0 and dc0.
rl0 is configured as: 192.168.x.x    # my internal interface for pf
dc0 is configured as: DHCP           # my external interface for pf

The squid configuration is :


dns_nameservers x.x.x.x x.x.x.x    # the squid.conf directive is dns_nameservers (plural)

visible_hostname xxxxxx

Kernel options that I have applied, recompiled and installed are:

options INET
device  bpf
device  pf
device  pflog
device  pfsync

I can ping my internal interface and external interface (when the external interface is assigned an IP address). The kernel gives the message:

kernel: arp: 192.168.1.X is on rl0 but got reply from xx:xx:xx:xx:xx on dc0.

Squid gives error :

ipcache_init: DNS name lookup tests failed

I tried to ping my DNS server. I get the error:
ping: no route to host.

I read at http://freebsdonline.com that, to allow squid to access the pf device, the following commands are to be given:

chgrp _squid /dev/pf
chmod g+rw /dev/pf

Of these, the first command does not work as it is; it has worked as under:

chgrp squid /dev/pf

Here are my pf.conf and rc.conf for perusal, please. I am in no hurry; please advise me on how to set things up.

My "/etc/rc.conf": 

# -- sysinstall generated deltas -- # Fri May  5 07:17:11 2006
# Created: Fri May  5 07:17:11 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to
# This file now contains just the overrides from
#REMOVED: ifconfig_rl0="inet  netmask"
ifconfig_rl0="inet  netmask media 10baseT/UTP"
# -- sysinstall generated deltas -- # Mon Feb  5 19:43:03 2007
media 10baseT/UTP" # external interface

My "pf.conf":

# Macros: define common values, so they can be referenced and changed easily.
ext_if="dc0"    # replace with actual external interface name i.e., dc0
int_if="rl0"    # replace with actual internal interface name i.e., dc1

tcp_services = "{ 22, 443 }"

# define our networks
inet = "{ }"
extaddr = ""
icmp_types = "echoreq"
natone = "$int_if"      # a macro that names another macro needs the "$"
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"   # quoted list must be closed
privnets = "{,, }"

set loginterface $ext_if

# scrub takes no "->" target, and the interface macro needs its "$"
scrub on $ext_if from $int_if:network to any

#HTTP, HTTPS, to natone
# (the redirection address after "->" was stripped from the archived post)
rdr on $ext_if proto tcp from any to any port 80 ->

#ssh to natone
rdr on $ext_if proto tcp from any to any port 22 ->


# Tables: similar to macros, but more flexible for many addresses.
#table <foo> {, !,, }

# Options: tune the behavior of pf, default values are

#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# ($internal_net is not defined anywhere in this file; $int_if:network is the
# equivalent and is what pfctl can actually expand)
nat on $ext_if from $int_if:network to any -> ($ext_if)

# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.

# my rules start here
# (the redirection address before "port 3128" was stripped from the archived post)
rdr on $int_if inet proto tcp from any to any port www -> port 3128
pass in on $int_if inet proto tcp from any to port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#rdr pass on $int_if inet proto tcp to any port 80 -> port 3128
block log
pass quick on lo0 all
# an interface in a filter rule is always introduced with "on"
block drop in on $ext_if from $privnets to any
block drop in on $ext_if from any to $privnets

#Webserver, HTTPS, 8000
pass in on $int_if proto tcp from any to any port 80 flags S/SA
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA
##BAsic rules
# "keep" on its own is a syntax error; the keyword is "keep state"
pass in inet proto icmp all icmp-type $icmp_types keep state
# lets keep the local net free
pass in on $int_if from $int_if:network to any keep state
#Allow fw to establish connections to internal net
pass out on $int_if from any to $int_if:network keep state
# Pass out TCP UDP, ICMP and ipv6
pass out on $ext_if proto ipv6 all
# Pass out on $ext_if proto ( tcp, udp, icmp } all keep state
pass out on $ext_if all keep state
#DNS Server
pass in on $ext_if proto {tcp, udp} from any to any port 53

# my rules end here
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> port 8025

# Filtering: the implicit first two rules are
#pass in all
#pass out all

# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass  in  on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass  out on $ext_if proto { tcp, udp } all keep

# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state

# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state

# assign packets to a queue.
#pass out on $ext_if from to any keep state queue developers
#pass out on $ext_if from to any keep state queue marketing
# (the "pass in ... port 3128" and "pass out ... port www" rules from the
# "my rules" block were repeated here; the duplicates added nothing)

I want to achieve transparent proxying without the NAT facility, though I want to be able to achieve NAT capability also.

(NAT will be done by my router).

Squid is compiled with pf support

I need your help/hints, Gurus. 

freebsd-questions_(_at_)_freebsd_(_dot_)_org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscribe_(_at_)_freebsd_(_dot_)_org"
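An added example, not from the post: the shape of a pf.conf that does what the post asks for, i.e. intercepting the LAN's port-80 traffic into a Squid listening on 3128 on the same FreeBSD 6.x box, with no nat rule because the upstream router does the NAT. It keeps the post's interface names; the loopback redirect target, the rule set and the assumption that rl0 and dc0 sit on different subnets are mine. Squid must be built with pf support (the post says it is) and its listening port must be declared as an intercepting one: `http_port 3128 transparent` in Squid 2.6, `http_port 3128 intercept` from Squid 3.1 on.

```pf
# Added example, not the original poster's file. Interface names follow the
# post; 127.0.0.1 as the redirect target and the subnets behind the macros
# are assumptions.
ext_if = "dc0"          # DHCP side, towards the NAT router
int_if = "rl0"          # LAN side; must NOT share a subnet or a switch with $ext_if
proxy_port = "3128"     # matches "http_port 3128 transparent" in squid.conf

# Options and normalization come first (pf checks section order by default).
set skip on lo0
scrub in all

# Translation: LAN clients' HTTP is steered into the local Squid.
# Squid recovers the client's real destination through /dev/pf (DIOCNATLOOK),
# which is why the redirect can point at the loopback address.
rdr on $int_if inet proto tcp from $int_if:network to any port www \
    -> 127.0.0.1 port $proxy_port
# Deliberately no "nat on $ext_if" rule: the upstream router does the NAT.

# Filtering: default deny, then the few things this box must forward.
block log all
# LAN may initiate anything through the box; after rdr the HTTP flows match
# "to any" with destination 127.0.0.1:3128 and reach Squid.
pass in on $int_if inet from $int_if:network to any keep state
# Squid's own upstream fetches, plus routed LAN traffic, leave via $ext_if.
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state
# The box itself may talk to the LAN (e.g. answering the clients).
pass out on $int_if inet from any to $int_if:network keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (parse only) and then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the rdr rule and `pfctl -s state` shows redirected flows once a client browses. For the device permissions in the post, the FreeBSD squid port uses the group `squid` (`_squid` is OpenBSD's convention), and read access on /dev/pf is enough for the lookup ioctl; to make it survive a reboot put `own pf root:squid` and `perm pf 0640` in /etc/devfs.conf instead of running chgrp/chmod by hand. The kernel message in the post, `arp: 192.168.1.X is on rl0 but got reply ... on dc0`, means a host in rl0's subnet answered ARP on dc0, so the two NICs currently share a broadcast domain or overlapping subnets, which this rule set assumes is not the case; and `ping: no route to host` to the DNS server means the box has no default route yet, which it only receives from dc0's DHCP lease once that interface is up, so Squid's startup DNS test (`ipcache_init`) fails for the same reason rather than because of pf.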