Date: Wed, 08 Feb 2006 21:33:22 +0700
From: Reza Muhammad <rezmuh@cbn.net.id>
To: freebsd-user@freebsd.org, freebsd-questions@freebsd.org
Subject: Transparent Proxy using Squid and PF
Message-ID: <43EA0132.9020408@cbn.net.id>
Hey guys,

I need a little help on setting up a transparent proxy with Squid and PF in FreeBSD 5.4-RELEASE. In the beginning I think I forgot to install Squid with PF support, so I did "make deinstall", then deleted /var/db/ports/squid/options, then did "make config" and chose the support for PF, and then "make install". But then it still didn't work.

When I tried a basic config file and set the client's browser to use the router (which is also the squid server) as its proxy, it worked okay. So it seems the problem is that PF doesn't redirect the incoming connections from the internal network to squid.

Here's my pf.conf:

    ext_if="rl0"
    int_if="rl1"

    rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
    pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
    pass out on $ext_if inet proto tcp from any to any port www keep state

and here's my squid.conf:

    http_port 127.0.0.1:3128
    cache_mem 20 MB
    hierarchy_stoplist cgi-bin ?
    acl QUERY urlpath_regex cgi-bin \?
    no_cache deny QUERY
    auth_param basic children 5
    auth_param basic realm Squid proxy-caching web server
    auth_param basic credentialsttl 2 hours
    auth_param basic casesensitive off
    refresh_pattern ^ftp: 1440 20% 10080
    refresh_pattern ^gopher: 1440 0% 1440
    refresh_pattern . 0 20% 4320
    acl all src 0.0.0.0/0.0.0.0
    acl manager proto cache_object
    acl localhost src 127.0.0.1/255.255.255.255
    acl to_localhost dst 127.0.0.0/8
    acl SSL_ports port 443 563
    acl Safe_ports port 80          # http
    acl Safe_ports port 21          # ftp
    acl Safe_ports port 443 563     # https, snews
    acl Safe_ports port 70          # gopher
    acl Safe_ports port 210         # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280         # http-mgmt
    acl Safe_ports port 488         # gss-http
    acl Safe_ports port 591         # filemaker
    acl Safe_ports port 777         # multiling http
    acl CONNECT method CONNECT
    http_access allow manager localhost
    http_access deny manager
    http_access deny !Safe_ports
    http_access deny CONNECT !SSL_ports
    http_reply_access allow all
    icp_access allow all
    coredump_dir /var/squid/cache
    http_access deny to_localhost
    acl our_networks src 192.168.0.0/24

    #####################
    # block porn sites ##
    #####################
    #acl porn1 url_regex -i (adultos|adultsight|adultsite|adultsonly|adultweb|blow-?job|bondage|centerfold|cumshot|cyberlust|cybercore|hardcore|incest|masturbat|obscene|pedophil|pedofil|playmate|pornstar|sexdream|showgirl|softcore|striptease)
    #acl porn2 url_regex -i (^|[-.\?+=/_0-9])(all|big|cute|cyber|fake|firm|hard|huge|little|mega|mini|naughty|new|old|pure|real|small|serious|soft|super|tiny|young)?(anal|babe|bharath|boob|breast|busen|busty|clit|cum|cunt|dick|fetish|fuck|hooter|lez|lust|naked|nude|oral|orgy|porno?|pupper|pussy|rotten|sex|shit|smutpump|teen|tit|topp?les|vixen|xxx)s?(cafe|site|surf|surfing|web|website)?([-.\?+=/_0-9]|$)
    #acl porn3 url_regex -i (^|[-.\?+=/_0-9])(all|big|cute|cyber|fake|firm|hard|huge|little|mega|mini|naughty|new|old|pure|real|small|serious|soft|super|tiny|young)(girl|virgin)s?(cafe|site|surf|surfing|web|website)?([-.\?+=/_0-9]|$)
    #acl pornWeb url_regex "/usr/local/etc/squid/porn/domains"
    #http_access deny porn1
    #http_access deny porn2
    #http_access deny porn3
    #http_access deny pornWeb

    ########################
    # block advertisement ##
    ########################
    acl ads dstdomain "/usr/local/etc/squid/ads/domains"
    acl ads2 dst "/etc/squid/ads/ip"
    deny_info ERR_NO_ADS ads
    http_access deny ads
    http_access deny ads2
    http_access allow our_networks
    http_access deny all

    visible_hostname blowfish
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Now the thing is, this configuration works fine on OpenBSD. So I think I didn't compile Squid the right way. Can someone help me out? I'm fairly new to FreeBSD.

Thanks in advance.
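As an added editorial example (not part of the original post, and not Squid's or PF's own code), the following Python checker cross-references the three things a transparent-proxy setup like the one above depends on: the pf.conf rdr target, the squid.conf http_port listener, and the configure options reported by `squid -v`. The pf.conf and squid.conf fragments are the ones quoted in the post; the `squid -v` output is a constructed sample, since the post does not include one.

```python
import re

# Constructed sample inputs. The pf.conf and squid.conf lines are taken from the
# post; the `squid -v` text is a hypothetical sample (the post shows none).
PF_CONF = """\
ext_if="rl0"
int_if="rl1"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
"""
SQUID_CONF = "http_port 127.0.0.1:3128\nhttpd_accel_host virtual\nhttpd_accel_port 80\n"
SQUID_V = "Squid Cache: Version 2.5\nconfigure options: --enable-pf-transparent --prefix=/usr/local"


def expand_macros(text):
    """Substitute pf.conf macro definitions (name="value") into $name references."""
    macros = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)


def rdr_targets(pf_text):
    """Return (interface, address, port) for every rdr rule, macros expanded."""
    pat = re.compile(r'^rdr\s+on\s+(\S+).*?->\s+(\S+)\s+port\s+(\d+)', re.M)
    return [(i, a, int(p)) for i, a, p in pat.findall(expand_macros(pf_text))]


def squid_listeners(squid_text):
    """Return (address, port) for every http_port line; a bare port means any address."""
    out = []
    for m in re.finditer(r'^http_port\s+(?:(\S+):)?(\d+)', squid_text, re.M):
        out.append((m.group(1) or "0.0.0.0", int(m.group(2))))
    return out


def check_chain(pf_text, squid_text, squid_v):
    """Return findings; an empty list means every rdr target lands on a squid
    listener and the binary advertises PF transparent-proxy support."""
    findings = []
    targets = rdr_targets(pf_text)
    listeners = squid_listeners(squid_text)
    if not targets:
        findings.append("no rdr rule found in pf.conf")
    for _, addr, port in targets:
        if not any(port == lp and la in (addr, "0.0.0.0") for la, lp in listeners):
            findings.append(f"rdr target {addr}:{port} has no matching http_port")
    if "--enable-pf-transparent" not in squid_v:
        findings.append("squid binary not built with --enable-pf-transparent")
    return findings
```

On the FreeBSD box itself the inputs would come from /etc/pf.conf, the live squid.conf and the output of `squid -v`; the checker confirms that the redirect target, the listener and the build flags agree before one starts debugging the packet path.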