Date: Mon, 23 Jun 2008 12:36:13 -0700 (PDT)
From: Tommy Pham <tommyhp2@yahoo.com>
To: freebsd-pf@freebsd.org, Miguel Alcántara <miguel.alc@gmail.com>
Subject: Re: PF and SQUID
Message-ID: <640718.84795.qm@web38202.mail.mud.yahoo.com>
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
--- On Mon, 6/23/08, Miguel Alcántara <miguel.alc@gmail.com> wrote:

> From: Miguel Alcántara <miguel.alc@gmail.com>
> Subject: PF and SQUID
> To: freebsd-pf@freebsd.org
> Date: Monday, June 23, 2008, 11:50 AM
>
> Hi everybody, I'm having a problem for a week. I have to setup PF + SQUID in
> a P2 machine, with 128 RAM and 6GB hard disk and just one nic. I virtualized
> an interface with an ip 192.168.1.80 and it has squid, the nic has
> 192.168.1.60 and all the lan is 192.168.1.0/24.
>
> My problem is that I can't browse some sites that must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"
>
> table <dns_cautivo> {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80port 3128

I don't know if the missing space between the IP address and "port" is a typo or not in the email, but if it's copy and paste from your conf file, that may be your problem.

~Tommy

> nat on $ext_nic from $yo to any -> ($ext_nic)
> #FILTER
> block all
> #pass in on $ext_nic from $yo
> pass out on $ext_nic from any to <dns_cautivo>
>
> squid.conf
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
> #/////////
> acl special_client src 192.168.1.0/24
> #acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"
>
> #acl special_url url_regex ucci
> acl hotmail dstdomain .hotmail.com
> acl mail dstdomain .blu134.mail.live.com
> acl mailhot dstdom_regex -i mail
> acl hotmail_mail dstdomain .hotmail.msn.com
> acl passport dstdomain .passport.net
> acl msn dstdomain .msn.com
> acl ie6 browser MSIE[[:space:]]6
> acl permitidos url_regex "/usr/local/etc/squid/free.squid"
> acl palabra urlpath_regex -i login.srt
> acl numconn maxconn 80
> acl browse_hotmail url_regex www.hotmail.com
> acl browse_ulima url_regex www.ulima.edu.pe
> acl browse_yahoo url_regex www.yahoo.com
>
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##http_access allow special_client lista_permitidos
> ##http_access allow special_client hotmail
> ##http_access allow special_client mailhot
> ##http_access allow special_client mail
> #http_access deny special_url
> #http_access allow special_client
>
> http_access allow special_client permitidos
> http_access allow special_client hotmail
> http_access allow special_client mail
> http_access allow special_client mailhot
> http_access allow special_client Safe_ports
> http_access allow special_client hotmail_mail
> http_access allow special_client palabra
> http_access allow special_client browse_hotmail
> http_access allow special_client browse_ulima
> http_access allow special_client browse_yahoo
> #http_access allow special_client special_url
> http_access deny all
>
>
> Well, it doesn't work. When I try to surf to any domain name listed above in
> squid, squid sends me a message:
>
> ERROR The requested URL could not be retrieved
> ------------------------------
>
> While trying to retrieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
> * Connection to Failed *
>
> The system returned:
>
> * (1) Operation not permitted *
>
> The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
> ------------------------------
> Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)
>
>
> Then in the logs from squid I can see a 503 error TCP_MISS.
>
> I use FBSD 7 and SQUID 2.6, obviously with PF. Ah!, squid was compiled with
> pf abilities or something like that.
>
> Plz, what am I doing wrong?
>
>
> --
> Atte.
>
> Miguel Alcántara A.