Date: Thu, 8 Feb 2007 10:50:14 +0000 (GMT)
From: dharam paul <exiaf_radar_guy38@yahoo.co.in>
To: freebsd-questions@freebsd.org
Subject: transparent Squid + pf
Message-ID: <20070208105014.64814.qmail@web8908.mail.in.yahoo.com>
System: P-IV 3.06 GHz with Intel Original motherboard. Hard Disk: SATA 80 GB.

Squid runs on this system nicely in non-transparent mode. I am trying Transparent Squid with FreeBSD 6.2. The two NICs are rl0 and dc0.

rl0 is configured as : 192.168.x.x 255.255.255.0    # my internal interface for pf
dc0 is configured as : DHCP                          # my external interface for pf

The squid configuration is :

http_port 127.0.0.1:3128
dns_nameserver x.x.x.x x.x.x.x
visible_hostname xxxxxx

Kernel options that I have applied, recompiled and installed are:

options INET
device bpf
device pf
device pflog
device pfsync

I can ping my internal interface and external interface (when the external interface is assigned an IP address).

Kernel gives message:
kernel: arp: 192.168.1.X is on rl0 but got reply from xx:xx:xx:xx:xx on dc0.

Squid gives error :
ipcache_init: DNS name lookup tests failed

I tried to ping my dns server. I get error:
ping: no route to host.

I read at "http://freebsdonline.com" that to allow squid to access the pf device, the following commands are to be given:

chgrp _squid /dev/pf
chmod g+rw /dev/pf

Out of these the first command does not work as it is; it has worked as under:

chgrp squid /dev/pf

Here is my pf.conf and rc.conf for perusal please. I am in no hurry, please advise me to set the things right.

My "/etc/rc.conf":
_________________
# -- sysinstall generated deltas -- # Fri May 5 07:17:11 2006
# Created: Fri May 5 07:17:11 2006
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
#REMOVED: ifconfig_rl0="inet 192.168.1.1 netmask 255.255.255.0"
#defaultrouter="192.168.1.1"
gateway_enable="YES"
hostname="wildcat.dishs.net"
ifconfig_rl0="inet 192.168.1.13 netmask 255.255.255.0 media 10baseT/UTP"
ipv6_enable="YES"
keymap="us.iso"
linux_enable="YES"
moused_enable="YES"
sshd_enable="YES"
usbd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"   # posted as "var/log/pflog": the leading slash was missing, so the path was relative
pflog_flags=""
# -- sysinstall generated deltas -- # Mon Feb 5 19:43:03 2007
ipv6_enable="YES"
# external interface
ifconfig_dc0="DHCP"
#defaultrouter="192.168.1.1"
hostname="wildcat.dishs.net"

My "pf.conf":
_____________
# Macros: define common values, so they can be referenced and changed easily.
ext_if="dc0"   # replace with actual external interface name i.e., dc0
int_if="rl0"   # replace with actual internal interface name i.e., dc1
tcp_services = "{ 22, 443 }"
# define our networks
inet = "{ 192.168.1.0/16 }"   # unused below; 'inet' is also a pf keyword, and 192.168.1.0/16 has host bits set
extaddr = "1.2.3.4"
icmp_types = "echoreq"
natone = $int_if              # posted as 'natone = int_if', which is the literal string "int_if", not the macro
allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"   # closing quote was missing in the posted file
privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"   # posted as '192.168.0.0/16 172.16.0.12': missing comma, bad prefix
set loginterface $ext_if
# posted as 'scrub on ext_if from $int_if:network to any -> ($ext_if)'; scrub takes no '->', this is a nat rule
nat on $ext_if from $int_if:network to any -> ($ext_if)
#HTTP, HTTPS, to natone
rdr on $ext_if proto tcp from any to any port 80 -> $natone
#ssh to natone
rdr on $ext_if proto tcp from any to any port 22 -> $natone
#internal_net="10.1.1.1/8"
#external_addr="192.168.1.1"
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)   # $internal_net is never defined: its definition above is commented out
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
# my rules start here
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
#rdr pass on $int_if inet proto tcp to any port 80 -> port 3128
block log
pass quick on lo0 all
block drop in on $ext_if from $privnets to any   # 'on' was missing in the posted rule
block drop in on $ext_if from any to $privnets
#Webserver, HTTPS, 8000
pass in on $int_if proto tcp from any to any port 80 flags S/SA
pass in on $ext_if proto tcp from any to any port $tcp_services flags S/SA
#####
## Basic rules
###
pass in inet proto icmp all icmp-type $icmp_types keep state
# lets keep the local net free
pass in on $int_if from $int_if:network to any keep state
# Allow fw to establish connections to internal net
pass out on $int_if from any to $int_if:network keep state
# Pass out TCP, UDP, ICMP and ipv6
pass out on $ext_if proto ipv6 all
# pass out on $ext_if proto { tcp, udp, icmp } all keep state
pass out on $ext_if all keep state
#DNS Server
pass in on $ext_if proto {tcp, udp} from any to any port 53
# my rules end here
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# Filtering: the implicit first two rules are
#pass in all
#pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state
# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if port > 49151 keep state
# Alternate rule to pass incoming ports for ftp-proxy
# NOTE: Please see pf.conf(5) BUGS section before using user/group rules.
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
pass out on $ext_if inet proto tcp from any to any port www keep state

I want to achieve transparent proxying without NAT facility, though I want to be able to achieve NAT capability also. (NAT will be done by my router.)

Squid is compiled with pf support: --enable-pf-transparent

I need your help/hints, Gurus.

Thanks
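Added example, not part of the original post and not FreeBSD or Squid code: a small Python linter that catches, statically, the kinds of pf.conf mistakes visible in the configuration above (an unterminated quote in a macro, a macro assigned a bare name instead of $name, a list missing a comma, a prefix with host bits set, a '->' on a scrub rule, 'in $ext_if' without 'on', a reference to an undefined macro), plus a cross-check that every rdr to 127.0.0.1 lands on a squid http_port that is marked for interception. The sample pf.conf and squid.conf are constructed from the posted files, and the 'transparent' (Squid 2.6) / 'intercept' (Squid 3.1+) http_port flag names are an assumption about squid versions the post never states. It runs offline without pfctl or root; pfctl -nf /etc/pf.conf remains the authoritative syntax check.

```python
"""Static lint for a transparent-Squid pf.conf: hypothetical helper for this page,
needs neither pfctl nor root.  pfctl -nf /etc/pf.conf stays the authoritative check."""
import ipaddress
import re

# pf keywords that must not double as macro names (partial list).
PF_KEYWORDS = {"inet", "inet6", "all", "any", "proto", "from", "to", "on",
               "port", "pass", "block", "in", "out", "quick", "log", "keep",
               "state", "flags", "nat", "rdr", "scrub", "set", "table"}
MACRO_RE = re.compile(r"^([A-Za-z_]\w*)\s*=\s*(.*)$")
CIDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
BARE_RE = re.compile(r"(?<![$\w])[A-Za-z_]\w*")      # words not prefixed by '$'
LIST_RE = re.compile(r"\{([^}]*)\}")

# Constructed sample, condensed from the pf.conf and squid.conf in the post above.
SAMPLE_PF_CONF = """\
ext_if="dc0"
int_if="rl0"
inet = "{ 192.168.1.0/16 }"
natone = int_if
allproto = " {tcp, udp, ipv6, icmp, esp, ipencap }
privnets = "{ 127.0.0.0/8, 192.168.0.0/16 172.16.0.12, 10.0.0.0/8 }"
scrub on ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
block drop in $ext_if from $privnets to any
nat on $ext_if from $internal_net to any -> ($ext_if)
"""
SAMPLE_SQUID_CONF = "http_port 127.0.0.1:3128\nvisible_hostname wildcat\n"


def _strip_comment(line):
    """Drop a trailing '# ...' unless that '#' sits inside double quotes."""
    return re.sub(r'#(?=(?:[^"]*"[^"]*")*[^"]*$).*', "", line).strip()


def lint_pf_conf(text):
    """Return [(line_number, message), ...]; an empty list means no finding."""
    findings, macros = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line.count('"') % 2:               # pfctl rejects the whole file on this
            findings.append((lineno, "unterminated double quote"))
            continue
        m = MACRO_RE.match(line)
        if m:                                 # macro definition: inspect its value
            name, body = m.group(1), m.group(2).strip().strip('"')
            if name in PF_KEYWORDS:
                findings.append((lineno, f"macro '{name}' shadows a pf keyword"))
            macros[name] = body
        else:                                 # filter / translation rule
            body = line
            if re.search(r"\b(in|out)\s+\$", line):
                findings.append((lineno, "interface after in/out needs 'on'"))
            if line.split()[0] in ("pass", "block", "scrub") and "->" in line:
                findings.append((lineno, "'->' is only valid in nat/rdr/binat rules"))
        for ref in re.findall(r"\$(\w+)", body):
            if ref not in macros:
                findings.append((lineno, f"macro ${ref} is not defined"))
        for tok in BARE_RE.findall(body):
            if tok in macros and tok not in PF_KEYWORDS:
                findings.append((lineno, f"bare macro name '{tok}'; did you mean ${tok}?"))
        for items in LIST_RE.findall(body):
            for item in items.split(","):
                if len(item.split()) > 1:
                    findings.append((lineno, f"list items '{item.strip()}' lack a comma"))
        for cidr in CIDR_RE.findall(body):
            try:
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:                # host bits set, e.g. 192.168.1.0/16
                net = ipaddress.ip_network(cidr, strict=False)
                findings.append((lineno, f"{cidr} has host bits set; network is {net}"))
    return findings


def check_squid_rdr(pf_text, squid_text):
    """Each 'rdr ... -> 127.0.0.1 port N' needs a squid http_port N that is flagged
    for interception ('transparent' in Squid 2.6, 'intercept' in 3.1+; assumed names)."""
    listeners = {}
    for line in squid_text.splitlines():
        parts = _strip_comment(line).split()
        if len(parts) >= 2 and parts[0] == "http_port":
            listeners[parts[1].rsplit(":", 1)[-1]] = set(parts[2:])
    findings = []
    for lineno, raw in enumerate(pf_text.splitlines(), 1):
        m = re.match(r"rdr\b.*->\s*127\.0\.0\.1\s+port\s+(\d+)", _strip_comment(raw))
        if m and m.group(1) not in listeners:
            findings.append((lineno, f"rdr targets port {m.group(1)} but squid has no http_port {m.group(1)}"))
        elif m and not listeners[m.group(1)] & {"transparent", "intercept"}:
            findings.append((lineno, f"http_port {m.group(1)} lacks the transparent/intercept flag"))
    return findings


if __name__ == "__main__":
    for n, msg in lint_pf_conf(SAMPLE_PF_CONF) + check_squid_rdr(SAMPLE_PF_CONF, SAMPLE_SQUID_CONF):
        print(f"pf.conf:{n}: {msg}")
```

Run it against a real /etc/pf.conf by passing its contents to lint_pf_conf; the checks are deliberately conservative (a handful of regexes, not a pf grammar), so a clean result only means pfctl -nf is worth running next, while each finding points at a line pfctl would reject or that would silently not do what was intended.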