Date: Sun, 23 Nov 2008 17:44:59 -0500 From: Tom Marchand <m0rchand@comcast.net> To: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: Transparent Proxy with IPFW + Squid 2.7 Message-ID: <7BBDB4E9-D17D-4F86-9987-A108F353F1D6@comcast.net> In-Reply-To: <73a179920811231130k53387b55p2838f80b30fdc6cd@mail.gmail.com> References: <73a179920811231130k53387b55p2838f80b30fdc6cd@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Nov 23, 2008, at 2:30 PM, Cagri Ersen wrote: > Hi there, > > I want to configure a transparent proxy with IPFW and Squid. > I enabled IPFW on a FreeBSD 7.0 and also install squid 2.7 > > this is content of my squid.conf: > > acl manager proto cache_object > acl localhost src 127.0.0.1/32 > acl to_localhost dst 127.0.0.0/8 > acl all src all > acl localnet src 192.168.12.0/24 > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > http_access allow manager localhost > http_access deny manager > http_access deny !Safe_ports > http_access deny CONNECT !SSL_ports > http_access allow localnet > icp_access allow localnet > icp_access deny all > http_port 3128 transparent > hierarchy_stoplist cgi-bin ? > access_log /usr/local/squid/logs/access.log squid > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern (cgi-bin|\?) 0 0% 0 > refresh_pattern . 0 20% 4320 > icp_port 3130 > coredump_dir /usr/local/squid/cache > > > And this is base IPFW rules. > > $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv > $lanif > $cmd 02000 allow $log all from any to any > > As you can see, all packages which is destination port 80 forwarding > to the > squid's port (3128). with this configuration everything seems work > fine. > > however if i deny all traffic on the last rule and then open desired > ports > or connections one by one then squid isn't work. > > Sample base denying rule set like this: > > $cmd 00010 allow all from any to any via lo0 > $cmd 00015 check-state > $cmd 00020 allow tcp from any to any established . > $cmd 00021 deny all from any to any frag in via $adslif > $cmd 00025 allow all from me to any keep-state > $cmd 00050 allow tcp from "table()" to any keep-state > > $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv > $lanif > > $cmd 00600 allow all from $lan to any 53 > $cmd 00602 allow udp from any 53 to any out via $lanif > $cmd 00603 allow udp from any 53 to any in via $adslif > > $cmd 01500 allow all from $lan to any 443,25,110 keep-state > $cmd 02000 deny $log all from any to any > > As i said, if i run IPFW with this rules, my client doesn't surf on > the > internet. And also i didn't seen anything about denying on the ipfw > log > file. Also there is no activity on squid log files. I think > forwarding rule > didn't work with that conf. > > So please can somebody tell me what's wrong in this situation ? > Thanks in advance for your help. > > > -- > Cagri Ersen > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org > " Don't you need a rule allow connections to port 80?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7BBDB4E9-D17D-4F86-9987-A108F353F1D6>