Date: Mon, 17 Jan 2011 23:17:52 +0500
From: "Fazal Ahmed Malik" <fam@sky.net.pk>
To: <freebsd-ipfw@freebsd.org>
Subject: transparent squid and ipfw
Message-ID: <0C410D9FC67644B397092B0709802DC9@fam>
Dear All,

I have a problem setting up transparent squid and ipfw dummynet together on FreeBSD. I sent this question earlier but have had no luck implementing it yet. I am using mpd5 as a PPPoE server and have an addclient script which limits the user bandwidth (working perfectly). Now I want all my traffic redirected to squid transparently, meaning users do not need to configure their browser for a proxy. When I redirect port 80 traffic to squid, the bandwidth is no longer controlled, meaning the dummynet pipe is no longer effective.

I have the following ipfw rules, and the addclient script is also attached. Anybody who has implemented such a solution, please help.

00002 157925 116380443 divert 8668 ip from any to any via xl0
00997 fwd 192.168.3.50,8080 $log tcp from any to any 80 in recv $vpn_if
00048 6 288 deny tcp from any to any dst-port 445 out via xl0
00049 0 0 deny tcp from any to any dst-port 445 in via xl0
00050 0 0 deny tcp from any to any dst-port 137 in via xl0
00051 0 0 deny tcp from any to any dst-port 138 in via xl0
00052 0 0 deny tcp from any to any dst-port 139 in via xl0
00053 0 0 allow tcp from any to any dst-port 20 setup
00054 0 0 allow tcp from any to any dst-port 21 setup
00055 0 0 allow tcp from any to any dst-port 22 setup
00056 5 240 allow tcp from any to any dst-port 23 setup
00999 287274 228262006 allow tcp from any to any out keep-state
01003 1298 140582 pipe 3 ip from 192.168.3.80 to any via ng0
01005 3654 409511 pipe 5 ip from 192.168.3.81 to any via ng1
03000 772 52308 allow icmp from me to any
04000 394 26536 allow icmp from any to any
65535 33414 5509180 allow ip from any to any

Best regards,
Fazal Ahmed Malik

-------------- addclient.sh (attachment) --------------
#!/bin/sh
# mpd5 up-script, called as: addclient.sh INTERFACE PROTO LOCAL-IP REMOTE-IP AUTHNAME
int=$1                      # ngN interface assigned to this session
type=$2                     # link protocol (e.g. inet)
clientip=$4                 # address handed to the client
user=$5                     # authenticated user name
fwcmd=/sbin/ipfw            # firewall command
bwconf=/usr/local/etc/mpd5/bandwidth.conf   # lines of: user inkbps outkbps

# Seed the pipe and rule numbers from the interface index (ng0 -> 1, ng1 -> 2, ...)
usernum1=${int#ng}
usernum=`expr "$usernum1" + 1 2>/dev/null`

inkbps=`grep -w "$user" "$bwconf" | cut -d" " -f2`    # max inbound throughput
outkbps=`grep -w "$user" "$bwconf" | cut -d" " -f3`   # max outbound throughput

if [ -z "$usernum" ]; then              # interface name was not ngN
    currentusers=`wc -l < "$bwconf" | tr -d ' '`   # count the lines in the file
    usernum=`expr "$currentusers" + 1`             # one past the line count
    echo newusernum: $usernum
fi

if [ -z "$outkbps" ]; then              # no outbound limit listed, default to 1024kbps
    outkbps=1024
    echo newoutkbps: $outkbps
fi
if [ -z "$inkbps" ]; then               # no inbound limit listed, default to 1024kbps
    inkbps=1024
    echo newinkbps: $inkbps
fi

pipein=`expr "$usernum" \* 2`           # the pipe and rule numbers are seeded by usernum
pipeout=`expr "$pipein" + 1`
fwrulein=`expr "$pipein" + 1000`
fwruleout=`expr "$fwrulein" + 1`
fwholein=`expr "$pipein" + 33000`
fwholeout=`expr "$fwholein" + 1`

$fwcmd pipe "$pipein" config bw ${inkbps}Kbit/s     # make an inbound pipe of the right size
$fwcmd pipe "$pipeout" config bw ${outkbps}Kbit/s   # same for outgoing

#$fwcmd add $fwrulein pipe $pipein ip from any to $clientip in
# force traffic from the client through the correct pipe
$fwcmd add "$fwruleout" pipe "$pipeout" ip from "$clientip" to any via "$int"
#$fwcmd add $fwruleout pipe $pipeout ip from $clientip to any out
#$fwcmd add $fwholein permit ip from any to $clientip
# allow that traffic through the firewall
#$fwcmd add $fwholeout permit ip from $clientip to any

echo `date`,$usernum,$user,$type,$clientip,$int,$inkbps,$outkbps >> /var/log/mpd.output

# -------------- end addclient.sh file ----------
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?0C410D9FC67644B397092B0709802DC9>
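The following is an added illustration, not part of the thread and not the poster's code. It is a small first-match model of ipfw rule evaluation, fed the rule numbers, addresses and interface names from the ruleset in the post, with packets constructed here. It models two behaviours documented in ipfw(8): a matching `fwd` rule ends the search, and a matching `pipe` rule ends the search unless net.inet.ip.fw.one_pass is 0, in which case the packet re-enters the ruleset at the next rule after leaving the pipe. With those semantics, a port-80 packet from the client on ng0 meets the `fwd` rule at 00997 before the `pipe` rule at 01003 and never reaches the pipe; whether that is the whole story in the poster's setup cannot be confirmed from the thread. The renumbered variant (pipe rule moved to 500) and the 203.0.113.10 destination are assumptions made for the example.

```python
"""Toy first-match model of ipfw evaluation (added example, not from the thread)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str   # "in" or "out" relative to the firewall host
    iface: str       # interface the packet arrived on / leaves through


@dataclass
class Rule:
    number: int
    action: str                      # allow | deny | fwd | pipe | divert
    match: Callable[[Packet], bool]
    arg: Optional[str] = None        # fwd next-hop or pipe number


@dataclass
class Verdict:
    matched: List[int] = field(default_factory=list)  # rules that fired, in order
    pipes: List[int] = field(default_factory=list)    # dummynet pipes traversed
    forwarded_to: Optional[str] = None                # fwd next-hop, if any
    final: Optional[str] = None                       # terminating action


def evaluate(rules: List[Rule], pkt: Packet, one_pass: bool = True) -> Verdict:
    """Walk the rules in ascending number order; the first terminating match wins."""
    v = Verdict()
    for r in sorted(rules, key=lambda r: r.number):
        if not r.match(pkt):
            continue
        v.matched.append(r.number)
        if r.action in ("allow", "deny"):
            v.final = r.action
            return v
        if r.action == "fwd":            # ipfw(8): fwd terminates the search
            v.forwarded_to = r.arg
            v.final = "fwd"
            return v
        if r.action == "pipe":
            v.pipes.append(int(r.arg))
            if one_pass:                 # one_pass=1 (default): done after the pipe
                v.final = "pipe"
                return v
            continue                     # one_pass=0: re-enter at the next rule
        if r.action == "divert":
            continue                     # simplification: natd reinjects at next rule
    v.final = "no-match"
    return v


SQUID = "192.168.3.50,8080"

# The rules from the post that matter for a client packet arriving on ng0.
POSTED = [
    Rule(2, "divert", lambda p: p.iface == "xl0", "8668"),
    Rule(997, "fwd", lambda p: p.proto == "tcp" and p.dport == 80
         and p.direction == "in" and p.iface.startswith("ng"), SQUID),
    Rule(999, "allow", lambda p: p.proto == "tcp" and p.direction == "out"),
    Rule(1003, "pipe", lambda p: p.src == "192.168.3.80" and p.iface == "ng0", "3"),
    Rule(1005, "pipe", lambda p: p.src == "192.168.3.81" and p.iface == "ng1", "5"),
    Rule(65535, "allow", lambda p: True),
]


def renumber(rules: List[Rule], old: int, new: int) -> List[Rule]:
    """Copy of the ruleset with one rule moved to a different number."""
    return [Rule(new if r.number == old else r.number, r.action, r.match, r.arg)
            for r in rules]


# Constructed packets from the 192.168.3.80 client on ng0; 203.0.113.10 is a
# documentation address standing in for any web server.
WEB = Packet("192.168.3.80", "203.0.113.10", "tcp", 80, "in", "ng0")
TLS = Packet("192.168.3.80", "203.0.113.10", "tcp", 443, "in", "ng0")


def as_posted(pkt: Packet) -> Verdict:
    return evaluate(POSTED, pkt)


def pipe_before_fwd(pkt: Packet, one_pass: bool) -> Verdict:
    # Hypothetical variant: the client's pipe rule numbered 500, ahead of fwd at 997.
    return evaluate(renumber(POSTED, 1003, 500), pkt, one_pass=one_pass)


if __name__ == "__main__":
    for label, v in [("posted, port 80", as_posted(WEB)),
                     ("posted, port 443", as_posted(TLS)),
                     ("pipe first, one_pass=1", pipe_before_fwd(WEB, True)),
                     ("pipe first, one_pass=0", pipe_before_fwd(WEB, False))]:
        print(f"{label:24} matched={v.matched} pipes={v.pipes} fwd={v.forwarded_to}")
```

The four cases show the trade-off the model captures: as posted, port 80 is forwarded and unshaped while port 443 is shaped and not forwarded; numbering the pipe rule ahead of the fwd rule shapes port 80 but, with the default one_pass=1, the packet leaves the firewall after the pipe and the squid redirect is lost; only with net.inet.ip.fw.one_pass=0 does the packet come back from the pipe and go on to match the fwd rule. Setting one_pass=0 affects every packet that passes through a pipe on the host, so it is a global decision, not a per-rule one.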