Date: Mon, 23 Jun 2008 18:26:43 -0500
From: eculp <eculp@encontacto.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF and SQUID
Message-ID: <20080623182643.75686fq9ijcydyg4@intranet.encontacto.net>
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
References: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
Quoting Miguel Alcántara <miguel.alc@gmail.com>:

> Hi everybody, I've been having a problem for a week. I have to set up
> PF + SQUID on a P2 machine with 128 RAM, a 6GB hard disk and just one
> NIC. I virtualized an interface with IP 192.168.1.80 and it has squid;
> the NIC has 192.168.1.60 and the whole LAN is 192.168.1.0/24.
>
> My problem is that I can't browse some sites that must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"

As Max suggested, it might be easier for Miguel in his native language,
but we aren't sure which language that is. I'm going to take a shot
in Spanish and see if that helps. Apologies to the list; Miguel
can take other questions offline should he feel more comfortable in
Spanish.

Hi Miguel,

Judging by your name, it may be easier to help you in Spanish. I have
just put together a basic configuration for squid and another for pf
that I hope will help you. I took them from a configuration of mine,
removing whatever has nothing to do with a basic firewall or the
operation of squid. I hope it helps.

http://encontacto.net/SHARE/pf.conf.BASICA.txt
http://encontacto.net/SHARE/squid.conf.BASICA.txt

I added some # comments that I hope are useful.

Good luck and regards,

ed

>
> table <dns_cautivo> {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
> nat on $ext_nic from $yo to any -> ($ext_nic)
> #FILTER
> block all
> #pass in on $ext_nic from $yo
> pass out on $ext_nic from any to <dns_cautivo>
>
> squid.conf
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> #/////////
> acl special_client src 192.168.1.0/24
> #acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"
>
> #acl special_url url_regex ucci
> acl hotmail dstdomain .hotmail.com
> acl mail dstdomain .blu134.mail.live.com
> acl mailhot dstdom_regex -i mail
> acl hotmail_mail dstdomain .hotmail.msn.com
> acl passport dstdomain .passport.net
> acl msn dstdomain .msn.com
> acl ie6 browser MSIE[[:space:]]6
> acl permitidos url_regex "/usr/local/etc/squid/free.squid"
> acl palabra urlpath_regex -i login.srt
> acl numconn maxconn 80
> acl browse_hotmail url_regex www.hotmail.com
> acl browse_ulima url_regex www.ulima.edu.pe
> acl browse_yahoo url_regex www.yahoo.com
>
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##http_access allow special_client lista_permitidos
> ##http_access allow special_client hotmail
> ##http_access allow special_client mailhot
> ##http_access allow special_client mail
> #http_access deny special_url
> #http_access allow special_client
>
> http_access allow special_client permitidos
> http_access allow special_client hotmail
> http_access allow special_client mail
> http_access allow special_client mailhot
> http_access allow special_client Safe_ports
> http_access allow special_client hotmail_mail
> http_access allow special_client palabra
> http_access allow special_client browse_hotmail
> http_access allow special_client browse_ulima
> http_access allow special_client browse_yahoo
> #http_access allow special_client special_url
> http_access deny all
>
>
> Well, it doesn't work. When I try to surf to any domain name listed
> above in squid, squid sends me a message:
>
> ERROR The requested URL could not be retrieved
> ------------------------------
>
> While trying to retrieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
> * Connection to Failed *
>
> The system returned:
>
> * (1) Operation not permitted *
>
> The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
> ------------------------------
> Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)
>
>
> Then in the squid logs I can see a 503 error, TCP_MISS.
>
> I use FBSD 7 and SQUID 2.6, obviously with PF. Ah, squid was compiled
> with pf abilities or something like that.
>
> Please, what am I doing wrong?
>
>
> --
> Atte.
>
> Miguel Alcántara A.
>
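Added example, not from either message in this thread: a minimal pf.conf for the layout Miguel describes (one NIC dc0, LAN 192.168.1.0/24, squid on the alias 192.168.1.80 port 3128, default deny). It shows what a reader of the quoted pf.conf would want to check: `block all` also blocks connections the firewall host itself originates, so squid's fetches from 192.168.1.80 need their own `pass out` rule, and that traffic is kept out of the nat so the filter can match it by its real address.

```conf
# Added example (not from either message in this thread): a minimal pf.conf
# for Miguel's layout -- one NIC dc0, LAN 192.168.1.0/24, squid listening on
# the alias 192.168.1.80 port 3128, default deny.
ext_nic = "dc0"
lan     = "192.168.1.0/24"
proxy   = "192.168.1.80"
table <dns_cautivo> { 208.67.220.220, 208.67.222.222 }

set skip on lo0

# Translation rules are evaluated before filter rules, so the "pass out"
# rules below see post-NAT addresses. Keep squid's own traffic untranslated
# so it can be matched by its real source; LAN clients keep the original nat.
no nat on $ext_nic from $proxy to any
nat on $ext_nic from $lan to any -> ($ext_nic)

# Transparent proxy: web traffic arriving from the LAN is redirected to squid.
# rdr applies to inbound packets only, so squid's own outbound fetches are not
# looped back into the proxy. "rdr pass" also passes the redirected traffic.
rdr pass on $ext_nic inet proto tcp from $lan to any port www \
    -> $proxy port 3128

# Default deny, as in the original. This also blocks connections that the
# firewall host itself originates, including squid's. On FreeBSD a connect()
# blocked by pf fails with EPERM, "(1) Operation not permitted".
block log all

# The rule the quoted pf.conf lacks: squid's outbound HTTP/HTTPS fetches on
# behalf of its clients (HTTPS for the CONNECT requests squid.conf allows).
pass out quick on $ext_nic inet proto tcp from $proxy to any \
    port { www, https } keep state

# squid's resolver, to the two captive DNS servers
pass out quick on $ext_nic inet proto udp from $proxy to <dns_cautivo> \
    port domain keep state

# LAN clients' DNS to the captive resolvers, narrowed from the original's
# any-protocol rule to UDP port 53
pass out on $ext_nic inet proto udp from $lan to <dns_cautivo> \
    port domain keep state
```

On the squid 2.6 side the listener must be declared `http_port 3128 transparent`, and the pf support Miguel says squid was compiled with needs read access to /dev/pf to look up each connection's original destination.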