From owner-freebsd-pf@FreeBSD.ORG Mon Jun 23 23:37:09 2008
From: eculp
To: freebsd-pf@freebsd.org
Date: Mon, 23 Jun 2008 18:26:43 -0500
Subject: Re: PF and SQUID
Message-ID: <20080623182643.75686fq9ijcydyg4@intranet.encontacto.net>
In-Reply-To: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>
References: <5855700c0806230850r2df3d656of675ca4e0e307a51@mail.gmail.com>

Quoting Miguel Alcántara :

> Hi everybody, I've been having a problem for a week.
> I have to set up PF + SQUID in a P2 machine, with 128RAM and 6GB hard disk
> and just one nic. I virtualized an interface with an ip 192.168.1.80 and
> it has squid, the nic has 192.168.1.60 and all the lan is 192.168.1.0/24.
>
> My problem is that I can't browse some sites that must be permitted.
>
> pf.conf
>
> #rules for firewall
> ext_nic = "dc0"
> yo = "192.168.1.0/24"

As Max suggested, it might be easier for Miguel in his native language, but
we aren't sure which language that is, so I'm going to take a shot in
Spanish and see if that helps. Apologies to the list; Miguel can take other
questions offline should he feel more comfortable in Spanish.

Hi Miguel,

Judging by your name, it will probably be easier to help you in Spanish. I
have just put together a basic configuration for squid and another for pf
that I hope will help you. I took them from a configuration of my own but
removed whatever has nothing to do with a basic firewall or the operation
of squid. I hope it helps.

http://encontacto.net/SHARE/pf.conf.BASICA.txt
http://encontacto.net/SHARE/squid.conf.BASICA.txt

I added some # comments that I hope are useful.

Good luck and regards,

ed

>
> table {208.67.220.220, 208.67.222.222}
> #SQUID CONFIGURATION
> rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
> nat on $ext_nic from $yo to any -> ($ext_nic)
> #FILTER
> block all
> #pass in on $ext_nic from $yo
> pass out on $ext_nic from any to
>
> squid.conf
>
> #Recommended minimum configuration:
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> #/////////
> acl special_client src 192.168.1.0/24
> #acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"
>
> #acl special_url url_regex ucci
> acl hotmail dstdomain .hotmail.com
> acl mail dstdomain .blu134.mail.live.com
> acl mailhot dstdom_regex -i mail
> acl hotmail_mail dstdomain .hotmail.msn.com
> acl passport dstdomain .passport.net
> acl msn dstdomain .msn.com
> acl ie6 browser MSIE[[:space:]]6
> acl permitidos url_regex "/usr/local/etc/squid/free.squid"
> acl palabra urlpath_regex -i login.srt
> acl numconn maxconn 80
> acl browse_hotmail url_regex www.hotmail.com
> acl browse_ulima url_regex www.ulima.edu.pe
> acl browse_yahoo url_regex www.yahoo.com
>
> http_access allow manager localhost
> http_access deny manager
> # Deny requests to unknown ports
> http_access deny !Safe_ports
> # Deny CONNECT to other than SSL ports
> http_access deny CONNECT !SSL_ports
> ##http_access allow special_client lista_permitidos
> ##http_access allow special_client hotmail
> ##http_access allow special_client mailhot
> ##http_access allow special_client mail
> #http_access deny special_url
> #http_access allow special_client
>
> http_access allow special_client permitidos
> http_access allow special_client hotmail
> http_access allow special_client mail
> http_access allow special_client mailhot
> http_access allow special_client Safe_ports
> http_access allow special_client hotmail_mail
> http_access allow special_client palabra
> http_access allow special_client browse_hotmail
> http_access allow special_client browse_ulima
> http_access allow special_client browse_yahoo
> #http_access allow special_client special_url
> http_access deny all
>
>
> Well, it doesn't work. When I try to surf to any domain name listed above
> in squid, squid sends me a message:
>
> ERROR The requested URL could not be retrieved
> ------------------------------
>
> While trying to retrieve the URL: http://www.yahoo.com/
>
> The following error was encountered:
>
> - Connection to Failed
>
> The system returned:
>
> (1) Operation not permitted
>
> The remote host or network may be down. Please try the request again.
>
> Your cache administrator is webmaster.
> ------------------------------
> Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)
>
>
> Then in logs from squid I can see a 503 error TCP_MISS.
>
> I use FBSD 7 and SQUID 2.6, obviously with PF. Ah!, squid was compiled
> with pf abilities or something like that.
>
> Plz, what am I doing wrong?
>
>
> --
> Atte.
>
> Miguel Alcántara A.
>
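The single-NIC transparent-proxy arrangement Miguel describes, written out as an added example ruleset (it is neither his posted pf.conf nor the files eculp links). It assumes the interface, addresses and squid port quoted in the thread and that the LAN hosts use this box as their default gateway; the table name <dns> is an assumption.

```pf
# Added example: a hypothetical single-NIC ruleset written for this thread.
# It is neither Miguel's posted pf.conf nor the file eculp links. It assumes
# the values quoted above: dc0 holding 192.168.1.60 plus the alias
# 192.168.1.80 (squid on 3128), LAN 192.168.1.0/24, and LAN hosts using
# this box as their default gateway. The table name <dns> is an assumption.
ext_nic    = "dc0"
lan        = "192.168.1.0/24"
proxy      = "192.168.1.80"
proxy_port = "3128"
table <dns> { 208.67.220.220, 208.67.222.222 }

# Squid talks to itself over loopback; leave that unfiltered.
set skip on lo0

# Translation. LAN web traffic arriving on dc0 is handed to squid; "rdr
# pass" also passes the redirected packets, so no separate
# "pass in ... port 3128" rule is needed for them.
rdr pass on $ext_nic inet proto tcp from $lan to any port www \
    -> $proxy port $proxy_port
nat on $ext_nic from $lan to any -> ($ext_nic)

# Filtering. "block all" also covers packets this host itself generates:
# on FreeBSD a locally originated connect() that pf drops fails with EPERM,
# which squid shows as "(1) Operation not permitted". Logging the blocks
# lets you confirm that with "tcpdump -n -e -ttt -i pflog0".
block log all

# Squid's own connections to origin servers leave from whichever dc0
# address the routing table picks (the primary unless squid sets
# tcp_outgoing_address), so match every address on the interface. After
# nat, forwarded client HTTPS carries the dc0 address too, so it fits here.
pass out on $ext_nic inet proto tcp from ($ext_nic) to any \
    port { www, https } keep state

# HTTPS is not redirected to squid, so let the LAN forward it directly.
pass in on $ext_nic inet proto tcp from $lan to any port https keep state

# Name resolution for the proxy host and for the LAN clients.
pass out on $ext_nic proto { tcp, udp } from ($ext_nic) to <dns> \
    port domain keep state
pass in  on $ext_nic proto { tcp, udp } from $lan to <dns> \
    port domain keep state
```

Parse it with "pfctl -nf /etc/pf.conf" before loading, and watch pflog0 while a client fetches a page to see which rule, if any, still drops squid's outbound connections.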