Date:      Mon, 3 Jul 2000 00:11:55 -0400
From:      Neill Robins <freebsd@nc.rr.com>
To:        Joel Eusebio <joel@tilapia.pang.pworld.net.ph>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: transparent proxy
Message-ID:  <3610112858.20000703001155@nc.rr.com>
In-Reply-To: <Pine.LNX.3.95.1000703031221.11342A-100000@tilapia.pang.pworld.net.ph>
References:  <Pine.LNX.3.95.1000703031221.11342A-100000@tilapia.pang.pworld.net.ph>

Sunday, July 02, 2000, 11:31:41 PM, you wrote:

JE> Hi,
JE> I have compiled a new kernel with all the instructions that you told me
JE> and I have read the man pages and the README's of transproxy. I am doing a
JE> test on 1 workstation I configured it so that its gateway is the FreeBSD
JE> box running transparent proxy. I configured my Netscape Navigator to go
JE> direct so theoretically the FreeBSD box will intercept all HTTP request
JE> and pipe it to my proxy server which is the same box also. My squid is
JE> configured to accommodate this setup with all the httpd_accel turned on. My
JE> workstations can't connect to the internet....HTTP, IRC . What other
JE> things do I have to check for this to work. The transproxy README says
JE> that I have to add certain ipfw rules??? where do I put them???
JE> /etc/rc.firewall??? Thanks a lot for your support.

JE> ---------------------->jOEl

To add ipfw rules, I simply changed /etc/rc.firewall with the rules
that I needed.  I am assuming you have config'd and compiled/installed
a new kernel with the correct firewall settings.  Also, does the
firewall work if it is set to 'open' in rc.conf (assuming it is set to
otherwise)?  I know this is not secure, but it helped me make sure my
current settings were working.

Back to the ipfw rules:  I edited /etc/rc.firewall with the rules I
needed (compiled from www.mostgraveconcern.com/freebsd/ipfw.html).

After editing that file, just sh /etc/rc.firewall to load the new
rules and that was it.  Of course, that is only for firewall settings,
which might have nothing to do with your proxy problem, but might be
worth a try.

Good Luck,
Neill freebsd@nc.rr.com

JE> On Sun, 2 Jul 2000, Neill Robins wrote:

>> Sunday, July 02, 2000, 9:32:39 PM, you wrote:
>> JE> Hi,
>> JE> I followed your instructions and I was successful in compiling a new
>> JE> kernel with IP_FIREWALL, IPFIREWALL_VERBOSE, IP_DIVERT and IP_FORWARD
>> JE> activated but when rebooted and tried to ping one of my servers it says
>> JE> "permission denied"  what did I do wrong??? Another is if I compiled a new
>> JE> kernel from my understanding the previous kernel will be named kernel.old
>> JE> how would I use this kernel.old in case my new kernel does not work.
>> JE> Thanks a lot.
>> 
>> JE> ------------------------>jOEl
>>  
>> 
>> JE> On Sun, 2 Jul 2000, Crist J. Clark wrote:
>> 
>> >> On Sun, Jul 02, 2000 at 01:34:32PM +0000, Joel Eusebio wrote:
>> >> > Hi All,
>> >> > Do I have to tweak the GENERIC kernel on /usr/src/sys to activate ipfw
>> >> 
>> >> No, you can just load the KLD.
>> >> 
>> >> > and
>> >> > what does LINT do???
>> >> 
>> >> It is not a working kernel. It just lists all (pretty close to all
>> >> anyway) of the things you could put into a kernel config file and has
>> >> some useful comments.
>> >> 
>> >> > If so what are the values that I have to add in the
>> >> > GENERIC kernel or in the LINT in order for ipfw or natd to work???
>> >> 
>> >> Go to the LINT kernel and search for IPFIREWALL. Also, see ipfw(8),
>> >> natd(8), and divert(4).
>> >> 
>> >> > BTW I'm
>> >> > setting up a transparent proxy on my 4.0-stable and I've posted this
>> >> > before and tried the suggestions that were given to me by some helpful
>> >> > people but still I can't make transparent proxy to run. Thanks again
>> >> 
>> >> Well, transparent proxies need more options to run, namely,
>> >> IPFIREWALL_FORWARD.
>> >> 
>> >> Copy GENERIC to some new file, the machine name is a popular choice,
>> >> add the lines you figure out you need, delete things that came from
>> >> GENERIC that you don't need, and build a new kernel.
>> >> -- 
>> >> Crist J. Clark                           cjclark@alum.mit.edu
>> >> 
>> 
>> Hello Joel,
>> 
>> 1- To boot an old kernel, just type boot kernel.old at the boot prompt
>> (I believe you have to hit a key first...I am not currently at my
>> machine to make sure)
>> 2- To ping, you need to enable ICMP which looks like this as one of my
>> IPFW rules in /etc/rc.firewall
>> 
>> # ICMP - for ping, etc
>> ${fwcmd} add pass icmp from any to any
>> 
>> See www.freebsddiary.org and www.mostgraveconcern/freebsd/ along with
>> the handbook and manpages for more info.
>> 
>> This works for me.
>> 
>> Good luck,
>> Neill
>> freebsd@nc.rr.com
>> 
>> 




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
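
The rules the thread keeps coming back to, as an added example that is not part of the original messages or of the transproxy or Squid documentation: an rc.firewall-style fragment for HTTP interception, plus a check that the `fwd` rule is not shadowed by an earlier broad pass rule (ipfw acts on the first matching rule). The LAN network, interface name, rule numbers and the Squid listener on 127.0.0.1:3128 are assumptions, and `fwcmd` defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example; all values below are constructed samples, not from the thread.
fwcmd="${fwcmd:-echo}"                 # dry run; on the gateway use "/sbin/ipfw -q"
lan_net="${lan_net:-192.168.1.0/24}"   # assumed LAN behind the FreeBSD box
lan_if="${lan_if:-ed1}"                # assumed inside interface
proxy="${proxy:-127.0.0.1,3128}"       # assumed Squid listener (address,port)

proxy_rules() {
    # Loopback rule as in the stock rc.firewall.
    ${fwcmd} add 100 pass all from any to any via lo0
    # Intercept only HTTP arriving from the LAN on the inside interface.
    # Matching on source and interface keeps the proxy's own outbound
    # requests out of this rule, so they are not fed back into the proxy.
    # Requires a kernel built with IPFIREWALL_FORWARD.
    ${fwcmd} add 1000 fwd "${proxy}" tcp from "${lan_net}" to any 80 in via "${lan_if}"
    # ICMP, the rule quoted in the thread.
    ${fwcmd} add 2000 pass icmp from any to any
    # Site-specific pass rules go here, numbered above 1000. Without
    # them the final default rule denies everything else.
}

# Reads "add N ..." lines on stdin and prints one word:
#   ok        fwd rule present and not preceded by a broad pass rule
#   shadowed  a "pass all|ip|tcp from any to any" rule has a lower number
#   missing   no fwd rule at all
fwd_status() {
    awk '
        $1 == "add" && $3 == "fwd" { fwd = $2 + 0 }
        $1 == "add" && ($3 == "pass" || $3 == "allow") &&
            ($4 == "all" || $4 == "ip" || $4 == "tcp") &&
            $6 == "any" && $8 == "any" && NF == 8 {
            if (!broad || $2 + 0 < broad) broad = $2 + 0
        }
        END {
            if (!fwd) print "missing"
            else if (broad && broad < fwd) print "shadowed"
            else print "ok"
        }'
}

# Stand-alone run: print the verdict for the rule set above.
proxy_rules | fwd_status
```
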