Date: Tue, 31 Jul 2007 11:45:41 +0100
From: "James Seward" <jamesoff@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Transparent squid proxy with if_bridge
Message-ID: <720051dc0707310345y1fe23172x69dce6b939ee50c6@mail.gmail.com>
Hello all,

I'm trying to set up a machine using if_bridge to do transparent proxying via squid. I've been following a selection of walkthroughs online including http://www.benzedrine.cx/transquid.html

I have a machine with three network cards, two of which form the bridge and the third is for management.

Using a rdr rule in pf.conf, I am rewriting packets from my workstation (currently the only client while I test) to localhost:8080. I have also tried redirecting to the IP of the management card. In both cases squid was configured to listen either on localhost:8080 or management_ip:8080. The "transparent" option appears on the http_port configuration line. Squid is currently set to allow anyone access.

If squid is listening on the management_ip, I can point my browser at that and squid services my request normally. If I bind squid to localhost, I can nc(1) to it and it services my request.

If I let the rdr rule redirect my packets to squid, nothing happens and the client times out. pfctl -sa shows that pf has done the redirection and displays something like:

    127.0.0.1:8080 <- external_ip:80 <- client_ip:34582       CLOSED:SYN_SENT

so it seems the SYN never arrives at squid. tcpdumping lo0 shows no traffic at all.

I have tried this with and without IPs for the bridged cards (without would suit me better) but I'm not sure if that's the problem at this stage.

--8<-- pf.conf ----
ext_if="fxp0"
int_if="xl0"

# send web-type stuff to the cache
rdr on $int_if inet proto tcp \
    from 192.168.200.112 to any port www \
    -> 127.0.0.1 port 8080

pass in all
pass out all
-----

--8<--- squid.conf
# egrep -v "^#" /usr/local/etc/squid/squid.conf | egrep -v '^$'
http_port 127.0.0.1:8080 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_dir ufs /usr/local/squid/cache 4096 16 256
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_mgr XXXXX
mail_program mail
visible_hostname XXXXX
logfile_rotate 10
append_domain .XXXXX
always_direct allow all
coredump_dir /usr/local/squid/cache
------

--%<--- ifconfig
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.200.17 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:a0:c9:ea:92:91
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.200.16 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:50:04:39:c2:f2
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.200.113 netmask 0xffffff00 broadcast 192.168.200.255
        ether 00:40:f4:4d:84:31
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 5a:6b:3a:b8:6a:c1
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
        root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
        member: fxp0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: xl0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
------

(xl0 and fxp0 currently have IPs, but it doesn't work when they don't either)

Sample state:

STATES:
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526       CLOSED:SYN_SENT

Every walkthrough makes it sound very simple and easy; I feel like I must be missing something obvious :)

Thanks in advance,
James
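The one hard datum in the post above is the pf state entry: a redirected flow that shows the rdr was applied (three endpoints, two arrows) but never left CLOSED:SYN_SENT. The following triage helper is an added example, not code from the original post or from pf/squid. It parses state lines in the `target <- original destination <- client` layout that James pasted, picks out the TCP flows that were translated but whose handshake never progressed, and counts them per rdr target, so a listener that never sees a SYN shows up as a single hot entry. The input lines are constructed for the example and modelled on his one pasted state; the names `parse_state_line`, `stalled_redirects` and `summarize` are the example's own. It only interprets inbound (`<-`) translations, because that is the only arrow layout the post shows.

```python
"""Find pf rdr states whose TCP handshake never completed (added example)."""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

# One state line as printed in the STATES section of `pfctl -sa` (or `pfctl -ss`):
#   <if or self/all> <proto> <endpoints joined by <- or ->> <src_state:dst_state>
# The state names are upper-case words (CLOSED, SYN_SENT, ESTABLISHED, MULTIPLE, ...),
# so they cannot be confused with an address:port token such as 127.0.0.1:8080.
LINE_RE = re.compile(
    r"^\s*(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<flow>.+?)\s+"
    r"(?P<state>[A-Z0-9_]+:[A-Z0-9_]+)\s*$"
)
ARROW_SPLIT_RE = re.compile(r"\s+(?:<-|->)\s+")
ARROW_RE = re.compile(r"<-|->")

# Constructed sample, modelled on the state line in the post: two redirected flows
# stuck in SYN_SENT, one ordinary SSH session, one direct hit on the squid port,
# and a UDP state that must be ignored.
SAMPLE = """\
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526       CLOSED:SYN_SENT
self tcp 127.0.0.1:8080 <- 72.14.207.99:80 <- 192.168.200.112:50530         CLOSED:SYN_SENT
all tcp 192.168.200.113:22 <- 192.168.200.112:51234       ESTABLISHED:ESTABLISHED
all tcp 192.168.200.113:8080 <- 192.168.200.112:51300     ESTABLISHED:ESTABLISHED
all udp 192.168.200.113:53 -> 192.168.200.1:53       MULTIPLE:MULTIPLE
"""


@dataclass
class PfState:
    ifname: str
    proto: str
    endpoints: List[str]       # address:port tokens, left to right as printed
    direction: Optional[str]   # '<-' inbound, '->' outbound, None if mixed/absent
    src_state: str
    dst_state: str

    @property
    def translated(self) -> bool:
        # A third endpoint is only printed when nat/rdr rewrote the packet.
        return len(self.endpoints) == 3

    @property
    def handshake_stalled(self) -> bool:
        # A SYN was sent one way and nothing ever came back: one side SYN_SENT,
        # the other still CLOSED.  Order-insensitive on purpose.
        return {self.src_state, self.dst_state} == {"SYN_SENT", "CLOSED"}


def parse_state_line(line: str) -> Optional[PfState]:
    """Return a PfState for one pf state line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flow = m["flow"].strip()
    arrows = set(ARROW_RE.findall(flow))
    direction = arrows.pop() if len(arrows) == 1 else None
    src_state, dst_state = m["state"].split(":", 1)
    return PfState(m["ifname"], m["proto"], ARROW_SPLIT_RE.split(flow),
                   direction, src_state, dst_state)


def stalled_redirects(lines) -> List[Dict[str, str]]:
    """TCP flows that were redirected inbound (rdr) but never got past SYN_SENT."""
    found = []
    for line in lines:
        st = parse_state_line(line)
        if (st is None or st.proto != "tcp" or st.direction != "<-"
                or not st.translated or not st.handshake_stalled):
            continue
        # Inbound rdr layout in this pf version: <rdr target> <- <original dst> <- <client>
        target, original, client = st.endpoints
        found.append({"ifname": st.ifname, "client": client, "original_dst": original,
                      "rdr_target": target, "state": f"{st.src_state}:{st.dst_state}"})
    return found


def summarize(lines) -> Dict[str, int]:
    """Number of stalled redirected flows per rdr target (e.g. the squid listener)."""
    counts: Dict[str, int] = {}
    for r in stalled_redirects(lines):
        counts[r["rdr_target"]] = counts.get(r["rdr_target"], 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: pfctl -ss | python3 pf_stalled_rdr.py   (falls back to SAMPLE when run by hand)
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE.splitlines()
    for r in stalled_redirects(src):
        print(f"{r['client']} -> {r['original_dst']} redirected to {r['rdr_target']}: {r['state']}")
    for target, n in summarize(src).items():
        print(f"{n} stalled redirect(s) towards {target}")
```

If every entry lands on the same rdr target while a direct connection to that same address:port is ESTABLISHED (as in the sample, and as James describes for nc(1) to localhost), the state table is telling you the translated SYN is being lost between pf and the listener rather than being refused by squid, which narrows where to tcpdump next.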