Date: Sat, 10 Jul 2004 19:58:34 -0700
From: Ezra Banoba <ebanoba@one2net.co.ug>
To: freebsd-isp@freebsd.org
Subject: Re: My ipfw rules doesn't work
Message-ID: <1089514712.3505.79.camel@ebans.one2net.co.ug>
In-Reply-To: <opsaxj9ozumvvzdj@toshibalap>
References: <opsavpednwmvvzdj@toshibalap> <opsavq67vymvvzdj@toshibalap> <opsav368gemvvzdj@toshibalap> <1089482996.3505.41.camel@ebans.one2net.co.ug> <opsaxj9ozumvvzdj@toshibalap>

In order for your squid to perform as a transparent proxy, you will have
to first successfully compile it with transparent proxy support.
If you passed -enable-ipf-transparent to your configure script, it looks
for the files ip_nat.h, ip_fil.h, and ip_compat.h in /usr/include/. You
could locate these files and copy them over into that directory ...
better still, cd to /usr/src/ and make installincludes, then recompile
and install your squid with transparent proxy support.
That should do it.

Regards.

On Sat, 2004-07-10 at 09:33, Carlos Alarcón wrote:
> I configured squid with transparent-proxy support, but I think this
> configuration fails when I compiled it, I probed with squid 2.5 but it
> doesn't compile on my FreeBSD.
> When I compile squid the output on the transparent proxy is this:
> -enable-ipf-transparent
> WARNING: Cannot find necessary IP-Filter header files
> Transparent Proxy support WILL NOT be enabled
> I use ipfw, when this happened I put ipf support but it was the same thing.
>
> -enable-pf-transparent
> WARNING: Cannot find necessary Pf header files
> Transparent Proxy support WILL NOT be enabled
>
> With the client browser settings set to point to the proxy my redirection
> rule increases. When client settings proxy is not set, this rule doesn't
> increase.
> Is my redirection rule ok??
>
> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
> dst-port 80
>
> On Sat, 10 Jul 2004 11:09:56 -0700, Ezra Banoba <ebanoba@one2net.co.ug>
> wrote:
>
> > Did you configure your squid with transparent-proxy support?
> > I'm not sure about how the BSD protocol stack handles this but assuming
> > the redirection is dealt with before the bridging, then there should be
> > no problem.
> > On Fri, 2004-07-09 at 14:48, Carlos Alarcón wrote:
> >
> >> who have
> >> the proxy's configuration fails giving me this
> >> message
> >>
> >> You are not authorized to view this page
> >> You might not have permission to view this directory or page using the
> >> credentials you supplied.
> >
> > Does this also happen with the client browser settings set to point to
> > the proxy?
> >
> >> I add the ipfw output
> >>
> >> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
> >> dst-port 80
> >> 00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
> >> 00200 1558457 715268891 pipe 2 ip from any to any out via xl0
> >> 01300 2027 101248 deny ip from 10.0.0.0/8 to any in via xl0
> >> 01400 2315 96466 deny ip from 192.168.0.0/16 to any in via xl0
> >> 01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup
> >> keep-state
> >> 01600 437760 84307478 allow udp from 172.16.1.33 to any keep-state
> >> 01700 53564 13382458 allow ip from 172.16.1.33 to any
> >> 01800 89927607 52765076360 allow tcp from any to any in via xl1 setup
> >> keep-state
> >> 01900 18918311 2483412584 allow udp from any to any in via xl1
> >> keep-state
> >> 02000 3629310 116342293 allow ip from any to any in via xl1
> >> 02500 830 41582 allow icmp from any to any icmptypes 8
> >> keep-state
> >> 02600 568996 61796292 allow icmp from any to any icmptypes 3
> >> 02700 15888 1527232 allow icmp from any to any icmptypes 11
> >> 02800 9118822 2306878168 allow ip from any to any
> >> 65535 352 10550 deny ip from any to any
> >>
> >> part of my kernel configuration file
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_FORWARD
> >> options IPFIREWALL_VERBOSE_LIMIT
> >> options DUMMYNET
> >> options BRIDGE
> >> options PFIL_HOOKS
> >> options MSGMNB=8192
> >> options MSGMNI=40
> >> options MSGSEG=512
> >> options MSGSSZ=64
> >> options MSGTQL=2048
> >> options HZ=1000
> >> options IPDIVERT
> >>
> >>
> >> > Which bad results are these?

-- 
Ezra Banoba
Network Engineer
one2net
www.one2net.co.ug
"Doing well is a result of Doing good. That's what capitalism is all about."
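
The check described in the thread (does the counter on fwd rule 00012 grow when the client browser has no proxy configured?) can be made repeatable by diffing two `ipfw -a list` snapshots. This is an added example, not part of the original messages; the function names `fwd_delta` and `fwd_hit` and the "after" counters are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): measure whether an ipfw fwd rule is
# matching traffic by diffing two `ipfw -a list` snapshots.
# `ipfw -a list` columns: rule number, packets, bytes, then the rule body.

# fwd_delta BEFORE AFTER
# Prints "<rule> <packet delta> <byte delta> <fwd target>" for each fwd rule.
fwd_delta() {
    awk '
        FNR == 1 { file++ }                 # 1 = BEFORE, 2 = AFTER
        $4 != "fwd" { next }                # only redirect rules
        file == 1 { pk[$1] = $2; by[$1] = $3; next }
        { printf "%s %d %d %s\n", $1, $2 - pk[$1], $3 - by[$1], $5 }
    ' "$1" "$2"
}

# fwd_hit RULE BEFORE AFTER
# Exit status 0 if RULE matched at least one packet between the snapshots.
fwd_hit() {
    fwd_delta "$2" "$3" |
        awk -v r="$1" '$1 == r && $2 > 0 { ok = 1 } END { exit !ok }'
}

# Constructed demo: the "before" counters are the ones quoted in the thread,
# the "after" counters are made up. On a live system take the snapshots with
#   ipfw -a list > before.txt   (then browse from a client with no proxy set)
#   ipfw -a list > after.txt
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
EOF
    cat > "$tmp/after" <<'EOF'
00012 1601 1156500 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
00100 9257400 6707500000 pipe 1 ip from any to any in via xl0
EOF
    fwd_delta "$tmp/before" "$tmp/after"    # -> 00012 14 8400 172.16.1.33,3128
    rm -rf "$tmp"
}
demo
```

A zero packet delta for the fwd rule while an unconfigured client is browsing means port 80 traffic is not reaching that rule at all, which is a separate question from whether squid was built with transparent proxy support.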
