From: Ezra Banoba
To: freebsd-isp@freebsd.org
Date: Sat, 10 Jul 2004 19:58:34 -0700
Subject: Re: My ipfw rules doesn't work

In order for your squid to perform as a transparent proxy, you will have to first successfully compile it with transparent proxy support. If you passed -enable-ipf-transparent to your configure script, it looks for the files ip_nat.h, ip_fil.h, and ip_compat.h in /usr/include/. You could locate these files and copy them over into that directory ... better still, cd to /usr/src/ and make installincludes, then recompile and install your squid with transparent proxy support. That should do it.

Regards.

On Sat, 2004-07-10 at 09:33, Carlos Alarcón wrote:
> I configured squid with transparent-proxy support, but I think this
> configuration fails when I compiled it, I probed with squid 2.5 but it
> doesn't compile on my FreeBSD.
> when I compile squid the output on the transparent proxy is this:
> -enable-ipf-transparent
> WARNING: Cannot find necessary IP-Filter header files
> Transparent Proxy support WILL NOT be enabled
> I use ipfw, when this happened I put ipf support but it was the same thing.
>
> -enable-pf-transparent
> WARNING: Cannot find necessary Pf header files
> Transparent Proxy support WILL NOT be enabled
>
> With the client browser settings set to point to the proxy my redirection
> rule increase. when client settings proxy is not set, this rules doesn't
> increase.
> is my redirection rule ok??
>
> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
>
> On Sat, 10 Jul 2004 11:09:56 -0700, Ezra Banoba wrote:
>
> > Did you configure your squid with transparent-proxy support?
> > I'm not sure about how the BSD protocol stack handles this but assuming
> > the redirection is dealt with before the bridging, then there should be
> > no problem.
> > On Fri, 2004-07-09 at 14:48, Carlos Alarcón wrote:
> >
> >> who have
> >> the proxy's configuration fails giving me this
> >> message
> >>
> >> You are not authorized to view this page
> >> You might not have permission to view this directory or page using the
> >> credentials you supplied.
> >
> > Does this also happen with the client browser settings set to point to
> > the proxy?
> >
> >> i add the ipfw output
> >>
> >> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
> >> 00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
> >> 00200 1558457 715268891 pipe 2 ip from any to any out via xl0
> >> 01300 2027 101248 deny ip from 10.0.0.0/8 to any in via xl0
> >> 01400 2315 96466 deny ip from 192.168.0.0/16 to any in via xl0
> >> 01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup keep-state
> >> 01600 437760 84307478 allow udp from 172.16.1.33 to any keep-state
> >> 01700 53564 13382458 allow ip from 172.16.1.33 to any
> >> 01800 89927607 52765076360 allow tcp from any to any in via xl1 setup keep-state
> >> 01900 18918311 2483412584 allow udp from any to any in via xl1 keep-state
> >> 02000 3629310 116342293 allow ip from any to any in via xl1
> >> 02500 830 41582 allow icmp from any to any icmptypes 8 keep-state
> >> 02600 568996 61796292 allow icmp from any to any icmptypes 3
> >> 02700 15888 1527232 allow icmp from any to any icmptypes 11
> >> 02800 9118822 2306878168 allow ip from any to any
> >> 65535 352 10550 deny ip from any to any
> >>
> >> part of my kernel configuration file
> >>
> >> options IPFIREWALL
> >> options IPFIREWALL_FORWARD
> >> options IPFIREWALL_VERBOSE_LIMIT
> >> options DUMMYNET
> >> options BRIDGE
> >> options PFIL_HOOKS
> >> options MSGMNB=8192
> >> options MSGMNI=40
> >> options MSGSEG=512
> >> options MSGSSZ=64
> >> options MSGTQL=2048
> >> options HZ=1000
> >> options IPDIVERT
> >>
> >>
> >>
> Which bad results are these?

--
Ezra Banoba
Network Engineer
one2net
www.one2net.co.ug
"Doing well is a result of Doing good. That's what capitalism is all about."
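
Rule 00012 in the quoted ipfw output selects packets by protocol and destination port only ("from any to any"). The following is an added example, not part of the original thread, that evaluates that match expression against three constructed packets to show which traffic the fwd rule would pick up. Assumptions: only 172.16.1.33 comes from the thread, the other addresses are made up, and the parser covers just the "<action> <proto> from <src> to <dst> [dst-port N]" subset of ipfw syntax (interface, setup and keep-state conditions are not modelled).

```python
import ipaddress

# Rule 00012 as quoted in the thread, packet/byte counters removed.
FWD_RULE = "fwd 172.16.1.33,3128 tcp from any to any dst-port 80"

def parse_rule(text):
    """Parse '<action...> <proto> from <src> to <dst> [dst-port N]' only."""
    tok = text.split()
    i = tok.index("from")
    if tok[i + 2] != "to":
        raise ValueError("unsupported rule syntax: " + text)
    dport = int(tok[tok.index("dst-port") + 1]) if "dst-port" in tok else None
    return {"action": " ".join(tok[:i - 1]), "proto": tok[i - 1],
            "src": tok[i + 1], "dst": tok[i + 3], "dport": dport}

def addr_ok(spec, addr):
    """'any' matches everything; otherwise treat spec as a host or CIDR."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """True if the packet satisfies every condition in the rule body."""
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_ok(rule["src"], pkt["src"])
            and addr_ok(rule["dst"], pkt["dst"])
            and rule["dport"] in (None, pkt["dport"]))

# Constructed packets. Only 172.16.1.33 appears in the thread; the client
# (172.16.1.50) and web server (203.0.113.10) addresses are hypothetical.
PACKETS = {
    "client -> web server :80":
        {"proto": "tcp", "src": "172.16.1.50", "dst": "203.0.113.10", "dport": 80},
    "client -> proxy :3128":
        {"proto": "tcp", "src": "172.16.1.50", "dst": "172.16.1.33", "dport": 3128},
    "proxy -> web server :80":
        {"proto": "tcp", "src": "172.16.1.33", "dst": "203.0.113.10", "dport": 80},
}

def evaluate(rule_text=FWD_RULE):
    """Return {packet description: matched?} for the given rule text."""
    rule = parse_rule(rule_text)
    return {name: rule_matches(rule, p) for name, p in PACKETS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{'MATCH   ' if hit else 'no match'}  {name}")
```

A browser explicitly configured for the proxy connects to port 3128 and does not satisfy the rule, while any port-80 connection, including one that originates from 172.16.1.33 itself, does.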