Date:      Mon, 6 Oct 2003 16:41:48 +0800
From:      <chael@southgate.ph.inter.net>
To:        "synrat" <synrat@wirewalk.org>, <freebsd-questions@freebsd.org>
Subject:   Re: tranparent proxying, squid, nat, ipfw
Message-ID:  <003101c38be5$ae6d34b0$ee01a8c0@JMICH>
References:  <20031005233037.R18591@mail.wirewalk.com>

your port 80 hijack is waaay too far below. it should be like in the first
three lines:

100 divert 8668 ip from any to any via ${oif}
200 allow tcp from ${oip} to any
300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80

append the rest from here...

;-)


----- Original Message ----- 
From: "synrat" <synrat@wirewalk.org>
To: <freebsd-questions@freebsd.org>
Sent: Monday, October 06, 2003 11:40 AM
Subject: tranparent proxying, squid, nat, ipfw


> I'm having a hard time getting this working together.
> I have squid 2.5 stable working and with all the required
> setting for transparent proxying. The machine has the kernel with IPFW and
> forwarding options. NAT is on, firewall type is simple with some
> modifications. Internal interface address is 192.168.1.1. Squid runs fine
> when the browser is setup to access it, but the goal is not to have to do
> that.
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy  on
> httpd_accel_uses_host_header on
>
> I have the forwarding rule as well
>
> fwd 127.0.0.1,3128 tcp from any to any 80
>
> I tried 192.168.1.1,3128 in the rule. Tried putting it before both divert
> rules. Here's my ipfw list output
>
>
>
> 00050 divert 8668 ip from any to any via rl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 00400 deny ip from 192.168.1.0/24 to any in recv rl0
> 00500 deny ip from 66.92.100.0/24 to any in recv rl1
> 00600 deny ip from any to 10.0.0.0/8 via rl0
> 00700 deny ip from any to 172.16.0.0/12 via rl0
> 00800 deny ip from any to 192.168.0.0/16 via rl0
> 00900 deny ip from any to 0.0.0.0/8 via rl0
> 01000 deny ip from any to 169.254.0.0/16 via rl0
> 01100 deny ip from any to 192.0.2.0/24 via rl0
> 01200 deny ip from any to 224.0.0.0/4 via rl0
> 01300 deny ip from any to 240.0.0.0/4 via rl0
> 01400 divert 8668 ip from any to any via rl0
> 01500 deny ip from 10.0.0.0/8 to any via rl0
> 01600 deny ip from 172.16.0.0/12 to any via rl0
> 01700 deny ip from 192.168.0.0/16 to any via rl0
> 01800 deny ip from 0.0.0.0/8 to any via rl0
> 01900 deny ip from 169.254.0.0/16 to any via rl0
> 02000 deny ip from 192.0.2.0/24 to any via rl0
> 02100 deny ip from 224.0.0.0/4 to any via rl0
> 02200 deny ip from 240.0.0.0/4 to any via rl0
> 02300 allow tcp from any to any established
> 02400 allow ip from any to any frag
> 02500 allow tcp from any to 66.92.100.221 25 setup
> 02600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
> 02700 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
> 02800 allow udp from 192.168.1.0/24 to 192.168.1.0/24
> 02900 allow udp from 192.168.1.0/24 to 192.168.1.0/24
> 03000 allow tcp from any to 66.92.100.221 80 setup
> 03100 allow tcp from any to 66.92.100.221 8080 setup
> 03200 allow tcp from any to 66.92.100.221 8021 setup
> 03300 allow tcp from any to 66.92.100.221 21 setup
> 03400 allow tcp from any to 66.92.100.221 22 setup
> 03500 allow tcp from any to 66.92.100.221 110 setup
> 03600 allow tcp from any to 66.92.100.221 143 setup
> 03700 allow tcp from any to 66.92.100.221 993 setup
> 03800 allow tcp from any to 66.92.100.221 995 setup
> 03900 allow icmp from any to any
> 04000 deny log tcp from any to any in recv rl0 setup
> 04100 allow tcp from any to any setup
> 04200 fwd 127.0.0.1,3128 tcp from any to any 80
> 04300 allow udp from 66.92.100.221 to any keep-state
> 04400 allow udp from 192.168.1.3 to any keep-state
> 65535 deny ip from any to any
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to
"freebsd-questions-unsubscribe@freebsd.org"
>
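Why the posted rule order never reaches the fwd rule, as an added example that is not code from the thread: a small first-match walker over the subset of ipfw(8) syntax used in the two posted rulesets. It assumes rl1 is the internal interface (consistent with rule 00500), substitutes rl0 for ${oif} and 66.92.100.221 for ${oip} in the reply's three rules, uses a constructed destination 198.51.100.10, and abbreviates the original list to the rules that could touch a LAN client's port-80 SYN. A divert rule is treated as falling through to the next rule, which is what happens when natd writes the packet back.

```python
"""First-match walk over a subset of ipfw(8) rule syntax.

Added example for this thread, not code from the page. Only the tokens that
appear in the posted rulesets are modelled; anything else raises.
"""
import ipaddress
from dataclasses import dataclass

TERMINAL = {"allow", "deny", "fwd"}   # divert is not terminal here: natd hands the packet back


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    iface: str = ""            # interface the packet is crossing ("via")
    direction: str = "in"      # "in" or "out"
    recv: str = ""             # interface it was received on ("recv"); empty for local origin
    syn: bool = False
    ack: bool = False
    frag: bool = False


def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def parse_rule(line):
    """Parse one 'ipfw list' line into a dict; unsupported tokens raise instead of silently matching."""
    t = line.split()
    rule = {"num": int(t[0]), "action": t[1], "target": None, "dport": None, "opts": {}}
    i = 2
    if rule["action"] in ("divert", "fwd"):      # divert PORT / fwd ADDR,PORT
        rule["target"] = t[i]; i += 1
    if t[i] == "log":
        i += 1
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError(f"rule {rule['num']}: expected 'PROTO from SRC to DST'")
    rule["proto"], rule["src"], rule["dst"] = t[i], t[i + 2], t[i + 4]
    i += 5
    if i < len(t) and t[i].isdigit():            # old-style trailing port: "... to any 80"
        rule["dport"] = int(t[i]); i += 1
    while i < len(t):
        tok = t[i]
        if tok in ("via", "recv"):
            rule["opts"][tok] = t[i + 1]; i += 2
        elif tok == "dst-port":
            rule["dport"] = int(t[i + 1]); i += 2
        elif tok in ("in", "out"):
            rule["opts"]["dir"] = tok; i += 1
        elif tok in ("setup", "established", "frag", "keep-state"):
            rule["opts"][tok] = True; i += 1
        else:
            raise ValueError(f"rule {rule['num']}: unsupported token {tok!r}")
    return rule


def matches(rule, p):
    o = rule["opts"]
    if rule["proto"] != "ip" and rule["proto"] != p.proto:
        return False
    if not (_addr_ok(rule["src"], p.src) and _addr_ok(rule["dst"], p.dst)):
        return False
    if rule["dport"] is not None and rule["dport"] != p.dport:
        return False
    if "via" in o and o["via"] not in (p.iface, p.recv):      # via: either receive or transmit side
        return False
    if "recv" in o and o["recv"] != p.recv:
        return False
    if "dir" in o and o["dir"] != p.direction:
        return False
    if o.get("setup") and not (p.proto == "tcp" and p.syn and not p.ack):
        return False
    if o.get("established") and not (p.proto == "tcp" and p.ack):
        return False
    if o.get("frag") and not p.frag:
        return False
    return True   # keep-state is treated as a plain match; no state table is modelled


def first_terminal(rules, p):
    """Walk the list in order and return the first terminal rule the packet hits."""
    for r in rules:
        if matches(r, p) and r["action"] in TERMINAL:
            return r
    raise RuntimeError("no terminal rule; a real ipfw list always ends with 65535 deny")


def _load(text):
    return [parse_rule(l) for l in text.split("\n") if l.strip()]


# Abbreviated from the poster's 'ipfw list': only rules a LAN port-80 SYN could reach are kept.
ORIGINAL = _load("""
00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in recv rl0
00800 deny ip from any to 192.168.0.0/16 via rl0
01400 divert 8668 ip from any to any via rl0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
04000 deny log tcp from any to any in recv rl0 setup
04100 allow tcp from any to any setup
04200 fwd 127.0.0.1,3128 tcp from any to any 80
65535 deny ip from any to any
""")

# The reply's first three rules with ${oif}=rl0 and ${oip}=66.92.100.221 (assumed), then the rest.
REORDERED = _load("""
00100 divert 8668 ip from any to any via rl0
00200 allow tcp from 66.92.100.221 to any
00300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80
00400 deny ip from 192.168.1.0/24 to any in recv rl0
02300 allow tcp from any to any established
04100 allow tcp from any to any setup
65535 deny ip from any to any
""")

# Constructed packets: a LAN client's SYN arriving on the (assumed) inside interface rl1,
# and squid's own outbound SYN leaving on rl0 from the public address.
LAN_SYN = Packet("tcp", "192.168.1.3", "198.51.100.10", 80, iface="rl1", direction="in", recv="rl1", syn=True)
PROXY_SYN = Packet("tcp", "66.92.100.221", "198.51.100.10", 80, iface="rl0", direction="out", syn=True)

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        r = first_terminal(rules, LAN_SYN)
        print(f"{name}: LAN SYN to port 80 hits {r['num']:05d} {r['action']} {r['target'] or ''}")
```

With the original list the client's SYN is accepted by 04100 (allow ... setup) and 04200 is never consulted; with the reply's order it hits the fwd rule at 300, while squid's own outbound connection is passed by rule 200 before it can be redirected back into the proxy.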
