Date: Wed, 18 May 2005 12:59:27 -0400 From: Tomas Quintero <tomasq@gmail.com> To: Greg Donald <destiney@gmail.com> Cc: freebsd-questions@freebsd.org Subject: Re: pf + squid Message-ID: <9e46c99e05051809595a16c9e@mail.gmail.com> In-Reply-To: <ea9da26c050518092667205bbc@mail.gmail.com> References: <ea9da26c050518092667205bbc@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 5/18/05, Greg Donald <destiney@gmail.com> wrote: > I am following this howto: > http://www.benzedrine.cx/transquid.html >=20 > I added pf and pflog to my kernel. After rebooting I did chgrp squid > /dev/pf and chmod g+rw /dev/pf. I also restarted squid several times. > When I try to access a remote web server it times out. I'm not > getting any errors in /var/log/pflog or /var/log/messages. >=20 > My config files look like this: >=20 > > cat /etc/pf.conf |grep -v ^# >=20 > ext_if=3D"dc0" # replace with actual external interface name i.e., dc0 > int_if=3D"dc1" # replace with actual internal interface name i.e., dc1 > internal_net=3D"10.0.0.1/8" > external_addr=3D"24.159.59.97" >=20 > rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port = 3128 > pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep st= ate > pass out on $ext_if inet proto tcp from any to any port www keep state >=20 > > cat /usr/local/etc/squid/squid.conf |grep -v ^# > acl all src 0.0.0.0/0.0.0.0 > acl our_networks src 10.0.0.0/8 > acl to_localhost dst 127.0.0.0/8 > http_port 127.0.0.1:3128 > http_access deny to_localhost > http_access allow our_networks > visible_hostname gateway.localdomain > httpd_accel_host virtual > httpd_accel_port 80 > httpd_accel_with_proxy on > httpd_accel_uses_host_header on >=20 > I am using ipfw to create my NAT, I don't know if that matters, but > here are my config files for that as well: >=20 > > cat /etc/rc.firewall |grep -v ^# >=20 > ipfw -f flush >=20 > ipfw pipe 10 config bw 12KBytes/s > ipfw add 50 pipe 10 ip from 10.0.0.2 to any via dc1 >=20 > ipfw pipe 11 config bw 24KBytes/s > ipfw add 51 pipe 11 ip from 10.0.0.3 to any via dc1 >=20 > ipfw pipe 12 config bw 12KBytes/s > ipfw add 52 pipe 12 ip from 10.0.0.4 to any via dc1 > ipfw pipe 13 config bw 64KBytes/s > ipfw add 53 pipe 13 ip from any to 10.0.0.4 via dc1 >=20 > ipfw add 200 pass all from any to any via lo0 > ipfw add 201 deny ip from any to 127.0.0.0/8 >=20 > ipfw add 500 divert natd all from any to any via dc0 >=20 > > cat /etc/natd.conf |grep -v ^# > interface dc0 > dynamic > use_sockets > unregistered_only > punch_fw 2000:50 > redirect_port tcp 10.0.0.2:20-21 20-21 > redirect_port tcp 10.0.0.2:22 22 > redirect_port tcp 10.0.0.2:80 80 > redirect_port tcp 10.0.0.2:113 113 >=20 > redirect_port tcp 10.0.0.2:3333 3333 > redirect_port tcp 10.0.0.2:2010-2020 2010-2020 >=20 > Any ideas? TIA. >=20 > -- > Greg Donald > Zend Certified Engineer > http://destiney.com/ > _______________________________________________ > freebsd-questions@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-questions > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.o= rg" >=20 Why are you using IPFW and PF? --=20 -Tomas Quintero
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9e46c99e05051809595a16c9e>