Date:      Sun, 23 Nov 2008 17:44:59 -0500
From:      Tom Marchand <m0rchand@comcast.net>
To:        FreeBSD Mailing List <freebsd-questions@freebsd.org>
Subject:   Re: Transparent Proxy with IPFW + Squid 2.7
Message-ID:  <7BBDB4E9-D17D-4F86-9987-A108F353F1D6@comcast.net>
In-Reply-To: <73a179920811231130k53387b55p2838f80b30fdc6cd@mail.gmail.com>
References:  <73a179920811231130k53387b55p2838f80b30fdc6cd@mail.gmail.com>


On Nov 23, 2008, at 2:30 PM, Cagri Ersen wrote:

> Hi there,
>
> I want to configure a transparent proxy with IPFW and Squid.
> I enabled IPFW on a FreeBSD 7.0 box and also installed squid 2.7.
>
> This is the content of my squid.conf:
>
>    acl manager proto cache_object
>    acl localhost src 127.0.0.1/32
>    acl to_localhost dst 127.0.0.0/8
>    acl all src all
>    acl localnet src 192.168.12.0/24
>    acl SSL_ports port 443
>    acl Safe_ports port 80          # http
>    acl Safe_ports port 21          # ftp
>    acl Safe_ports port 443         # https
>    acl Safe_ports port 70          # gopher
>    acl Safe_ports port 210         # wais
>    acl Safe_ports port 1025-65535  # unregistered ports
>    acl Safe_ports port 280         # http-mgmt
>    acl Safe_ports port 488         # gss-http
>    acl Safe_ports port 591         # filemaker
>    acl Safe_ports port 777         # multiling http
>    acl CONNECT method CONNECT
>    http_access allow manager localhost
>    http_access deny manager
>    http_access deny !Safe_ports
>    http_access deny CONNECT !SSL_ports
>    http_access allow localnet
>    icp_access allow localnet
>    icp_access deny all
>    http_port 3128 transparent
>    hierarchy_stoplist cgi-bin ?
>    access_log /usr/local/squid/logs/access.log squid
>    refresh_pattern ^ftp:           1440    20%     10080
>    refresh_pattern ^gopher:        1440    0%      1440
>    refresh_pattern (cgi-bin|\?)    0       0%      0
>    refresh_pattern .               0       20%     4320
>    icp_port 3130
>    coredump_dir /usr/local/squid/cache
>
>
> And these are the base IPFW rules.
>
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
> $cmd 02000 allow $log all from any to any
>
> As you can see, all packets whose destination port is 80 are forwarded to
> squid's port (3128). With this configuration everything seems to work fine.
>
> However, if I deny all traffic in the last rule and then open the desired
> ports or connections one by one, squid doesn't work.
>
> A sample base denying rule set looks like this:
>
> $cmd 00010 allow all from any to any via lo0
> $cmd 00015 check-state
> $cmd 00020 allow tcp from any to any established
> $cmd 00021 deny all from any to any frag in via $adslif
> $cmd 00025 allow all from me to any keep-state
> $cmd 00050 allow tcp from "table()" to any keep-state
>
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
>
> $cmd 00600 allow all from $lan to any 53
> $cmd 00602 allow udp from any 53 to any out via $lanif
> $cmd 00603 allow udp from any 53 to any in via $adslif
>
> $cmd 01500 allow all from $lan to any 443,25,110 keep-state
> $cmd 02000 deny $log all from any to any
>
> As I said, if I run IPFW with these rules, my client can't surf the
> internet. And also I didn't see anything about denying in the ipfw log
> file. Also there is no activity in the squid log files. I think the
> forwarding rule doesn't work with that conf.
>
> So please can somebody tell me what's wrong in this situation?
> Thanks in advance for your help.
>
>
> -- 
> Cagri Ersen
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

Don't you need a rule to allow connections to port 80?
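To make the first-match behaviour of the posted default-deny rule set visible, here is an added example (not code from the thread or from FreeBSD) that parses rules in the same `$cmd NNNNN action ...` shape and reports which rule a given packet hits first. The interface names, the LAN prefix, the proxy host's own addresses and the test packets are constructed assumptions; `check-state`/`keep-state` dynamic rules and the `table()` rule are not modelled, so the simulation is stateless. It shows that a client's inbound port-80 connection is consumed by the terminal `fwd` rule 500 and never reaches the final deny, while any other unlisted port from the LAN falls through to rule 2000.

```python
import ipaddress

# Constructed stand-ins for the shell variables in the posted rule set (assumptions).
LANIF, ADSLIF = "em0", "tun0"
LAN = "192.168.12.0/24"
ME = {"192.168.12.1", "203.0.113.10"}   # the proxy host's own addresses (constructed)

# The posted rule set with variables substituted; the table() rule is omitted.
RULES = [
    "00010 allow all from any to any via lo0",
    "00015 check-state",
    "00020 allow tcp from any to any established",
    f"00021 deny all from any to any frag in via {ADSLIF}",
    "00025 allow all from me to any keep-state",
    f"00500 fwd 127.0.0.1,3128 log tcp from any to any 80 in recv {LANIF}",
    f"00600 allow all from {LAN} to any 53",
    f"00602 allow udp from any 53 to any out via {LANIF}",
    f"00603 allow udp from any 53 to any in via {ADSLIF}",
    f"01500 allow all from {LAN} to any 443,25,110 keep-state",
    "02000 deny log all from any to any",
]


def _match_addr(spec, ip):
    if spec == "any":
        return True
    if spec == "me":
        return ip in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _match_port(spec, port):
    # Port spec is a comma list of single ports or lo-hi ranges, e.g. "443,25,110" or "1025-65535".
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def parse_rule(line):
    """Parse 'NNNNN action [target] [log] proto from src [ports] to dst [ports] opts...'."""
    tok = line.split()
    rule = {"num": int(tok[0]), "action": tok[1], "fwd": None, "proto": "all",
            "src": "any", "sport": None, "dst": "any", "dport": None, "opts": {}}
    if rule["action"] == "check-state":
        return rule
    i = 2
    if rule["action"] == "fwd":          # fwd carries its addr,port target first
        rule["fwd"] = tok[i]; i += 1
    if tok[i] == "log":
        i += 1
    rule["proto"] = tok[i]; i += 2       # skip proto and the 'from' keyword
    rule["src"] = tok[i]; i += 1
    if tok[i] != "to":
        rule["sport"] = tok[i]; i += 1
    i += 1                               # skip 'to'
    rule["dst"] = tok[i]; i += 1
    if i < len(tok) and tok[i][0].isdigit():
        rule["dport"] = tok[i]; i += 1
    while i < len(tok):                  # remaining words are options
        w = tok[i]; i += 1
        if w in ("via", "recv", "xmit"):
            rule["opts"][w] = tok[i]; i += 1
        else:
            rule["opts"][w] = True
    return rule


def rule_matches(rule, pkt):
    o = rule["opts"]
    if rule["proto"] not in ("all", "ip", pkt["proto"]):
        return False
    if not (_match_addr(rule["src"], pkt["src"]) and _match_addr(rule["dst"], pkt["dst"])):
        return False
    if rule["sport"] and not _match_port(rule["sport"], pkt["sport"]):
        return False
    if rule["dport"] and not _match_port(rule["dport"], pkt["dport"]):
        return False
    if ("in" in o and pkt["dir"] != "in") or ("out" in o and pkt["dir"] != "out"):
        return False
    # Simplification: pkt["iface"] is the receive interface for inbound packets
    # and the transmit interface for outbound ones; 'via' matches either.
    if "via" in o and o["via"] != pkt["iface"]:
        return False
    if "recv" in o and (pkt["dir"] != "in" or o["recv"] != pkt["iface"]):
        return False
    if "xmit" in o and (pkt["dir"] != "out" or o["xmit"] != pkt["iface"]):
        return False
    if "established" in o and not pkt.get("established"):
        return False
    if "frag" in o and not pkt.get("frag"):
        return False
    return True


def first_match(rules, pkt):
    """Return (rule number, action) of the first matching rule; fwd is terminal like allow/deny."""
    for r in rules:
        if r["action"] == "check-state":
            continue                     # stateless simulation: no dynamic rules exist
        if rule_matches(r, pkt):
            return r["num"], r["action"] + (f" {r['fwd']}" if r["fwd"] else "")
    return None, "no match (ipfw default rule 65535)"


def mkpkt(proto, src, dst, dport, direction, iface, sport=40000, **flags):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "dir": direction, "iface": iface, **flags}


def evaluate_scenarios():
    rules = [parse_rule(l) for l in RULES]
    cases = {   # constructed packets; 198.51.100.7 is a documentation address for a web server
        "client->web:80 in via lan": mkpkt("tcp", "192.168.12.50", "198.51.100.7", 80, "in", LANIF),
        "proxy->web:80 out via adsl": mkpkt("tcp", "203.0.113.10", "198.51.100.7", 80, "out", ADSLIF),
        "client->web:443 in via lan": mkpkt("tcp", "192.168.12.50", "198.51.100.7", 443, "in", LANIF),
        "client->web:8080 in via lan": mkpkt("tcp", "192.168.12.50", "198.51.100.7", 8080, "in", LANIF),
        "web:80->client reply out via lan": mkpkt("tcp", "198.51.100.7", "192.168.12.50", 40000,
                                                  "out", LANIF, sport=80, established=True),
    }
    return {name: first_match(rules, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (num, action) in evaluate_scenarios().items():
        print(f"{name:36s} -> rule {num}: {action}")
```

Running it prints one line per constructed packet. The value of the exercise is the method rather than any particular verdict: once the rule set is in this form, each flow involved in a transparent proxy (the client's redirected connection, the proxy's own outbound connection, the return traffic) can be walked through the list and the first terminal rule named, which is exactly the check to do before blaming the `fwd` rule when a default-deny set stops working.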
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7BBDB4E9-D17D-4F86-9987-A108F353F1D6>