Date:      Wed, 29 Jun 2016 14:33:53 +0100
From:      krad <kraduk@gmail.com>
To:        "C. L. Martinez" <carlopmart@gmail.com>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: Problems with pf rules for intercept squid proxy
Message-ID:  <CALfReyf97=nAi8X+8Z-GwJAXfLdDGXSL_HMW9hEoF6SgYR35bQ@mail.gmail.com>
In-Reply-To: <CALfReydN13fzvkQ=Wv84=MD4UpPL7T3uvRrQdTUVO3QWaTNHyw@mail.gmail.com>
References:  <20160628130759.GA13226@beagle.bcn.sia.es> <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org> <20160629113324.GA10436@beagle.bcn.sia.es> <CALfReycmb+tW+RZMPiFqUwUbVmG7GbD4vAwt-igriL_i9x4Stw@mail.gmail.com> <20160629131951.GA12552@beagle.bcn.sia.es> <CALfReydN13fzvkQ=Wv84=MD4UpPL7T3uvRrQdTUVO3QWaTNHyw@mail.gmail.com>

Oh, also: if you are redirecting HTTPS you will need to set up squid to do SSL
bump and install certs on all your clients. As you haven't supplied your
squid.conf it's difficult to know if that's correct.

On 29 June 2016 at 14:32, krad <kraduk@gmail.com> wrote:

> You need to, as squid needs read/write access to /dev/pf to work in
> intercept mode. As long as you don't have any other users in the squid group
> you are good. Did you restart devfs or reboot?
>
>
> On 29 June 2016 at 14:20, C. L. Martinez <carlopmart@gmail.com> wrote:
>
>> Yep, is it not too dangerous to assign 0770 to /dev/pf??
>>
>> Anyway, I have tried, but with the same error: traffic is denied by squid ...
>>
>>
>> On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote:
>> > Have you got these lines in your /etc/devfs.conf file?
>> >
>> >
>> > own     pf      root:squid
>> > perm    pf      0770
>> >
>> > you also need lines like this in the squid.conf
>> >
>> > http_port 192.168.1.1:3128 intercept
>> >
>> >
>> >
>> > On 29 June 2016 at 12:33, C. L. Martinez <carlopmart@gmail.com> wrote:
>> >
>> > > On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote:
>> > > >
>> > > >
>> > > > On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>> > > > >  I have some problems with my pf rules on a FreeBSD 10.3 host that acts
>> > > > > as a squid intercept proxy. My actual pf rules are:
>> > > > >
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>> > > > >
>> > > > >  At first sight it seems that these rules work, but they don't. Traffic is
>> > > > > redirected to squid, but squid denies all connections:
>> > > > >
>> > > > >  1467111934.502      1 172.22.55.1 TCP_DENIED/403 4221 GET
>> > > > > http://www.osnews.com/ - HIER_NONE/- text/html
>> > > > >
>> > > > >  Using the same squid.conf file under an OpenBSD test machine, squid works
>> > > > > without problems. For this reason, I don't think there is a problem
>> > > > > with my squid config. The only difference between this OpenBSD host
>> > > > > and FreeBSD is the pf rules.
>> > > > >
>> > > > You may have a different squid version, or they may be patched differently.
>> > > > Your redirect rules are working, as demonstrated by the fact that squid gets
>> > > > a request, and replies to it.
>> > > >
>> > > > Note that pf does not change your HTTP payload, it only affects TCP. In
>> > > > other words: if Squid sees the connection (and it does) it's a Squid
>> > > > problem.
>> > > >
>> > > > Also note that you're redirecting on FreeBSD, but using divert-to on
>> > > > OpenBSD.
>> > > > This may be triggering different behaviour from Squid. The man page says
>> > > > that with divert-to:
>> > > >
>> > > >       The packets will not be modified, so getsockname(2) on the socket will
>> > > >       return the original destination address of the packet.
>> > > >
>> > > > That might be affecting an ACL in Squid.
>> > > >
>> > > > Regards,
>> > > > Kristof
>> > >
>> > > Thanks Kristof. I am using squid installed from pkg under a FreeBSD 10.3,
>> > > fully updated:
>> > >
>> > > Squid Cache: Version 3.5.19
>> > > Service Name: squid
>> > > configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin'
>> > > '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
>> > > '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
>> > > '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
>> > > '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
>> > > '--without-gnutls' '--enable-auth' '--enable-build-info'
>> > > '--enable-loadable-modules' '--enable-removal-policies=lru heap'
>> > > '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy'
>> > > '--disable-translation' '--disable-arch-native' '--enable-eui'
>> > > '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
>> > > '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
>> > > '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
>> > > '--enable-ipv6' '--enable-kqueue' '--with-large-files'
>> > > '--enable-http-violations' '--without-nettle' '--enable-snmp'
>> > > '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include'
>> > > 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
>> > > '--disable-stacktraces' '--enable-ipf-transparent'
>> > > '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
>> > > '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
>> > > '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe
>> > > -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib  -pthread
>> > > -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 '
>> > > 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM
>> > > MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
>> > > '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip
>> > > time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper'
>> > > '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs'
>> > > '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
>> > > '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake'
>> > > '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local'
>> > > '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>> > > '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1'
>> > > 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector
>> > > -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
>> > >
>> > >  According to these options, intercept is enabled ... Then, I don't
>> > > understand why it doesn't work ...
>> > >
>> > > --
>> > > Greetings,
>> > > C. L. Martinez
>> > > _______________________________________________
>> > > freebsd-questions@freebsd.org mailing list
>> > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>> > >
>>
>> --
>> Greetings,
>> C. L. Martinez
>>
>
>

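Added example (mine, not code from the thread, the FreeBSD project or the squid project): the three pieces discussed above, the devfs.conf entry for /dev/pf, the pf rdr rules and the squid intercept listeners, written out as files by one sh script, together with the commands used to apply them and to check the result on the host. Everything the thread does not state is an assumption and is marked as such in the script: the VPN interface is tun0, the internal network is 172.22.55.0/24 (the client address in the posted access.log line), squid runs as user and group squid, and the port's config directory is /usr/local/etc/squid. One deliberate difference from the quoted devfs.conf: the script grants group squid read access to /dev/pf (0640) instead of 0770. Squid's pf lookup (`--with-nat-devpf`) opens the device read-only and issues the DIOCNATLOOK ioctl, which pf accepts on a read-only descriptor, whereas write access on /dev/pf also admits the rule-changing ioctls, so 0770 hands the whole firewall to every process in group squid. Start at 0640 and widen only if cache.log shows squid failing to open the device. The rdr targets use an explicit 127.0.0.1 with `inet` rather than `lo0` so the rule stays IPv4-only.

```sh
#!/bin/sh
# Added example: FreeBSD pf + squid intercept setup as files plus apply/verify.
# Assumptions (not given in the thread): interface tun0, internal network
# 172.22.55.0/24, squid user/group "squid", config dir /usr/local/etc/squid.
# DESTDIR="/some/dir" writes the files there for inspection instead of into /.
set -eu

# devfs.conf: squid opens /dev/pf read-only and uses DIOCNATLOOK to recover the
# original destination of a redirected connection. pf permits that ioctl on a
# read-only descriptor; write access would also permit rule changes, so the
# group gets read access only (0640), not 0770.
write_devfs_conf() {
    mkdir -p "$1/etc"
    cat >> "$1/etc/devfs.conf" <<'EOF'
# squid intercept: let group squid query pf's NAT table (read-only)
own     pf      root:squid
perm    pf      0640
EOF
}

# pf rules: redirect the internal network's web traffic to the local squid
# listeners. Merge this into the translation section of /etc/pf.conf (on
# FreeBSD 10's pf, rdr rules must precede the filter rules). "on $vpnif" keeps
# squid's own outbound connections, which never enter on that interface, from
# being looped back into squid.
write_pf_conf() {
    mkdir -p "$1/etc"
    cat >> "$1/etc/pf.intercept.conf" <<'EOF'
vpnif       = "tun0"            # assumption
int_network = "172.22.55.0/24"  # assumption
squid_http  = "5144"
squid_https = "5145"

rdr pass on $vpnif inet proto tcp from $int_network to any port http  -> 127.0.0.1 port $squid_http
rdr pass on $vpnif inet proto tcp from $int_network to any port https -> 127.0.0.1 port $squid_https
EOF
}

# squid fragment: listeners in intercept mode on the rdr targets plus an ACL
# admitting the redirected clients. Pull it into squid.conf with
# "include /usr/local/etc/squid/intercept.conf" ahead of the final deny; a
# request hitting "deny all" is logged as TCP_DENIED/403 with HIER_NONE.
# Intercepted HTTPS also needs ssl-bump and a CA trusted by every client,
# which is left out here.
write_squid_conf() {
    mkdir -p "$1/usr/local/etc/squid"
    cat >> "$1/usr/local/etc/squid/intercept.conf" <<'EOF'
http_port 127.0.0.1:5144 intercept
# https_port 127.0.0.1:5145 intercept ssl-bump cert=...   (needs ssl_bump rules and a client-trusted CA)
acl localnet src 172.22.55.0/24
http_access allow localnet
http_access deny all
EOF
}

# On the FreeBSD host: re-apply devfs.conf, syntax-check and load pf, restart squid.
apply_host() {
    service devfs restart               # re-applies own/perm from /etc/devfs.conf
    sysctl net.inet.ip.forwarding=1     # the host routes for $int_network
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
    service squid restart
}

# When clients still get 403: device owner/mode, the listeners squid bound,
# the NAT rules pf loaded, live translations while a client browses, and
# cache.log (squid reports there when it cannot open /dev/pf).
verify_host() {
    ls -l /dev/pf                       # expect crw-r----- root squid
    sockstat -4l | grep -E ':(5144|5145)'
    pfctl -sn
    pfctl -ss | grep -E ':(5144|5145)' || echo "no redirected states yet"
    tail -n 20 /var/log/squid/cache.log
}

case "${1:-}" in
    files)  d="${DESTDIR:-}"; write_devfs_conf "$d"; write_pf_conf "$d"; write_squid_conf "$d" ;;
    apply)  apply_host ;;
    verify) verify_host ;;
    *)      ;;
esac
```

Run `DESTDIR=/tmp/stage sh intercept.sh files` first and read the generated files, then `sh intercept.sh files` as root on the gateway, followed by `apply` and `verify`. The write functions append, so run `files` once per host.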


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALfReyf97=nAi8X%2B8Z-GwJAXfLdDGXSL_HMW9hEoF6SgYR35bQ>