Date: Wed, 29 Jun 2016 14:35:02 +0100 From: krad <kraduk@gmail.com> To: "C. L. Martinez" <carlopmart@gmail.com> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: Problems with pf rules for intercept squid proxy Message-ID: <CALfReyeyzU-J8iwa9iYsBefSTyb6eQTD=JYqWqy3o09-UBhSBg@mail.gmail.com> In-Reply-To: <CALfReyf97=nAi8X%2B8Z-GwJAXfLdDGXSL_HMW9hEoF6SgYR35bQ@mail.gmail.com> References: <20160628130759.GA13226@beagle.bcn.sia.es> <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org> <20160629113324.GA10436@beagle.bcn.sia.es> <CALfReycmb%2BtW%2BRZMPiFqUwUbVmG7GbD4vAwt-igriL_i9x4Stw@mail.gmail.com> <20160629131951.GA12552@beagle.bcn.sia.es> <CALfReydN13fzvkQ=Wv84=MD4UpPL7T3uvRrQdTUVO3QWaTNHyw@mail.gmail.com> <CALfReyf97=nAi8X%2B8Z-GwJAXfLdDGXSL_HMW9hEoF6SgYR35bQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Also make sure you have opened the squid acl to you local network On 29 June 2016 at 14:33, krad <kraduk@gmail.com> wrote: > oh also if you are redirecting https you will need to setup squid to do > ssl bump and install certs on all your clients. As you havent supplied yo= ur > squid.conf its difficult to know if thats correct. > > On 29 June 2016 at 14:32, krad <kraduk@gmail.com> wrote: > >> you need to as squid needs read write access to the /dev/pf to work in >> intercept mode. As long as you dont have any other users in the squid gr= oup >> you are good. Did you restart devfs or reboot? >> >> >> On 29 June 2016 at 14:20, C. L. Martinez <carlopmart@gmail.com> wrote: >> >>> Yep, is it not too dangerous to assign 0770 to /dev/pf?? >>> >>> Anyway, I have tried, but with same error: traffic is denied by squid .= .. >>> >>> >>> On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote: >>> > have you got these lines in your /etc/devfs.conf file >>> > >>> > >>> > own pf root:squid >>> > perm pf 0770 >>> > >>> > you also need lines like this in the squid.conf >>> > >>> > http_port 192.168.1.1:3128 intercept >>> > >>> > >>> > >>> > On 29 June 2016 at 12:33, C. L. Martinez <carlopmart@gmail.com> wrote= : >>> > >>> > > On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote: >>> > > > >>> > > > >>> > > > On 28 Jun 2016, at 15:07, C. L. Martinez wrote: >>> > > > > I have some problems with my pf rules on a FreeBSD 10.3 host >>> that acts >>> > > > > as a squid intercept proxy. My actual pf rules are: >>> > > > > >>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port http >>> -> lo0 >>> > > > > port 5144 >>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port http= s >>> -> lo0 >>> > > > > port 5145 >>> > > > > >>> > > > > At first stage it seems that these rules works, but don't. >>> Traffic is >>> > > > > redirected to squid, but squid denies all connections: >>> > > > > >>> > > > > 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET >>> > > > > http://www.osnews.com/ - HIER_NONE/- text/html >>> > > > > >>> > > > > Using same squid.conf's file under an OpenBSD test machine, >>> squid >>> > > works >>> > > > > without problems. For this reason, I don't think there is some >>> problem >>> > > > > with my squid's config. The only difference between this OpenBS= D >>> host >>> > > > > and FreeBSD are the pf rules. >>> > > > > >>> > > > You may have a different squid version, or they may be patched >>> > > differently. >>> > > > Your redirect rules are working, as demonstrated by the fact that >>> squid >>> > > gets >>> > > > a request, and replies to it. >>> > > > >>> > > > Note that pf does not change your HTTP payload, it only affects >>> TCP. In >>> > > > other words: if Squid sees the connection (and it does) it=E2=80= =99s a >>> Squid >>> > > > problem. >>> > > > >>> > > > Also note that you=E2=80=99re redirecting on FreeBSD, but using d= ivert-to >>> on >>> > > > OpenBSD. >>> > > > This may be triggering different behaviour from Squid. The man >>> page says >>> > > > that with divert-to: >>> > > > >>> > > > The packets will not be modified, so getsockname(2) on the >>> socket >>> > > will >>> > > > return >>> > > > the original destination address of the packet. >>> > > > >>> > > > That might be affecting an ACL in Squid. >>> > > > >>> > > > Regards, >>> > > > Kristof >>> > > >>> > > Thanks Kristof. I am using squid installed from pkg under a FreeBSD >>> 10.3, >>> > > fully updated: >>> > > >>> > > Squid Cache: Version 3.5.19 >>> > > Service Name: squid >>> > > configure options: '--with-default-user=3Dsquid' >>> '--bindir=3D/usr/local/sbin' >>> > > '--sbindir=3D/usr/local/sbin' '--datadir=3D/usr/local/etc/squid' >>> > > '--libexecdir=3D/usr/local/libexec/squid' '--localstatedir=3D/var' >>> > > '--sysconfdir=3D/usr/local/etc/squid' '--with-logdir=3D/var/log/squ= id' >>> > > '--with-pidfile=3D/var/run/squid/squid.pid' >>> '--with-swapdir=3D/var/squid/cache' >>> > > '--without-gnutls' '--enable-auth' '--enable-build-info' >>> > > '--enable-loadable-modules' '--enable-removal-policies=3Dlru heap' >>> > > '--disable-epoll' '--disable-linux-netfilter' >>> '--disable-linux-tproxy' >>> > > '--disable-translation' '--disable-arch-native' '--enable-eui' >>> > > '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' >>> > > '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' >>> > > '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' >>> > > '--enable-ipv6' '--enable-kqueue' '--with-large-files' >>> > > '--enable-http-violations' '--without-nettle' '--enable-snmp' >>> > > '--enable-ssl' '--with-openssl=3D/usr' >>> 'LIBOPENSSL_CFLAGS=3D-I/usr/include' >>> > > 'LIBOPENSSL_LIBS=3D-lcrypto -lssl' '--enable-ssl-crtd' >>> > > '--disable-stacktraces' '--enable-ipf-transparent' >>> > > '--enable-ipfw-transparent' '--enable-pf-transparent' >>> '--with-nat-devpf' >>> > > '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' >>> > > '--with-heimdal-krb5=3D/usr' 'CFLAGS=3D-I/usr/include -O2 -pipe >>> > > -fstack-protector -fno-strict-aliasing' 'LDFLAGS=3D-L/usr/lib -pth= read >>> > > -fstack-protector' 'LIBS=3D-lkrb5 -lgssapi -lgssapi_krb5 ' >>> > > 'KRB5CONFIG=3D/usr/bin/krb5-config' '--enable-auth-basic=3DDB SMB_L= M >>> > > MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' >>> > > '--enable-auth-digest=3Dfile' >>> '--enable-external-acl-helpers=3Dfile_userip >>> > > time_quota unix_group' '--enable-auth-negotiate=3Dkerberos wrapper' >>> > > '--enable-auth-ntlm=3Dfake smb_lm' '--enable-storeio=3Daufs diskd r= ock >>> ufs' >>> > > '--enable-disk-io=3DDiskThreads DiskDaemon AIO Blocking IpcIo Mmapp= ed' >>> > > '--enable-log-daemon-helpers=3Dfile' >>> '--enable-url-rewrite-helpers=3Dfake' >>> > > '--enable-storeid-rewrite-helpers=3Dfile' '--prefix=3D/usr/local' >>> > > '--mandir=3D/usr/local/man' '--infodir=3D/usr/local/info/' >>> > > '--build=3Damd64-portbld-freebsd10.1' >>> 'build_alias=3Damd64-portbld-freebsd10.1' >>> > > 'CC=3Dcc' 'CPPFLAGS=3D' 'CXX=3Dc++' 'CXXFLAGS=3D-O2 -pipe -fstack-p= rotector >>> > > -fno-strict-aliasing ' 'CPP=3Dcpp' --enable-ltdl-convenience >>> > > >>> > > According to this options, intercept is enabled ... Then, I don't >>> > > understand why it doesn't works ... >>> > > >>> > > -- >>> > > Greetings, >>> > > C. L. Martinez >>> > > _______________________________________________ >>> > > freebsd-questions@freebsd.org mailing list >>> > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions >>> > > To unsubscribe, send any mail to " >>> > > freebsd-questions-unsubscribe@freebsd.org" >>> > > >>> >>> -- >>> Greetings, >>> C. L. Martinez >>> _______________________________________________ >>> freebsd-questions@freebsd.org mailing list >>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions >>> To unsubscribe, send any mail to " >>> freebsd-questions-unsubscribe@freebsd.org" >>> >> >> >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CALfReyeyzU-J8iwa9iYsBefSTyb6eQTD=JYqWqy3o09-UBhSBg>