From owner-freebsd-net@FreeBSD.ORG Mon Jun 20 15:40:54 2005
From: "Ryan Rathje" <mrsharky@iastate.edu>
To: freebsd-net@freebsd.org
Date: Mon, 20 Jun 2005 10:40:50 -0500 (CDT)
Subject: transparent Squid 2.5Stable10 + FreeBSD 5.3
Message-Id: <50401020510511701@webmail.iastate.edu>
List-Id: Networking and TCP/IP with FreeBSD

Here's my FreeBSD setup

    Nic1 -> outside (123.456.789.10)
    Nic2 -> internal (192.168.1.2)

Here's my client Win2k setup

    IP:   192.168.1.5
    MASK: 255.255.255.0
    GW:   192.168.1.2

-------------------------------------

I have FreeBSD 5.3 installed with the modified kernel options

    options IPFILTER
    options IPFILTER_LOG
    options NMBCLUSTERS=32768
    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPFIREWALL_DEFAULT_TO_ACCEPT

in a machine with 2 NICs (NIC1 -> outside work; NIC2 -> internal network (192.168.1.2)).

I configured Squid with the ARG --enable-ipf-transparent, and this is what my options (/var/db/ports/squid/) file looks like for configuring Squid:

    # This file is auto-generated by 'make config'.
    # No user-servicable parts inside!
    # Options for squid-2.5.10_1
    _OPTIONS_READ=squid-2.5.10_1
    WITHOUT_SQUID_LDAP_AUTH=true
    WITHOUT_SQUID_DELAY_POOLS=true
    WITHOUT_SQUID_SNMP=true
    WITHOUT_SQUID_CARP=true
    WITHOUT_SQUID_SSL=true
    WITH_SQUID_PINGER=true
    WITHOUT_SQUID_DNS_HELPER=true
    WITHOUT_SQUID_HTCP=true
    WITHOUT_SQUID_VIA_DB=true
    WITHOUT_SQUID_CACHE_DIGESTS=true
    WITH_SQUID_WCCP=true
    WITH_SQUID_UNDERSCORES=true
    WITH_SQUID_CHECK_HOSTNAME=true
    WITHOUT_SQUID_STRICT_HTTP=true
    WITH_SQUID_IDENT=true
    WITHOUT_SQUID_USERAGENT_LOG=true
    WITHOUT_SQUID_ARP_ACL=true
    WITHOUT_SQUID_PF=true
    WITH_SQUID_IPFILTER=true
    WITH_SQUID_FOLLOW_XFF=true
    WITHOUT_SQUID_AUFS=true
    WITHOUT_SQUID_COSS=true
    WITHOUT_SQUID_LARGEFILE=true
    WITHOUT_SQUID_STACKTRACES=true
    WITH_SQUID_RCNG=true

In the squid.conf file I've made (what I think) are the appropriate changes:

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

and lastly, this is what my rc.conf looks like:

    hostname="Gohan"
    squid_enable="YES"
    firewall_enable="YES"
    firewall_type="open"
    firewall_quiet="NO"
    firewall_logging="YES"
    # IPFILTER enabled
    ipfilter_enable="YES"
    ipfilter_program="/sbin/ipf"
    ipfilter_rules="/etc/ipf.rules"
    ipfilter_flags=""

    ipfw add allow all from any to 192.168.1.2 80
    ipfw add fwd 192.168.1.2 tcp from any to 192.168.1.2 3128
    ipfw add fwd 192.168.1.2,3128 tcp from any to any 80,82,3128 out recv 192.168.1.2 xmit 129.186.215.57

---------------------------------------------------------

I ran ethereal on the client machine (192.168.1.5) that is behind Squid, and it appears that the client hits 192.168.1.2 but doesn't forward it on to the Squid proxy, therefore never reaching the outside world. I get the normal "Page can not be displayed" message on the client.

I would have thought that if it was hitting the Squid it would give a Squid error message. My gut feeling is it has something to do with my ipfw rules; any and ALL help would be GREATLY appreciated.

thanks