Date: Tue, 7 Oct 2003 09:57:29 +0800 From: <chael@southgate.ph.inter.net> To: <questions@freebsd.org> Subject: Re: transparent proxying, squid, nat, ipfw Message-ID: <001601c38c76$5d7c1b70$ee01a8c0@JMICH> References: <web-4813283@digitelone.com> <1065435306.3f8140aa05376@www.psecalw.de>
I have done a number of servers in this setup. It really is as simple as
following this http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.8 plus the
divert line as the first line in ipfw and the necessary NAT in rc.conf.
However, if you are thinking of implementing WCCP+transparent proxy+NAT, it
doesn't seem to work together, or at least not for me :-D (help?). I have read
on OSNews that there's a new ipfw implementation that might solve this and it
is due to come out with the 4.9-RELEASE. I'm not sure if this is related
though... I didn't read thoroughly.

chael

> Hi,
> my advice is, take it step by step. Set up your NAT, Apache (if you need it),
> squid (don't use httpd_accel at the beginning!).
> Now I'm a bit unsure what you want to do. If you want to force the use of a
> proxy for your NAT users, create your redirection rule which redirects
> outgoing traffic to port 80 (https, ...) to your localhost squid.
> httpd_accel is for accelerating a specific webserver in your realm; you can use
> it to speed up the responses from your local Apache or any other webserver in
> your LAN (and thereby make it accessible from outside, if you set the ACL
> accordingly).
> The question is, what do you want to accomplish?
> Kind regards,
> Alex.
>
> Quoting Gil Agno Virtucio <gihl@nesic.com.ph>:
>
> > So far this was the simplest squid configuration that I've seen...
> > http://ezine.daemonnews.org/200209/squid.html
> >
> > Hope this helps...
> >
> > -----------------------------------------------------
> > Gil Agno Virtucio
> > Janitor/Collector/Messenger
> > NEC System Integration and Construction Philippines Inc.
> > 15th Floor BPI Buendia Center
> > Gil Puyat Ave.
> > Makati City 1200
> > Cellphone : +639163989695
> > Office Phone: +6328914167
> > -----------------------------------------------------
> >
> > -----Original Message-----
> > From: synrat [mailto:synrat@wirewalk.org]
> > Sent: Monday, October 06, 2003 11:40 AM
> > To: freebsd-questions@freebsd.org
> > Subject: transparent proxying, squid, nat, ipfw
> >
> > I'm having a hard time getting this working together.
> > I have squid 2.5 stable working and with all the required settings for
> > transparent proxying. The machine has the kernel with IPFW and forwarding
> > options. NAT is on, firewall type is simple with some modifications.
> > Internal interface address is 192.168.1.1. Squid runs fine when the browser
> > is set up to access it, but the goal is not to have to do that.
> >
> > http_port 3128
> > httpd_accel_host virtual
> > httpd_accel_port 80
> > httpd_accel_with_proxy on
> > httpd_accel_uses_host_header on
> >
> > I have the forwarding rule as well
> >
> > fwd 127.0.0.1,3128 tcp from any to any 80
> >
> > I tried 192.168.1.1,3128 in the rule. Tried putting it before both divert
> > rules.
> >
> > Here's my ipfw list output
> >
> > 00050 divert 8668 ip from any to any via rl0
> > 00100 allow ip from any to any via lo0
> > 00200 deny ip from any to 127.0.0.0/8
> > 00300 deny ip from 127.0.0.0/8 to any
> > 00400 deny ip from 192.168.1.0/24 to any in recv rl0
> > 00500 deny ip from 66.92.100.0/24 to any in recv rl1
> > 00600 deny ip from any to 10.0.0.0/8 via rl0
> > 00700 deny ip from any to 172.16.0.0/12 via rl0
> > 00800 deny ip from any to 192.168.0.0/16 via rl0
> > 00900 deny ip from any to 0.0.0.0/8 via rl0
> > 01000 deny ip from any to 169.254.0.0/16 via rl0
> > 01100 deny ip from any to 192.0.2.0/24 via rl0
> > 01200 deny ip from any to 224.0.0.0/4 via rl0
> > 01300 deny ip from any to 240.0.0.0/4 via rl0
> > 01400 divert 8668 ip from any to any via rl0
> > 01500 deny ip from 10.0.0.0/8 to any via rl0
> > 01600 deny ip from 172.16.0.0/12 to any via rl0
> > 01700 deny ip from 192.168.0.0/16 to any via rl0
> > 01800 deny ip from 0.0.0.0/8 to any via rl0
> > 01900 deny ip from 169.254.0.0/16 to any via rl0
> > 02000 deny ip from 192.0.2.0/24 to any via rl0
> > 02100 deny ip from 224.0.0.0/4 to any via rl0
> > 02200 deny ip from 240.0.0.0/4 to any via rl0
> > 02300 allow tcp from any to any established
> > 02400 allow ip from any to any frag
> > 02500 allow tcp from any to 66.92.100.221 25 setup
> > 02600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
> > 02700 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
> > 02800 allow udp from 192.168.1.0/24 to 192.168.1.0/24
> > 02900 allow udp from 192.168.1.0/24 to 192.168.1.0/24
> > 03000 allow tcp from any to 66.92.100.221 80 setup
> > 03100 allow tcp from any to 66.92.100.221 8080 setup
> > 03200 allow tcp from any to 66.92.100.221 8021 setup
> > 03300 allow tcp from any to 66.92.100.221 21 setup
> > 03400 allow tcp from any to 66.92.100.221 22 setup
> > 03500 allow tcp from any to 66.92.100.221 110 setup
> > 03600 allow tcp from any to 66.92.100.221 143 setup
> > 03700 allow tcp from any to 66.92.100.221 993 setup
> > 03800 allow tcp from any to 66.92.100.221 995 setup
> > 03900 allow icmp from any to any
> > 04000 deny log tcp from any to any in recv rl0 setup
> > 04100 allow tcp from any to any setup
> > 04200 fwd 127.0.0.1,3128 tcp from any to any 80
> > 04300 allow udp from 66.92.100.221 to any keep-state
> > 04400 allow udp from 192.168.1.3 to any keep-state
> > 65535 deny ip from any to any
>
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
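Reading the posted ruleset in order shows why the fwd rule is never hit: ipfw stops at the first terminating rule, and 04100 "allow tcp from any to any setup" accepts the LAN client's SYN to port 80 before 04200 "fwd 127.0.0.1,3128 ..." is evaluated. Pointing the rule at 192.168.1.1,3128 changes the target, not the position, so it makes no difference either. The divert rules do not interfere with that packet at all (they are "via rl0" and the client's packet enters on the inside interface), which is why the FAQ order referenced above simply puts the fwd rule first and limits it to packets arriving on the inside interface. The script below is an added example, not code from the thread, the Squid FAQ or the FreeBSD project: it prints such a trimmed ruleset in "ipfw list" form and includes a small check that reads "ipfw list" output and reports whether a LAN SYN to port 80 can reach the fwd rule at all. It assumes interface roles taken from the posted anti-spoofing rules (rl0 outside with 66.92.100.221, rl1 inside with 192.168.1.1/24) and Squid on 127.0.0.1:3128; the rule numbers are illustrative and the POSTED_RULES sample is a constructed subset of the list above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: rl0 = outside interface,
# rl1 = inside interface (192.168.1.1/24), Squid listening on 127.0.0.1:3128.
# corrected_rules: a trimmed transparent-proxy ruleset, not a complete firewall.
# fwd_reachable:   reads `ipfw list` output on stdin and says whether a LAN
#                  client's SYN to port 80 can ever reach the fwd rule.

EXT_IF=${EXT_IF:-rl0}
INT_IF=${INT_IF:-rl1}
INT_NET=${INT_NET:-192.168.1.0/24}
SQUID=${SQUID:-127.0.0.1,3128}

# Prints rules in `ipfw list` form (number first). To load on the firewall:
#   corrected_rules | while read n r; do ipfw add $n $r; done
corrected_rules() {
    # The fwd rule comes first and matches only LAN traffic *entering on the
    # inside interface*. "from $INT_NET ... in via $INT_IF" keeps the firewall's
    # own connections to port 80, including the ones Squid opens to origin
    # servers (those leave via $EXT_IF), from being redirected back into Squid.
    echo "00050 fwd $SQUID tcp from $INT_NET to any 80 in via $INT_IF"
    # natd divert for everything crossing the outside interface. It never sees
    # the redirected LAN packet above; it does see Squid's own outbound fetch.
    echo "00100 divert 8668 ip from any to any via $EXT_IF"
    echo "00200 allow ip from any to any via lo0"
    echo "00300 deny ip from any to 127.0.0.0/8"
    echo "00400 deny ip from 127.0.0.0/8 to any"
    # Anti-spoofing: LAN addresses must not arrive on the outside interface.
    echo "00500 deny ip from $INT_NET to any in recv $EXT_IF"
    echo "01000 allow tcp from any to any established"
    echo "01100 allow ip from any to any frag"
    # Inbound SYNs from the outside are dropped and logged unless allowed earlier.
    echo "02000 deny log tcp from any to any in recv $EXT_IF setup"
    # Blanket "setup" rule: any SYN reaching this point is accepted, which is
    # exactly why the fwd rule must sit above it, not below it.
    echo "02100 allow tcp from any to any setup"
    echo "02200 allow udp from $INT_NET to any keep-state"
    echo "65535 deny ip from any to any"
}

# Exit 0 if the first rule that can terminate a LAN SYN to port 80 is the fwd
# rule; exit 1 if a blanket "allow/deny tcp|ip from any to any [setup]" rule
# precedes it (ipfw stops at the first matching terminal rule) or no fwd
# rule for port 80 exists. Usage on a live box:  ipfw list | fwd_reachable
fwd_reachable() {
    awk '
        /^[0-9]+ +fwd .*tcp from .* 80( |$)/ && !fwd { fwd = $1 + 0 }
        /^[0-9]+ +(allow|deny) (tcp|ip) from any to any( setup)?$/ && !blk { blk = $1 + 0 }
        END {
            if (!fwd) { print "no fwd rule for port 80"; exit 1 }
            if (blk && blk < fwd) {
                printf "fwd rule %05d is shadowed by rule %05d\n", fwd, blk
                exit 1
            }
            printf "fwd rule %05d is reachable\n", fwd
            exit 0
        }'
}

# Constructed sample: the subset of the posted `ipfw list` output that decides
# the outcome, in the order it was listed.
POSTED_RULES='00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
02300 allow tcp from any to any established
04000 deny log tcp from any to any in recv rl0 setup
04100 allow tcp from any to any setup
04200 fwd 127.0.0.1,3128 tcp from any to any 80
65535 deny ip from any to any'

# Stand-alone demo: the posted order is reported as shadowed by 04100,
# the corrected order as reachable.
echo "$POSTED_RULES" | fwd_reachable || true
corrected_rules | fwd_reachable
```

Sourcing the script on the firewall and piping "ipfw list" into fwd_reachable gives the same verdict for the live ruleset; the check only looks at blanket from-any-to-any rules, so a more specific rule that happens to accept the LAN SYN earlier still has to be read by hand.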