I solved it with PF and put these options in the kernel:

# Squid
options MSGMNB=16384
options MSGMNI=41
options MSGSEG=2049
options MSGSSZ=64
options MSGTQL=512
options SHMSEG=16
options SHMMNI=32
options SHMMAX=2097152
options SHMALL=3096

# Packet Filter
device pf
device pflog
device pfsync
device carp

# Network bridge
options BRIDGE

# TCP/IP filters
options TCP_DROP_SYNFIN # drop TCP packets with SYN+FIN

/etc/pf.conf

ext_if="vr0"
int_if="xl0"
internal_net="192.168.0.0/24"

nat on $ext_if from $internal_net to any -> ($ext_if)

table <rede> { 192.168.0.0/24 }
rdr on $int_if inet proto tcp from <rede> to any port http -> 127.0.0.1 port 3128

Squid 2.6.16 is working; I just don't know why squidGuard stopped filtering addresses, but if I run a test like this:

# echo "http://www.playboy.com/ 127.0.0.1/- - GET" | /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf -d

it works fine.

--
Sergio Augusto Vladisauskis
-> Systems Analyst and Network Administrator
-> Phone: +55 81 3229 1224
-> Mobile: +55 81 9288 2803
-> Skype: sergiovl-aktua
-> Registered Linux User: 305281

ThOLOko wrote:
> Folks, we got it running here....
>
> I recompiled the kernel with these options
>
> options MROUTING # Multicast routing
> options IPFIREWALL #firewall
> options IPFIREWALL_VERBOSE #print information about
> options IPFIREWALL_FORWARD #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by
> options IPDIVERT #divert sockets
> options IPFILTER #ipfilter support
> options IPFILTER_LOG #ipfilter logging
> options IPSTEALTH #support for stealth forwarding
> options TCPDEBUG
> options ACCEPT_FILTER_DATA
> options ACCEPT_FILTER_HTTP
> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
> options DUMMYNET
> options BRIDGE
>
> and then I installed squid, putting only "transparent" in front of
> http_port....
>
> in ipfw
>
> ipfw add 400 forward 127.0.0.1,3128 tcp from any to any dst-port 80 via rl0
>
>
> Thanks for the help... it was something missing from the kernel... for sure...
>
> Cheers...
>
> On 22/10/07, joao jamaicabsd <[EMAIL PROTECTED]> wrote:
>> On 22/10/07, ThOLOko <[EMAIL PROTECTED]> wrote:
>>> but in the sysctl.conf part would it be only my performance settings,
>>> correct???
>>>
>>> I'm reinstalling squid again... I did a make config and only added
>>> the transparent proxy option for ipf
>>>
>>> Cheers!
>>>
>>> On 19/10/07, Vitor Renato Alves de Brito <[EMAIL PROTECTED]>
>>> wrote:
>>>> Hi,
>>>>
>>>> Then I really can't tell you. If your kernel was compiled
>>>> correctly, your ipfw is ok and the squid.conf too, it can only be
>>>> something else. Look at my sysctl.conf:
>>>>
>>>> net.link.ether.bridge.enable=1
>>>> net.link.ether.bridge.ipfw=1
>>>> net.link.ether.bridge.ipf=1
>>>> net.link.ether.bridge.config=xl0,xl1
>>>> net.inet.ip.fw.one_pass=0
>>>> net.inet.ip.fw.verbose_limit=10000
>>>> net.inet.ip.forwarding=1
>>>> net.inet.ip.fastforwarding=1
>>>> net.inet.tcp.delayed_ack=0
>>>> net.inet.tcp.sendspace=65536
>>>> net.inet.tcp.recvspace=65536
>>>> net.inet.udp.recvspace=65536
>>>> net.link.ether.inet.log_arp_wrong_iface=0
>>>> net.link.ether.inet.log_arp_movements=0
>>>> kern.ipc.somaxconn=512
>>>> kern.maxfiles=65536
>>>> kern.maxfilesperproc=32768
>>>> net.inet.ip.portrange.last=65535
>>>> net.inet.ip.intr_queue_maxlen=100
>>>>
>>>> Kernel:
>>>> options MROUTING # Multicast routing
>>>> options IPFIREWALL #firewall
>>>> options IPFIREWALL_VERBOSE #print information about
>>>> options IPFIREWALL_FORWARD #enable transparent proxy support
>>>> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
>>>> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by
>>>> options IPDIVERT #divert sockets
>>>> options IPFILTER #ipfilter support
>>>> options IPFILTER_LOG #ipfilter logging
>>>> options IPSTEALTH #support for stealth forwarding
>>>> options TCPDEBUG
>>>> options ACCEPT_FILTER_DATA
>>>> options ACCEPT_FILTER_HTTP
>>>> options TCP_DROP_SYNFIN #drop TCP packets with SYN+FIN
>>>> options DUMMYNET
>>>> options BRIDGE
>>>>
>>>> Plus memory tuning for squid.
>>>>
>>>> If you have NAT, disable the NAT and see if it works.
>>>>
>>>> Later.
>>>>
>>>> On Fri, 19 Oct 2007, ThOLOko wrote:
>>>>
>>>>> Yes man,,, on my client machine I configured the IP and the gateway
>>>>> is the proxy's LAN interface...
>>>>>
>>>>> On 19/10/07, Vitor Renato Alves de Brito <[EMAIL PROTECTED]>
>>>>> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Remove the vhost and leave the rest as it is, in both squid.conf
>>>>>> and ipfw.
>>>>>> BUT YOUR SQUID'S IP HAS TO BE YOUR NETWORK'S DEFAULT GATEWAY.
>>>>>> Otherwise transparent doesn't work. That is, on the PC, when
>>>>>> configuring the gateway you have to put the squid's IP.
>>>>>>
>>>>>> Here I use:
>>>>>> Squid Cache: Version 2.6.STABLE16-20071005
>>>>>> configure options: '--enable-large-cache-files'
>>>>>> '--prefix=/usr/local/squid' '--enable-snmp'
>>>>>> '--enable-storeio=coss,ufs,aufs,diskd'
>>>>>> '--enable-removal-policies=lru,heap'
>>>>>> '--enable-err-language=Portuguese'
>>>>>> '--enable-default-err-language=Portuguese' '--enable-delay-pools'
>>>>>> '--enable-underscores' '--enable-dlmalloc'
>>>>>> '--disable-hostname-checks'
>>>>>> '--enable-follow-x-forwarded-for' '--enable-coss-aio-ops'
>>>>>> '--with-large-files'
>>>>>>
>>>>>> and it works great.
>>>>>>
>>>>>> Later.
>>>>>>
>>>>>> On Fri, 19 Oct 2007, ThOLOko wrote:
>>>>>>
>>>>>>> Adding to that:
>>>>>>> squid
>>>>>>> 2007/10/19 11:16:30| Can't be both a transparent proxy and web server
>>>>>>> accelerator on the same port
>>>>>>> FATAL: Bungled squid.conf line 4: http_port 3128 transparent vhost
>>>>>>> Squid Cache (Version 2.6.STABLE16): Terminated abnormally.
>>>>>>>
>>>>>>>
>>>>>>> 2007/10/19, ThOLOko <[EMAIL PROTECTED]>:
>>>>>>>> Good morning folks,,, Sorry for this topic, I know there are
>>>>>>>> many of them, but even following several (many without an end)
>>>>>>>> I couldn't get Transparent SQUID + IPFW running...
>>>>>>>>
>>>>>>>> Below is my squid.conf
>>>>>>>>
>>>>>>>> http_port 3128
>>>>>>>> visible_hostname firewall
>>>>>>>>
>>>>>>>> redirect_rewrites_host_header off
>>>>>>>> http_port 7.8.9.254:3128 transparent
>>>>>>>>
>>>>>>>> #cache size in RAM
>>>>>>>> cache_mem 50 MB
>>>>>>>>
>>>>>>>> shutdown_lifetime 3 seconds
>>>>>>>> icp_port 0
>>>>>>>>
>>>>>>>> #maximum object size in RAM
>>>>>>>> maximum_object_size_in_memory 64 KB
>>>>>>>>
>>>>>>>> #maximum object size in the cache
>>>>>>>> maximum_object_size 20 MB
>>>>>>>>
>>>>>>>> #minimum object size in the cache
>>>>>>>> minimum_object_size 0 KB
>>>>>>>>
>>>>>>>> cache_swap_low 90
>>>>>>>> cache_swap_high 95
>>>>>>>>
>>>>>>>> #cache directory
>>>>>>>> cache_dir ufs /usr/local/squid/cache 3000 16 256
>>>>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>>>>>
>>>>>>>> #cache refresh
>>>>>>>> refresh_pattern ^ftp: 15 20% 2280
>>>>>>>> refresh_pattern ^gopher: 15 0% 2280
>>>>>>>> refresh_pattern . 15 20% 2280
>>>>>>>>
>>>>>>>> #ACLs
>>>>>>>> acl all src 0.0.0.0/0.0.0.0
>>>>>>>> acl manager proto cache_object
>>>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>>>>
>>>>>>>> acl SSL_ports port 445 443 441 563
>>>>>>>> acl Safe_ports port 80 # http
>>>>>>>> acl Safe_ports port 21 # ftp
>>>>>>>> acl Safe_ports port 445 443 441 563 # https, snews
>>>>>>>> acl Safe_ports port 70 # gopher
>>>>>>>> acl Safe_ports port 210 # wais
>>>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>>>> acl Safe_ports port 488 # gss-http
>>>>>>>> acl Safe_ports port 591 # filemaker
>>>>>>>> acl Safe_ports port 777 # multiling http
>>>>>>>> acl Safe_ports port 901 # SWAT
>>>>>>>> acl purge method PURGE
>>>>>>>> acl CONNECT method CONNECT
>>>>>>>>
>>>>>>>> acl redeinterna src 7.8.9.0/24
>>>>>>>> acl admin src 7.8.9.248
>>>>>>>>
>>>>>>>> #acl restritos dstdom_regex "/usr/local/etc/squid/restritos"
>>>>>>>> acl bloqueados dstdom_regex "/usr/local/etc/squid/bloqueados"
>>>>>>>>
>>>>>>>> acl manha time MTWHF 08:00-12:00
>>>>>>>> acl tarde time MTWHF 13:30-17:20
>>>>>>>> #S-Sunday, M-Monday, T-Tuesday, W-Wednesday, H-Thursday, F-Friday, A-Saturday
>>>>>>>>
>>>>>>>> http_access allow manager localhost
>>>>>>>> http_access deny !Safe_ports
>>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>>> http_access deny manager
>>>>>>>> http_access allow purge localhost
>>>>>>>> http_access deny purge
>>>>>>>> http_access allow localhost
>>>>>>>>
>>>>>>>> http_access allow admin
>>>>>>>>
>>>>>>>> http_access deny bloqueados
>>>>>>>> #http_access deny manha restritos
>>>>>>>> #http_access deny tarde restritos
>>>>>>>>
>>>>>>>> http_access allow redeinterna
>>>>>>>>
>>>>>>>> http_access deny all
>>>>>>>>
>>>>>>>>
>>>>>>>> Now my IPFW rules:
>>>>>>>>
>>>>>>>> /sbin/ipfw -f flush
>>>>>>>>
>>>>>>>> ipfw add allow tcp from 7.8.9.254 to any 80 # avoids loop
>>>>>>>> ipfw add fwd 7.8.9.254,3128 tcp from 7.8.9.0/24 to any 80
>>>>>>>>
>>>>>>>>
>>>>>>>> And I've already compiled the kernel to run nat and ipfw... NAT is
>>>>>>>> running perfectly...
>>>>>>>>
>>>>>>>> I don't know if the correct option is http_port 7.8.9.254:3128 transparent
>>>>>>>>
>>>>>>>> Cheers!
>>>>>>>>
>>>>>>>> --
>>
>>
>> Man, this ipfw here is working like a charm
>>
>> ## Transparent Proxy
>> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 via rl1
>>
>> # NATD
>> ipfw add divert natd ip from any to any via rl0
>>
>> And since your squid is the 2.6, put it like this
>>
>> http_port 127.0.0.1:Transparent
>> http_port 192.168.1.254
>>
>> That "transparent", if it doesn't work, falls through to the line below; I've
>> done this and it worked, and remember that the line below is the gateway that
>> will be configured on the hosts
>>
>> Hope this helped
>>
>> later
>>
>>
>> E-mail: [EMAIL PROTECTED]
>> Systems Support Assistant (Universidade do Sul de Santa Catarina)
>> MSN: [EMAIL PROTECTED]
>> Mobile: (48) 9144 2326
>> -------------------------
>> Archive: http://www.fug.com.br/historico/html/freebsd/
>> Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>>
>
>
> --

[]'s
Sergio Augusto Vladisauskis (Animal-X®)
Jabber: [EMAIL PROTECTED] | Google Talk: [EMAIL PROTECTED]
Skype: animal-x | ICQ: 31967968
Linux User: 305281 | Linux, OpenSolaris, BSD's & Haiku
http://sergiovl.sytes.net
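The manual squidGuard check in the message above pipes one line of Squid's redirector protocol into the helper on stdin. As an added example, not code from this thread and not squidGuard's or Squid's own code, here is a minimal redirector helper in Python that speaks the same Squid 2.x protocol: one request per line as "URL client_ip/fqdn ident method", answered with either a replacement URL or an empty line meaning "leave the URL unchanged". The blocklist, the block-page URL and every hostname in it are constructed placeholders. Piping a request line into it, exactly as the message does with squidGuard, exercises the helper alone; it says nothing about whether Squid itself is spawning the helper via redirect_program, which is a separate thing to check when filtering "stops working".

```python
import sys
from urllib.parse import urlsplit

# Constructed blocklist standing in for a squidGuard destination category
# (hypothetical names, not from the thread).
BLOCKED_DOMAINS = {"example-blocked.test", "ads.example.test"}
# Hypothetical block page the client is sent to instead of the requested URL.
BLOCK_PAGE = "http://proxy.example.test/blocked.html"


def parse_redirector_line(line):
    """Parse one Squid 2.x redirector request: 'URL ip/fqdn ident method [extra]'."""
    parts = line.strip().split()
    if len(parts) < 4:
        raise ValueError("malformed redirector input: %r" % line)
    url, client, ident, method = parts[:4]
    ip, _, fqdn = client.partition("/")   # fqdn is '-' when Squid did no lookup
    return {"url": url, "client_ip": ip, "client_fqdn": fqdn,
            "ident": ident, "method": method}


def host_is_blocked(url, blocked=BLOCKED_DOMAINS):
    """True if the URL's host, or any parent domain of it, is on the blocklist."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # www.example-blocked.test matches the entry example-blocked.test
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(line):
    """Return the reply line for one request: BLOCK_PAGE, or '' to leave it alone."""
    req = parse_redirector_line(line)
    if req["method"] == "CONNECT":
        # CONNECT requests carry host:port rather than a URL; a redirector cannot
        # rewrite them, so they are left to the http_access rules
        return ""
    if host_is_blocked(req["url"]):
        return BLOCK_PAGE
    return ""


def main():
    # Squid keeps the helper running for its lifetime and sends one request per
    # line; reply with exactly one line per request and flush, or Squid stalls.
    for line in sys.stdin:
        if not line.strip():
            continue
        try:
            reply = decide(line)
        except ValueError:
            reply = ""   # never hang or crash Squid on bad input: pass the URL through
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Saved as, say, redirector.py (a hypothetical name), it can be checked the same way the message checks squidGuard: `echo "http://www.example-blocked.test/ 192.168.0.10/- - GET" | python3 redirector.py` prints the block-page URL, while a request for an unlisted host prints an empty line. Failing open on malformed input is deliberate: a helper that dies or stops answering takes every client's browsing down with it, which is a worse outcome than one unfiltered request.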