----- Original Message -----
Sent: Thursday, February 23, 2006 5:08 PM
Subject: [FreeBSD] squid ve transparency
firewall'dan tüm port 80 isteklerini clientlar ile aynı ipye sahip bir server'a yönlendirdim.
server üzerinde squid kurulu ve çalışıyor.
clientların proxy ayarlarını elle yaptığımda proxy'den yararlanarak internete çıkıyorlar. ama elle ayarlamadan firewall'dan yönlendirdiğimde istekler geliyor ama proxy internete çıkış yapmadan hemen cevap gönderiyor. neden anlayamadım.
squid üzerinde ipfw yüklü ve herhangi bir engelleme yok.
port yönlendirme de yok çünkü port zaten başka bir firewall tarafından yönlendiriliyor. tüm istekler squid'in dinlediği porta geliyor.
kernel dosyası içeriğinin son satırları:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_FORWARD
options IPDIVERT
options DUMMYNET
options IPSTEALTH
options IPFIREWALL_VERBOSE_LIMIT=100
options IPFIREWALL_DEFAULT_TO_ACCEPT
options DUMMYNET #bandwidth icin.
#pseudo-device vlan 3 # IEEE 802.1Q VLAN Support
options SYSVMSG
options MSGMNB=8192 # max # of bytes in a queue
options MSGMNI=40 # number of message queue identifiers
options MSGSEG=512 # number of message segments per queue
options MSGSSZ=64 # size of a message segment
options MSGTQL=2048 # max messages in system
options SYSVSHM
options SHMSEG=16 # max shared mem id's per process
options SHMMNI=32 # max shared mem id's per system
options SHMMAX=2097152 # max shared memory segment size (bytes)
options SHMALL=4096 # max amount of shared
squid.conf dosyası:
http_port 3128
visible_hostname proxy.mydomain.com
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 128 MB
maximum_object_size 512 KB
ipcache_size 2048
fqdncache_size 2048
cache_dir ufs /usr/local/squid/cache 3072 60 312
read_timeout 5 minutes
request_timeout 30 seconds
half_closed_clients off
forwarded_for off
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl internet src 172.16.0.0/21
acl nodownload urlpath_regex -i "/usr/local/etc/squid/nodownload"
http_access deny nodownload
acl DENYPAGE urlpath_regex Servlet
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
no_cache deny DENYPAGE
http_access allow internet
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_reply_access allow all
http_access deny all
icp_access allow all
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
coredump_dir /usr/local/squid/
error_directory /usr/local/etc/squid/errors/Turkish
client_db off
#redirect_program /usr/local/bin/squidGuard
#redirect_children 10
cache_effective_user squid
cache_effective_group squid
access_log /usr/local/squid/logs/access.log squid
---------------------------------------------------------------
[EMAIL PROTECTED]# egrep squid rc.conf
squid_enable="YES"
[EMAIL PROTECTED]# sockstat -l | grep squid
squid squid 903 5 udp4 *:58934 *:*
squid squid 903 12 tcp4 *:3128 *:*
squid squid 903 13 udp4 *:3130 *:*
squid squid 903 14 udp4 *:4827 *:*
[EMAIL PROTECTED]# ps auxww | grep squid
squid 552 0.0 0.1 1660 1116 ?? Ss 1:33PM 0:00.15 (pinger) (pinger)
squid 709 0.0 0.1 1660 1104 ?? Ss 2:17PM 0:00.13 (pinger) (pinger)
squid 711 0.0 0.1 1660 1104 ?? Ss 2:17PM 0:00.13 (pinger) (pinger)
squid 746 0.0 0.1 1660 1116 ?? Ss 2:18PM 0:00.16 (pinger) (pinger)
squid 901 0.0 0.3 5552 2804 ?? Is 3:09PM 0:00.01 /usr/local/sbin/squid -D
squid 903 0.0 1.0 11472 9932 ?? S 3:09PM 0:02.01 (squid) -D (squid)
squid 904 0.0 0.1 1272 596 ?? Is 3:09PM 0:00.04 (unlinkd) (unlinkd)
squid 905 0.0 0.1 1660 1116 ?? Ss 3:09PM 0:00.11 (pinger) (pinger)
root 1094 0.0 0.1 1316 688 p0 I 4:27PM 0:00.01 tail -f /usr/local/squid/logs/access.log
root 1222 0.0 0.1 1588 968 p2 S+ 5:06PM 0:00.01 grep squid
[EMAIL PROTECTED]# ls -l /var/db/pkg/ | grep squid
drwxr-xr-x 2 root wheel 512 Feb 17 18:07 squid-2.5.12_4
[EMAIL PROTECTED]#
rc.conf içerisinde ipfw ile ilgili bir satır yok.
iyi çalışmalar