Could somebody provide me a working configuration example for pf.conf and
squid.conf on an OpenBSD 5.4 (working as a bridge)?

I still can't manage to get squid working on my bridge and I don't know
what more tests I could do.

I even tried to compile squid 3.4.2 with '--enable-pf-transparent'
according to the documentation:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

But still no magic happens...
- packets are diverted
- but the netcat test (nc -l 3129) proves that no packets are received by
squid

Thanks,
Romain

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Friday, 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
> Thanks,
>
> I tried according to your configuration:
>
> First test using the 3128 port as a divert-to port and as a squid 
> http_port with tproxy or intercept statement => No traffic is getting 
> diverted by pf
>
> Second test:
>   Same test but using the 3129 port as a divert-to port
>   2 lines in squid.conf file:
>      http_port 3128
>      http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too
> but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the 
> divert-to directive...
> I tried to tcpdump on the lo0 interface but I got nothing.
>
> Seems like a pf problem to me...
>
> My browser accessed the internet without any restriction and without 
> being cached...
>
>
Hi,

    My pf.conf also has only one line, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv, do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions or
interfaces, which might cause you trouble. Also, your divert rule is on your
external interface; that should be done on packets coming IN your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
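
The checks suggested in the reply above (a divert rule with a direction and an interface, and a squid http_port in intercept mode on the diverted port) can be run over the two files together. This is an added example, not part of the original thread: the sample rules, the interface names em0/em1 and the helper names are constructed, and it cannot tell which interface is the internal one.

```python
import re

# Constructed sample inputs (not the poster's real files); em0/em1 are assumed names.
PF_CONF = """\
pass in quick on em1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3129
pass quick inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick on em0 inet proto tcp to port 80 divert-to 127.0.0.1 port 3130
"""
SQUID_CONF = """\
http_port 3128
http_port 127.0.0.1:3129 intercept
"""

def squid_ports(conf):
    """Map each http_port number to the set of option words that follow it."""
    ports = {}
    for line in conf.splitlines():
        tok = line.split('#', 1)[0].split()
        if len(tok) >= 2 and tok[0] == 'http_port':
            ports[int(tok[1].rsplit(':', 1)[-1])] = set(tok[2:])
    return ports

def check_divert_rules(pf_conf, squid_conf):
    """Return (line_no, [problems]) for every pf rule that uses divert-to."""
    listeners = squid_ports(squid_conf)
    report = []
    for no, line in enumerate(pf_conf.splitlines(), 1):
        tok = line.split('#', 1)[0].split()
        if 'divert-to' not in tok:
            continue
        problems = []
        head = tok[:tok.index('divert-to')]   # everything before the divert target
        if 'in' not in head:
            problems.append('no "in" direction')
        if 'on' not in head:
            problems.append('no interface ("on <if>")')
        m = re.search(r'divert-to\s+\S+\s+port\s+(\d+)', line)
        port = int(m.group(1)) if m else None
        if port not in listeners:
            problems.append(f'no http_port listens on {port}')
        elif not listeners[port] & {'intercept', 'tproxy'}:
            problems.append(f'http_port {port} lacks intercept/tproxy')
        report.append((no, problems))
    return report

if __name__ == '__main__':
    for no, problems in check_divert_rules(PF_CONF, SQUID_CONF):
        print(no, problems or 'ok')
```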
