In fact here is the topology I had in mind : Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet
Since I want my system to do both : - the bridge role - webfiltering ... without adding a network (I mean adding a network and make the Webfiltering box route beetween the two subnets) I think it is necessary to build a bridge... And that the design should work... But I'm still strugling on this matter. -----Message d'origine----- De : owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] De la part de carlos albino garcia grijalba Envoyé : mercredi 8 janvier 2014 21:29 À : Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator' Cc : 'Misc OpenBSD' Objet : Re: Transparent proxy with Squid on OpenBSD 5.4 i agree with giancarlo why do u need the bridge function? for transparent proxy u dont need the bridge > From: romain.fab...@alienconsulting.net > To: grazzol...@gmail.com; cremator.li...@gmail.com > CC: misc@openbsd.org > Subject: Re: Transparent proxy with Squid on OpenBSD 5.4 > Date: Fri, 3 Jan 2014 17:57:37 +0100 > > I didn't investigate the bridge in itself since it seems to be working > as a bridge... > > #=============================== > # Bridge configuration > #=============================== > > #vi /etc/hostname.bge0 > up > > #vi /etc/hostname.bge1 > up > > #vi /etc/hostname.vether0 > inet 192.168.200.253 255.255.255.0 192.168.200.255 > > #vi /etc/hostname.bridge0 > add vether0 > add bge0 > add bge1 > up > > #vi /etc/mygate > 192.168.200.254 > > #=============================== > # PF configuration > #=============================== > # Macros & Tables > ext_if="bge0" > int_if="bge1" > > # Options > set reassemble yes no-df > > # Redirect www to our transparent squid proxy pass in quick log on > $int_if inet proto tcp from 192.168.200.0/24 to port 80 > divert-to 127.0.0.1 port 3129 > pass out quick on $int_if inet from 192.168.200.0/24 divert-reply > > # Allow TerminalServer > pass quick inet proto tcp from any to any port 3389 keep state > > # Allow SSH > pass quick inet proto tcp from any to 192.168.200.253 port ssh > > # NTP > pass out quick proto udp from $int_if to any port 123 keep state > > # Allow mail > pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 > } keep > state > > # Allow Ping/Traceroute/DNS > pass quick inet proto udp from any to any port domain pass quick inet > proto tcp from any to any port domain flags S/SA synproxy state pass > quick inet proto icmp all icmp-type { echoreq, unreach } keep state > > > #======================================= > # Squid configuration > #======================================= > > # Only usefull for Squid 2.7 > #acl localhost src 127.0.0.1/32 > #acl manager proto cache_object > #acl all src 0.0.0.0/0.0.0.0 > > # Interfacage avec SquidGuard > url_rewrite_program /usr/local/bin/squidGuard -c > /etc/squidguard/squidguard.conf > > # Number of redirector processes to spawn url_rewrite_children 5 > > # To prevent loops, don't send requests from localhost to the redirector > url_rewrite_access deny localhost > > # Only allow cachemgr access from localhost http_access allow > localhost manager http_access deny manager > > # Define sources > acl localnet src 192.168.200.0/24 > > # Define ports > acl SSL_ports port 443 > acl Safe_ports port 80 # http > acl Safe_ports port 21 # ftp > acl Safe_ports port 443 # https > acl Safe_ports port 70 # gopher > acl Safe_ports port 210 # wais > acl Safe_ports port 1025-65535 # unregistered ports > acl Safe_ports port 280 # http-mgmt > acl Safe_ports port 488 # gss-http > acl Safe_ports port 591 # filemaker > acl Safe_ports port 777 # multiling http > acl CONNECT method CONNECT > > # Deny requests to certain unsafe ports http_access deny !Safe_ports > > # Deny CONNECT to other than secure SSL ports http_access deny CONNECT > !SSL_ports > > # Example rule allowing access from your local networks. > # Adapt localnet in the ACL section to list your (internal) IP > networks # from where browsing should be allowed http_access allow > localnet http_access allow localhost > > # We strongly recommend the following be uncommented to protect > innocent # web applications running on the proxy server who think the > only # one who can access services on "localhost" is a local user > #http_access deny to_localhost > > # And finally deny all other access to this proxy http_access deny all > > # Squid normally listens to port 3128 > http_port 3128 > http_port 127.0.0.1:3129 tproxy > > # Real squid memory cache > cache_mem 1500 MB > maximum_object_size_in_memory 8 MB > > # Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64 > minimum_object_size 3 KB maximum_object_size 8 MB > > # Uncomment and adjust the following to add a disk cache directory. > cache_dir ufs /var/squid/cache 200 16 256 > > # IP & DNS names memory cache > ipcache_size 5120 > fqdncache_size 5120 > > # File descriptor number > #max_filedescriptors 4096 > > # Public exposed hostname > visible_hostname openfw.local > > # Added to footer of error pages. > cache_mgr em...@test.net > > # Log client request activities > access_log /var/squid/logs/access.log squid > > # Log information about the cache's behavior cache_log > /var/squid/logs/cache.log > > # Leave coredumps in the first cache dir coredump_dir /var/squid/cache > > # Add any of your own refresh_pattern entries above these. > refresh_pattern ^ftp: 1440 20% 10080 > refresh_pattern ^gopher: 1440 0% 1440 > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320
