ok but why do you need the bridge? i think that you want it to be there to
intercept the web and let all pass, but you can do this without the bridge part:
intercepting the web requests and then letting all the others go to the router. not
sure if the bridge can do this, because its function is to be there but the
packets do not know that it is there. i mean, as far as i know (correct me if
i am wrong), they operate in layer 2, so it never reaches the higher levels where
interception works.

> From: romain.fab...@alienconsulting.net
> To: genesi...@hotmail.com; grazzol...@gmail.com; cremator.li...@gmail.com
> CC: misc@openbsd.org
> Subject: RE: Transparent proxy with Squid on OpenBSD 5.4
> Date: Thu, 9 Jan 2014 00:18:43 +0100
>
> In fact here is the topology I had in mind:
>
> Computers <=> Switch <=> Webfiltering bridge <=> Router <=> Internet
>
> Since I want my system to do both:
> - the bridge role
> - webfiltering
>
> ... without adding a network (I mean adding a network and making the
> Webfiltering box route between the two subnets)
>
> I think it is necessary to build a bridge...
> And that the design should work...
>
> But I'm still struggling on this matter.
>
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
> carlos albino garcia grijalba
> Sent: Wednesday 8 January 2014 21:29
> To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
> Cc: 'Misc OpenBSD'
> Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
>
> i agree with giancarlo. why do you need the bridge function? for a transparent
> proxy you don't need the bridge
>
> > From: romain.fab...@alienconsulting.net
> > To: grazzol...@gmail.com; cremator.li...@gmail.com
> > CC: misc@openbsd.org
> > Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
> > Date: Fri, 3 Jan 2014 17:57:37 +0100
> >
> > I didn't investigate the bridge in itself since it seems to be working
> > as a bridge...
> >
> > #===============================
> > # Bridge configuration
> > #===============================
> >
> > #vi /etc/hostname.bge0
> > up
> >
> > #vi /etc/hostname.bge1
> > up
> >
> > #vi /etc/hostname.vether0
> > inet 192.168.200.253 255.255.255.0 192.168.200.255
> >
> > #vi /etc/hostname.bridge0
> > add vether0
> > add bge0
> > add bge1
> > up
> >
> > #vi /etc/mygate
> > 192.168.200.254
> >
> > #===============================
> > # PF configuration
> > #===============================
> > # Macros & Tables
> > ext_if="bge0"
> > int_if="bge1"
> >
> > # Options
> > set reassemble yes no-df
> >
> > # Redirect www to our transparent squid proxy
> > pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
> > pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
> >
> > # Allow TerminalServer
> > pass quick inet proto tcp from any to any port 3389 keep state
> >
> > # Allow SSH
> > pass quick inet proto tcp from any to 192.168.200.253 port ssh
> >
> > # NTP
> > pass out quick proto udp from $int_if to any port 123 keep state
> >
> > # Allow mail
> > pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
> >
> > # Allow Ping/Traceroute/DNS
> > pass quick inet proto udp from any to any port domain
> > pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> > pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
> >
> >
> > #=======================================
> > # Squid configuration
> > #=======================================
> >
> > # Only useful for Squid 2.7
> > #acl localhost src 127.0.0.1/32
> > #acl manager proto cache_object
> > #acl all src 0.0.0.0/0.0.0.0
> >
> > # Interface with SquidGuard
> > url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf
> >
> > # Number of redirector processes to spawn
> > url_rewrite_children 5
> >
> > # To prevent loops, don't send requests from localhost to the redirector
> > url_rewrite_access    deny  localhost
> >
> > # Only allow cachemgr access from localhost
> > http_access allow localhost manager
> > http_access deny manager
> >
> > # Define sources
> > acl localnet src 192.168.200.0/24
> >
> > # Define ports
> > acl SSL_ports port 443
> > acl Safe_ports port 80          # http
> > acl Safe_ports port 21          # ftp
> > acl Safe_ports port 443         # https
> > acl Safe_ports port 70          # gopher
> > acl Safe_ports port 210         # wais
> > acl Safe_ports port 1025-65535  # unregistered ports
> > acl Safe_ports port 280         # http-mgmt
> > acl Safe_ports port 488         # gss-http
> > acl Safe_ports port 591         # filemaker
> > acl Safe_ports port 777         # multiling http
> > acl CONNECT method CONNECT
> >
> > # Deny requests to certain unsafe ports
> > http_access deny !Safe_ports
> >
> > # Deny CONNECT to other than secure SSL ports
> > http_access deny CONNECT !SSL_ports
> >
> > # Example rule allowing access from your local networks.
> > # Adapt localnet in the ACL section to list your (internal) IP networks
> > # from where browsing should be allowed
> > http_access allow localnet
> > http_access allow localhost
> >
> > # We strongly recommend the following be uncommented to protect innocent
> > # web applications running on the proxy server who think the only
> > # one who can access services on "localhost" is a local user
> > #http_access deny to_localhost
> >
> > # And finally deny all other access to this proxy
> > http_access deny all
> >
> > # Squid normally listens to port 3128
> > http_port 3128
> > http_port 127.0.0.1:3129 tproxy
> >
> > # Real squid memory cache
> > cache_mem 1500 MB
> > maximum_object_size_in_memory 8 MB
> >
> > # Squid disk cache
> > cache_dir ufs /var/squid/cache 1500 16 64
> > minimum_object_size 3 KB
> > maximum_object_size 8 MB
> >
> > # Uncomment and adjust the following to add a disk cache directory.
> > cache_dir ufs /var/squid/cache 200 16 256
> >
> > # IP & DNS names memory cache
> > ipcache_size 5120
> > fqdncache_size 5120
> >
> > # File descriptor number
> > #max_filedescriptors 4096
> >
> > # Public exposed hostname
> > visible_hostname openfw.local
> >
> > # Added to footer of error pages.
> > cache_mgr em...@test.net
> >
> > # Log client request activities
> > access_log /var/squid/logs/access.log squid
> >
> > # Log information about the cache's behavior
> > cache_log /var/squid/logs/cache.log
> >
> > # Leave coredumps in the first cache dir
> > coredump_dir /var/squid/cache
> >
> > # Add any of your own refresh_pattern entries above these.
> > refresh_pattern ^ftp: 1440 20% 10080
> > refresh_pattern ^gopher: 1440 0% 1440
> > refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> > refresh_pattern . 0 20% 4320
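The interception path in the quoted configs is a contract between two files: the PF `divert-to` rule must hand port-80 traffic to an address and port where Squid actually listens in an interception mode, and a `tproxy` listener additionally relies on a `divert-reply` rule. Below is an added cross-check for that pairing; it is my example, not code from this thread, and it runs on constructed, abridged copies of the two configs rather than the poster's verbatim files.

```python
import re

# Constructed sample files, abridged to the lines relevant to interception.
PF_CONF = """\
int_if="bge1"
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
"""
SQUID_CONF = """\
http_port 3128
http_port 127.0.0.1:3129 tproxy
"""

DIVERT_RE = re.compile(r"divert-to\s+(\S+)\s+port\s+(\d+)")
INTERCEPT_MODES = {"intercept", "tproxy", "transparent"}  # Squid's interception flags


def divert_targets(pf_text):
    """(address, port) pairs named by divert-to rules; commented-out rules ignored."""
    return [(m.group(1), int(m.group(2)))
            for line in pf_text.splitlines() if not line.lstrip().startswith("#")
            for m in DIVERT_RE.finditer(line)]


def squid_listeners(squid_text):
    """Map (address, port) of every http_port line to its option words; '*' = any address."""
    listeners = {}
    for line in squid_text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] != "http_port":
            continue
        addr, _, port = words[1].rpartition(":")  # "3128" -> addr "", "127.0.0.1:3129" -> addr set
        listeners[(addr or "*", int(port))] = set(words[2:])
    return listeners


def check_intercept(pf_text, squid_text):
    """Return a list of mismatches between pf divert-to rules and Squid listeners (empty = consistent)."""
    problems = []
    listeners = squid_listeners(squid_text)
    for addr, port in divert_targets(pf_text):
        opts = listeners.get((addr, port), listeners.get(("*", port)))
        if opts is None:
            problems.append(f"divert-to {addr} port {port} but no http_port listens there")
        elif not opts & INTERCEPT_MODES:
            problems.append(f"http_port {port} has no interception mode; Squid will not treat "
                            f"the diverted connections as intercepted traffic")
    # tproxy binds the client's address (SO_BINDANY); pf only accepts those replies via divert-reply.
    if any("tproxy" in o for o in listeners.values()) and "divert-reply" not in pf_text:
        problems.append("tproxy listener configured but pf.conf has no divert-reply rule")
    return problems
```

Run `check_intercept` against the real `/etc/pf.conf` and `squid.conf` after any edit to either file; an empty list means the divert target and the listener still agree.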
