I hate to admit this, but I am stumped by what quite clearly is such a
simple problem but I can't find the answer. I've seen many sites,
tutorials, guides but just cannot figure this one out...it's probably my
bad skills with PF but admittedly some of the things I've read are for
older versions of squid and what they have does not work anymore, so I'm
reaching out for a prod in the right direction.

OpenBSD 4.6, squid from the ports (up to date). The problem is, I want
all users to pass through the squid server before heading out for a)
caching reasons and b) to log all HTTP requests. I want it to be transparent
so nobody can get out of it, so I'm simply changing everyone's default
gateway to the proxy server in DHCP (rather than setting proxy settings
in Firefox etc). It must allow ALL traffic (SSH, SMTP, IMAP etc) and
essentially ignore that traffic, simply working as a web cache and
logger. Web traffic works fine, it goes through it, it logs it and cache
is working I guess but nothing else goes through it. SMTP, SSH, IMAP all
refuse to connect and I know it's something stupid but after searching
around I can't find an answer.

pf.conf
-----------
int_if="em0"
ext_if="em0"

set skip on lo

pass            # to establish keep-state

#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

# SQUID redirect
rdr on $int_if inet proto tcp from any port www to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any port www to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any port www to any port www keep state

squid.conf
------------
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl badwebsite url_regex "/etc/squid/squid-block.acl"
http_access deny badwebsite
acl localnet src 192.168.2.0/24 # RFC1918 possible internal network
acl localnet src 10.0.0.0/24
acl localnet src 10.1.0.0/24
acl localnet src 10.2.0.0/24
acl SSL_ports port 443
acl Safe_ports port 22          # SSH
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 993         # SSL/TLS imap
acl Safe_ports port 25          # smtp
acl CONNECT method CONNECT
http_access allow manager localhost
http_access allow localnet
http_access deny all
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_dir ufs /var/squid/cache 1024 16 256
access_log /var/squid/logs/access.log squid
log_fqdn on
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
acl shoutcast rep_header X-HTTP09-First-Line ^ICY.[0-9]
upgrade_http0.9 deny shoutcast
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname proxy.internaldomain.com
always_direct allow all
coredump_dir /var/squid/cache
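Since goal (b) is to keep a log of every HTTP request, here is an added example (not part of the original post) that parses Squid's native access.log format, the one selected by `access_log /var/squid/logs/access.log squid` above, and pulls out what a reviewer usually wants: per-client request counts, requests denied by an ACL such as the `badwebsite` url_regex, and the cache hit ratio. The log lines and the 203.0.113.x peer addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample lines in Squid's native access_log format:
# time elapsed client action/status bytes method url ident hier/peer type
SAMPLE_LOG = """\
1258000000.123    245 192.168.2.10 TCP_MISS/200 5432 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1258000001.456      0 192.168.2.11 TCP_DENIED/403 1234 GET http://blocked.example/ - NONE/- text/html
1258000002.789     12 192.168.2.10 TCP_HIT/200 8000 GET http://www.example.com/logo.png - NONE/- image/png
1258000003.000    500 192.168.2.12 TCP_MISS/200 0 CONNECT mail.example.net:993 - DIRECT/203.0.113.9 -
this line is garbage and must be skipped
"""

# One regex for the whole native line; hier/peer are split on the last slash.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)


def parse_line(line):
    """Return a dict for one native-format line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("elapsed", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Aggregate per-client counts, ACL-denied requests and the cache hit ratio."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    per_client = Counter(r["client"] for r in recs)
    denied = [(r["client"], r["url"]) for r in recs if r["action"].startswith("TCP_DENIED")]
    hits = sum(1 for r in recs if "HIT" in r["action"])
    ratio = hits / len(recs) if recs else 0.0
    return {"parsed": len(recs), "per_client": per_client, "denied": denied, "hit_ratio": ratio}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed {s['parsed']} lines, hit ratio {s['hit_ratio']:.2f}")
    for client, url in s["denied"]:
        print(f"DENIED {client} -> {url}")
```

Run it against the real file with `summarize(open("/var/squid/logs/access.log").read())`; unparseable lines are skipped rather than aborting the run.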