2013-01-16 10:56, Daniel Hartmeier wrote:
On Wed, Jan 16, 2013 at 10:19:45AM +0100, Leslie Jensen wrote:

The squid access.log says tcp_miss which should mean that the
website has not replied.

The browser shows the squid access denied screen.

I cannot see any denied packets with tcpdump.

Commenting out the rdr rule gives direct access but I would like to
get the use of squid back again.

I would appreciate further suggestions because at the moment I'm stuck!

Standard debugging procedure, then:

On the firewall, run the following

   fw# tcpdump -nvpi bge0 host 172.18.0.1
   fw# tcpdump -nvpi xl0 tcp port 80
   fw# tcpdump -nvvveeepi pflog0

Then initiate a single connection attempt from the proxy, like with

   proxy# nc -v www.openbsd.org 80

and watch the output of the tcpdumps.

What do you expect to see?

   1) TCP SYN from 172.18.0.1 to 129.128.5.194:80 on bge0
   2) TCP SYN from $ext_if to 129.128.5.194:80 on xl0
   3) TCP SYN+ACK from 129.128.5.194:80 to $ext_if on xl0
   4) TCP SYN+ACK from 129.128.5.194:80 to 172.18.0.1 on bge0
   5) nothing on pflog0 (except 'pass' messages)

What do you see instead?

If you see block messages on pflog0, re-post your current ruleset.

Daniel


I did the above but there's too much traffic going through, it's a lot of Windows machines making too much noise.

If I remember correctly I used the example for transparent proxy from http://www.benzedrine.cx/transquid.html when I installed the machine.

I went back and used the suggested rules on that page.

Question: Should I use brackets on the variable proxyport?

Now I got "Invalid URL" from squid.

So I'll post my pf.conf

Thanks



---------------------------------------------

# macros
ext_if="xl0"
int_if="bge0"

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
# proxy_services = "{ 21, 80, 443, 1025:65535 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
# proxy = "127.0.0.1"
# ftp proxy port
ftpproxyport="8021"
proxyport="8080"
vncports="{ 5900, 5901 }"
torrentport="{ 50505 }"

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return     # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

# For ftp proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8080
# rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# Testing for VNC!
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
# rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
#           -> 172.18.0.160 port 5900

# redirect www traffic to proxy
# Test
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
# block in log all

block drop in log quick inet6 all

block drop out log quick inet6 all

block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

# Allow traffic through SQUID
# Test
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state

# pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state

# Test
#
pass out on $ext_if inet proto tcp from any to any port www keep state
#
pass out log keep state

# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"

# Let the goodguys access the machine from the outside
pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state

# Torrent traffic on torrent_port
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $torrentport

# We need this for the rdr to VNC (change of port number)
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#
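The five-step check Daniel lays out above can be applied mechanically to the three captures, which helps when the interfaces are noisy. This is an added example, not part of the thread: it parses constructed tcpdump-style lines (OpenBSD "S" / "S." flag notation), uses 10.0.0.2 as a placeholder for the $ext_if address, and reports the first expected observation that is missing.

```python
import re

# Constructed sample capture lines (OpenBSD tcpdump -n style); they are not
# output from the poster's firewall.  10.0.0.2 stands in for $ext_if.
CAPTURES = {
    "bge0": [
        "10:58:01.000001 172.18.0.1.40123 > 129.128.5.194.80: S 1:1(0) win 16384",
        "10:58:01.000200 172.18.0.200.1200 > 172.18.0.255.137: udp 50",  # LAN noise
    ],
    "xl0": [
        "10:58:01.000300 10.0.0.2.40123 > 129.128.5.194.80: S 1:1(0) win 16384",
        "10:58:01.040000 129.128.5.194.80 > 10.0.0.2.40123: S. 2:2(0) ack 2 win 5840",
    ],
    "pflog0": [
        "10:58:01.000100 rule 5/(match) pass in on bge0: 172.18.0.1.40123 > 129.128.5.194.80: S 1:1(0) win 16384",
    ],
}

# src.port > dst.port: FLAGS  -- only SYN ("S") and SYN+ACK ("S.") are of interest
PKT = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (S\.|S) ")

def tcp_syns(lines):
    """Yield (src, dst, dport, flags) for every SYN / SYN+ACK line."""
    for line in lines:
        m = PKT.search(line)
        if m:
            yield m.group(1), m.group(3), int(m.group(4)), m.group(5)

def check_steps(captures, proxy, ext_ip, target, port=80):
    """Return ({step: seen}, pflog block lines) for the five expected observations."""
    bge0 = list(tcp_syns(captures.get("bge0", [])))
    xl0 = list(tcp_syns(captures.get("xl0", [])))
    seen = {
        1: (proxy, target, port, "S") in bge0,                                   # SYN in on int_if
        2: (ext_ip, target, port, "S") in xl0,                                   # SYN out, NATed
        3: any(s == target and d == ext_ip and f == "S." for s, d, _, f in xl0),  # SYN+ACK back
        4: any(s == target and d == proxy and f == "S." for s, d, _, f in bge0),  # un-NATed reply
    }
    blocks = [l for l in captures.get("pflog0", []) if " block " in l]
    seen[5] = not blocks                                                         # nothing blocked
    return seen, blocks

def first_failure(seen):
    """Lowest step number that was not observed, or None if all five held."""
    return next((n for n in sorted(seen) if not seen[n]), None)
```

In the constructed data the SYN+ACK reaches xl0 but never shows up on bge0, so the first failure is step 4; with real captures, swap in the proxy, $ext_if and target addresses from your own setup.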
