Re: [FUG-BR] WARNING: transparent proxying not supported

2011-12-05 Por tôpico Wesley Miranda 
Rodrigo,

Eu colocaria o squid-2.7.STABLE, tiraria as regras do ipfw, implementaria o
NAT no PF e redir do squid tbm no pf.

Nunca me dei bem com squid3

Em 2 de dezembro de 2011 17:16, Rodrigo Calado <
rodrigocal...@rodrigocalado.com.br> escreveu:
-
Histórico: http://www.fug.com.br/historico/html/freebsd/
Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd

Re: [FUG-BR] WARNING: transparent proxying not supported

2011-12-05 Por tôpico Rodrigo Calado 
Ciro,
Hoje uso assim:

#!/bin/sh

#Variaveis

_ipfw=$(which ipfw)
_net="192.168.0.0/24"
_indev="xl0"

#Deleta todas as regras

$_ipfw -f flush

## Lista de IP's que n??o passam pelo Squid
$_ipfw table 15 flush
   
# Inicializa o natd

$_ipfw -q add 50 divert natd all from any to any via $_indev

$_ipfw -q add 51 skipto 6 ip from table\(15\) to any

#Liberacao de regras para o Conectividade Social.

$_ipfw -q add 60 skipto 6 ip from $_net to 200.201.160.0/20
$_ipfw -q add 61 skipto 6 ip from $_net to 200.201.166.0/24
$_ipfw -q add 62 skipto 6 ip from $_net to 200.201.173.0/24
$_ipfw -q add 63 skipto 6 ip from $_net to 200.201.174.0/24
$_ipfw -q add 64 divert 8668 ip from any to any via $_indev

#As regras neste bloco sao oaplicadas ao SQUID (Proxy Transparente).

$_ipfw -q add 100 allow tcp from me to any 80
$_ipfw -q add 101 fwd 127.0.0.1,3128 tcp from any to any 80


Em 03/12/2011, às 00:54, Ciro Cardoso de Meneses escreveu:

> tenta usar seu firewall assim:
> #===
> 
> if_in=xl1
> if_out=xl0
> minharede=192.168.0.0/24
> 
> 00060 skipto 6 ip from  $minharede to
> 200.201.160.0/20
> 00061 skipto 6 ip from $minharede to
> 200.201.166.0/24
> 00062 skipto 6 ip from $minharede to 200.201.173.0/24
> 00063 skipto 6 ip from $minharede to 200.201.174.0/24
> 
> 00100 allow tcp from me to any dst-port 80 via $if_out
> 
> 00101 fwd 127.0.0.1,3128 tcp from $minharede to any dst-port 80 in via
> $if_in
> 
> 6 divert 8668 ip from $minharede to any out via $if_out
> 60001 divert 8668 ip from any to me in via $if_out
> 
> 65535 allow ip from any to any
> 
> #=
> 
> 
> Em 2 de dezembro de 2011 17:16, Rodrigo Calado <
> rodrigocal...@rodrigocalado.com.br> escreveu:
> 
>> Olá,
>>   Já li diversos fóruns, fiz os ajustes coerentes e a mensagem
>> continua. Vejam os arquivos de configuração:
>> 
>> rc.conf
>> 
>> defaultrouter="186.215.69.177"
>> gateway_enable="YES"
>> hostname="fw.gransig.grancursos.com.br"
>> ifconfig_xl0="inet 186.215.69.182 netmask 255.255.255.248"
>> ifconfig_xl1="inet 192.168.0.254 netmask 255.255.255.0"
>> 
>> natd.conf
>> 
>> interface xl0
>> dynamic yes
>> use_sockets yes
>> same_ports yes
>> 
>> ipfw
>> 
>> 00050 divert 8668 ip from any to any via xl0
>> 00051 skipto 6 ip from table(15) to any
>> 00060 skipto 6 ip from 192.168.0.0/24 to 200.201.160.0/20
>> 00061 skipto 6 ip from 192.168.0.0/24 to 200.201.166.0/24
>> 00062 skipto 6 ip from 192.168.0.0/24 to 200.201.173.0/24
>> 00063 skipto 6 ip from 192.168.0.0/24 to 200.201.174.0/24
>> 00064 divert 8668 ip from any to any via xl0
>> 00100 allow tcp from me to any dst-port 80
>> 00101 fwd 127.0.0.1,3128 tcp from any to any dst-port 80
>> 65535 allow ip from any to any
>> 
>> squid.conf
>> 
>> http_port 127.0.0.1:3128 transparent
>> hierarchy_stoplist cgi-bin ?
>> acl QUERY urlpath_regex cgi-bin \?
>> no_cache deny QUERY
>> acl SWF urlpath_regex swf
>> no_cache deny SWF
>> cache_mem 100 MB
>> cache_swap_low 90
>> cache_swap_high 95
>> maximum_object_size 512 KB
>> logfile_rotate 3
>> cache_dir ufs /usr/local/squid/cache 2000 16 256
>> cache_access_log /usr/local/squid/logs/access.log
>> cache_log /usr/local/squid/logs/cache.log
>> cache_store_log /usr/local/squid/logs/store.log
>> dns_nameservers 8.8.8.8 8.8.4.4
>> hosts_file /etc/hosts
>> auth_param basic children 5
>> auth_param basic realm Squid proxy-caching web server
>> auth_param basic credentialsttl 2 hours
>> auth_param basic casesensitive off
>> refresh_pattern ^ftp:   144020% 10080
>> refresh_pattern ^gopher:14400%  1440
>> refresh_pattern .   0   20% 4320
>> cache_mgr webmas...@grancursos.com.br
>> cache_effective_user squid
>> cache_effective_group squid
>> visible_hostname fw.gransig.grancursos.com.br
>> error_directory /usr/local/etc/squid/errors/Portuguese
>> coredump_dir /usr/local/squid/cache
>> 
>> #ACLS Gerais
>> 
>> acl all src 0.0.0.0/0.0.0.0
>> acl manager proto cache_object
>> acl localhost src 127.0.0.1
>> acl to_localhost dst 127.0.0.0/8
>> acl SSL_ports port 443 563
>> acl Safe_ports port 80  # http
>> acl Safe_ports port 21  # ftp
>> acl Safe_ports port 443 563 # https, snews
>> acl Safe_ports port 70  # gopher
>> acl Safe_ports port 210 # wais
>> acl Safe_ports port 1025-65535  # unregistered ports
>> acl Safe_ports port 280 # http-mgmt
>> acl Safe_ports port 488 # gss-http
>> acl Safe_ports port 591 # filemaker
>> acl Safe_ports port 777 # multiling http
>> acl CONNECT method CONNECT
>> 
>> #>ACLS de Controle<<
>> 
>> acl rede src 192.168.0.0/24 #Rede
>> 
>> acl liberados url_regex -i "/usr/local/squid/web/liberados.sites"
>> 
>> acl administrativo src "/usr/local/squid/web/administrativo"
>> acl diretoria src "/usr/local/squid/web/diret

Re: [FUG-BR] WARNING: transparent proxying not supported

2011-12-02 Por tôpico Ciro Cardoso de Meneses 
tenta usar seu firewall assim:
#===

if_in=xl1
if_out=xl0
minharede=192.168.0.0/24

00060 skipto 6 ip from  $minharede to
200.201.160.0/20
00061 skipto 6 ip from $minharede to
200.201.166.0/24
00062 skipto 6 ip from $minharede to 200.201.173.0/24
00063 skipto 6 ip from $minharede to 200.201.174.0/24

00100 allow tcp from me to any dst-port 80 via $if_out

00101 fwd 127.0.0.1,3128 tcp from $minharede to any dst-port 80 in via
$if_in

6 divert 8668 ip from $minharede to any out via $if_out
60001 divert 8668 ip from any to me in via $if_out

65535 allow ip from any to any

#=


Em 2 de dezembro de 2011 17:16, Rodrigo Calado <
rodrigocal...@rodrigocalado.com.br> escreveu:

> Olá,
>Já li diversos fóruns, fiz os ajustes coerentes e a mensagem
> continua. Vejam os arquivos de configuração:
>
> rc.conf
>
> defaultrouter="186.215.69.177"
> gateway_enable="YES"
> hostname="fw.gransig.grancursos.com.br"
> ifconfig_xl0="inet 186.215.69.182 netmask 255.255.255.248"
> ifconfig_xl1="inet 192.168.0.254 netmask 255.255.255.0"
>
> natd.conf
>
> interface xl0
> dynamic yes
> use_sockets yes
> same_ports yes
>
> ipfw
>
> 00050 divert 8668 ip from any to any via xl0
> 00051 skipto 6 ip from table(15) to any
> 00060 skipto 6 ip from 192.168.0.0/24 to 200.201.160.0/20
> 00061 skipto 6 ip from 192.168.0.0/24 to 200.201.166.0/24
> 00062 skipto 6 ip from 192.168.0.0/24 to 200.201.173.0/24
> 00063 skipto 6 ip from 192.168.0.0/24 to 200.201.174.0/24
> 00064 divert 8668 ip from any to any via xl0
> 00100 allow tcp from me to any dst-port 80
> 00101 fwd 127.0.0.1,3128 tcp from any to any dst-port 80
> 65535 allow ip from any to any
>
> squid.conf
>
> http_port 127.0.0.1:3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> acl SWF urlpath_regex swf
> no_cache deny SWF
> cache_mem 100 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 512 KB
> logfile_rotate 3
> cache_dir ufs /usr/local/squid/cache 2000 16 256
> cache_access_log /usr/local/squid/logs/access.log
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log /usr/local/squid/logs/store.log
> dns_nameservers 8.8.8.8 8.8.4.4
> hosts_file /etc/hosts
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp:   144020% 10080
> refresh_pattern ^gopher:14400%  1440
> refresh_pattern .   0   20% 4320
> cache_mgr webmas...@grancursos.com.br
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname fw.gransig.grancursos.com.br
> error_directory /usr/local/etc/squid/errors/Portuguese
> coredump_dir /usr/local/squid/cache
>
> #ACLS Gerais
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #>ACLS de Controle<<
>
> acl rede src 192.168.0.0/24 #Rede
>
> acl liberados url_regex -i "/usr/local/squid/web/liberados.sites"
>
> acl administrativo src "/usr/local/squid/web/administrativo"
> acl diretoria src "/usr/local/squid/web/diretoria.txt"
> acl term_consulta src  "/usr/local/squid/web/term_consulta.txt"
> acl consulta_portal url_regex -i
>  "/usr/local/squid/web/consulta_portal.txt"
>
> # Novas regras acl adicionadas by ROD_NOKEY.
>
> acl spyware url_regex -i "/usr/local/squid/web/spyware.txt" # Lista com
> dom?nios de spyware.
> acl chat url_regex -i "/usr/local/squid/web/chat.txt" # Lista com dom?nios
> de chat.
> acl redirector url_regex -i "/usr/local/squid/web/redirector.txt" # Lista
> com dom?nios de sites que funcionam como browser.
> acl violence url_regex -i "/usr/local/squid/web/violence.txt" # Lista com
> dom?nios de viol?ncia.
> acl warez url_regex -i "/usr/local/squid/web/warez.txt" # Lista com
> dom?nios de warez, torrents e upfiles.
> acl webtv url_regex -i "/usr/local/squid/web/webtv.txt" # Lista com
> dom?nios de webtv.
> acl msn url_regex -i "/usr/local/squid/web/msn.txt" # Lista para bloquear
> MSN apenas.
>
>
> # Bloqueio de ICQ
> acl bloq_icq req_mime_type -i ^application/x-Icq$
>
> #>>Diretivas http_accesss Padrao<<
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_acce

Re: [FUG-BR] WARNING: transparent proxying not supported

2011-12-02 Por tôpico Bruno Farias 
Se voce nos passasse a "mensagem", ficaria um pouco mais fácil..

Em 2 de dezembro de 2011 18:16, Rodrigo Calado <
rodrigocal...@rodrigocalado.com.br> escreveu:

> Olá,
>Já li diversos fóruns, fiz os ajustes coerentes e a mensagem
> continua. Vejam os arquivos de configuração:
>
> rc.conf
>
> defaultrouter="186.215.69.177"
> gateway_enable="YES"
> hostname="fw.gransig.grancursos.com.br"
> ifconfig_xl0="inet 186.215.69.182 netmask 255.255.255.248"
> ifconfig_xl1="inet 192.168.0.254 netmask 255.255.255.0"
>
> natd.conf
>
> interface xl0
> dynamic yes
> use_sockets yes
> same_ports yes
>
> ipfw
>
> 00050 divert 8668 ip from any to any via xl0
> 00051 skipto 6 ip from table(15) to any
> 00060 skipto 6 ip from 192.168.0.0/24 to 200.201.160.0/20
> 00061 skipto 6 ip from 192.168.0.0/24 to 200.201.166.0/24
> 00062 skipto 6 ip from 192.168.0.0/24 to 200.201.173.0/24
> 00063 skipto 6 ip from 192.168.0.0/24 to 200.201.174.0/24
> 00064 divert 8668 ip from any to any via xl0
> 00100 allow tcp from me to any dst-port 80
> 00101 fwd 127.0.0.1,3128 tcp from any to any dst-port 80
> 65535 allow ip from any to any
>
> squid.conf
>
> http_port 127.0.0.1:3128 transparent
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
> acl SWF urlpath_regex swf
> no_cache deny SWF
> cache_mem 100 MB
> cache_swap_low 90
> cache_swap_high 95
> maximum_object_size 512 KB
> logfile_rotate 3
> cache_dir ufs /usr/local/squid/cache 2000 16 256
> cache_access_log /usr/local/squid/logs/access.log
> cache_log /usr/local/squid/logs/cache.log
> cache_store_log /usr/local/squid/logs/store.log
> dns_nameservers 8.8.8.8 8.8.4.4
> hosts_file /etc/hosts
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> auth_param basic casesensitive off
> refresh_pattern ^ftp:   144020% 10080
> refresh_pattern ^gopher:14400%  1440
> refresh_pattern .   0   20% 4320
> cache_mgr webmas...@grancursos.com.br
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname fw.gransig.grancursos.com.br
> error_directory /usr/local/etc/squid/errors/Portuguese
> coredump_dir /usr/local/squid/cache
>
> #ACLS Gerais
>
> acl all src 0.0.0.0/0.0.0.0
> acl manager proto cache_object
> acl localhost src 127.0.0.1
> acl to_localhost dst 127.0.0.0/8
> acl SSL_ports port 443 563
> acl Safe_ports port 80  # http
> acl Safe_ports port 21  # ftp
> acl Safe_ports port 443 563 # https, snews
> acl Safe_ports port 70  # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl CONNECT method CONNECT
>
> #>ACLS de Controle<<
>
> acl rede src 192.168.0.0/24 #Rede
>
> acl liberados url_regex -i "/usr/local/squid/web/liberados.sites"
>
> acl administrativo src "/usr/local/squid/web/administrativo"
> acl diretoria src "/usr/local/squid/web/diretoria.txt"
> acl term_consulta src  "/usr/local/squid/web/term_consulta.txt"
> acl consulta_portal url_regex -i
>  "/usr/local/squid/web/consulta_portal.txt"
>
> # Novas regras acl adicionadas by ROD_NOKEY.
>
> acl spyware url_regex -i "/usr/local/squid/web/spyware.txt" # Lista com
> dom?nios de spyware.
> acl chat url_regex -i "/usr/local/squid/web/chat.txt" # Lista com dom?nios
> de chat.
> acl redirector url_regex -i "/usr/local/squid/web/redirector.txt" # Lista
> com dom?nios de sites que funcionam como browser.
> acl violence url_regex -i "/usr/local/squid/web/violence.txt" # Lista com
> dom?nios de viol?ncia.
> acl warez url_regex -i "/usr/local/squid/web/warez.txt" # Lista com
> dom?nios de warez, torrents e upfiles.
> acl webtv url_regex -i "/usr/local/squid/web/webtv.txt" # Lista com
> dom?nios de webtv.
> acl msn url_regex -i "/usr/local/squid/web/msn.txt" # Lista para bloquear
> MSN apenas.
>
>
> # Bloqueio de ICQ
> acl bloq_icq req_mime_type -i ^application/x-Icq$
>
> #>>Diretivas http_accesss Padrao<<
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_reply_access allow all
> icp_access allow all
>
>
> #>Diretivas http_access Customizadas<<
>
> # A regra abaixo est? bloqueando todas as listas de dom?nios das regras acl
> # e retirando os IP's da secretaria e do call center da rede
> 192.168.0.0/24.
>
> http_access allow !administrativo !chat !spyware !redirector !violence
> !warez !bloq_icq !term_consulta rede
>
> http_access allow administrativo liberados
>
> http_access allow term_consulta consulta_portal
>
> http_access allow all diretoria
>
> http_access deny all
>
> Compilação
>
> # This file is auto-generated by 'm