Re: pf + squid
On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> I am following this howto:
> http://www.benzedrine.cx/transquid.html
>
> I added pf and pflog to my kernel. After rebooting I did chgrp squid
> /dev/pf and chmod g+rw /dev/pf. I also restarted squid several times.
> When I try to access a remote web server it times out. I'm not
> getting any errors in /var/log/pflog or /var/log/messages.
>
> My config files look like this:
>
> > cat /etc/pf.conf |grep -v ^#
>
> ext_if="dc0"    # replace with actual external interface name i.e., dc0
> int_if="dc1"    # replace with actual internal interface name i.e., dc1
> internal_net="10.0.0.1/8"
> external_addr="24.159.59.97"
>
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
> > cat /usr/local/etc/squid/squid.conf |grep -v ^#
> acl all src 0.0.0.0/0.0.0.0
> acl our_networks src 10.0.0.0/8
> acl to_localhost dst 127.0.0.0/8
> http_port 127.0.0.1:3128
> http_access deny to_localhost
> http_access allow our_networks
> visible_hostname gateway.localdomain
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I am using ipfw to create my NAT, I don't know if that matters, but
> here are my config files for that as well:
>
> > cat /etc/rc.firewall |grep -v ^#
>
> ipfw -f flush
>
> ipfw pipe 10 config bw 12KBytes/s
> ipfw add 50 pipe 10 ip from 10.0.0.2 to any via dc1
>
> ipfw pipe 11 config bw 24KBytes/s
> ipfw add 51 pipe 11 ip from 10.0.0.3 to any via dc1
>
> ipfw pipe 12 config bw 12KBytes/s
> ipfw add 52 pipe 12 ip from 10.0.0.4 to any via dc1
> ipfw pipe 13 config bw 64KBytes/s
> ipfw add 53 pipe 13 ip from any to 10.0.0.4 via dc1
>
> ipfw add 200 pass all from any to any via lo0
> ipfw add 201 deny ip from any to 127.0.0.0/8
>
> ipfw add 500 divert natd all from any to any via dc0
>
> > cat /etc/natd.conf |grep -v ^#
> interface dc0
> dynamic
> use_sockets
> unregistered_only
> punch_fw 2000:50
> redirect_port tcp 10.0.0.2:20-21 20-21
> redirect_port tcp 10.0.0.2:22 22
> redirect_port tcp 10.0.0.2:80 80
> redirect_port tcp 10.0.0.2:113 113
>
> redirect_port tcp 10.0.0.2:
> redirect_port tcp 10.0.0.2:2010-2020 2010-2020
>
> Any ideas? TIA.
>
> --
> Greg Donald
> Zend Certified Engineer
> http://destiney.com/
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>

Why are you using IPFW and PF?

--
-Tomas Quintero
Re: pf + squid
On 5/18/05, Tomas Quintero <[EMAIL PROTECTED]> wrote:
> Why are you using IPFW and PF?

I assume from your question that I should not. And I guess the answer
is because I didn't know any better.

So to use pf I have to stop using ipfw? And I have to convert my ipfw
stuff to pf?

Guess I better go ahead and ask now, is it ok to use natd with pf?

Thanks,

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
Re: pf + squid
> Guess I better go ahead and ask now, is it ok to use natd with pf?

PF does NAT for you, in one line. I hope you're not using natd, ipfw,
and pf ><

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Read it, choose one. I use PF myself.

--
-Tomas Quintero
Re: pf + squid
On 5/18/05, Tomas Quintero <[EMAIL PROTECTED]> wrote:
> I use PF myself.

I've disabled my ipfw and natd stuff in rc.conf. Trying only with pf
now. I'm still having problems getting this to work. Most sites I go
to fail to load, google.com for example. Other sites, the HTML loads
but not the images, slashdot.org for example.

See anything wrong with my conf files?

squid.conf:

acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8
http_port 127.0.0.1:3128
http_access deny to_localhost
http_access allow our_networks
visible_hostname gateway.localdomain
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

pf.conf:

ext_if="dc0"
int_if="dc1"
internal_net="10.0.0.0/8"
external_addr="24.159.59.97"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

my pf settings from rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"

With these settings I have no NAT and most of the sites I try I can't
reach; it acts like I'm trying to access a broken DNS server or
something. I have a local DNS server 10.0.0.2 that works fine with my
old ipfw setup. I read in the pf docs that gateway_enable="YES"
activates a pf NAT or something to that effect. Is there more to do?
Seems I have _something_ working, but it's not working 100% yet.

Or better yet, does anyone have a transparent proxy setup they might
share their conf files from with me? I'll do the diff :)

Thanks,

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
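A pf.conf that carries the NAT, the natd port forwards and the transparent squid redirect in one ruleset, added here as an example; it is not from the thread or from the benzedrine howto. The interface names, the internal network, the forwarded ports and the squid listener are taken from Greg's files; the DMZ host name, the blanket LAN pass rule and the loopback rule are assumptions about his setup.

```pf
# Added example, not from the thread: pf.conf for a FreeBSD gateway that
# NATs 10.0.0.0/8 out of dc0 and hands LAN port-80 traffic to a local squid.
ext_if="dc0"
int_if="dc1"
internal_net="10.0.0.0/8"   # 10.0.0.1/8 (first pf.conf) names a host, not a network
squid_port="3128"
dmz_host="10.0.0.2"         # assumed: the box natd forwarded ports to

# Translation (nat/rdr) rules must precede filter rules in this pf version.
# This single line replaces natd: masquerade the LAN behind dc0's current address.
nat on $ext_if inet from $internal_net to any -> ($ext_if)

# The natd redirect_port entries become rdr rules on the external interface;
# with no target port given, pf keeps the original destination port.
rdr on $ext_if inet proto tcp from any to ($ext_if) port { 20, 21, 22, 80, 113 } -> $dmz_host
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2010:2020 -> $dmz_host

# Transparent proxy: web requests arriving from the LAN are rewritten to squid.
# squid's own fetches leave via dc0, so they never hit this rule.
rdr on $int_if inet proto tcp from $internal_net to any port www -> 127.0.0.1 port $squid_port

# Filter rules: pf evaluates these against the post-rdr destination, which is
# why the squid rule matches 127.0.0.1 and not the original web server.
block in log all
pass quick on lo0 all

pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port $squid_port keep state
# assumed policy: let the LAN reach everything else (DNS on 10.0.0.2 included)
pass in on $int_if inet proto { tcp, udp } from $internal_net to any keep state

# Forwarded services on the DMZ host, matched post-rdr on the external side.
pass in on $ext_if inet proto tcp from any to $dmz_host port { 20, 21, 22, 80, 113, 2010:2020 } keep state

pass out on $ext_if inet proto tcp from any to any port www keep state   # squid's fetches
pass out on $ext_if inet from any to any keep state                      # NATed LAN traffic

# Not reproduced: the ipfw dummynet pipes (per-host bandwidth caps). pf's
# equivalent is ALTQ, which needs its own kernel options and queue rules.
```

gateway_enable="YES" only sets net.inet.ip.forwarding=1 so the box forwards packets at all; the NAT comes from the nat rule, not from rc.conf. The squid.conf from the thread needs no change for this ruleset, but squid must be built with pf transparent support, as Greg later found.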
Re: pf + squid
On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> I'm still having problems getting this to work.

I think I found my issue. When I first installed squid I picked the
wrong option for use with pf. I should have picked the
--enable-pf-transparent in the dialogue box. I'm pretty sure I picked
ipf or something like that.

But now I can't seem to make it ask me which option I want again. I
did make deinstall and make clean but when I go to do make install
again it doesn't ask me for any options choices. I even removed it
from /usr/ports, updated my ports collection to get it back and still
it doesn't ask me anything before beginning to compile.

Any clues?

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
Re: pf + squid
Greg Donald wrote:
> On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> > I'm still having problems getting this to work.
>
> I think I found my issue. When I first installed squid I picked the
> wrong option for use with pf. I should have picked the
> --enable-pf-transparent in the dialogue box. I'm pretty sure I picked
> ipf or something like that.
>
> But now I can't seem to make it ask me which option I want again. I
> did make deinstall and make clean but when I go to do make install
> again it doesn't ask me for any options choices. I even removed it
> from /usr/ports, updated my ports collection to get it back and still
> it doesn't ask me anything before beginning to compile.
>
> Any clues?

Delete /var/db/ports/squid/options. I think there is a make target in
the port as well. Try man ports.

--Alex

--
Phone: +44 131 468 2422
Email: [EMAIL PROTECTED]