Re: ipfw fwd for transparent proxy (squid) - but, not on loopback
On Mon, Sep 13, 2010 at 11:53 AM, Nathan Vidican wrote:
> Hey all - I've been trying to implement a transparent proxy for all outgoing
> traffic to port 80 to forward to a proxy server. The problem is that the
> proxy itself resides on a different host than the forward rule does. Has
> anyone done something similar? Ideally I'd like to implement with ipfw, but
> not opposed to other suggestions?
>
> Internet -> firewall/gateway -> proxy server -> LAN/clients
>
> Where the firewall/gateway is the central router for multiple networks,
> including the public subnet which 'proxy server' gets its external IP for.
> So ideally I would like something along the lines of this (assuming the proxy
> server is running on 10.1.1.12:3128):
>
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.2.0/24 to any 80 via 10.1.2.254
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.3.0/24 to any 80 via 10.1.3.254
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.1.0/26 to any 80 via 10.1.1.1
>
> I have tried the identical rules to above using 127.0.0.1,3128 - of course
> starting up squid on the gateway machine too... the problem is that machine
> simply doesn't have the resources and I'd prefer to run squid on a different
> host.
>
> Any suggestions or referrals to RTFM somewhere would be greatly appreciated.
> Thanks.
>
> --
> Nathan Vidican
> nat...@vidican.com

Go figure, five minutes after posting I found what I needed in squid's documentation. FYI in case anyone comes across this thread, what I had been doing wrong was 'http_port 3128 transparent' should have been 'http_port 3128 intercept' instead. See this link for more details:

http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw

--
Nathan Vidican
nat...@vidican.com

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
ipfw fwd for transparent proxy (squid) - but, not on loopback
Hey all - I've been trying to implement a transparent proxy for all outgoing traffic to port 80 to forward to a proxy server. The problem is that the proxy itself resides on a different host than the forward rule does. Has anyone done something similar? Ideally I'd like to implement with ipfw, but not opposed to other suggestions?

Internet -> firewall/gateway -> proxy server -> LAN/clients

Where the firewall/gateway is the central router for multiple networks, including the public subnet which 'proxy server' gets its external IP for. So ideally I would like something along the lines of this (assuming the proxy server is running on 10.1.1.12:3128):

ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.2.0/24 to any 80 via 10.1.2.254
ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.3.0/24 to any 80 via 10.1.3.254
ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.1.0/26 to any 80 via 10.1.1.1

I have tried the identical rules to above using 127.0.0.1,3128 - of course starting up squid on the gateway machine too... the problem is that machine simply doesn't have the resources and I'd prefer to run squid on a different host.

Any suggestions or referrals to RTFM somewhere would be greatly appreciated. Thanks.

--
Nathan Vidican
nat...@vidican.com
Re: Transparent proxy using IPFW
Hello,

> 2009/11/30
>
>> Dear All,
>>
>> Is it possible to do like my requirement below?
>>
>> 1. Setup portfwd in my server listen on port 555 and forward all
>> connection through this port to another server with same port or
>> different port
>> 2. All client which connected through this port, then remote server
>> which landed to the end can see the client's IP.
>>
>> example:
>>
>> Client IP: 202.15.15.16
>> FreeBSD IP: 202.16.17.18 listen on port 555
>> Remote Server IP: 202.89.89.90
>>
>> Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward
>> it to 202.89.89.90 with same port or different port. Server with IP
>> 202.89.89.90 can see Client's IP 202.15.15.16.
>>
>> I am using FreeBSD 7.2-stable.
>>
>> Thank you
>>
>> Kalpin Erlangga Silaen
>
> you can but you will need to do some natting otherwise the return traffic
> will go direct to host a from c and not via your box host b
>
> or you could use nc via inetd
>
> eg
>
> some_service stream tcp nowait root /usr/local/bin/nc nc -n -w 3 hostC port_on_hostc

I tried installing rinetd, but it looks like the IP comes from the server, not the client's IP. Also, I tried portfwd, and portfwd needs transparent proxy in the kernel. How do I enable this?

Need your advice.

Regards,
Kalpin Erlangga Silaen
Re: Transparent proxy using IPFW
2009/11/30

> Dear All,
>
> Is it possible to do like my requirement below?
>
> 1. Setup portfwd in my server listen on port 555 and forward all
> connection through this port to another server with same port or different
> port
> 2. All client which connected through this port, then remote server which
> landed to the end can see the client's IP.
>
> example:
>
> Client IP: 202.15.15.16
> FreeBSD IP: 202.16.17.18 listen on port 555
> Remote Server IP: 202.89.89.90
>
> Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward it
> to 202.89.89.90 with same port or different port. Server with IP
> 202.89.89.90 can see Client's IP 202.15.15.16.
>
> I am using FreeBSD 7.2-stable.
>
> Thank you
>
> Kalpin Erlangga Silaen

you can but you will need to do some natting otherwise the return traffic will go direct to host a from c and not via your box host b

or you could use nc via inetd

eg

some_service stream tcp nowait root /usr/local/bin/nc nc -n -w 3 hostC port_on_hostc
Transparent proxy using IPFW
Dear All,

Is it possible to do like my requirement below?

1. Setup portfwd in my server listen on port 555 and forward all connection through this port to another server with same port or different port
2. All client which connected through this port, then remote server which landed to the end can see the client's IP.

example:

Client IP: 202.15.15.16
FreeBSD IP: 202.16.17.18 listen on port 555
Remote Server IP: 202.89.89.90

Client IP connect to 202.16.17.18 on port 555, and then FreeBSD forward it to 202.89.89.90 with same port or different port. Server with IP 202.89.89.90 can see Client's IP 202.15.15.16.

I am using FreeBSD 7.2-stable.

Thank you

Kalpin Erlangga Silaen
Re: Transparent Proxy with IPFW + Squid 2.7
Ott Köstner wrote:
> Cagri Ersen wrote:
>> I want to configure a transparent proxy with IPFW and Squid. I enabled
>> IPFW on a FreeBSD 7.0 and also installed squid 2.7
>
> I am running such a setup, but with pf. Works fine. Maybe it helps.

Oh, before compiling Squid, in the Squid port directory:

# make config
    [X] SQUID_IPFW  Enable transparent proxying with IPFW
    [X] SQUID_PF    Enable transparent proxying with PF

> pf rule I am using:
>
> demo="dc0"
> rdr on $demo proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> Squid config file:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128 transparent
>
> Greetings,
> O.K.

--
Testi oma Interneti kiirust / Test Your Internet speed: http://speedtest.zzz.ee/
Re: Transparent Proxy with IPFW + Squid 2.7
Cagri Ersen wrote:
> I want to configure a transparent proxy with IPFW and Squid. I enabled
> IPFW on a FreeBSD 7.0 and also installed squid 2.7

I am running such a setup, but with pf. Works fine. Maybe it helps.

pf rule I am using:

demo="dc0"
rdr on $demo proto tcp from any to any port 80 -> 127.0.0.1 port 3128

Squid config file:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128 transparent

Greetings,
O.K.

--
Testi oma Interneti kiirust / Test Your Internet speed: http://speedtest.zzz.ee/
Re: Transparent Proxy with IPFW + Squid 2.7
On Nov 23, 2008, at 2:30 PM, Cagri Ersen wrote:
> Hi there,
>
> I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also installed squid 2.7.
>
> This is the content of my squid.conf:
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl all src all
> acl localnet src 192.168.12.0/24
> acl SSL_ports port 443
> acl Safe_ports port 80          # http
> acl Safe_ports port 21          # ftp
> acl Safe_ports port 443         # https
> acl Safe_ports port 70          # gopher
> acl Safe_ports port 210         # wais
> acl Safe_ports port 1025-65535  # unregistered ports
> acl Safe_ports port 280         # http-mgmt
> acl Safe_ports port 488         # gss-http
> acl Safe_ports port 591         # filemaker
> acl Safe_ports port 777         # multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> icp_access allow localnet
> icp_access deny all
> http_port 3128 transparent
> hierarchy_stoplist cgi-bin ?
> access_log /usr/local/squid/logs/access.log squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern (cgi-bin|\?)    0       0%      0
> refresh_pattern .               0       20%     4320
> icp_port 3130
> coredump_dir /usr/local/squid/cache
>
> And these are the base IPFW rules:
>
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
> $cmd 02000 allow $log all from any to any
>
> As you can see, all packets whose destination port is 80 are forwarded to squid's port (3128). With this configuration everything seems to work fine. However, if I deny all traffic on the last rule and then open the desired ports or connections one by one, then squid doesn't work. Sample base denying rule set like this:
>
> $cmd 00010 allow all from any to any via lo0
> $cmd 00015 check-state
> $cmd 00020 allow tcp from any to any established
> $cmd 00021 deny all from any to any frag in via $adslif
> $cmd 00025 allow all from me to any keep-state
> $cmd 00050 allow tcp from "table()" to any keep-state
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
> $cmd 00600 allow all from $lan to any 53
> $cmd 00602 allow udp from any 53 to any out via $lanif
> $cmd 00603 allow udp from any 53 to any in via $adslif
> $cmd 01500 allow all from $lan to any 443,25,110 keep-state
> $cmd 02000 deny $log all from any to any
>
> As I said, if I run IPFW with these rules, my client can't surf the internet. And also I didn't see anything about denying in the ipfw log file. Also there is no activity in the squid log files. I think the forwarding rule didn't work with that conf. So please can somebody tell me what's wrong in this situation?
>
> Thanks in advance for your help.
>
> --
> Cagri Ersen

Don't you need a rule to allow connections to port 80?
Transparent Proxy with IPFW + Squid 2.7
Hi there,

I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also installed squid 2.7.

This is the content of my squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl all src all
acl localnet src 192.168.12.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /usr/local/squid/cache

And these are the base IPFW rules:

$cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
$cmd 02000 allow $log all from any to any

As you can see, all packets whose destination port is 80 are forwarded to squid's port (3128). With this configuration everything seems to work fine. However, if I deny all traffic on the last rule and then open the desired ports or connections one by one, then squid doesn't work. Sample base denying rule set like this:

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00020 allow tcp from any to any established
$cmd 00021 deny all from any to any frag in via $adslif
$cmd 00025 allow all from me to any keep-state
$cmd 00050 allow tcp from "table()" to any keep-state
$cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
$cmd 00600 allow all from $lan to any 53
$cmd 00602 allow udp from any 53 to any out via $lanif
$cmd 00603 allow udp from any 53 to any in via $adslif
$cmd 01500 allow all from $lan to any 443,25,110 keep-state
$cmd 02000 deny $log all from any to any

As I said, if I run IPFW with these rules, my client can't surf the internet. And also I didn't see anything about denying in the ipfw log file. Also there is no activity in the squid log files. I think the forwarding rule didn't work with that conf. So please can somebody tell me what's wrong in this situation?

Thanks in advance for your help.

--
Cagri Ersen
Re: Bypassing Transparent Proxy
On Fri, 1 Aug 2008, RW wrote:
> On Thu, 31 Jul 2008 15:57:26 -0600 (MDT) Warren Block <[EMAIL PROTECTED]> wrote:
>> On Thu, 31 Jul 2008, Jay Hall wrote:
>>> Is there an easy way to bypass the proxy server when accessing this one address?
>>
>> Instead of in the firewall, you can do that with squid:
>>
>> http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-d82a8d4c42f3600c857cef92d77d76914af54592
>>
>> In case that URL doesn't work, it's the "Can I make Squid go direct for some sites?" question about the always_direct access list.
>
> That makes squid itself go direct, bypassing other caches in the hierarchy, but the access is still going through squid.

Oh. Sorry. All right, I know squid can do it, but can't remember how.

-Warren Block * Rapid City, South Dakota USA
Re: Bypassing Transparent Proxy
On Thu, 31 Jul 2008 15:57:26 -0600 (MDT) Warren Block <[EMAIL PROTECTED]> wrote:
> On Thu, 31 Jul 2008, Jay Hall wrote:
>> Is there an easy way to bypass the proxy server when accessing this
>> one address?
>
> Instead of in the firewall, you can do that with squid:
>
> http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-d82a8d4c42f3600c857cef92d77d76914af54592
>
> In case that URL doesn't work, it's the "Can I make Squid go direct
> for some sites?" question about the always_direct access list.

That makes squid itself go direct, bypassing other caches in the hierarchy, but the access is still going through squid.
Re: Bypassing Transparent Proxy
On Thu, 31 Jul 2008, Jay Hall wrote:
> A situation has arisen for which I need to bypass my transparent proxy
> server (Squid) for a certain IP address range. Following are the
> contents of my ipnat.rules file.
>
> Is there an easy way to bypass the proxy server when accessing this one address?

Instead of in the firewall, you can do that with squid:

http://wiki.squid-cache.org/SquidFaq/ConfiguringSquid#head-d82a8d4c42f3600c857cef92d77d76914af54592

In case that URL doesn't work, it's the "Can I make Squid go direct for some sites?" question about the always_direct access list.

-Warren Block * Rapid City, South Dakota USA
Bypassing Transparent Proxy
Ladies and Gentlemen,

A situation has arisen for which I need to bypass my transparent proxy server (Squid) for a certain IP address range. Following are the contents of my ipnat.rules file.

map em1 192.d.e.f/24 -> 0/32
map em1 from 10.a.b.c/24 to 69.147.83.33/32 -> 0/32
rdr em0 0.0.0.0/0 port 80 -> 10.x.y.z port 3128 tcp
map em1 10.a.b.c/24 -> 0/32

em1 is the external interface on my server. My thinking with the rules was that adding the map command before the rdr would prevent traffic destined for 69.147.83.33 from hitting the proxy server. Unfortunately, it did not work.

Is there an easy way to bypass the proxy server when accessing this one address?

Thanks,

Jay
Re: Squid3.0 missing something with pf transparent proxy.
Quoting Mehul Ved <[EMAIL PROTECTED]>:
> On 2/2/08, eculp <[EMAIL PROTECTED]> wrote:
>> when I use the pf redirect it seems to not get the url parsing right for some
>> reason. I put http://www.google.com and see
>> 1201906217.304 0 172.16.0.14 NONE/400 1809 GET /google.com/ - NONE/- text/html
>> 1201906217.466 0 172.16.0.14 NONE/400 1809 GET /favicon.ico - NONE/- text/html
>> 1
>> in the squid access.log rather than http://www.google.com, and the screen shows:
>> http://encontacto.net/transSquid3.0.png
>
> I faced that too. Turns out I had
> http_port 3128
> but I needed
> http_port 3128 transparent

That one word solved the problem immediately. Thanks a lot. I was ready to give up on both myself and squid and uninstall.

Thanks again

ed

> after making the change proxy worked perfectly fine.
Re: Squid3.0 missing something with pf transparent proxy.
On 2/2/08, eculp <[EMAIL PROTECTED]> wrote:
> when I use the pf redirect it seems to not get the url parsing right for some
> reason. I put http://www.google.com and see
> 1201906217.304 0 172.16.0.14 NONE/400 1809 GET /google.com/ - NONE/- text/html
> 1201906217.466 0 172.16.0.14 NONE/400 1809 GET /favicon.ico - NONE/- text/html
> 1
> in the squid access.log rather than http://www.google.com, and the
> screen shows:
> http://encontacto.net/transSquid3.0.png

I faced that too. Turns out I had

http_port 3128

but I needed

http_port 3128 transparent

after making the change proxy worked perfectly fine.
Squid3.0 missing something with pf transparent proxy.
I haven't been using squid since version 2.5. I just built a new 3.0 and did a very basic configuration that works fine when configuring the browser's prefs -> advanced -> network and adding the host and port, but when I use the pf redirect it seems to not get the url parsing right for some reason. I put http://www.google.com and see

1201906217.304 0 172.16.0.14 NONE/400 1809 GET /google.com/ - NONE/- text/html
1201906217.466 0 172.16.0.14 NONE/400 1809 GET /favicon.ico - NONE/- text/html
1

in the squid access.log rather than http://www.google.com, and the screen shows:

http://encontacto.net/transSquid3.0.png

The pf redirect, etc. is working fine, /dev/pf has squid as the group with rw perms, I have no idea where to look. I've got the idea that I must have missed something in the 3.0 configuration.

Does anyone have it working and could you give me a hint or maybe share your squid.conf that works, just the diffs from the squid.conf.dist.

Thanks,

ed
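The access.log lines quoted in this thread are the visible symptom of the misconfiguration the reply identifies: with a pf rdr in place but no `transparent` (later `intercept`) keyword on `http_port`, Squid parses the intercepted request as an ordinary origin-form request, logs a bare path such as `/google.com/` instead of an absolute URL, and answers NONE/400. The following checker is an added example, not code from any post above or from the Squid project: it parses Squid's native access.log format and reports entries that show that pattern, so a defender can spot the misconfiguration in logs rather than by user complaints. The regex, the `CONNECT` handling and the third sample line are my assumptions; the first two sample lines are the ones quoted in the thread.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Squid "native" access.log layout (one request per line):
#   time elapsed client code/status bytes method URL ident hierarchy/peer type
# Assumption: fields are whitespace-separated, as in the lines quoted above.
_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)


@dataclass
class Entry:
    ts: float
    client: str
    code: str      # Squid result code, e.g. TCP_MISS or NONE
    status: int    # HTTP status Squid returned to the client
    method: str
    url: str


def parse_line(line):
    """Parse one native-format line; return None for lines that do not match."""
    m = _NATIVE.match(line.strip())
    if m is None:
        return None
    return Entry(float(m["ts"]), m["client"], m["code"], int(m["status"]),
                 m["method"], m["url"])


def is_schemeless(url, method):
    """True when the logged URL carries no scheme (and therefore no host).

    A proxy-style request logs an absolute URL (http://host/path). When
    intercepted traffic lands on a plain http_port, Squid only sees the
    origin-form request line, so the logged URL is just the path.
    CONNECT requests legitimately log host:port, so they are skipped.
    """
    if method == "CONNECT":
        return False
    return urlsplit(url).scheme == ""


def find_misconfigured_intercepts(lines):
    """Entries matching the symptom from the thread: Squid rejected the
    request (NONE/400) and only saw a bare path instead of a full URL."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.code == "NONE" and e.status == 400 and is_schemeless(e.url, e.method):
            hits.append(e)
    return hits


def clients_affected(lines):
    """Distinct client addresses whose requests show the symptom, sorted."""
    return sorted({e.client for e in find_misconfigured_intercepts(lines)})


# Constructed sample: the first two lines are the ones quoted in the thread,
# the third is a healthy proxy-style request (made-up addresses) for contrast.
SAMPLE_LOG = [
    "1201906217.304 0 172.16.0.14 NONE/400 1809 GET /google.com/ - NONE/- text/html",
    "1201906217.466 0 172.16.0.14 NONE/400 1809 GET /favicon.ico - NONE/- text/html",
    "1201906300.120 85 172.16.0.20 TCP_MISS/200 5123 GET http://www.google.com/ - DIRECT/192.0.2.10 text/html",
]

if __name__ == "__main__":
    for e in find_misconfigured_intercepts(SAMPLE_LOG):
        print(f"{e.client} {e.method} {e.url}: looks intercepted, but http_port "
              "has no transparent/intercept keyword")
```

Run against a real log with `find_misconfigured_intercepts(open("access.log"))`; a burst of hits from many LAN clients right after a firewall or Squid change is the signature to look for. Requests with a 400 and a bare path can also come from clients that genuinely sent a malformed request line, so the check is a trigger for inspecting `http_port`, not proof on its own.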
Portsnap and freebsd-update don't work behind transparent proxy?
I have 2 fresh installs of FreeBSD 6.2, on an i386 box and on a vmware host. Both hosts are behind a transparent proxy. Both tools, which use phttp, fail.

# freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 1 mirrors found.
Fetching metadata signature from update1.FreeBSD.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 26 patches. done.
Applying patches... done.
Fetching 25 files... failed.

# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 4 mirrors found.
Fetching snapshot tag from portsnap3.FreeBSD.org... done.
Fetching snapshot metadata... done.
Updating from Tue Nov 6 16:55:02 PST 2007 to Wed Nov 7 13:35:57 PST 2007.
Fetching 0 metadata patches. done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 22 patches. done.
Applying patches... done.
Fetching 21 new ports or files...
/usr/sbin/portsnap: cannot open 1f807d6e1674085144565408e4376cdb85611b9199c09ede8a1a9dc566b91957.gz: No such file or directory
snapshot is corrupt.

I've tried multiple times all day. Same results each time. How do I get around this?
Bandwith limitations, NAT and transparent proxy
Hello, freebsd-questions.

You need to add queues and forward all your inside subnets to those queues, something like this:

${fwcmd} pipe 1 config bw 128Kbit/s queue 20Kbytes
${fwcmd} queue 1 config pipe 1 weight 50 queue 20 mask dst-ip 0x
${fwcmd} queue 2 config pipe 1 weight 50 queue 20 mask src-ip 0xfff
${fwcmd} add 4 queue 1 ip from any to 192.168.1.128/25 via em0
${fwcmd} add 40001 queue 2 ip from 192.168.1.128/25 to any via em0

> Hi !
>
> I have FreeBSD 4.8 installed.
> There is IPFIREWALL, IPFIREWALL_FORWARD, IPDIVERT and DUMMYNET in my
> kernel configuration.
> On my FBSD gateway to the Internet I would like to use NAT (of course
> :-))) ), transparent proxy and limit the outgoing traffic.
> xl0 (62.169.170.166/30) is the public interface, xl1 (192.168.1.1/24) is
> the private one.
>
> If my firewall rules look like:
> ipfw pipe 1 config bw 256Kbit/s queue 40Kbytes
> ipfw add 47 pipe 1 ip from any to any out via xl0
> ipfw add 48 allow ip from 192.168.1.1 to any
> ipfw add 49 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80
> ipfw add 50 divert 8668 ip from any to any via xl0
> ... (the rest of OPEN firewall rules)
> nothing except http (because of transparent proxy, I think) goes through
> the gateway from the local net.
>
> If my firewall rules look like:
> ipfw pipe 1 config bw 256Kbit/s queue 40Kbytes
> ipfw add 47 pipe 1 ip from 62.169.170.166 to any out via xl0
> ipfw add 48 allow ip from 192.168.1.1 to any
> ipfw add 49 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80
> ipfw add 50 divert 8668 ip from any to any via xl0
> ... (the rest of OPEN firewall rules)
> everything works fine except the bandwidth limitation.
>
> Do you have any ideas how to get these three things (bandwidth
> limitation, nat, transparent proxy) to work together?
>
> Thanks a lot in advance.
>
> GIGI

--
Best regards,
Alexandre Fedotov
Management Training Center
www.mtcenter.ru
mailto:[EMAIL PROTECTED]
Re: setting up transparent proxy/webcache server in bridge mode
On Tue, 28 Nov 2006, Nima Tshering wrote:
> Hi,
>
> Please kindly help me in setting up transparent proxy/webcache server in
> bridge mode using FREEBSD 6.1

Actually I have got one running, but I forgot to write down how I did it. If you are sort of patient we can do a step by step installation (and hope someone helpful jumps in in case we get stuck). Thus we don't have to take notes, but always can look up the mailing list's archive :-)

0) I use squid.
1) What exactly do you mean by "bridge mode": Do you use two NICs?
2) Does your future proxy already work as a gateway?

Regards,

Peter Ulrich Kruppa
Wuppertal
Germany
setting up transparent proxy/webcache server in bridge mode
Hi,

Please kindly help me in setting up transparent proxy/webcache server in bridge mode using FREEBSD 6.1

Thanks

nima
Bhutan
Need help with getting transparent proxy working across WAN
I have a FreeBSD transparent proxy working on the local LAN, where the workstation's NIC has its gateway set to the proxy server's internal IP address. Everything works fine.

Problem is when I move my workstation from the local LAN where the proxy server resides on to the 10.4.0.0 network, which is across a WAN link, transparent proxy stops working. It appears no web traffic is getting to the proxy, and I'm not able to get to any web site. I am able to ping the proxy server, and use the proxy if I utilize a pac file and drop the IPFW rules.

I should also note that I have transparent proxy running under Debian using iptables, across the WAN link, but want to move to FreeBSD. So I feel my routers are set up correctly. I suspect the problem is with my IPFW rules or NAT configuration but I'm not sure.

FreeBSD 6.1

Kernel was recompiled with:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT

RC.CONF contains
gateway_enable="YES"
ifconfig_xl0="inet x.x.x.x netmask 255.255.255.0"
ifconfig_xl1="inet x.x.x.x netmask 255.255.255.0"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="xl1"
natd_flags=""

CISCO router has the following configured
access-list 199 permit tcp 10.4.0.0 0.0.255.255 any eq www
access-list 199 deny ip any any
route-map redirect-proxy permit 10
 match ip address 199
 set ip next-hop

My IPFW rules:
ipfw -q flush
ipfw add divert natd all from not me to any via
ipfw add fwd 127.0.0.1:8000 tcp from any to any 80

squid compiled with
SQUID_CONFIGURE_ARGS+="--enable-pf-transparent"

SQUID.CONF
httpd_accel_host virtual
httpd_accel_port 0
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
header_access Via deny all
header_access X-Forwarded-For deny all

Thank you for taking the time to look. Any advice or troubleshooting tips are welcome.
Re: transparent proxy howto
Oliver A. Rojo wrote:
> Skylar Thompson wrote:
>> Oliver A. Rojo wrote:
>>
>>> hi!
>>>
>>> I'm using freebsd-5.2.1-RELEASE-p14 and I just want to ask how I can
>>> set up transparent proxying with squid using ipnat?
>>
>> You're going to want something like this in your ipnat configuration:
>>
>> rdr int0 0/0 port 80 -> 192.168.0.1 port 3128
>>
>> Where int0 is your internal interface name, and 192.168.0.1 is your
>> internal interface IP address. You'll also want this in your squid.conf:
>>
>> http_port 8080
>> httpd_accel_host virtual
>> httpd_accel_port 80
>> httpd_accel_with_proxy on
>> httpd_accel_uses_host_header on
>>
>> Full documentation here:
>>
>> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
>
> is there anything to be done with the kernel? I've done this one but
> it didn't work...

Make sure that ipnat is loaded by putting ipnat_enable="YES" in /etc/rc.conf, and you should be good to go.

--
Skylar Thompson ([EMAIL PROTECTED])
http://www.cs.earlham.edu/~skylar/
Re: transparent proxy howto
Skylar Thompson wrote:
> Oliver A. Rojo wrote:
>> hi!
>>
>> I'm using freebsd-5.2.1-RELEASE-p14 and I just want to ask how I can
>> set up transparent proxying with squid using ipnat?
>
> You're going to want something like this in your ipnat configuration:
>
> rdr int0 0/0 port 80 -> 192.168.0.1 port 3128
>
> Where int0 is your internal interface name, and 192.168.0.1 is your
> internal interface IP address. You'll also want this in your squid.conf:
>
> http_port 8080
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Full documentation here:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

is there anything to be done with the kernel? I've done this one but it didn't work...
Re: transparent proxy howto
Skylar Thompson wrote:
> Oliver A. Rojo wrote:
>> hi!
>>
>> I'm using freebsd-5.2.1-RELEASE-p14 and I just want to ask how I can
>> set up transparent proxying with squid using ipnat?
>
> You're going to want something like this in your ipnat configuration:
>
> rdr int0 0/0 port 80 -> 192.168.0.1 port 3128
>
> Where int0 is your internal interface name, and 192.168.0.1 is your
> internal interface IP address. You'll also want this in your squid.conf:
>
> http_port 8080
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Full documentation here:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

ok but do i need to change something on the kernel?

--
Oliver A. Rojo

__
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Finally, the recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
Re: transparent proxy howto
Oliver A. Rojo wrote:
> hi!
>
> I'm using freebsd-5.2.1-RELEASE-p14 and I just want to ask how I can
> set up transparent proxying with squid using ipnat?

You're going to want something like this in your ipnat configuration:

rdr int0 0/0 port 80 -> 192.168.0.1 port 3128

Where int0 is your internal interface name, and 192.168.0.1 is your internal interface IP address.

You'll also want this in your squid.conf:

http_port 8080
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on

Full documentation here: http://www.squid-cache.org/Doc/FAQ/FAQ-17.html

httpd_accel_uses_host_header on

--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.cs.earlham.edu/~skylar/
transparent proxy howto
hi!

I'm using freebsd-5.2.1-RELEASE-p14 and I just want to ask how I can set up transparent proxying with squid using ipnat?

thanks!
transparent proxy with freebsd-5.2.1
How to set up transparent proxy with squid. I'm using Freebsd-5.2.1, ipf and ipnat.

Thanks!

--
Oliver A. Rojo
Re: transparent proxy with FreeBSD
On Wednesday 10 May 2006 10:43, Oliver A. Rojo wrote:
> Are there any docs on setting up transparent proxy using squid, ipf,
> ipnat + freebsd-5.3?

I would personally use pf; if that's an option, this works perfectly: http://www.benzedrine.cx/transquid.html
Re: transparent proxy with FreeBSD
You can safely use any doc about transparent squid + linux.. Only the syntax of PF is different. But there is an example in openbsd.org/faq/pf
For ipfilter use the appropriate man page..

On 5/10/06, Oliver A. Rojo <[EMAIL PROTECTED]> wrote:
> Are there any docs on setting up transparent proxy using squid, ipf, ipnat + freebsd-5.3?
>
> --
> Oliver A. Rojo
transparent proxy with FreeBSD
Are there any docs on setting up transparent proxy using squid, ipf, ipnat + freebsd-5.3?

--
Oliver A. Rojo
Squid transparent proxy masquerading as Client IPs
Some ISPs use Linux with the tproxy kernel patch to masquerade the requests from clients and make them appear as if they came from the client with no proxy connection. After digging around the squid-cache archives and mailing lists, Henrik Nordstrom suggested using tcp_outgoing_address and nat to achieve the same on FreeBSD and Squid in transparent (intercepting) mode.

The Idea is to assign for each Client a private IP on the Squid Server (as aliases worked fine).

In squid.conf we add

header_access Via deny all
header_access X-Forwarded-For deny all
# this removes both headers
# and for each client we need
acl clientxxx src <client real IP>
tcp_outgoing_address <private alias> clientxxx

Squid binds requests from clientxxx's to the <private alias>, then we nat those to the <client real IP>, making the request appear as if it came directly from the client, not the proxy.

To make things easy I used two scripts.

1. I added the add-alias.sh script to /etc/rc.local to create the aliases on startup

# < add-alias.sh > start
IP=110
MAXIP=150
PRIV=10.10.10
ALIASIF=    # I used lo0 to do the aliases on
            # Also I tested a virtual interface (netgraph)
            # Just to make sure no conflicts with transparent proxy rules (loops)
while [ $IP -le $MAXIP ]
do
    # one /32 host alias per client
    if ! ifconfig $ALIASIF inet $PRIV.$IP netmask 0xffffffff alias
    then
        echo Error Creating Alias $PRIV.$IP on $ALIASIF
        exit 1
    fi
    IP=$(( $IP + 1 ))
done
# < add-alias.sh > end

2. The squid-ipnat.sh script deletes the old ipnat.conf file and creates a new one with rules for the external interface. It also creates 2 files with ACLs for squid. I used it once to create the ipnat.conf file and keep it just in case I need to change the IPs (real/private). And the 2 files with ACLs for squid were used to copy and paste the ACLs to squid.conf. Oh ya, backup your configuration files just in case.

# < squid-ipnat.sh > start
IP=110
MAXIP=150
PRIV=10.10.10
REAL=xxx.xxx.xxx
EXTIF=      # I used the external interface for nat
cd
rm -f ipnat.conf   # careful, deletes old ipnat.conf file
rm -f squid_acl.conf
rm -f squid_tcp.conf
while [ $IP -le $MAXIP ]
do
    echo "bimap $EXTIF from $PRIV.$IP/32 to 0.0.0.0/0 port = 80 -> $REAL.$IP/32" >> ipnat.conf
    echo "acl Client$IP src $REAL.$IP" >> squid_acl.conf
    echo "tcp_outgoing_address $PRIV.$IP Client$IP" >> squid_tcp.conf
    # Client$IP is the name for the ACL, expands from Client110 to Client150
    # squid_acl.conf and squid_tcp.conf both end up copied and pasted into squid.conf
    IP=$(( $IP + 1 ))
done
# < squid-ipnat.sh > end

As you can see, I used IPNAT's bimap and tested the configuration for 40+ clients. My network is small and I wonder if someone can use this to test a larger network. Also test PF or IPFW/DIVERT/NAT and see what performs better, or just for fun.

One last note: the tcp_outgoing_address does not follow the X-Forwarded-For patch and it caused me to lose my head since I had Dansguardian in front of Squid. The Delay pools followed-X fine and that caused me to think there was a problem with my configuration. After disabling Dansguardian the configuration worked as expected. So do not wonder if it does not work if you use another proxy before squid.

--
Kind regards
Abu Khaled
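A consistency check over the three files the two scripts above produce, added here as an example and not part of the post: generate() re-implements the squid-ipnat.sh loop in Python and check_mapping() verifies that each client's ACL source, outgoing alias and bimap form a one-to-one chain back to that client's own address, since a shared alias, a missing bimap or a mismatched real address makes one client's requests leave with another client's address or with the private alias unmasked. All function names, the 192.0.2 and 10.10.10 prefixes, the interface em0 and the sample lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample input in the line formats that squid-ipnat.sh writes.
# Prefixes (192.0.2 for the clients' real addresses, 10.10.10 for the
# aliases), the interface name em0 and the client numbers are placeholders,
# not values from the post. Client112 (shares an alias) and Client113 (no
# bimap) carry deliberate mistakes so the checker has something to report.
SQUID_CONF = """
acl Client110 src 192.0.2.110
acl Client111 src 192.0.2.111
acl Client112 src 192.0.2.112
acl Client113 src 192.0.2.113
tcp_outgoing_address 10.10.10.110 Client110
tcp_outgoing_address 10.10.10.111 Client111
tcp_outgoing_address 10.10.10.111 Client112
tcp_outgoing_address 10.10.10.113 Client113
"""
IPNAT_CONF = """
bimap em0 from 10.10.10.110/32 to 0.0.0.0/0 port = 80 -> 192.0.2.110/32
bimap em0 from 10.10.10.111/32 to 0.0.0.0/0 port = 80 -> 192.0.2.111/32
bimap em0 from 10.10.10.114/32 to 0.0.0.0/0 port = 80 -> 192.0.2.114/32
"""

ACL_RE = re.compile(r"^acl\s+(\S+)\s+src\s+(\S+)$")
OUT_RE = re.compile(r"^tcp_outgoing_address\s+(\S+)\s+(\S+)$")
BIMAP_RE = re.compile(r"^bimap\s+\S+\s+from\s+(\S+)/32\s+to\s+0\.0\.0\.0/0"
                      r"\s+port\s*=\s*80\s+->\s+(\S+)/32$")


def generate(real_prefix, priv_prefix, extif, first, last):
    """Same loop as squid-ipnat.sh: one ACL, one outgoing alias and one
    bimap per client number in first..last. Returns (squid_text, ipnat_text)."""
    squid, ipnat = [], []
    for n in range(first, last + 1):
        squid.append(f"acl Client{n} src {real_prefix}.{n}")
        squid.append(f"tcp_outgoing_address {priv_prefix}.{n} Client{n}")
        ipnat.append(f"bimap {extif} from {priv_prefix}.{n}/32 to 0.0.0.0/0 "
                     f"port = 80 -> {real_prefix}.{n}/32")
    return "\n".join(squid), "\n".join(ipnat)


def parse_squid(text):
    """Return ({acl_name: real_ip}, {acl_name: outgoing_alias})."""
    acls, outgoing = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)] = m.group(2)
            continue
        m = OUT_RE.match(line)
        if m:
            outgoing[m.group(2)] = m.group(1)
    return acls, outgoing


def parse_ipnat(text):
    """Return {outgoing_alias: real_ip} from the bimap rules."""
    bimaps = {}
    for line in text.splitlines():
        m = BIMAP_RE.match(line.strip())
        if m:
            bimaps[m.group(1)] = m.group(2)
    return bimaps


def check_mapping(squid_text, ipnat_text):
    """Verify that ACL source -> outgoing alias -> bimap -> real address is a
    one-to-one chain ending at the ACL's own source. Returns a list of
    findings; an empty list means the two files agree."""
    acls, outgoing = parse_squid(squid_text)
    bimaps = parse_ipnat(ipnat_text)
    findings, owner = [], {}  # owner: alias -> first ACL that uses it
    for name, real in sorted(acls.items()):
        alias = outgoing.get(name)
        if alias is None:
            findings.append(f"{name}: no tcp_outgoing_address, so its requests "
                            "leave from squid's default address")
            continue
        if not ip_address(alias).is_private:
            findings.append(f"{name}: outgoing address {alias} is not a private alias")
        if alias in owner:
            # two clients on one alias: the bimap attributes both to one real address
            findings.append(f"{name}: shares alias {alias} with {owner[alias]}")
        owner.setdefault(alias, name)
        mapped = bimaps.get(alias)
        if mapped is None:
            # no bimap: packets leave the external interface with the alias as source
            findings.append(f"{name}: no bimap rule for {alias}")
        elif mapped != real:
            findings.append(f"{name}: bimap rewrites {alias} to {mapped}, "
                            f"but the ACL source is {real}")
    for alias in bimaps:
        if alias not in owner:
            findings.append(f"bimap for {alias} is not used by any squid client")
    return findings


if __name__ == "__main__":
    for finding in check_mapping(SQUID_CONF, IPNAT_CONF):
        print(finding)
```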
Portfwd transparent proxy problem
Hello all,

I'm trying to make portfwd, with transparent forwarding enabled, work on a 4.11-STABLE kernel with transparent proxy enabled (options IPFIREWALL_FORWARD #enable transparent proxy support). The make process of portfwd keeps showing:

Transparent proxy support is NOT present in kernel.

I've read several manpages and searched the net but cannot find the answer. Does anyone know a tip to make this work?

Thank you,
Jacco
Squid/ipfilter Transparent Proxy Problems
I am trying to set up a transparent caching proxy using squid and ipfilter. Currently, if I manually configure my web browser to use the squid proxy server, it works fine. My problem arises when I use ipfilter NAT to intercept HTTP requests, and force clients to use the proxy, using the following ipfilter redirect rule:

rdr rl0 0/0 port 80 -> 127.0.0.1 port 3128 tcp

This causes squid to crash and restart. I noticed the following error in squid's cache.log:

parseHttpRequest: NAT open failed: (13) Permission denied

It was suggested the permissions on /dev/ipnat should be relaxed, but this did not seem to work. Any suggestions?

Here is the output of "squid -v":

Squid Cache: Version 2.5.STABLE10
configure options: --bindir=/usr/local/sbin --sysconfdir=/usr/local/etc/squid --datadir=/usr/local/etc/squid --libexecdir=/usr/local/libexec/squid --localstatedir=/usr/local/squid '--enable-removal-policies=lru heap' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=NCSA PAM MSNT SMB winbind' --enable-digest-auth-helpers=password '--enable-external-acl-helpers=ip_user unix_group wbinfo_group winbind_group' '--enable-ntlm-auth-helpers=SMB winbind' '--enable-store io=ufs diskd null' --enable-underscores --enable-ipf-transparent --with-large-files --enable-large-cache-files '--enable-err-languages=[omitted] --enable-default-err-language=English --prefix=/usr/local i386-portbld-freebsd5.4
RE: configuring Squid as a Transparent proxy in BSD with ipfw
-Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Diego Camarena
> González
> Subject: configuring Squid as a Transparent proxy in BSD with ipfw
>
>
> Does anyone know how I can configure Squid as a Transparent proxy
> using IPFW assuming that I have already configured Squid with Samba
> authentication.

You can not mix transparent proxy and squid authentication, it's in the squid FAQ.

---
Miguel Miranda
configuring Squid as a Transparent proxy in BSD with ipfw
Does anyone know how I can configure Squid as a Transparent proxy using IPFW assuming that I have already configured Squid with Samba authentication.

I've configured Squid to allow users to log on to pages using their smb account, but I have to configure every computer on my LAN to connect to the proxy server. How can I configure IPFW and Squid to work as a transparent proxy for every computer, authenticating samba users in my LAN that use Internet Explorer.

Net interfaces:
xl0 : 10.254.254.253 --- LAN ip
xl1 : 172.21.14.253 --- This ip is used to make the SMB authentication and get the internet connection

Requirements:
OS: FreeBSD 5.2
Authentication module: smb_auth
Firewall: IPFW

Could anyone please send me a configuration that has been proved, or any idea? I have already read the FAQ about squid transparent proxy but none of the configurations works with samba authentication and IPFW
RE: Transparent Proxy going astray
> -Original Message-
> From: L.Norvydas [mailto:[EMAIL PROTECTED]
> Sent: 24 January 2005 10:41
> To: freebsd-questions@freebsd.org
> Subject: Transparent Proxy going astray
>
>
> Hello, Paul,
>
> I saw your message in freebsd-questions forum about
> transparent proxy. Right now I'm facing the same problem:
> gateway with ipfw/natd and squid proxy on different machine.
> Maybe you have solved this problem? Everywhere I look, I see
> the same questions I'm asking, i.e. "has anyone successfully
> configured gateway and proxy, working on different machines?" :)
>

Have you looked at "WCCP"? Not sure if there are BSD implementations of this, but in linux there are. It's basically a protocol that runs on both the proxy and f/w server such that any http traffic is transparently forwarded to the proxy server for caching/whatever before it goes through the gateway... It used to be a cisco proprietary protocol, but I believe it may have been RFCd

brad

This email may contain confidential material. If you were not an intended recipient, please notify the sender and delete all copies. We may monitor email to and from our network.
Transparent Proxy going astray
Hello, Paul,

I saw your message in freebsd-questions forum about transparent proxy. Right now I'm facing the same problem: gateway with ipfw/natd and squid proxy on different machine. Maybe you have solved this problem? Everywhere I look, I see the same questions I'm asking, i.e. "has anyone successfully configured gateway and proxy, working on different machines?" :)

I have FreeBSD-4.10 with ipfw/natd working with quite complex ruleset and other box with squid. When I install squid on the gateway machine and make

fwd GW_LOOPBACK,3128 tcp from MY_TEST_PC to any 80

then this squid works just fine. But when I try to forward to other, not gateway machine, i.e.

fwd OTHER_BOX_WITH_SQUID,3128 tcp from MY_TEST_PC to any 80

then it isn't working... I see packets matching fwd rule (counter increases), but no traffic reaches squid machine. I have wandered through lots of forums and mailing lists, but haven't found solution until now. Thought maybe you have successfully coped with this and maybe you can help or advise something?

Lawrence, network / systems administrator
RE: IPFW/NATD Transparent Proxy
> Your ipfw rules are invalid.

They seem to work perfectly. My only gripe is that static rule #15100 is required to succeed with redirect_port from 1.2.3.4:80 to 192.168.2.250:80 when 192.168.1.247 requests a web page using the domain name for 1.2.3.4. I'm looking for a solution that doesn't require rule #15100.

> This causes the dynamic
> internal state table to cross match packets in error because it does
> not keep track of which interface the packet is from. This has been
> a long time bug in stateful rules for NATed interfaces. Technically
> your whole stateful environment is being forced to look like its
> working when in fact its all most useless.

How can that be? If I'm on 192.168.2.100, I can make a request to www.cnn.com and it works fine. Yet I have no rule that allows any packets to be accepted IN via my outside nic (de0), and no rule that allows any port 80 OUT to my private lan on de2. That sounds to me like the dynamic rules are working. How else are the packets getting into de0 and out to de2?

> That is why the stateful + nated rule example from the new firewall
> rewrite uses skipto rules to work around this problem.

I'm using skipto's as well, just not using the keep-state parameter on the skipto rule. I don't believe the transparent proxy problem I'm having is a result of skipto. It's a chicken/egg issue when using stateful rules because either NATD or the original nic "remembers" that the packet changed when it got redirected.

If I allow the stateful rule first, it gets created as 192.168.1.247 <-> 1.2.3.4 and immediately starts communicating with the outside interface due to the dynamic rule bypassing the rest of the firewall. So the packets never get to go through the divert rule to be redirected to 192.168.2.250.

If I go through divert first (as in my firewall example), the packet matches rule 100, the destination gets changed to 192.168.2.250, and the packet continues down through the firewall. Great! Next, it matches on 300 and gets passed to 15000 where the dynamic rule 192.168.1.247 <-> 192.168.2.250 gets created. More greatness! When 192.168.2.250 replies to 192.168.1.247, that packet also matches rule 100, gets diverted and NATD rewrites the source to the original IP address so the packet is now configured as 1.2.3.4 -> 192.168.1.247. Continued greatness! But now, the packet gets denied at 15200 (remember 15100 does not exist in this example) because there's no rule to allow 1.2.3.4 to communicate with 192.168.1.247. Hence, I have to add in #15100 to explicitly allow 1.2.3.4 to communicate with 192.168.1.247. In my example ruleset I simply allowed anything to go out via de1.

> Basically the unpublished rule of thumb
> is ipfw keep-state rules can not be used on the internal interface
> and external interface in same rule set. Keep-state rules can only
> be used on the external interface. There are no error messages to
> enforce this.

Actually, the only problem I've run into is the combination of external/internal with NATD doing a redirect_port or redirect_address. I've not run into any problems with external/internal and normal NATD address translations.

J

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf
Re: IPFW/NATD Transparent Proxy
de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM the request needs to be forwarded to 192.168.2.250:80

In the ruleset below, 15100 is required for this to work. If I pull out 15100 I get no response from the web page because there is no rule to allow 1.2.3.4 back out to 192.168.1.247. I can't find a solution that does not require an explicit rule to allow 1.2.3.4 back out to 192.168.1.247.

In other words, I can't find a set of rules that allows dynamic setup of
192.168.1.247: <-> 1.2.3.4:80
192.168.1.247: <-> 192.168.2.250:80

I hope this information helps. Thanks in advance for pointing me in the right direction.

IPFW RULES
==
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Sunday, August 08, 2004 5:43 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: IPFW/NATD Transparent Proxy
> >
> > On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > > A new rewrite of the FreeBSD handbook firewall section is currently
> > > being made ready for update to the handbook. You can get an
> > > in-process copy from www.a1poweruser.com/FBSD_firewall/
> >
> > The firewall rewrite only deals with a single public nic and
> > a single internal nic and does not have the information I require.
> >
> > > From what you posted looks like you want public internet users to
> > > access web server on one of your LAN machines. Both ipfw and ipfilter
> > > does this normally with port redirect.
> >
> > No, I want a user on 192.168.1.247 to be redirected to
> > 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC
> > ip number on the FreeBSD internet gateway. Again, the configuration is
> > de0 = PUBLIC IP = 1.2.3.4
> > de1 = 192.168.1.1
> > de2 = 192.168.2.1
> >
> > I don't have a problem with incoming requests for 1.2.3.4:80
> > from the Internet being redirected to 192.168.2.250. That works fine.
> > But I want someone on 192.168.1.247 to ALSO be redirected to
> > 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Could you send us (or me, personally) your firewall script, and the
> address you want to use?
>
> Thanks.
>
> Eric F Crist
Re: IPFW/NATD Transparent Proxy
--On Sunday, August 08, 2004 18:43:21 -0400 [EMAIL PROTECTED] wrote:

> No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
> they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD
> internet gateway. Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet
> being redirected to 192.168.2.250. That works fine. But I want someone on
> 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
> public address 1.2.3.4:80.
>
> Put another way, I have a FreeBSD server acting as a Router/Firewall. It has
> a public interface with an IP number of 1.2.3.4 and is assigned the DNS name
> www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a
> private address space of 192.168.1.0/255.255.255.0 and a third NIC that
> supports a private address space of 192.168.2.0/255.255.255.0
>
> When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
> they get redirected to 192.168.2.250 because I've included a redirect_port
> rule for NATD. This works fine. But, users on all private networks (I have
> two, but there could be 20) also need to be redirected to 192.168.2.250 when
> they try to go to www.ishouldhaveusedipfilter.com
>
> So the user sitting at 192.168.1.247 shouldn't have to worry about putting in
> the IP number of the company web server, they should just be able to put in
> the company domain name (www.ishouldhaveusedipfilter.com) and be redirected
> to 192.168.2.250 just like anyone coming from the outside.

It seems to me that the best way to handle this is through DNS. Hosts within your LAN should resolve www.ishouldhaveusedipfilter.com to 192.168.2.250 instead of 1.2.3.4.

Typically, you would have an externally visible DNS server which is authoritative for your domain; and which lists only the publicly visible machines and IP addresses. (It should -NOT- handle referrals at all.) Somewhere within your LAN you would have another DNS server that is authoritative for your internal domain and IP range. It may handle referrals; but it is safer to have a completely separate DNS server which just handles referrals (and possibly caches results) - it should be explicitly told to use your LAN's authoritative server for your domain and IP range.

With this setup, outside machines see the public address, which is redirected via your firewall/NAT rules; but internal machines see the internal address and access it directly.

-Pat
RE: IPFW/NATD Transparent Proxy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 5:43 PM
> To: [EMAIL PROTECTED]
> Subject: Re: IPFW/NATD Transparent Proxy
>
>
> On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > A new rewrite of the FreeBSD handbook firewall section is currently
> > being made ready for update to the handbook. You can get an
> > in-process copy from www.a1poweruser.com/FBSD_firewall/
>
> The firewall rewrite only deals with a single public nic and
> a single internal nic and does not have the information I require.
>
> > From what you posted looks like you want public internet users to
> > access web server on one of your LAN machines. Both ipfw and ipfilter
> > does this normally with port redirect.
>
> No, I want a user on 192.168.1.247 to be redirected to
> 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC
> ip number on the FreeBSD internet gateway. Again, the configuration is
> de0 = PUBLIC IP = 1.2.3.4
> de1 = 192.168.1.1
> de2 = 192.168.2.1
>
> I don't have a problem with incoming requests for 1.2.3.4:80
> from the Internet being redirected to 192.168.2.250. That works fine.
> But I want someone on 192.168.1.247 to ALSO be redirected to
> 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>

Could you send us (or me, personally) your firewall script, and the address you want to use?

Thanks.

Eric F Crist
Re: IPFW/NATD Transparent Proxy
On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single internal nic and does not have the information I require.

> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter does this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD internet gateway. Again, the configuration is
de0 = PUBLIC IP = 1.2.3.4
de1 = 192.168.1.1
de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet being redirected to 192.168.2.250. That works fine. But I want someone on 192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall. It has a public interface with an IP number of 1.2.3.4 and is assigned the DNS name www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a private address space of 192.168.1.0/255.255.255.0 and a third NIC that supports a private address space of 192.168.2.0/255.255.255.0

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com they get redirected to 192.168.2.250 because I've included a redirect_port rule for NATD. This works fine. But, users on all private networks (I have two, but there could be 20) also need to be redirected to 192.168.2.250 when they try to go to www.ishouldhaveusedipfilter.com

So the user sitting at 192.168.1.247 shouldn't have to worry about putting in the IP number of the company web server, they should just be able to put in the company domain name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 just like anyone coming from the outside.

> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and firewall rules files.

My rc.conf file is properly configured and has no bearing on my question. My gateway works fine from public to private IP space and private to public IP space. I've tried so many combinations of rules and NATD options that I wouldn't know what to post. What I need is someone who has completed a similar configuration to send me their configuration (change the IP numbers if you like). From what I can see, I don't believe this is possible with stateful rules. Let me add that I've been successful with stateless rules, but I'd like to use 100% stateful if possible.

>
> The limit you write about ipfilter is not true.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Sunday, August 08, 2004 2:11 PM
> To: [EMAIL PROTECTED]
> Subject: IPFW/NATD Transparent Proxy
>
>
> Anyone up for a challenge?
>
> I've come to the conclusion that IPFW/NATD cannot support transparent
> proxying with ONLY stateful rules. I'd like to hear from anyone who has
> been successful doing so in case I'm missing something.
>
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 1.2.3.4
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
>
> The challenge:
> 1) TCP request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.2.250:80
> 3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has a
> limitation in that it cannot redirect a public destination to a private
> destination if the source machine is on the same subnet as the redirected
> destination. In other words, the following supposedly will not work:
> 1) A tcp request from 192.168.1.247 to 1.2.3.4:80
> 2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
>
> J
RE: IPFW/NATD Transparent Proxy
A new rewrite of the FreeBSD handbook firewall section is currently being made ready for update to the handbook. You can get an in-process copy from www.a1poweruser.com/FBSD_firewall/

From what you posted looks like you want public internet users to access web server on one of your LAN machines. Both ipfw and ipfilter do this normally with port redirect.

You need to post more info about your system config. Post the full contents of your rc.conf and firewall rules files.

The limit you write about ipfilter is not true.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of [EMAIL PROTECTED]
Sent: Sunday, August 08, 2004 2:11 PM
To: [EMAIL PROTECTED]
Subject: IPFW/NATD Transparent Proxy

Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 - NICS (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
1) A tcp request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?

J
IPFW/NATD Transparent Proxy
Anyone up for a challenge? I've come to the conclusion that IPFW/NATD cannot support transparent proxying with ONLY stateful rules. I'd like to hear from anyone who has been successful doing so in case I'm missing something.

Configuration is:
FreeBSD 5.2.1
3 NICs (de0, de1, de2)
de1 = Public IP = 1.2.3.4
de2 = LAN1 = 192.168.1.0
de3 = LAN2 = 192.168.2.0

The challenge:
1) TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.2.250:80
3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a limitation in that it cannot redirect a public destination to a private destination if the source machine is on the same subnet as the redirected destination. In other words, the following supposedly will not work:
1) A TCP request from 192.168.1.247 to 1.2.3.4:80
2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?

J
RE: Transparent proxy/nat server using DHCP.
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:owner-freebsd-[EMAIL PROTECTED]] On Behalf Of Jesper Wallin
> Sent: Sunday, April 18, 2004 7:02 AM
> To: [EMAIL PROTECTED]
> Subject: Transparent proxy/nat server using DHCP.

You could always set up the FreeBSD computer as a filtering bridge:
http://www.freebsd.org/doc/en_US.ISO8859-1/articles/filtering-bridges/index.html

Nick Radonicich
[EMAIL PROTECTED]
Transparent proxy/nat server using DHCP.
Heya..

My ISP allows me to have 5 dynamic IP addresses. Yet, it's locked to the MAC address (I think).. Currently my network looks like this:

[ Internet ][ 16-port Unex Switch ][ my network ]

..and in the local network, I have 3 servers and my two workstations. My idea was to put one server "in front" of all the other computers, like:

[ Internet ][ FreeBSD ][ 16-port Unex Switch ][ my networks ]

..and have the FreeBSD server holding all 5 IPs from my ISP and then NAT/forward them to the rest of the network.. like a transparent firewall/logging server. Like having 3 of the IPs going to my 3 servers.. and have another IP for NATing the two workstations, which use a local IP range.. or something.

My problem is getting the FreeBSD server to request 5 IPs on the same NIC using the DHCP protocol. Is it even possible?

Regards,
Jesper 'Z3l3zT' Wallin
re: FreeBSD Firewall as a Transparent Proxy?
Try this: http://www.opennet.ru/docs/RUS/squid_filter/squidguard.html

It is in Russian, but you will figure it out by looking at the config files. I installed it on 5.2.1 and it is stable. Great way of keeping your users off the bad sites.

Regards,
Denis

> I have seen lots of pages on google on how to set up Squid as a Transparent Proxy server on FreeBSD. However most of these refer to 4.9 stable, using IPTables. I am currently using natd and ipfw.
FreeBSD Firewall as a Transparent Proxy?
I have seen lots of pages on google on how to set up Squid as a Transparent Proxy server on FreeBSD. However most of these refer to 4.9 stable, using IPTables. I am currently using natd and ipfw.

Here are my firewall rules, rc.firewall.rules:

proxy# cat rc.firewall.rules
# be quiet and flush all rules on start
-q flush
# allow local traffic, deny RFC 1918 addresses on the outside
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from any to any not verrevpath in
add 00301 deny ip from 10.0.0.0/8 to any in via fxp0
add 00302 deny ip from 172.16.0.0/12 to any in via fxp0
add 00303 deny ip from 192.168.0.0/16 to any in via fxp0
# check if incoming packets belong to a natted session, allow through if yes
add 01000 divert natd ip from any to me in via fxp0
add 01001 check-state
# allow some traffic from the local net to the router
# SSH
add 04000 allow tcp from any to me dst-port 22 setup keep-state
# ICMP
add 04001 allow icmp from 192.168.1.0/24 to me in via xl0
# NTP
add 04002 allow tcp from 192.168.1.0/24 to me dst-port 123 in via xl0 setup keep-state
add 04003 allow udp from 192.168.1.0/24 to me dst-port 123 in via xl0 keep-state
# DNS
add 04006 allow udp from 192.168.1.0/24 to me dst-port 53 in via xl0
# drop everything else
add 04009 deny ip from 192.168.1.0/24 to me
# pass outgoing packets (to be natted) on to a special NAT rule
add 04109 skipto 61000 ip from 192.168.1.0/24 to any in via xl0 keep-state
# allow all outgoing traffic from the router (maybe you should be more restrictive)
add 05010 allow ip from me to any out keep-state
# drop everything that has come so far. This means it doesn't belong to an
# established connection, don't log the most noisy scans.
add 59998 deny icmp from any to me
add 5 deny ip from any to me dst-port 135,137-139,445,4665
add 6 deny log tcp from any to any established
add 6 deny log ip from any to any
# this is the NAT rule. Only outgoing packets from the local net will come here.
# First, nat them, then pass them on (again, you may choose to be more restrictive)
add 61000 divert natd ip from 192.168.1.0/24 to any out via fxp0
add 61001 allow ip from any to any

natd.conf:

proxy# cat natd.conf
unregistered_only
interface fxp0
use_sockets
dynamic
# dynamically open fw for ftp, irc
punch_fw 2000:50

proxy# uname -a
FreeBSD proxy.valuedj.com 5.2.1-RELEASE FreeBSD 5.2.1-RELEASE #0: Fri Mar 26 19:14:17 PST 2004 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/MYKERNEL i386

How would I set it so all incoming packets from xl0 get redirected to port 8080 for the proxy server? I want to set up DansGuardian for content filtering and I don't want the people who will be using my network to find a way around it by disabling the proxy in the browser. Anyone have any ideas?

Thanks for your help
Bandwidth limitations, NAT and transparent proxy
Hi!

I have FreeBSD 4.8 installed. There is IPFIREWALL, IPFIREWALL_FORWARD, IPDIVERT and DUMMYNET in my kernel configuration. On my FBSD gateway to the Internet I would like to use NAT (of course :-))) ), a transparent proxy, and limit the outgoing traffic. xl0 (62.169.170.166/30) is the public interface, xl1 (192.168.1.1/24) is the private one.

If my firewall rules look like:

ipfw pipe 1 config bw 256Kbit/s queue 40Kbytes
ipfw add 47 pipe 1 ip from any to any out via xl0
ipfw add 48 allow ip from 192.168.1.1 to any
ipfw add 49 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80
ipfw add 50 divert 8668 ip from any to any via xl0
... (the rest of OPEN firewall rules)

nothing except http (because of the transparent proxy, I think) goes through the gateway from the local net.

If my firewall rules look like:

ipfw pipe 1 config bw 256Kbit/s queue 40Kbytes
ipfw add 47 pipe 1 ip from 62.169.170.166 to any out via xl0
ipfw add 48 allow ip from 192.168.1.1 to any
ipfw add 49 fwd 192.168.1.1,3128 tcp from 192.168.1.0/24 to any 80
ipfw add 50 divert 8668 ip from any to any via xl0
... (the rest of OPEN firewall rules)

everything works fine except the bandwidth limitation.

Do you have any ideas how to get these three things (bandwidth limitation, NAT, transparent proxy) to work together?

Thanks a lot in advance.

GIGI
FW: Transparent Proxy going astray - Help!
Hi all,

Has no-one seen this problem? If so, wow, what have I done wrong here? Do you need more info?

Cheers,
Paul Hamilton

-----Original Message-----
From: Paul Hamilton [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 21 June 2003 1:34 PM
To: Freebsd-Questions
Subject: Transparent Proxy going astray
RE: Transparent Proxy going astray
Nope! :-(

Yes, the gateway server (192.168.0.10) runs IPFW2, squid, ppp etc. I added the skip rule as you suggested. I see traffic getting to rule 60, but since I don't know of a way to tcpdump lo0 traffic, I don't know how to troubleshoot further.

Oh yes, it looks like the squid logs do register a miss (after a long time out):

1056276094.519 10998 192.168.0.2 TCP_MISS/000 0 GET http://www.google.com/

I checked and made sure that the squid ACL is allowing 192.168.0.0 and 127.0.0.1 traffic through.

Also, what is generating this traffic (via tcpdump on the inside NIC)?

17:50:51.073150 192.168.0.2.4339 > 203.10.1.17.53: 1355+ A? www.google.com. (32)
17:50:51.375673 203.10.1.17.53 > 192.168.0.2.4339: 1355 1/4/4 A 216.239.39.99 (184)
17:50:51.378720 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:51.378774 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 673769955 win 0
17:50:51.814743 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:51.814794 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 1 win 0
17:50:52.315527 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:52.315579 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 1 win 0

Hmmm, hang on, if the above is from the inside NIC (tun0 shows only the DNS lookup), why am I seeing the 216.239.39.99:80 traffic? Is squid somehow directing it back inside, instead of out via tun0? Is this a squid config problem? By the way, examining the packets via Ethereal, it looks like there is no data in those packets.

I know this is a standard setup, I'm just perplexed on where I have gone wrong (and why I can't troubleshoot it further).

Cheers,
Paul Hamilton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Thomson
Sent: Saturday, 21 June 2003 1:49 PM
To: Freebsd-Questions
Subject: Re: Transparent Proxy going astray
Re: Transparent Proxy going astray
Paul,

You'd probably have noticed a few posts from me on this very subject. The good news is I did end up getting it all working.. but there were definitely a few hurdles in the way.

I assume your firewall is also running the squid proxy? For some reason, I got away with just putting rule 60 in! I also added a dst port of 80 so just my http traffic got forwarded.

If this is your firewall, then you'd probably want to change rule 50 to something like:

skipto 70 tcp from 192.168.0.10 to any

192.168.0.10 is your firewall??

From my understanding, an add rule will stop moving through the ruleset; however you still need your requests to go through nat etc etc..

Let me know how you get on. You can rest assured that it is possible. I have now set up transparent proxies with the proxy running on the firewall and also with the proxy running on another box. I've also used 4.7 and 5.0 in separate instances successfully too!

good luck,

ajt.

On Sat, Jun 21, 2003 at 01:34:17PM +0800, Paul Hamilton wrote:
Transparent Proxy going astray
Hi all,

I have watched/lurked on this list for some time now, and see a Transparent Proxy question every now and then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again.

I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4

squid.conf has the required lines:

http_port 8080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and the required ipfw2 firewall rules:

00050 271 27520 allow tcp from 192.168.0.10 to any
00060 3 144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80

Interestingly enough, when watching the IP traffic on the gateway, I see this on my inside NIC:

08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0

and this on my outside NIC:

08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)

The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic.

Should I be able to see traffic on lo0?

Any thoughts on what I am missing?

Cheers,

Paul Hamilton
Re: more transparent proxy and squid questions.
# [EMAIL PROTECTED] / 2003-06-17 14:37:09 +1000:
> further, if i do try and configure with the --enable-ipfw-transparent
> option, configure complains with the following:
>
> checking if setresuid is implemented... yes
> checking if IP-Filter header files are installed... no
> WARNING: Cannot find necessary IP-Filter header files
> Transparent Proxy support WILL NOT be enabled
>
> I appreciate it's talking about ipfilter however I use ipfw which is
> compiled into the kernel.

ISTR seeing separate ./configure switches for ipf and ipfw when I was installing squid last year. The error you quoted would indicate that you specified --enable-ipf-transparent instead of the ipfw one.

--
If you cc me or remove the list(s) completely I'll most likely ignore your message. See http://www.eyrie.org./~eagle/faqs/questions.html
Re: more transparent proxy and squid questions.
further, if i do try and configure with the --enable-ipfw-transparent option, configure complains with the following:

checking if setresuid is implemented... yes
checking if IP-Filter header files are installed... no
WARNING: Cannot find necessary IP-Filter header files
Transparent Proxy support WILL NOT be enabled

I appreciate it's talking about ipfilter; however I use ipfw, which is compiled into the kernel.

I want transparent proxy but with ipfw.. what's the status?

ajt.

On Mon, Jun 16, 2003 at 04:52:12PM +1000, Andrew Thomson wrote:
RE: more transparent proxy and squid questions.
Hi,

This is relatively easy if you set the gateway of the other machine to be your squid box. Otherwise you have no way of hijacking the connections!! Also this could be done via an access list on a router.

Kind Regards
Doron Shmaryahu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew Thomson
Sent: 16 June 2003 08:52 AM
To: [EMAIL PROTECTED]
Subject: Re: more transparent proxy and squid questions.
Re: more transparent proxy and squid questions.
i'm still having issues here..

has anyone else got transparent proxy going with firewall and squid on different boxes??

anyway, from the squid faq, does this apply to freebsd these days??

..."Compile and run a version of Squid which accepts connections for other addresses. For some operating systems, you need to have configured and built a version of Squid which can recognize the hijacked connections and discern the destination addresses. For Linux this seems to work automatically. For *BSD-based systems, you probably have to configure squid with the --enable-ipf-transparent option. (Do a make clean if you previously configured without that option, or the correct settings may not be present.)"...

i'm trying to use ipfw for my fwd'ing from the firewall to the proxy server.

thanks,

ajt.

On Mon, Jun 16, 2003 at 07:25:26AM +0300, Rapier wrote:
Re: more transparent proxy and squid questions.
From what you've said you have natd enabled; instead of redirecting with ipfw you should redirect with natd! man natd

On Mon, 16 Jun 2003 09:41:05 +1000 Andrew Thomson <[EMAIL PROTECTED]> wrote:
Re: more transparent proxy and squid questions.
Andrew Thomson wrote:
> On Fri, Jun 13, 2003 at 09:47:09AM -0400, Bill Moran wrote:
> > Yes. You've got the right idea.
>
> hmm.. i have encountered some difficulties ;) so now i'm seeking some
> more advice..
>
> i have the following rules on my firewall:
>
> 10561 skipto 11000 ip from 192.168.1.2 to any
> 10562 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80
>
> keeping in line with my example, 1=fwall, 2=squid, 3=user
>
> the skipto is in there so we go through nat and get a proper ip.
>
> i never see any packets get to the squid box though..
>
> ipfw show indicates matching packets
>
> ipfw show 10561 10562
> 10561 5342331306 skipto 11000 ip from 192.168.1.2 to any
> 10562 2520120960 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80
>
> a tcpdump on the squid box looking out for port 3128 shows nothing, although
> the ipfw shows matches..
>
> i'll keep digging around but any more tips would be appreciated on this
> setup.

Someone else may have keener eyes, but for my part I can't guess what the
problem could be from your description. Can you send your entire ipfw
ruleset? (i.e. the complete output of 'ipfw show') Perhaps then I'll be
able to get a better idea what you're doing. If 10562 is catching packets,
then it's likely that it's somewhere else that the problem lies.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
Re: more transparent proxy and squid questions.
On Fri, Jun 13, 2003 at 09:47:09AM -0400, Bill Moran wrote:
>
> Yes. You've got the right idea.
>

hmm.. i have encountered some difficulties ;) so now i'm seeking some
more advice..

i have the following rules on my firewall:

10561 skipto 11000 ip from 192.168.1.2 to any
10562 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80

keeping in line with my example, 1=fwall, 2=squid, 3=user

the skipto is in there so we go through nat and get a proper ip.

i never see any packets get to the squid box though..

ipfw show indicates matching packets

ipfw show 10561 10562
10561 5342331306 skipto 11000 ip from 192.168.1.2 to any
10562 2520120960 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80

a tcpdump on the squid box looking out for port 3128 shows nothing, although
the ipfw shows matches..

i'll keep digging around but any more tips would be appreciated on this
setup.

thanks,

andrew.
Re: more transparent proxy and squid questions.
Andrew Thomson wrote:
> I'm not looking for help at setting this up as such, but rather a better
> understanding of what's happening to the packets in this situation.
>
> I have a freebsd firewall/gateway box.
>
> I then fwd the port 80 requests to the squid box on port 3128
>
> squid then i imagine process the request.. does squid then make the same
> http request with its ip as the source?
>
> perhaps an illustration might be helpful.
>
> wall/gwy = 192.168.1.1
> squid = 192.168.1.2
> user = 192.168.1.3
>
> user makes an http request.
>
> ipfw rule on wall diverts to squid:
>
> ipfw add 50 fwd 192.168.1.2,3128 tcp from any to any 80
>
> does squid then make the request with its ip?
>
> thus we'd need something like,
>
> ipfw add 45 allow tcp from 192.168.1.2 to any 80
>
> squid updates the cache/passes the data back to the user??

Yes. You've got the right idea.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
RE: more transparent proxy and squid questions.
Hi,

You will want to make sure that you have this rule before the divert rule:

allow tcp from (live ip address) to any

otherwise squid will go into a forwarding loop. You do not need ip-transparent if you are using IPFW to do the divert.

Oh yes, the headers are from the live ip of the squid box. I know there is a way to pass the client's ip to the remote site. Check on the squid web page regarding that.

Kind Regards
Doron Shmaryahu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Thomson
Sent: 13 June 2003 09:14 AM
To: [EMAIL PROTECTED]
Subject: Re: more transparent proxy and squid questions.

oh, and does squid need to be compiled with

CONFIGURE_ARGS+= --enable-ipf-transparent

given the firewall does the divert to the squid box ??

ta,

ajt.

On Fri, Jun 13, 2003 at 05:04:38PM +1000, Andrew Thomson wrote:
> I'm not looking for help at setting this up as such, but rather a better
> understanding of what's happening to the packets in this situation.
>
> I have a freebsd firewall/gateway box.
>
> I then fwd the port 80 requests to the squid box on port 3128
>
> squid then i imagine process the request.. does squid then make the same
> http request with its ip as the source?
>
> perhaps an illustration might be helpful.
>
> wall/gwy = 192.168.1.1
> squid = 192.168.1.2
> user = 192.168.1.3
>
> user makes an http request.
>
> ipfw rule on wall diverts to squid:
>
> ipfw add 50 fwd 192.168.1.2,3128 tcp from any to any 80
>
> does squid then make the request with its ip?
>
> thus we'd need something like,
>
> ipfw add 45 allow tcp from 192.168.1.2 to any 80
>
> squid updates the cache/passes the data back to the user??
>
> thanks,
>
> ajt.
Re: more transparent proxy and squid questions.
oh, and does squid need to be compiled with

CONFIGURE_ARGS+= --enable-ipf-transparent

given the firewall does the divert to the squid box ??

ta,

ajt.

On Fri, Jun 13, 2003 at 05:04:38PM +1000, Andrew Thomson wrote:
> I'm not looking for help at setting this up as such, but rather a better
> understanding of what's happening to the packets in this situation.
>
> I have a freebsd firewall/gateway box.
>
> I then fwd the port 80 requests to the squid box on port 3128
>
> squid then i imagine process the request.. does squid then make the same
> http request with its ip as the source?
>
> perhaps an illustration might be helpful.
>
> wall/gwy = 192.168.1.1
> squid = 192.168.1.2
> user = 192.168.1.3
>
> user makes an http request.
>
> ipfw rule on wall diverts to squid:
>
> ipfw add 50 fwd 192.168.1.2,3128 tcp from any to any 80
>
> does squid then make the request with its ip?
>
> thus we'd need something like,
>
> ipfw add 45 allow tcp from 192.168.1.2 to any 80
>
> squid updates the cache/passes the data back to the user??
>
> thanks,
>
> ajt.
more transparent proxy and squid questions.
I'm not looking for help at setting this up as such, but rather a better
understanding of what's happening to the packets in this situation.

I have a freebsd firewall/gateway box.

I then fwd the port 80 requests to the squid box on port 3128

squid then i imagine process the request.. does squid then make the same
http request with its ip as the source?

perhaps an illustration might be helpful.

wall/gwy = 192.168.1.1
squid = 192.168.1.2
user = 192.168.1.3

user makes an http request.

ipfw rule on wall diverts to squid:

ipfw add 50 fwd 192.168.1.2,3128 tcp from any to any 80

does squid then make the request with its ip?

thus we'd need something like,

ipfw add 45 allow tcp from 192.168.1.2 to any 80

squid updates the cache/passes the data back to the user??

thanks,

ajt.
Re: Transparent proxy
On Sun, 23 Mar 2003, Maarten de Vries wrote:

> Hi,
>
> On my NAT-box, I'm trying to redirect all http traffic from the desktops
> behind to the squid cache, which is on the same machine.
>
> The ipfw rule I use that should accomplish this is:
>
> $ ipfw add 2350 fwd 192.168.1.1 3128 from any to any 80

Try this rule instead

$ ipfw add 2350 fwd 127.0.0.1 tcp from any to any 80 recv rl1

recv rl1 means everything received from nic rl1 - you will have to put in
the device name of your nic instead.

Regards,

Uli.

> And in squid.conf I have:
>
> http_port 192.168.1.1:3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> Somehow I must be overlooking something, because although http traffic works
> well on the clients, it isn't being picked up. The firewall- and cachelog
> remain empty...
>
> Ipfw and Squid work well in all other respects. Any pointers would be much
> appreciated!
>
> --
> http://unsavoury.net/

+-------------------+
|Peter Ulrich Kruppa|
|   - Wuppertal -   |
|      Germany      |
+-------------------+

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: Transparent proxy
On Sun, 23 Mar 2003, Maarten de Vries wrote:

> $ ipfw add 2350 fwd 192.168.1.1 3128 from any to any 80

You sure you have not some earlier rule which prevents it from hitting this
rule?

Also - if 192.168.1.1 is not this local machine's addr - but on a different
box; be sure to allow that machine to capture the 'destination any' - as the
packet is not rewritten in any way.

DW.
Transparent proxy
Hi,

On my NAT-box, I'm trying to redirect all http traffic from the desktops
behind to the squid cache, which is on the same machine.

The ipfw rule I use that should accomplish this is:

$ ipfw add 2350 fwd 192.168.1.1 3128 from any to any 80

And in squid.conf I have:

http_port 192.168.1.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Somehow I must be overlooking something, because although http traffic works
well on the clients, it isn't being picked up. The firewall- and cachelog
remain empty...

Ipfw and Squid work well in all other respects. Any pointers would be much
appreciated!

--
http://unsavoury.net/
Re: Transparent Proxy
On Thu, 20 Feb 2003, Darcy Buskermolen wrote:

> I'm trying to deploy a transparent proxy server for a friend's office but have
> run into a couple of snags that I can't seem to find the correct answer for.
> Please see http://home2.dbitech.bc.ca:8080/netconfig.txt for graphical
> topology
>
> Note that I'm running IPFW2 on both BSD boxes.
>
> ipfw list output on 192.168.0.254:
>
> 1 skipto 5 tcp from any 1023-65535 to me dst-port 22
> 00040 skipto 50 tcp from 192.168.0.1 to any dst-port 80
> 00048 fwd 192.168.0.1 tcp from 192.168.0.0/24 to any dst-port 80 out
> 00999 divert 8669 ip from any to any via ed0
> 65533 allow ip from any to any
> 65535 deny ip from any to any
>
> ipfw list output on 192.168.0.1:
>
> 00500 fwd 127.0.0.1,3128 ip from 192.168.0.0/16 to any dst-port 80 in
                                                                   ^^^

I am no squid expert, but this was the line which caused the trouble.
I told ipfw to read the traffic directly from the nic (a realtek on rl1):

# ipfw add 500 fwd 127.0.0.1,3128 tcp from any to any 80 recv rl1

Perhaps this works for you, too?

Uli.

+-------------------+
|Peter Ulrich Kruppa|
|   - Wuppertal -   |
|      Germany      |
+-------------------+
Transparent Proxy
I'm trying to deploy a transparent proxy server for a friend's office but have
run into a couple of snags that I can't seem to find the correct answer for.
Please see http://home2.dbitech.bc.ca:8080/netconfig.txt for graphical
topology

Note that I'm running IPFW2 on both BSD boxes.

ipfw list output on 192.168.0.254:

1 skipto 5 tcp from any 1023-65535 to me dst-port 22
00040 skipto 50 tcp from 192.168.0.1 to any dst-port 80
00048 fwd 192.168.0.1 tcp from 192.168.0.0/24 to any dst-port 80 out
00999 divert 8669 ip from any to any via ed0
65533 allow ip from any to any
65535 deny ip from any to any

ipfw list output on 192.168.0.1:

00500 fwd 127.0.0.1,3128 ip from 192.168.0.0/16 to any dst-port 80 in
65000 allow ip from any to any
65535 deny ip from any to any

When the windows box (192.168.0.32) makes a web request it gets forwarded to
the squid machine fine, and squid returns an "access denied" error message;
checking the cache.log on squid I see the reason is as follows:

2003/02/20 04:19:47| WARNING: Forwarding loop detected for:
GET / HTTP/1.0

Can anybody point me in the correct direction to tell me what it is that I'm
missing?

P.S.
Please CC me on responses as I'm not subscribed to questions.

--
Darcy Buskermolen
Wavefire Technologies Corp.
ph: 250.717.0200
fx: 250.763.1759
http://www.wavefire.com
Re: Squid & transparent proxy
On Sat, 7 Dec 2002 08:35:01, [EMAIL PROTECTED] ("Bob Hall") wrote:

> I'm trying to set squid up as a transparent proxy. I'm able to
> do everything except the transparent part. If I point a web
> browser at squid, everything works fine. But it won't work
> transparently.

(details snipped)

My setup is an internal net on 172.16/16 and an external net on
195.74.141.0/26. The proxy is 195.74.141.2.

The firewall router between internal and external has this:

> # Transparent HTTP proxy: TCP packets to port 80 are forwarded to Squid cache
> #
> $fw add fwd 195.74.141.2 tcp from 172.16.0.0/16 to any http out

and the proxy has this:

> $fw add pass all from 195.74.141.2 to any
> $fw add fwd 127.0.0.1,3128 tcp from any to any http

I think my Squid setup is the same as yours.
Re: need help setting up a transparent proxy
On Sat, 7 Dec 2002 13:35:26 -0600, Glenn Johnson wrote:

> I am trying to set up a transparent squid proxy with ipfw. I am using
> FreeBSD 4.7-STABLE (current as of today), version 2.5_1 of squid. I
> have read the relevant information on the squid Web site and searched
> the FreeBSD mail archive. I am pretty sure I have everything set up
> right but it just does not work.
>
> I have the following in my kernel config:
>
> options IPFIREWALL         #firewall
> options IPFIREWALL_FORWARD #enable transparent proxy support
> options IPDIVERT           #divert sockets
> options IPSTEALTH          #support for stealth forwarding
>
> I have the following in my squid.conf file:
>
> http_port 3128
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I am using the "SIMPLE" firewall setup. I have the following in my
> rc.firewall file
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Try this to get a transparent proxy
> ${fwcmd} add fwd 127.0.0.1,3128 tcp from any to any 80
>
> I have also tried setting the first rule above to "...any to any 80" but
> that did not help.

did you run squid -z to create the swap directories?

---
doug reynolds | the maverick | [EMAIL PROTECTED]
Re: need help setting up a transparent proxy
On Sat, Dec 07, 2002 at 04:50:41PM -0600, Scott A. Moberly wrote:

> > I am trying to set up a transparent squid proxy with ipfw. I am
> > using FreeBSD 4.7-STABLE (current as of today), version 2.5_1 of
> > squid. I have read the relevant information on the squid Web site
> > and searched the FreeBSD mail archive. I am pretty sure I have
> > everything set up right but it just does not work.

...snip...

> > What am I missing?
>
> Looks like an infinite loop to me. If this is on a gateway machine,
> you might try:
>
> $fwcmd add fwd 127.0.0.1,3128 from INTERNAL_NETWORK to any 80

Thanks; that was it.

Is there any way to have the gateway/proxy machine also use the proxy cache
transparently? Apparently, packets destined for outbound port 80 from the
gateway/proxy machine are coming from the external interface (cable modem)
rather than the internal interface. This makes sense as the default route is
on the external interface. Is it possible to make those packets appear to
come from the internal interface? Not a big deal but I am curious.

Thanks for your help.

--
Glenn Johnson
[EMAIL PROTECTED]
Re: Squid & transparent proxy: fixed
On Sat, Dec 07, 2002 at 03:34:34AM -0500, Bob Hall wrote:

> I'm trying to set squid up as a transparent proxy. I'm able to
> do everything except the transparent part. If I point a web
> browser at squid, everything works fine. But it won't work
> transparently.

Oh, never mind. I had the DIVERT and the FORWARD kernel options mixed up,
and I mistakenly thought the kernel was already compiled for this. Once I
compiled the kernel with the IPFIREWALL_FORWARD option, transparent caching
worked fine.

Bob Hall
Re: need help setting up a transparent proxy
> I am trying to set up a transparent squid proxy with ipfw. I am using
> FreeBSD 4.7-STABLE (current as of today), version 2.5_1 of squid. I
> have read the relevant information on the squid Web site and searched
> the FreeBSD mail archive. I am pretty sure I have everything set up
> right but it just does not work.
>
> I have the following in my kernel config:
>
> options IPFIREWALL         #firewall
> options IPFIREWALL_FORWARD #enable transparent proxy support
> options IPDIVERT           #divert sockets
> options IPSTEALTH          #support for stealth forwarding
>
> I have the following in my squid.conf file:
>
> http_port 3128
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I am using the "SIMPLE" firewall setup. I have the following in my
> rc.firewall file
>
> # Allow setup of any other TCP connection
> ${fwcmd} add pass tcp from any to any setup
>
> # Try this to get a transparent proxy
> ${fwcmd} add fwd 127.0.0.1,3128 tcp from any to any 80
>
> I have also tried setting the first rule above to "...any to any 80" but
> that did not help.
>
> What am I missing?
>
> Thanks.

Looks like an infinite loop to me. If this is on a gateway machine, you
might try:

$fwcmd add fwd 127.0.0.1,3128 from INTERNAL_NETWORK to any 80

If the machine is inside the network you will want a skipto statement.
Skipping over this statement for the machine itself will resurrect you from
the infinite loop.

--
Scott A. Moberly
[EMAIL PROTECTED]
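The loop Scott describes (and the "Forwarding loop detected" warning in Darcy's cache.log) follows from ipfw's first-match evaluation: the proxy's own outbound fetch to port 80 matches the same fwd rule as the clients' requests. The toy rule evaluator below is an added example, not code from the thread; it assumes a constructed topology (squid on the gateway, 192.168.0.0/24 inside on ed0, 203.0.113.5 outside on ppp0) and models only the rule options used in the thread, showing the unrestricted rule looping and the three fixes discussed on this page (source restriction, an "allow from me" rule ahead of fwd with "via" the internal nic, and skipto) letting the proxy's fetch out.

```python
"""Toy first-match model of an ipfw ruleset (added example, not code from the
thread).  Shows why an unrestricted "fwd 127.0.0.1,3128 tcp from any to any 80"
on the squid box forwards squid's own fetch back to squid (the forwarding loop)
and how each fix discussed in the thread avoids that."""
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "ed0"  # interface the packet is seen on


@dataclass
class Rule:
    num: int
    action: str                  # allow | deny | fwd | skipto
    target: str = ""             # "host,port" for fwd, rule number for skipto
    proto: str = "ip"            # ip | tcp | udp
    src: str = "any"             # any | me | address | CIDR
    dst: str = "any"
    dport: Optional[int] = None  # None = any destination port
    iface: Optional[str] = None  # "via <interface>", None = any interface


def _addr_match(spec: str, addr: str, me: frozenset) -> bool:
    if spec == "any":
        return True
    if spec == "me":  # "me" = any address owned by the firewall host
        return addr in me
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, me: frozenset) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    return _addr_match(rule.src, pkt.src, me) and _addr_match(rule.dst, pkt.dst, me)


def evaluate(rules, pkt: Packet, me: frozenset = frozenset()):
    """First-match walk honouring skipto.  Returns (action, target, rule_num);
    the implicit rule 65535 deny applies when nothing matches."""
    ordered = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if not rule_matches(r, pkt, me):
            i += 1
            continue
        if r.action == "skipto":  # resume at the first rule numbered >= target
            wanted = int(r.target)
            i = next((k for k, x in enumerate(ordered) if x.num >= wanted), len(ordered))
            continue
        return r.action, r.target, r.num
    return "deny", "", 65535


# Constructed topology: squid runs on the gateway, which owns 192.168.0.254
# on ed0 (inside) and 203.0.113.5 on ppp0 (outside).  A LAN client asks for
# a web page; squid then fetches it from its own outside address.
GATEWAY_ADDRS = frozenset({"192.168.0.254", "203.0.113.5"})
CLIENT_REQUEST = Packet("192.168.0.32", "198.51.100.10", 80, iface="ed0")
SQUID_FETCH = Packet("203.0.113.5", "198.51.100.10", 80, iface="ppp0")

# The rc.firewall line from the question: no source restriction at all.
LOOPING = [Rule(50, "fwd", "127.0.0.1,3128", proto="tcp", dport=80),
           Rule(65000, "allow")]
# Fix 1: forward only the internal network (Scott's suggestion).
FIXED_BY_SOURCE = [Rule(50, "fwd", "127.0.0.1,3128", proto="tcp", src="192.168.0.0/24", dport=80),
                   Rule(65000, "allow")]
# Fix 2: allow the box's own port-80 traffic first, forward only via the internal nic.
FIXED_BY_ALLOW_AND_IFACE = [Rule(60, "allow", proto="tcp", src="me", dport=80),
                            Rule(62, "fwd", "127.0.0.1,3128", proto="tcp", dport=80, iface="ed0"),
                            Rule(65000, "allow")]
# Fix 3: skipto lets the box's own traffic jump over the fwd rule.
FIXED_BY_SKIPTO = [Rule(40, "skipto", "50", proto="tcp", src="me", dport=80),
                   Rule(48, "fwd", "127.0.0.1,3128", proto="tcp", dport=80),
                   Rule(50, "allow")]


def loops(rules) -> bool:
    """True when squid's own fetch would be forwarded back to squid."""
    return evaluate(rules, SQUID_FETCH, GATEWAY_ADDRS)[0] == "fwd"


if __name__ == "__main__":
    for rs in (LOOPING, FIXED_BY_SOURCE, FIXED_BY_ALLOW_AND_IFACE, FIXED_BY_SKIPTO):
        print(evaluate(rs, CLIENT_REQUEST, GATEWAY_ADDRS), evaluate(rs, SQUID_FETCH, GATEWAY_ADDRS), loops(rs))
```

Real ipfw also distinguishes in/out and recv/xmit interfaces; the model collapses those to a single "via" check, which is enough to see which rule each packet lands on.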
need help setting up a transparent proxy
I am trying to set up a transparent squid proxy with ipfw. I am using
FreeBSD 4.7-STABLE (current as of today), version 2.5_1 of squid. I
have read the relevant information on the squid Web site and searched
the FreeBSD mail archive. I am pretty sure I have everything set up
right but it just does not work.

I have the following in my kernel config:

options IPFIREWALL         #firewall
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPDIVERT           #divert sockets
options IPSTEALTH          #support for stealth forwarding

I have the following in my squid.conf file:

http_port 3128
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I am using the "SIMPLE" firewall setup. I have the following in my
rc.firewall file

# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup

# Try this to get a transparent proxy
${fwcmd} add fwd 127.0.0.1,3128 tcp from any to any 80

I have also tried setting the first rule above to "...any to any 80" but
that did not help.

What am I missing?

Thanks.

--
Glenn Johnson
[EMAIL PROTECTED]
Squid & transparent proxy
I'm trying to set squid up as a transparent proxy. I'm able to
do everything except the transparent part. If I point a web
browser at squid, everything works fine. But it won't work
transparently.

FreeBSD 4.4
squid-2.5_1

# ipfw l
00049 allow tcp from 192.168.0.1 to any
00050 divert 8668 ip from any to any via ppp0
65000 allow ip from any to any
65000 allow ip from any to any
65535 deny ip from any to any

Standard squid configuration.

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I can run a web browser on the cache machine with configuring it for the
cache, and it uses the cache (entry in access.log). I can point a web
browser on another machine at squid, and it uses the cache (another entry
in access.log). But if I don't manually configure the browser on the other
host, ipfw -t l shows that rule 00050 was matched, but there's no entry in
the access log.

I've tried the following three versions of rule 50, with the same result:

${fwcmd} add 50 fwd 127.0.0.1 tcp from any to any 80
${fwcmd} add 50 fwd 127.0.0.1,3128 tcp from any to any 80
${fwcmd} add 50 fwd 192.168.0.1,3128 tcp from 192.168.0.0/24 to any 80

When I sh /etc/rc.firewall and then test squid again, I still can't get
transparent proxying, except on the machine that squid runs on.

Bob Hall
Re: transparent proxy support
my point was simple. Sorry you mistook it. I am using a STOCK squid install
from the ports tree. I am *not* using ipf headers.

Quoting Derrick Joseph <[EMAIL PROTECTED]>:

> I'm sorry man but I don't need your explanation regarding
> the configuration of the squid box, ipfw, router, etc. As
> I have told you, I was able to run a transparent proxy
> server from FreeBSD 4.6.2 without any problem. I
> customized the kernel, configured squid and my router and
> it worked fine for me and my subscribers. My primary
> concern here is that I did the same thing into this
> FreeBSD 4.7 and when I tried compiling the squid with the
> following options
>
> (a) --enable-ipf-transparent -- it tells me that ipfilter
> header files not found
>
> I've also tried,
> (b) --enable-pf-transparent -- it tells me that pf header
> files not found
>
> Now, why the heck does this new release tell me that the
> header files are not found. And this is my primary concern
> here ...
>
> Deejay
>
> On Sat, 26 Oct 2002 13:59:24 -0400
> [EMAIL PROTECTED] wrote:
> > if you are serving web pages off of your natd/ipfw/squid
> > box, the following helps to... (to prevent people trying to view
> > your site from getting squid denied errors)
> >
> > modify my previous rule 62 to read
> >
> > 00062 4792 259184 fwd 127.0.0.1,3128 tcp from any to any 80 via ed0
> >
> > where (in my case) ed0 is your INTERNAL nic, not your public nic
> >
> > 00060 20198 1074897 allow tcp from me to any 80
> > 00061 1133915005323 allow tcp from any 80 to me
> > 00062 4792 259184 fwd 127.0.0.1,3128 tcp from any to any 80 via ed0
Re: transparent proxy support
if you are serving web pages off of your natd/ipfw/squid box, the following
helps to... (to prevent people trying to view your site from getting squid
denied errors)

modify my previous rule 62 to read

00062 4792 259184 fwd 127.0.0.1,3128 tcp from any to any 80 via ed0

where (in my case) ed0 is your INTERNAL nic, not your public nic

00060 20198 1074897 allow tcp from me to any 80
00061 1133915005323 allow tcp from any 80 to me
00062 4792 259184 fwd 127.0.0.1,3128 tcp from any to any 80 via ed0

Quoting Derrick Joseph <[EMAIL PROTECTED]>:

> Oh yes, I was also able to do it before as stated in my
> previous email. The problem right now in the current
> release is that the ipfilter header files are missing.
>
> On Sat, 26 Oct 2002 00:01:57 -0400
> [EMAIL PROTECTED] wrote:
> > what I was saying, is that I didn't
> > do any special build of squid at the time.
> >
> > unfortunately, this was before 4.7.
> >
> > Quoting Derrick Joseph <[EMAIL PROTECTED]>:
> >
> > > So you're using 4.7 ???
> > >
> > > On Fri, 25 Oct 2002 23:44:57 -0400
> > > [EMAIL PROTECTED] wrote:
> > > > When I was running a transparent proxy for a college I
> > > > used to work for, I just installed the standard squid
> > > > from the ports collection and just adjusted my kernel
> > > > to do the transparent forwarding via ipfw and it seemed
> > > > to work just fine.

-
This mail sent through IMP: http://horde.org/imp/
Re: transparent proxy support
Ok, I just set it up here.

updated my ports directory first. :)

performed a *STOCK* install of squid 2.5

cd /usr/ports/www/squid
make install

added the following to my squid.conf
---
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl our_networks src 192.168.0.0/16
http_access allow our_networks
---

created the cache directory

started squid

added the following ipfw rule to the box (this box is also my firewall/nat
btw) (i did it after my natd divert rule)

00060 10305 545706 allow tcp from me to any 80
00061 4766 6370609 allow tcp from any 80 to me
00062 5620 299803 fwd 127.0.0.1,3128 tcp from any to any 80

tested a web site, and xmms

everything is working fine and stuff shows up in my access.log
---
# tail access.log
1035654302.029387 192.168.2.34 TCP_MISS/301 607 GET http://www.slashdot.org/ - DIRECT/64.28.67.150 text/html
1035654302.475328 192.168.2.34 TCP_MISS/200 11150 GET http://slashdot.org/ - DIRECT/64.28.67.150 text/html
1035654302.898231 192.168.2.34 TCP_MISS/200 341 GET http://images2.slashdot.org/Slashdot/pc.gif? - DIRECT/64.28.67.114 image/gif
---

Quoting Derrick Joseph <[EMAIL PROTECTED]>:

> Oh yes, I was also able to do it before as stated in my
> previous email. The problem right now in the current
> release is that the ipfilter header files are missing.
>
> On Sat, 26 Oct 2002 00:01:57 -0400
> [EMAIL PROTECTED] wrote:
> > what I was saying, is that I didn't
> > do any special build of squid at the time.
> >
> > unfortunately, this was before 4.7.
> >
> > Quoting Derrick Joseph <[EMAIL PROTECTED]>:
> >
> > > So you're using 4.7 ???
> > >
> > > On Fri, 25 Oct 2002 23:44:57 -0400
> > > [EMAIL PROTECTED] wrote:
> > > > When I was running a transparent proxy for a college I
> > > > used to work for, I just installed the standard squid
> > > > from the ports collection and just adjusted my kernel
> > > > to do the transparent forwarding via ipfw and it seemed
> > > > to work just fine.
Re: transparent proxy support
# [EMAIL PROTECTED] / 2002-10-26 11:21:55 +0800:
>
> Hello People !!!
>
> I just upgraded my system from FreeBSD 4.6.2 to FreeBSD
> 4.7-RELEASE and now I'm having a problem configuring
> transparent proxy server support. With my FreeBSD 4.6.2
> box before, I hadn't encountered a single problem when I
> compiled squid to support transparent proxy with the
> "--enable-ipf-transparent" option. Thus, after installing
> the box and enabling the IPFIREWALL option in the kernel,

IPFIREWALL is ipfw. If you want ipf, make buildkernel with IPFILTER.

> I started installing squid with the same options I did
> with my FreeBSD 4.6.2 box. At the installation process it
> stops and tells me "IPFILTER header files not found",
> so I went through squid's configure script and found out
> that it should be "--enable-pf-transparent" if I want to
> use IPFW as my platform. This time it tells me "PF header
> files not found" ... what seems to be the problem here?

pf is the OpenBSD-specific firewall. I haven't tried it personally with a new squid release, but I'd hazard a guess that you misread the install instructions.

--
If you cc me or take the list(s) out completely I'll most likely ignore your message.
transparent proxy support
Hello People !!!

I just upgraded my system from FreeBSD 4.6.2 to FreeBSD 4.7-RELEASE and now I'm having a problem configuring transparent proxy server support. With my FreeBSD 4.6.2 box before, I hadn't encountered a single problem when I compiled squid to support transparent proxy with the "--enable-ipf-transparent" option. Thus, after installing the box and enabling the IPFIREWALL option in the kernel, I started installing squid with the same options I did with my FreeBSD 4.6.2 box. At the installation process it stops and tells me "IPFILTER header files not found", so I went through squid's configure script and found out that it should be "--enable-pf-transparent" if I want to use IPFW as my platform. This time it tells me "PF header files not found" ... what seems to be the problem here?

Please help, I'm using this box for production purposes.

Thanks.

Deejay

** Get your free E-Mail account at WWW.DIGITELONE.COM **
