Re: pf + squid
Greg Donald wrote:
> On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
>> I'm still having problems getting this to work.
>
> I think I found my issue. When I first installed squid I picked the wrong option for use with pf. I should have picked the --enable-pf-transparent in the dialogue box. I'm pretty sure I picked ipf or something like that. But now I can't seem to make it ask me which option I want again. I did make deinstall and make clean but when I go to do make install again it doesn't ask me for any options choices. I even removed it from /usr/ports, updated my ports collection to get it back and still it doesn't ask me anything before beginning to compile.
>
> Any clues?

Delete /var/db/ports/squid/options. I think there is a make target in the port as well. Try man ports.

--Alex

--
Phone: +44 131 468 2422
Email: [EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: pf + squid
On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> I'm still having problems getting this to work.

I think I found my issue. When I first installed squid I picked the wrong option for use with pf. I should have picked the --enable-pf-transparent in the dialogue box. I'm pretty sure I picked ipf or something like that. But now I can't seem to make it ask me which option I want again. I did make deinstall and make clean but when I go to do make install again it doesn't ask me for any options choices. I even removed it from /usr/ports, updated my ports collection to get it back and still it doesn't ask me anything before beginning to compile.

Any clues?

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
Re: pf + squid
On 5/18/05, Tomas Quintero <[EMAIL PROTECTED]> wrote:
> I use PF myself.

I've disabled my ipfw and natd stuff in rc.conf. Trying only with pf now. I'm still having problems getting this to work. Most sites I go to fail to load, google.com for example. Other sites, the HTML loads but not the images, slashdot.org for example. See anything wrong with my conf files?

squid.conf:

acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8
http_port 127.0.0.1:3128
http_access deny to_localhost
http_access allow our_networks
visible_hostname gateway.localdomain
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

pf.conf:

ext_if="dc0"
int_if="dc1"
internal_net="10.0.0.0/8"
external_addr="24.159.59.97"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

my pf setting from rc.conf:

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"

With these settings I have no NAT and most of the sites I try I can't reach, it acts like I'm trying to access a broken DNS server or something. I have a local DNS server 10.0.0.2 that works fine with my old ipfw setup. I read in the pf docs that gateway_enable="YES" activates a pf NAT or something to that effect. Is there more to do? Seems I have _something_ working, but it's not working 100% yet.

Or better yet does anyone have a transparent proxy setup they might share their conf files from with me? I'll do the diff :)

Thanks,

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
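A pf.conf that does the job with pf alone, added here as an example and not taken from the thread or from the benzedrine howto: it keeps the interface names and network from the posted configs and adds the one thing that config lacks, a nat rule, since gateway_enable only turns on IP forwarding and does no translation. The default-deny on the external interface and the exclusion of LAN web servers from the redirect are my additions; squid must still be built with --enable-pf-transparent and be able to open /dev/pf, as discussed earlier in the thread.

```pf
# Added example pf.conf: transparent squid plus NAT, no ipfw/natd.
# Macros (interface names and LAN taken from the thread's configs).
ext_if="dc0"
int_if="dc1"
internal_net="10.0.0.0/8"

# --- translation rules: pf requires these before the filter rules ---

# The missing piece: one line of NAT for everything leaving the LAN.
# ($ext_if) follows the interface address if it changes. Without this,
# the LAN (including the DNS server 10.0.0.2 forwarding queries) goes
# out untranslated and nothing outside answers, which looks like broken DNS.
nat on $ext_if inet from $internal_net to any -> ($ext_if)

# Transparent proxy: redirect LAN web traffic to squid on 127.0.0.1:3128.
# "to ! $internal_net" keeps LAN web servers (e.g. 10.0.0.2:80)
# reachable directly instead of bouncing them through the proxy.
rdr on $int_if inet proto tcp from $internal_net to ! $internal_net port www -> 127.0.0.1 port 3128

# --- filter rules: last matching rule wins, "quick" stops evaluation ---

# Loopback must pass, or the redirected connections to 127.0.0.1 die.
pass quick on lo0 all

# Default-deny unsolicited traffic from the outside; replies to the
# stateful pass-out rule below are matched by state, not by this rule.
# (Inbound services the old natd.conf forwarded would each need an
# explicit rdr on $ext_if plus a matching pass rule.)
block in on $ext_if all

# LAN clients reaching the redirected squid listener.
pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 3128 keep state

# Everything else from the LAN (DNS to 10.0.0.2, ssh, ...) is forwarded.
pass in on $int_if inet from $internal_net to any keep state

# Squid's own fetches and the NATed LAN traffic leaving the box.
pass out on $ext_if inet from any to any keep state
```

Load it with `pfctl -f /etc/pf.conf` and confirm the translation rules took effect with `pfctl -s nat`; `pfctl -s state` should then show both the client-to-127.0.0.1:3128 entry and squid's outbound connection for each proxied request.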
Re: pf + squid
> Guess I better go ahead and ask now, is it ok to use natd with pf?

PF does NAT for you, in one line. I hope you're not using natd, ipfw, and pf ><

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls.html

Read it, choose one. I use PF myself.

--
-Tomas Quintero
Re: pf + squid
On 5/18/05, Tomas Quintero <[EMAIL PROTECTED]> wrote:
> Why are you using IPFW and PF?

I assume from your question that I should not. And I guess the answer is because I didn't know any better.

So to use pf I have to stop using ipfw? And I have to convert my ipfw stuff to pf?

Guess I better go ahead and ask now, is it ok to use natd with pf?

Thanks,

--
Greg Donald
Zend Certified Engineer
http://destiney.com/
Re: pf + squid
On 5/18/05, Greg Donald <[EMAIL PROTECTED]> wrote:
> I am following this howto:
> http://www.benzedrine.cx/transquid.html
>
> I added pf and pflog to my kernel. After rebooting I did chgrp squid
> /dev/pf and chmod g+rw /dev/pf. I also restarted squid several times.
> When I try to access a remote web server it times out. I'm not
> getting any errors in /var/log/pflog or /var/log/messages.
>
> My config files look like this:
>
> > cat /etc/pf.conf |grep -v ^#
>
> ext_if="dc0"# replace with actual external interface name i.e., dc0
> int_if="dc1"# replace with actual internal interface name i.e., dc1
> internal_net="10.0.0.1/8"
> external_addr="24.159.59.97"
>
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
> > cat /usr/local/etc/squid/squid.conf |grep -v ^#
> acl all src 0.0.0.0/0.0.0.0
> acl our_networks src 10.0.0.0/8
> acl to_localhost dst 127.0.0.0/8
> http_port 127.0.0.1:3128
> http_access deny to_localhost
> http_access allow our_networks
> visible_hostname gateway.localdomain
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I am using ipfw to create my NAT, I don't know if that matters, but
> here are my config files for that as well:
>
> > cat /etc/rc.firewall |grep -v ^#
>
> ipfw -f flush
>
> ipfw pipe 10 config bw 12KBytes/s
> ipfw add 50 pipe 10 ip from 10.0.0.2 to any via dc1
>
> ipfw pipe 11 config bw 24KBytes/s
> ipfw add 51 pipe 11 ip from 10.0.0.3 to any via dc1
>
> ipfw pipe 12 config bw 12KBytes/s
> ipfw add 52 pipe 12 ip from 10.0.0.4 to any via dc1
> ipfw pipe 13 config bw 64KBytes/s
> ipfw add 53 pipe 13 ip from any to 10.0.0.4 via dc1
>
> ipfw add 200 pass all from any to any via lo0
> ipfw add 201 deny ip from any to 127.0.0.0/8
>
> ipfw add 500 divert natd all from any to any via dc0
>
> > cat /etc/natd.conf |grep -v ^#
> interface dc0
> dynamic
> use_sockets
> unregistered_only
> punch_fw 2000:50
> redirect_port tcp 10.0.0.2:20-21 20-21
> redirect_port tcp 10.0.0.2:22 22
> redirect_port tcp 10.0.0.2:80 80
> redirect_port tcp 10.0.0.2:113 113
>
> redirect_port tcp 10.0.0.2:
> redirect_port tcp 10.0.0.2:2010-2020 2010-2020
>
> Any ideas? TIA.
>
> --
> Greg Donald
> Zend Certified Engineer
> http://destiney.com/

Why are you using IPFW and PF?

--
-Tomas Quintero
pf + squid
I am following this howto:
http://www.benzedrine.cx/transquid.html

I added pf and pflog to my kernel. After rebooting I did chgrp squid /dev/pf and chmod g+rw /dev/pf. I also restarted squid several times. When I try to access a remote web server it times out. I'm not getting any errors in /var/log/pflog or /var/log/messages.

My config files look like this:

> cat /etc/pf.conf |grep -v ^#

ext_if="dc0"# replace with actual external interface name i.e., dc0
int_if="dc1"# replace with actual internal interface name i.e., dc1
internal_net="10.0.0.1/8"
external_addr="24.159.59.97"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

> cat /usr/local/etc/squid/squid.conf |grep -v ^#
acl all src 0.0.0.0/0.0.0.0
acl our_networks src 10.0.0.0/8
acl to_localhost dst 127.0.0.0/8
http_port 127.0.0.1:3128
http_access deny to_localhost
http_access allow our_networks
visible_hostname gateway.localdomain
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

I am using ipfw to create my NAT, I don't know if that matters, but here are my config files for that as well:

> cat /etc/rc.firewall |grep -v ^#

ipfw -f flush

ipfw pipe 10 config bw 12KBytes/s
ipfw add 50 pipe 10 ip from 10.0.0.2 to any via dc1

ipfw pipe 11 config bw 24KBytes/s
ipfw add 51 pipe 11 ip from 10.0.0.3 to any via dc1

ipfw pipe 12 config bw 12KBytes/s
ipfw add 52 pipe 12 ip from 10.0.0.4 to any via dc1
ipfw pipe 13 config bw 64KBytes/s
ipfw add 53 pipe 13 ip from any to 10.0.0.4 via dc1

ipfw add 200 pass all from any to any via lo0
ipfw add 201 deny ip from any to 127.0.0.0/8

ipfw add 500 divert natd all from any to any via dc0

> cat /etc/natd.conf |grep -v ^#
interface dc0
dynamic
use_sockets
unregistered_only
punch_fw 2000:50
redirect_port tcp 10.0.0.2:20-21 20-21
redirect_port tcp 10.0.0.2:22 22
redirect_port tcp 10.0.0.2:80 80
redirect_port tcp 10.0.0.2:113 113

redirect_port tcp 10.0.0.2:
redirect_port tcp 10.0.0.2:2010-2020 2010-2020

Any ideas? TIA.

--
Greg Donald
Zend Certified Engineer
http://destiney.com/