Re: Squid 2.6 transparent proxy with pf
On Thursday, December 21, 2006, at 15:32:24, Peter N. M. Hansteen wrote:
> Dominik Zalewski [EMAIL PROTECTED] writes:
>> My question is can I redirect traffic on $int_if to another machine
>> connected to the same interface? Is this rule correct?
> You can redirect, but you need to let the packets from the proxy pass
> without redirection to the rest of the world.
>> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> I would supplement this with a 'no rdr' rule for the proxy generated traffic.

One thing you should notice is that if packets are generated from the same network your proxy stands in, then the proxy will try to send reply packets (and packets with www pages of course) directly to machines in your LAN. And it means problems ;)

What I should do is create another network (i.e. if your LAN is 10.0.0.0/24 you can use 10.1.0.0/24) and attach 10.1.0.1 to the OpenBSD NAT box and 10.1.0.2 to the proxy. Then add NAT rules at the OpenBSD NAT box and the following lines:

no rdr on $int_if from 10.1.0.2
rdr on $int_if from your.lan/net to any port 80 -> 10.1.0.2 port 8080

I made such a config about a year ago and it worked. Maybe there are newer features in PF that will work now, but my scenario was good a year ago and I haven't changed it (old IT rule: if sth works well don't touch that :-))

regards,
--
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
Re: Squid 2.6 transparent proxy with pf
On Thursday, December 21, 2006, at 14:04:34, misc@openbsd.org wrote:
> Dominik Zalewski [EMAIL PROTECTED] writes:
>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>> http requests to my squid web proxy.
> Daniel Hartmeier wrote about this a while back, his article can be found at
> http://www.benzedrine.cx/transquid.html

However, Daniel's article doesn't cover squid-2.6. The guys from the squid team changed the configuration options in squid.conf which you should use to make it work. Here is a working config for 2.6.STABLE5:

http_port 3128 transparent
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header on

Daniel: can you change it also at your page to cover that?
--
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
Re: Squid 2.6 transparent proxy with pf
Dominik Zalewski [EMAIL PROTECTED] writes:
> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
> http requests to my squid web proxy.

Daniel Hartmeier wrote about this a while back, his article can be found at http://www.benzedrine.cx/transquid.html

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers  The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Squid 2.6 transparent proxy with pf
I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing http requests to my squid web proxy.

INTERNET --- $ext_if - OpenBSD - $int_if --- Switch --- squid
                                               |
                                               |
                                              LAN

-- from pf.conf ---
ext_if = fxp0
int_if = fxp1
squid = 10.0.0.2
lan = 10.0.0.0/24

rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
-- end ---

Is this rule correct? Or can redirected traffic not come back on the same interface? A long time ago the pfctl parser gave me errors about this, now it doesn't.

Should I get another NIC and put it in the OpenBSD firewall and bridge it with squid, for example? What is the best solution?

Thank you in advance,
Dominik
Re: Squid 2.6 transparent proxy with pf
On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
> Dominik Zalewski [EMAIL PROTECTED] writes:
>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>> http requests to my squid web proxy.
> Daniel Hartmeier wrote about this a while back, his article can be found at
> http://www.benzedrine.cx/transquid.html

In this article squid is running on the same machine as the OpenBSD firewall. In my case I have squid running on a different machine connected to the LAN interface.

My question is can I redirect traffic on $int_if to another machine connected to the same interface? Is this rule correct?

rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

pfctl doesn't complain about anything, but it simply doesn't work.

Here is a cut from my squid.conf:

### Main ###
http_port 8080 transparent
...
acl lan src 10.0.0.0/255.255.255.0
...
http_access allow lan

When I set up the proxy manually in my browser, it works.
Re: Squid 2.6 transparent proxy with pf
On 2006-12-21T15:29, Dominik Zalewski wrote:
> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>> http requests to my squid web proxy.
>> Daniel Hartmeier wrote about this a while back, his article can be found at
>> http://www.benzedrine.cx/transquid.html
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface.
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

hehe, you must exclude the squid!

hth, Marcus.
Re: Squid 2.6 transparent proxy with pf
On Thu, Dec 21, 2006 at 03:29:51PM +0200, Dominik Zalewski wrote:
> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>> http requests to my squid web proxy.
>> Daniel Hartmeier wrote about this a while back, his article can be found at
>> http://www.benzedrine.cx/transquid.html
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface.
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> pfctl doesn't complain about anything, but it simply doesn't work.

This is reflecting a connection back to the same interface. The squid proxy tries to reply to the sender, bypassing the firewall. The sender resets the connection since it did not send a packet to the proxy in the first place.

This is all discussed in the pf guide: http://www.openbsd.org/faq/pf/rdr.html#reflect with different ways to solve it.

Can
Re: Squid 2.6 transparent proxy with pf
On Thursday 21 December 2006 15:59, Marcus Popp wrote:
> On 2006-12-21T15:29, Dominik Zalewski wrote:
>> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>>> http requests to my squid web proxy.
>>> Daniel Hartmeier wrote about this a while back, his article can be found at
>>> http://www.benzedrine.cx/transquid.html
>> In this article squid is running on the same machine as the OpenBSD
>> firewall. In my case I have squid running on a different machine connected
>> to the LAN interface.
>> My question is can I redirect traffic on $int_if to another machine
>> connected to the same interface? Is this rule correct?
>> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> hehe, you must exclude the squid!
> hth, Marcus.

exclude the squid? squid is connected to $int_if through a fast ethernet switch

--
Dominik Zalewski | System Administrator
OpenCraft
t- +2 02 336 0003
w- http://www.open-craft.com
Re: Squid 2.6 transparent proxy with pf
Dominik Zalewski [EMAIL PROTECTED] writes:
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?

You can redirect, but you need to let the packets from the proxy pass without redirection to the rest of the world.

> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

I would supplement this with a 'no rdr' rule for the proxy generated traffic.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers  The Usenet Bard, Twice-forwarded tales
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds
Re: Squid 2.6 transparent proxy with pf
Dominik,

Internet---ext_if---BSD---int_if

int_if = default gateway for all PCs and the proxy?

If so, you have to redirect all the traffic to the proxy (you know that) and then only allow nat on the BSD firewall from the proxy to any destination on port 80.

An example from my pf.conf:

proxy=170.157.20.3
nat on $ext_if inet from $proxy to any -> $ext_if

I hope that your squid is working as you need it.
I hope this can help

Jorge Valbuena

-------- Original message --------
Date: Thu, 21 Dec 2006 13:40:10 +0200
From: Dominik Zalewski [EMAIL PROTECTED]
To: misc@openbsd.org, pf@benzedrine.cx
Subject: Squid 2.6 transparent proxy with pf

> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
> http requests to my squid web proxy.
>
> INTERNET --- $ext_if - OpenBSD - $int_if --- Switch --- squid
>                                                |
>                                                |
>                                               LAN
>
> -- from pf.conf ---
> ext_if = fxp0
> int_if = fxp1
> squid = 10.0.0.2
> lan = 10.0.0.0/24
>
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> -- end ---
>
> Is this rule correct? Or can redirected traffic not come back on the same
> interface? A long time ago the pfctl parser gave me errors about this, now
> it doesn't.
>
> Should I get another NIC and put it in the OpenBSD firewall and bridge it
> with squid, for example? What is the best solution?
>
> Thank you in advance,
> Dominik
Re: Squid 2.6 transparent proxy with pf
On 2006/12/21 15:29, Dominik Zalewski wrote:
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface.
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?

No, you can't redirect back out the interface the packet came from. Maybe vlans could help, if there are no spare physical interfaces. Or you could run a small transparent proxy (e.g. tinyproxy) on the firewall and have that use $squid as a parent.

> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

Even if you arrange $squid to be on an interface other than $int_if, I don't think this will work: iirc Squid needs to query /dev/pf for the untranslated addresses; in that case you need route-to on the firewall and fwd -> 127.0.0.1 on the proxy.
Re: Squid 2.6 transparent proxy with pf
Dominik Zalewski [EMAIL PROTECTED] wrote:
> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>> http requests to my squid web proxy.
>> Daniel Hartmeier wrote about this a while back, his article can be found at
>> http://www.benzedrine.cx/transquid.html
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface.
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> pfctl doesn't complain about anything, but it simply doesn't work.

I believe Squid's intercepting mode relies on PF's DIOCNATLOOK ioctl to get an idea what the real destination was. I don't know if this information can be pfsync'ed between different machines, but from the man page I would assume that it's currently not possible (I only checked on FreeBSD 6.2-PRERELEASE, my pfsync version might be a few steps behind the one on OpenBSD 4.0).

If it's not possible you probably have to move Squid to the box where PF is running, or use a proxy that extracts the destination from the host header. Unlike with DIOCNATLOOK, this doesn't work for HTTP/1.0 requests without host headers, but with recent clients this shouldn't be an issue.

Privoxy 3.0.7 (unreleased, only available through CVS) does this and you could still use Squid as caching proxy, but Privoxy's intercepting mode is rather new and you would probably be the second tester ...

Fabian
--
http://www.fabiankeil.de/
Re: Squid 2.6 transparent proxy with pf
On Thu, Dec 21, 2006 at 02:39:50PM +, Stuart Henderson wrote:
> On 2006/12/21 15:29, Dominik Zalewski wrote:
>> In this article squid is running on the same machine as the OpenBSD
>> firewall. In my case I have squid running on a different machine connected
>> to the LAN interface.
>> My question is can I redirect traffic on $int_if to another machine
>> connected to the same interface? Is this rule correct?
> No, you can't redirect back out the interface the packet came from. Maybe
> vlans could help, if there are no spare physical interfaces. Or you could
> run a small transparent proxy (e.g. tinyproxy) on the firewall and have
> that use $squid as a parent.

unless you nat the connection back, but it is an ugly solution; see the pf guide.

>> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
> Even if you arrange $squid to be on an interface other than $int_if, I
> don't think this will work: iirc Squid needs to query /dev/pf for the
> untranslated addresses; in that case you need route-to on the firewall and
> fwd -> 127.0.0.1 on the proxy.

squid needs to query /dev/pf only for HTTP/1.0 connections with no Host: header. Otherwise, it will happily use the Host: header to connect to the remote server.
Re: Squid 2.6 transparent proxy with pf
i seem to remember someone saying that you could NOT redirect out the same interface, but not 100% sure.

cs

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Dominik Zalewski
Sent: Thu 12/21/2006 8:29 AM
To: Peter N. M. Hansteen
Cc: misc@openbsd.org; pf@benzedrine.cx
Subject: Re: Squid 2.6 transparent proxy with pf

> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>> http requests to my squid web proxy.
>> Daniel Hartmeier wrote about this a while back, his article can be found at
>> http://www.benzedrine.cx/transquid.html
>
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface.
>
> My question is can I redirect traffic on $int_if to another machine
> connected to the same interface? Is this rule correct?
>
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
>
> pfctl doesn't complain about anything, but it simply doesn't work.
>
> Here is a cut from my squid.conf:
>
> ### Main ###
> http_port 8080 transparent
> ..
> acl lan src 10.0.0.0/255.255.255.0
> ..
> http_access allow lan
>
> When I set up the proxy manually in my browser, it works.
Re: Squid 2.6 transparent proxy with pf
-----Original Message-----
From: Stuart Henderson [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 21, 2006 9:40 AM
To: Dominik Zalewski
Cc: Peter N. M. Hansteen; misc@openbsd.org; pf@benzedrine.cx
Subject: Re: Squid 2.6 transparent proxy with pf

> On 2006/12/21 15:29, Dominik Zalewski wrote:
>> In this article squid is running on the same machine as the OpenBSD
>> firewall. In my case I have squid running on a different machine connected
>> to the LAN interface.
>> My question is can I redirect traffic on $int_if to another machine
>> connected to the same interface? Is this rule correct?
>
> No, you can't redirect back out the interface the packet came from. Maybe
> vlans could help, if there are no spare physical interfaces. Or you could
> run a small transparent proxy (e.g. tinyproxy) on the firewall and have
> that use $squid as a parent.

Sure you can, I do it all day long. You may need to NAT based on your network. Have your clients NATed to an address on your firewall and then redirect it over to your squid box, which will reply to the NATed address on your firewall, which can then unNAT it and send it back to the client.
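The NAT-back arrangement described in the last two replies (the "reflect" section of the pf guide), written out as a pf.conf fragment for the original poster's addresses. This is an added example, not a configuration posted by anyone in the thread; the pass rules, the Squid port 8080 and the assumption that Squid recovers the origin server from the Host: header (as noted above, it cannot query /dev/pf on another box) are assumptions.

```pf
# OpenBSD 4.0-era pf.conf syntax (pre-4.7 nat/rdr rules). Macros from the OP.
ext_if = "fxp0"
int_if = "fxp1"
squid  = "10.0.0.2"
lan    = "10.0.0.0/24"

# Outbound NAT for the LAN, which includes the proxy's own fetches of origin
# servers once it has received an intercepted request.
nat on $ext_if from $lan to any -> ($ext_if)

# Reflection fix: an intercepted client->squid connection leaves pf on
# $int_if, the same interface it arrived on. Source-NAT it to the firewall's
# internal address so Squid replies to the firewall, which un-NATs and
# un-rdrs the reply back to the client, instead of Squid answering the client
# directly (which the client would RST, since it never spoke to Squid).
no nat on $int_if proto tcp from $int_if to $lan
nat on $int_if proto tcp from $lan to $squid port 8080 -> $int_if

# Never redirect the proxy's own outbound HTTP, or it loops back to itself.
# Translation rules are first-match, so this must precede the rdr below.
no rdr on $int_if proto tcp from $squid to any port 80

# Intercept LAN clients' HTTP and hand it to Squid on port 8080.
rdr on $int_if proto tcp from $lan to any port 80 -> $squid port 8080

# Filter rules see the translated addresses: client -> squid:8080 on the way
# in, firewall -> squid:8080 on the way back out $int_if.
pass in  quick on $int_if proto tcp from $lan    to $squid port 8080 keep state
pass out quick on $int_if proto tcp from $int_if to $squid port 8080 keep state
pass out       on $ext_if proto tcp from $squid  to any    port 80   keep state
```

Squid never sees the client's original destination with this setup, so the "transparent" listener works only for requests that carry a Host: header; HTTP/1.0 clients without one will fail, as noted earlier in the thread.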
Re: Squid 2.6 transparent proxy with pf
Fabian Keil [EMAIL PROTECTED] wrote:
> Dominik Zalewski [EMAIL PROTECTED] wrote:
>> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
>>> Dominik Zalewski [EMAIL PROTECTED] writes:
>>>> I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
>>>> http requests to my squid web proxy.
>>> Daniel Hartmeier wrote about this a while back, his article can be found at
>>> http://www.benzedrine.cx/transquid.html
>> In this article squid is running on the same machine as the OpenBSD
>> firewall. In my case I have squid running on a different machine connected
>> to the LAN interface.
>> My question is can I redirect traffic on $int_if to another machine
>> connected to the same interface? Is this rule correct?
> I believe Squid's intercepting mode relies on PF's DIOCNATLOOK ioctl to get
> an idea what the real destination was.

You can safely ignore my posting. According to Daniel's article Squid can use the host header as well and even does it by default.

Fabian
--
http://www.fabiankeil.de/