On OpenBSD i'm not using the configuration you mentioned for squid with
OpenBSD (5.2).

Here is mine:
# Normal for with WPAD
http_port 3128 
# http redirected port
http_port 3129 intercept
# https redirected port
https_port 3130 intercept ssl-bump cert=/etc/ssl/squid.crt
key=/etc/ssl/squid.key




-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network engineer
http://www.unix-experience.fr



Le lundi 04 novembre 2013 à 21:27 +0100, Marko Cupać a écrit :
> On Mon, 4 Nov 2013 20:15:17 +0100
> Marc Sontowski <m...@sontowski.net> wrote:
> 
> > # The internal interface (connected to the local network)
> > ext_if="em0"
> > # The external interfaces (connected to the ipv4 and ipv6 network)
> > int_if="em1"
> Strangely enough, your interface macro names are switched in regard to
> their corresponding comments. ext_if should be external interface
> facing the ISP (while comment says it is internal which means facing
> the LAN), and int_if should be internal interface facing the LAN (while
> comment says it is external which means facing the ISP).
> 
> You say in reality em0 is ISP and em1 is LAN so this shouldn't be the
> issue as comments do not influence configuration - they should be used
> to make things more understandable. However, in your case they are
> causing confusion. Either correct them or remove them.
> 
> Now, as for the filtering rules, I would avoid quick keyword in the
> beginning until I make things work. I would go with something like:
> 
> # default block from internet to our network
> block in log on $ext_if
> # pass what you need (ssh to firewall or whatever)
> pass in on $ext_if inet proto tcp from any to $ext_if port ssh
> # pass everything out on external interface (we filter on internal)
> pass out on $ext_if all
> # default block from lan to the internet
> block in log on $int_if
> # redirect all web traffic to squid
> pass in on $int_if inet proto tcp from any to any port { 80 443 } \
>       divert-to 127.0.0.1 port 3128
> # pass what you need (dns to google's public dns server or whatever)
> pass in on $int_if inet proto { tcp udp } from any to 8.8.8.8 port 53
> # pass everything out on internal interface (if it already entered on ext)
> pass out on $int_if all
> 
> Pay attention to the 'log' directive in default blocks, as it will log
> all blocked packets to pflog0 interface. Next, get familiar with
> tcpdump to inspect what gets blocked in real time. Type in terminal:
> tcpdump -n -e -q -ttt -i pflog0
> 
> Or for inspection of logs:
> tcpdump -n -e -q -ttt -r /var/log/pflog
> 
> Check your filtering rules with pfctl -vvsr to see if packets hit your
> pass rules.
> 
> Now, I doubt any of this is relevant to squid, more like pf. 

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to