FlusH
Random person on Internet

Registered: 10/23/01
Posts: 2,910
Loc: Bizzaro World
Last seen: 16 days, 12 hours
Transparent proxy with squid and openbsd...
#5411949 - 03/17/06 09:20 AM (17 years, 10 months ago)
I am having some problems getting this to work. I am somewhat familiar with pf, even more familiar with squid, and I have good fluency in OpenBSD. But getting this transparent filter to work is driving me nuts!
What I have done so far is:
Enable bridge:

hostname.rl0:
up

hostname.fxp0:
up

bridgename.bridge0:
add fxp0
add rl0
up

Setup squid.conf:

http_port 127.0.0.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

Enabled squid access to /dev/pf:

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

pf redirect and filter rules - very basic:

int_if="rl0"
ext_if="fxp0"

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
----------------------
The client machine (hooked up via twisted pair 10baseT on rl0) can access whatever it wants through the filtered bridge, pf is working fine, I can telnet into 127.0.0.1:3128 and access webpages via squid. But the client machine will not do this. It always passes right by squid.
Does anybody have any suggestions/ideas/helpful links? Here is what I have gone over already: http://www.benzedrine.cx/transquid.html http://tomclegg.net/squid-tproxy http://www.openbsd.org/faq/pf/config.html#activate http://ezine.daemonnews.org/200103/ipf_bridge.html http://www.monkey.org/openbsd/archive/tech/0110/msg00049.html
Thanks in advance to anybody who can help!
FlusH
Re: Transparent proxy with squid and openbsd... [Re: FlusH]
#5411954 - 03/17/06 09:21 AM (17 years, 10 months ago)
Oh, yea. I have compiled squid with transparency
(# env FLAVOR=transparent make install)
FlusH
Re: Transparent proxy with squid and openbsd... [Re: FlusH]
#5415355 - 03/18/06 08:29 AM (17 years, 10 months ago)
Well, after playing with it some more I found out that my installation of squid must be corrupted, or an improper flag somewhere during compile. When loading up squid with 'squid -d 5' I get the error 'ipcache_init: DNS name lookup tests failed'
I can get around this with 'squid -D' to disable the DNS lookup test, but squid will not accept any inbound connections on 127.0.0.1, but it works on any IP I assign to any of the NICs.
I am now wondering if I can assign the bridge an IP address, and point squid there, but I have not found a way to do this yet.
When I do figure this out, I will definitely post detailed instructions!
FlusH
Re: Transparent proxy with squid and openbsd... [Re: FlusH]
#5421777 - 03/20/06 09:43 AM (17 years, 10 months ago)
ARG!!! I feel like such an idiot....
The problem was that I had the rdr line wrong in my pf.conf, it should read "rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128"
It is now redirecting all information going through the external NIC and sending it to squid which is running on 127.0.0.1:3128. Before it was redirecting all information coming back to the internal NIC.
This one is almost as bad as the elusive semi-colon!
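The ruleset the thread ends up with, consolidated into one commented pf.conf as an added example. This is not the poster's file verbatim: the interface names follow the thread, the `client_net` macro and the narrowing of `from any` to that subnet are assumptions added here, and the `pass in` rule names the same interface as the `rdr` rule (pf applies rdr to packets on their way in and the filter rules then see the translated destination 127.0.0.1:3128, so the two have to refer to the same interface).

```pf
# Added example, not the poster's pf.conf. Interface roles follow the
# thread; client_net is an ASSUMED placeholder subnet, adjust to taste.
int_if     = "rl0"             # bridge member the client is cabled to
ext_if     = "fxp0"            # bridge member facing upstream
client_net = "192.168.1.0/24"  # ASSUMED: the LAN whose HTTP should be proxied

# pf.conf of this era is read in fixed section order: translation rules
# (rdr) must come before filter rules (pass/block).

# Redirect plain-HTTP flows into the local squid instance. This is the
# line the poster had wrong; the interface named here is the one on
# which the client packets are seen, which the poster found to be $ext_if
# on this bridge. Limiting the source to $client_net keeps the box from
# proxying for any host that happens to send HTTP across the bridge.
rdr on $ext_if inet proto tcp from $client_net to any port www -> 127.0.0.1 port 3128

# Filter rules are evaluated after translation, so they match the
# rewritten destination. Same interface as the rdr rule above.
pass in on $ext_if inet proto tcp from $client_net to 127.0.0.1 port 3128 keep state

# Squid's own fetches toward origin servers leave via the upstream side.
pass out on $ext_if inet proto tcp from any to any port www keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, confirm the translation rule is present with `pfctl -s nat`, and watch the redirected flows appear in `pfctl -s state` while a client browses. Two things worth keeping in mind: pf passes anything these rules do not match, so a production bridge would start from `block all` and pass only what it intends; and because every client HTTP connection now lands on squid, the `http_access` rules in squid.conf (not shown in the thread) should permit only the client network, otherwise the `acl all` definition above is the only thing standing between the cache and anyone able to reach it.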
FlusH
Re: Transparent proxy with squid and openbsd... [Re: FlusH]
#5437509 - 03/24/06 08:19 AM (17 years, 10 months ago)
I am now working on a "how to" for transparent proxying. If anybody here is interested, I can post my progress. I will not though unless somebody speaks up!