I'm now filtering on the inside interface:
    pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128

It seems that pf is diverting the web traffic since the packets are counted:

pfctl -sa -vv
   @0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
      [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
      [ Inserted: uid 0 pid 8777 State Creations: 17    ]

If I comment the default squid port and put the intercept statement as my
divert-to port, like this:
  #http_port 3128
  http_port 127.0.0.1:3128 intercept

I get:
- lots of "ERROR: No forward-proxy ports configured." lines when I run squid
- squidGuard is not blocking sites (that does work in non transparent mode)

Maybe I get the error message because newer versions of squid require 2
ports (in order to serve files, like icons...)

I find nothing in my squid.conf that would prevent caching when
intercepting...
That's strange...
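Giancarlo's suggestion further down the thread is to run pfctl -sa -vv and check whether the divert-to rule actually creates states. The following script is an added example, not something posted by anyone in this thread: it parses rule blocks in the layout pfctl -sa -vv prints (the @N rule line followed by its counter lines, as quoted above) and lists every divert-to rule with its interface, packet count and state count, then flags divert rules that have never matched a packet. The input is a constructed sample modelled on the counters quoted above; rule @1, a divert rule on the external interface with zero hits, and rule @2 are invented to show the filtering and are not from the thread.

```shell
#!/bin/sh
# Constructed sample of `pfctl -sa -vv` rule output (not captured from a real
# system). @0 mirrors the counters quoted in the thread; @1 and @2 are made up.
SAMPLE_PFCTL_OUTPUT='@0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
  [ Inserted: uid 0 pid 8777 State Creations: 17    ]
@1 pass in quick on bge0 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 8777 State Creations: 0     ]
@2 pass out quick on bge0 inet proto tcp from any to any port = 443 flags S/SA
  [ Evaluations: 500       Packets: 200       Bytes: 12345       States: 3     ]
  [ Inserted: uid 0 pid 8777 State Creations: 3     ]'

# divert_rule_states: read pfctl -sa -vv style output on stdin and print one
# line per divert-to rule: "<rule-id> <interface> <packets> <states>".
divert_rule_states() {
    awk '
        # A rule line starts with "@<n>"; remember its id, interface and
        # whether it carries a divert-to action.
        /^@[0-9]+ / {
            rule = $1; sub(/^@/, "", rule)
            iface = "-"
            for (i = 1; i <= NF; i++) if ($i == "on") iface = $(i + 1)
            is_divert = ($0 ~ /divert-to/)
            next
        }
        # The first counter line after a divert rule carries Packets/States.
        is_divert && /Packets:/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "Packets:") packets = $(i + 1)
                if ($i == "States:")  states  = $(i + 1)
            }
            print rule, iface, packets, states
            is_divert = 0
        }
    '
}

# idle_divert_rules: print "<rule-id> <interface>" for divert-to rules whose
# packet counter is still zero, i.e. rules that never saw diverted traffic.
idle_divert_rules() {
    divert_rule_states | awk '$3 == 0 { print $1, $2 }'
}

# On a live box this would be:  pfctl -sa -vv | idle_divert_rules
# Here it runs against the constructed sample.
printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | divert_rule_states
printf '%s\n' "$SAMPLE_PFCTL_OUTPUT" | idle_divert_rules
```

A divert rule that shows up in the idle list is either never evaluated for the traffic you expect (wrong interface or direction, as Giancarlo points out below) or is being shadowed by an earlier quick rule; a rule with packets but no listener on the divert port shows up with counters but the connections fail on the squid side instead.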

-----Original Message-----
From: Giancarlo Razzolini [mailto:[email protected]]
Sent: Friday 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
> Thanks,
>
> I tried according to your configuration:
>
> First test using the 3128 port as a divert-to port and as a squid 
> http_port with tproxy or intercept statement => No traffic is getting 
> diverted by pf
>
> Second test:
>   Same test but using the 3129 port as a divert-to port
>   2 lines in squid.conf file:
>      http_port 3128
>      http_port 127.0.0.1:3129 tproxy     // I also tried with intercept too
> but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the 
> divert-to directive...
> I tried to tcpdump on the lo0 interface but I got nothing.
>
> Seems like a pf problem to me...
>
> My browser accessed the internet without any restriction and without 
> being cached...
>
>
Hi,

    My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive that is the intercept one. If you run pfctl -sa -vv do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions nor
interfaces which might cause you trouble. Also, your divert rule is on your
external interface, that should be done on packets coming IN your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
