Good question! I uncommented the line "set skip on lo" a while back.

I checked that they are processed... They seem to be...

# pfctl -sr -R 0
pass in log quick on bge1 inet proto tcp from 192.168.200.0/24 to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129

# tcpdump -neipflog0 -s 500
tcpdump: listening on pflog0, link-type PFLOG
17:53:05.288153 rule 0/(match) pass in on bge1: 192.168.200.39.3397 > 91.198.174.192.80: S 4055789837:4055789837(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.300554 rule 0/(match) pass in on bge1: 192.168.200.39.3398 > 91.198.174.202.80: S 4229265567:4229265567(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
17:53:06.306402 rule 0/(match) pass in on bge1: 192.168.200.39.3399 > 91.198.174.208.80: S 1676876276:1676876276(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.411063 rule 0/(match) pass in on bge1: 192.168.200.39.3400 > 91.198.174.208.80: S 2723830504:2723830504(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.377297 rule 0/(match) pass in on bge1: 192.168.200.39.3401 > 91.198.174.192.80: S 3539952074:3539952074(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.624598 rule 0/(match) pass in on bge1: 192.168.200.39.3402 > 91.198.174.192.80: S 2423603451:2423603451(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)

-----Original Message-----
From: Remco [mailto:[email protected]]
Sent: Friday, 3 January 2014 17:46
To: Romain FABBRI - Alien Consulting
Cc: [email protected]
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting wrote:
> Hi,
>
> I'm trying to do a transparent web-filtering bridge with Squid.
> I've used the packages for 5.4, which are squid-3.3.8 and squidGuard-1.4p6.
>
> Squid is working fine when the browser uses the vether0 administration
> interface of the bridge.
> I mean sites are cached and squidGuard is filtering according to my
> test rules.
>
> But it's not working when using the bridge as a transparent proxy
> (without specifying a proxy server).
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros & Tables
> ext_if="bge0"
> int_if="bge1"
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I've tried almost every tutorial on the net but I had no luck with any
> of them using OpenBSD 5.4 and Squid 3.3.8. So I'm posting to know if
> anybody has done this kind of configuration successfully.
>
> Happy New Year
> Romain
>
>
> In /etc/squid/squid.conf I have configured the ports like this:
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

Is it possible that some of your rules are never processed, and therefore have no effect, because of the "skip" rule on interface "lo"?
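For reference, below is an added, self-contained configuration for the same setup (OpenBSD pf divert-to feeding a Squid 3.x intercept port on a bridge). It is not taken from the thread; it is an editor's example that consolidates what the two messages show: the divert rule loaded on the client-facing interface bge1 (as in the pfctl -sr output above), a single macro so the pf divert port and Squid's intercept port cannot drift apart (the quoted pf.conf diverts to 3128 while the quoted squid.conf intercepts on 3129), and the divert-reply rule as the original post wrote it. The interface roles, the 192.168.200.0/24 prefix and the hostname.bridge0 layout are assumptions taken from the thread, not verified facts about the poster's box.

```conf
# --- /etc/hostname.bridge0 (assumed: bge0 and bge1 are the bridged filtering
#     ports, vether0 carries the management address mentioned in the thread) ---
add bge0
add bge1
add vether0
up

# --- /etc/pf.conf ---
ext_if     = "bge0"               # Internet side of the bridge (assumed)
int_if     = "bge1"               # client side of the bridge (from pfctl -sr above)
int_net    = "192.168.200.0/24"   # client prefix (from pfctl -sr above)
squid_icpt = "3129"               # must be the "intercept" http_port in squid.conf

set skip on lo
set reassemble yes no-df

# Intercept plain HTTP from the clients. The rule is on $int_if, where the
# client's SYN enters the bridge, so it matches "in" before forwarding.
# divert-to hands the unmodified packet to the local socket, so Squid can
# recover the original destination with getsockname(2). No rdr-to/nat-to is
# used: rewriting the destination would destroy exactly that information.
pass in log quick on $int_if inet proto tcp from $int_net to any port 80 \
    flags S/SA divert-to 127.0.0.1 port $squid_icpt

# As in the original post. pf.conf(5): divert-reply is used to receive
# replies for sockets bound to addresses that are not local to the machine.
pass out quick inet from 127.0.0.1 divert-reply

# No "block" rule is defined, so all other traffic crosses the bridge
# unfiltered, exactly as in the original configuration.

# --- /etc/squid/squid.conf (port lines only) ---
# Squid needs a separate intercept-mode port: clients that configure the
# proxy explicitly still use 3128, diverted connections land on 3129.
http_port 3128
http_port 127.0.0.1:3129 intercept
```

Checks worth running after editing, all with stock OpenBSD 5.4 tools: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it; `pfctl -f /etc/pf.conf` loads it; `pfctl -vsr` lists the loaded rules with their evaluation, packet and state counters, so a divert rule whose counters stay at zero is never being hit; `tcpdump -nei pflog0` shows the logged matches, as in the thread; `squid -k parse` validates squid.conf; and `netstat -an -f inet` confirms that something is actually listening on 127.0.0.1:3129 before any packet is diverted there.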

