Hi guys again, the problem is a bug in ipfilter 5; the same rules work in NetBSD 6.1.5, and the version of ipfilter in NetBSD 6.1.5 is 4.
2016-07-27 5:05 GMT-05:00, Rodolfo Edgar <sololistasdecor...@gmail.com>:
> Hi guys,
>
> Help me please, I have a small LAN in my office, the scenario is:
>
> Internet----Router ISP----(wm0-NetBSD-wm1,wm2)----LAN1, LAN2
>
> wm0=192.168.1.85/24
> wm1=192.168.2.85/24
> wm2=192.168.3.85/24
>
> I am going to do proxy on wm1, currently NetBSD is a firewall and
> router, I use ipfilter, my rules are:
>
> +ipf.conf (basic rules)
>
> pass in from any to any
> pass out from any to any
>
> +ipnat.conf
>
> #wm1 interface
> map wm0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
> map wm0 192.168.2.0/24 -> 0/32
>
> #wm2 interface
> map wm0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
> map wm0 192.168.3.0/24 -> 0/32
>
> #Proxy server
> rdr wm1 0/0 port 80 -> 192.168.2.85 port 3129 tcp
>
> My rc.conf:
> #Firewall
> ipfilter=YES
> ipfilter_flags=""
> ipnat=YES
>
> #Service
> squid=YES
>
> My sysctl.conf to enable ipv4 forwarding
> net.inet.ip.forwarding=1
>
> NetBSD as router is OK, but as proxy I have some problem, the setup of
> squid is basic
> ...
> #My simple acl
> acl lan1 src 192.168.2.0/24
> acl expno url_regex "/usr/pkg/etc/squid/expno"
> acl dono dstdomain "/usr/pkg/etc/squid/dono"
>
> #My rules
> http_access allow localhost
>
> http_access deny expno
> http_access deny dono
> http_access allow lan1
>
> http_access deny all
>
> http_port 192.168.2.85:3129 intercept
>
> cache_dir ufs /var/squid/cache/squid 100 16 256
>
> cache_mem 128 MB
>
> ...
>
> The files expno and dono are in that path.
>
> The proxy is running, but I think there is something I need to add or
> modify, because when I want to use some url the cache.log says:
>
> ...ERROR: No forward-proxy ports configured.
> ERROR: NAT/TPROXY lookup failed to locate original IPs on
> local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33...
>
> The message appears when I put in the browser a url, for example
> www.netbsd.org or another that does not use the https protocol, but when I use
> some url that I put in the dstdomain rule in dono, for example
> xvideos.com, the proxy works and says access denied, BUT WHEN I PUT SOME normal URL
> without https the message says:
>
> empty response (zero size)
>
> Help me please, what is my mistake? I tried to change the port, also adding
> http_port 3128 and http_port 3129 intercept, I read the squid-cache page
> http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts, but I
> THINK THAT I need to add something, I remember that I did a similar
> proxy in an early version of NetBSD and it was working perfectly with
> ipfilter, the same rule, the rule copied from the ipnat.conf man page. Thanks
> in advance for your reply, please help me.
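A small consistency check for the two configs quoted above, added here as an example (not part of the thread and not a NetBSD, ipfilter or squid tool): it parses the `rdr` rules from ipnat.conf and the `http_port` lines from squid.conf, confirms every redirect target has a matching `intercept` listener, and flags the case the NoForwardProxyPorts wiki page linked in the thread describes, where only intercept ports exist and no plain `http_port` is configured. The config fragments are constructed copies of the ones in the post.

```python
import re

# Constructed copies of the ipnat.conf and squid.conf fragments quoted in the thread.
IPNAT_CONF = """\
#Proxy server
map wm0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
rdr wm1 0/0 port 80 -> 192.168.2.85 port 3129 tcp
"""
SQUID_CONF = """\
http_access deny all
http_port 192.168.2.85:3129 intercept
"""

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+\S+\s+port\s+(\d+)\s+->\s+([\d.]+)\s+port\s+(\d+)")
HTTP_PORT_RE = re.compile(r"^http_port\s+(?:([\d.]+):)?(\d+)\s*(.*)$")


def parse_rdr(text):
    """Return (interface, from_port, to_ip, to_port) per rdr rule; map rules are ignored."""
    out = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            iface, fport, tip, tport = m.groups()
            out.append((iface, int(fport), tip, int(tport)))
    return out


def parse_http_ports(text):
    """Return (ip or None, port, set of options) per http_port directive."""
    out = []
    for line in text.splitlines():
        m = HTTP_PORT_RE.match(line.strip())
        if m:
            ip, port, opts = m.groups()
            out.append((ip, int(port), set(opts.split())))
    return out


def check(ipnat_text, squid_text):
    """Return a list of findings; an empty list means the rdr rules and http_port lines agree."""
    findings = []
    ports = parse_http_ports(squid_text)
    intercept = [(ip, p) for ip, p, o in ports if "intercept" in o]
    for iface, fport, tip, tport in parse_rdr(ipnat_text):
        # An http_port without an address listens on every address, so it matches any target IP.
        if not any(p == tport and ip in (None, tip) for ip, p in intercept):
            findings.append(f"rdr on {iface} sends port {fport} to {tip}:{tport} "
                            "but no 'http_port ... intercept' listens there")
    if not any("intercept" not in o for _, _, o in ports):
        findings.append("no plain http_port: only intercept ports are configured; "
                        "squid wants at least one forward-proxy port (see NoForwardProxyPorts)")
    return findings


if __name__ == "__main__":
    for finding in check(IPNAT_CONF, SQUID_CONF):
        print("finding:", finding)
```

Run against the quoted configs it reports only the missing plain `http_port`; it cannot see the NAT lookup failure itself, which is a kernel-side ipfilter matter as the reply states.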