Hello,
I have a router running FreeBSD 6.0, NAT with pf, 100 clients behind it, and a Squid proxy; everything works fine apart from one small problem. I have redirected all "www" traffic through Squid. My question is whether it can be set up so that the clients no longer have to configure the proxy in their browsers.
Here is the contents of pf.conf:
ext_if="rl0"
int_if="rl1"
internal_net="10.10.10.0/24"
external_addr="WWW.XXX.YYY.ZZZ"
allow_ssh="{ ZZZ.XXX.YYY.WWW }"
allow="{ 21, 25, 110, 5050, 22, 80, 443, 8080, 3128, 8000, 53, 6667, 8200, 8100, 8000 }"
table <sshscan> persist
TCP_OPTIONS = "flags S/SAFRUP keep state"
set optimization high-latency
set block-policy drop
set state-policy if-bound
set skip on lo0
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub all reassemble tcp no-df
scrub in all fragment reassemble
scrub out all random-id
#nat outgoing
nat on rl0 from $internal_net to any -> $external_addr
# Transparent squid
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# FTP Proxy
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#default block
block log all
block in log quick from any os "NMAP"
#internal net unrestricted
pass quick on $int_if from $internal_net to $internal_net keep state
pass in on $int_if from $internal_net to any keep state
#antispoof
antispoof log quick for $ext_if inet
antispoof log quick for $int_if inet
#let them go outside
pass out on $ext_if proto { tcp, udp } from $internal_net to any port $allow flags S/SA keep state
pass out on $ext_if proto { tcp, udp } from $external_addr to any port $allow flags S/SA keep state
#### FTP proxy to allow passive connections to go out:
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port ftp $TCP_OPTIONS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any user proxy $TCP_OPTIONS
#### FTP Proxy to allow active connections to get in:
pass in quick on $ext_if inet proto tcp from any to ($ext_if) user proxy $TCP_OPTIONS
#### Squid Proxy
pass out on $ext_if inet proto tcp from any to any port www keep state
#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
#allow ssh from trusted hosts
pass in on $ext_if proto tcp from $allow_ssh to any port 22 keep state
# Block script kiddies trying to get in on ssh
block in log quick on $ext_if proto tcp from <sshscan> to any port 22
The contents of squid.conf:
http_port 3128
icp_port 0
acl QUERY urlpath_regex cgi-bin \?
cache_mem 16 MB
cache_dir ufs /usr/cache 40000 128 256
emulate_httpd_log on
redirect_rewrites_host_header off
acl all src 0.0.0.0/0.0.0.0
no_cache deny QUERY
http_access allow all
cache_mgr [EMAIL PROTECTED]
cache_effective_user squid
cache_effective_group squid
httpd_accel_port 80
log_icp_queries off
cachemgr_passwd my-secret-pass all
buffered_logs on
visible_hostname server
I appreciate any help. Thanks in advance.
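Added example (not part of the original post): the squid.conf directives that Squid 2.5 needs in interception mode to go with the pf "rdr ... port www -> 127.0.0.1 port 3128" rule above. pf's rdr only rewrites the destination address and port of the packet, so Squid must be told to rebuild the full URL from the Host: header; the fragment also narrows "http_access allow all" to the internal network, assumed here to be the 10.10.10.0/24 from the poster's pf.conf.

```conf
# squid.conf fragment for transparent (interception) proxying on Squid 2.5
http_port 3128

# Requests arriving via pf rdr still carry an origin-server request line
# ("GET /path HTTP/1.1", no scheme or host), so Squid has to act as an
# accelerator and reconstruct the URL from the Host: header.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

# Restrict who may use the proxy (assumption: 10.10.10.0/24 is the LAN
# behind rl1, as in the pf.conf above). Replaces "http_access allow all".
acl all src 0.0.0.0/0.0.0.0
acl localnet src 10.10.10.0/24
http_access allow localnet
http_access deny all
```

Squid's own outgoing port-80 connections leave through rl0 and are not matched by the rdr rule on $int_if, so there is no redirect loop; on Squid 2.6 and later the four httpd_accel_* lines are replaced by `http_port 3128 transparent`.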