Transparent Proxy going astray
Hello, Paul, I saw your message in freebsd-questions forum about transparent proxy. Right now I'm facing the same problem: gateway with ipfw/natd and squid proxy on different machine. Maybe you have solved this problem? Everywhere I look, I see the same questions I'm asking, i.e. has anyone successfuly configured gateway and proxy, working on different machines? :) I have FreeBSD-4.10 with ipfw/natd working with quite complex ruleset and other box with squid. When I install squid on the gateway machine and make fwd GW_LOOPBACK,3128 tcp from MY_TEST_PC to any 80 then this squid works just fine. But when I try to forward to other, not gateway machine, i.e. fwd OTHER_BOX_WITH_SQUID,3128 tcp from MY_TEST_PC to any 80, then it isn't working... I see packets maching fwd rule (counter increases), but no traffic reaches squid machine. I have wandered through lots of forums and mailing lists, but haven't found solution until now. Thought maybe you have successfuly coped with this and maybe you can help or advice something? Lawrence, network / systems administrator ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Transparent Proxy going astray
-Original Message- From: L.Norvydas [mailto:[EMAIL PROTECTED] Sent: 24 January 2005 10:41 To: freebsd-questions@freebsd.org Subject: Transparent Proxy going astray Hello, Paul, I saw your message in freebsd-questions forum about transparent proxy. Right now I'm facing the same problem: gateway with ipfw/natd and squid proxy on different machine. Maybe you have solved this problem? Everywhere I look, I see the same questions I'm asking, i.e. has anyone successfuly configured gateway and proxy, working on different machines? :) Have you looked at WCCP? Not sure if there are BSD implementations of this, but in linux there are. Its basically a protocol that runs on both the proxy and f/w server such that any http traffic is transparently forwarding to the proxy server for caching/whatever before it goes through the gateway... It used to be a cisco proprietary protocol, but I believe it may have been RFCd brad This email may contain confidential material. If you were not an intended recipient, please notify the sender and delete all copies. We may monitor email to and from our network. ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
FW: Transparent Proxy going astray - Help!
Hi all, Has no-one seen this problem? If so, wow, what have I done wrong here? Do you need more info? Cheers, Paul Hamilton -Original Message- From: Paul Hamilton [mailto:[EMAIL PROTECTED] Sent: Saturday, 21 June 2003 1:34 PM To: Freebsd-Questions Subject: Transparent Proxy going astray Hi all, I have watched/lurked on this list for sometime now, and see a Transparent Proxy question every now or then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again. I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4 Squid.conf has the required lines: http_port 8080 httpd_accel_port 80 httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on and the required ipfw2 firewall rules: 00050271 27520 allow tcp from 192.168.0.10 to any 00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 Interestingly enough when watching the ip traffic on the gateway, I see this on my inside NIC: 08:27:18.735861 192.168.0.2.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922217 203.10.1.17.53 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain] 08:27:18.923667 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:18.923722 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0 08:27:19.397657 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.397697 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 08:27:19.906095 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.906153 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 and this on my outside NIC: 08:27:18.736970 202.72.147.43.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922026 203.10.1.17.53 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215) The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic. Should I be able to see traffic on lo0? Any thoughts on what I am missing? Cheers, Paul Hamilton ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Transparent Proxy going astray
Hi all, I have watched/lurked on this list for sometime now, and see a Transparent Proxy question every now or then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again. I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4 Squid.conf has the required lines: http_port 8080 httpd_accel_port 80 httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on and the required ipfw2 firewall rules: 00050271 27520 allow tcp from 192.168.0.10 to any 00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 Interestingly enough when watching the ip traffic on the gateway, I see this on my inside NIC: 08:27:18.735861 192.168.0.2.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922217 203.10.1.17.53 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain] 08:27:18.923667 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:18.923722 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0 08:27:19.397657 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.397697 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 08:27:19.906095 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.906153 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 and this on my outside NIC: 08:27:18.736970 202.72.147.43.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922026 203.10.1.17.53 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215) The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic. Should I be able to see traffic on lo0? Any thoughts on what I am missing? Cheers, Paul Hamilton ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Transparent Proxy going astray
Paul, You'd probably have noticed a few posts from me on this very subject. The good news is I did end up getting it all working.. but there were definitely a few hurdles in the way. I assume your firewall is also running the squid proxy? For some reason, I got away with just putting rule 60 in! I also added a dst port of 80 so just my http traffic got forwarded. If this is your firewall, then you'd probably want to change rule 50 to something like: skipto 70 tcp from 192.168.0.10 to any 192.168.0.10 is your firewall?? From my understanding, an add rule will stop moving through the ruleset however you still need your requests to go through nat etc etc.. Let me know how you get on. You can be restassured that it is possible. I have now setup transparent proxies with the proxy running on the firewall and also with the proxy running on another box. I've also used 4.7 and 5.0 in seperate instances sucessfully too! good luck, ajt. On Sat, Jun 21, 2003 at 01:34:17PM +0800, Paul Hamilton wrote: Hi all, I have watched/lurked on this list for sometime now, and see a Transparent Proxy question every now or then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again. I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4 Squid.conf has the required lines: http_port 8080 httpd_accel_port 80 httpd_accel_host virtual httpd_accel_with_proxy on httpd_accel_uses_host_header on and the required ipfw2 firewall rules: 00050271 27520 allow tcp from 192.168.0.10 to any 00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 Interestingly enough when watching the ip traffic on the gateway, I see this on my inside NIC: 08:27:18.735861 192.168.0.2.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922217 203.10.1.17.53 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain] 08:27:18.923667 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:18.923722 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0 08:27:19.397657 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.397697 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 08:27:19.906095 192.168.0.2.3277 216.239.39.99.80: S 813553086:813553086(0) win 16384 mss 1460,nop,nop,sackOK (DF) 08:27:19.906153 216.239.39.99.80 192.168.0.2.3277: R 0:0(0) ack 1 win 0 and this on my outside NIC: 08:27:18.736970 202.72.147.43.3276 203.10.1.17.53: 1093+ A? www.google.com.au. (35) 08:27:18.922026 203.10.1.17.53 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215) The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic. Should I be able to see traffic on lo0? Any thoughts on what I am missing? Cheers, Paul Hamilton ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED] ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]