Re: transparent proxying, squid, nat, ipfw

2003-10-06 Thread chael
your port 80 hijack is waaay too far below. it should be like in the first
three lines:

100 divert 8668 ip from any to any via ${oif}
200 allow tcp from ${oip} to any
300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80

append the rest from here...

;-)


- Original Message - 
From: synrat [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:40 AM
Subject: transparent proxying, squid, nat, ipfw




___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
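What chael's reordering changes, shown with a small first-match simulator added here (not code from the thread, and not FreeBSD's ipfw): in the posted list a LAN client's port-80 SYN is accepted by rule 04100 "allow tcp from any to any setup" before the "fwd" at 04200 is ever consulted, whereas with divert, the proxy-exemption rule and "fwd" at the top the SYN is forwarded to squid, and squid's own outbound fetches are still allowed out instead of being looped back into the proxy. It assumes ${oif}=rl0 and ${oip}=66.92.100.221 from the posted list, and the LAN client and web site addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed packet summary: setup = SYN-only packet (what ipfw's 'setup' matches),
# recv_if = interface it arrived on ("" if generated locally), xmit_if = interface
# it leaves on ("" during the inbound pass).
Packet = namedtuple("Packet", "proto src dst dport setup recv_if xmit_if", defaults=("",))

def _in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Match one 'ipfw list' line, for the subset of ipfw(8) syntax used in the thread."""
    tok = rule.split()
    i = 3 if tok[1] in ("divert", "fwd") else 2   # skip the divert port / fwd target
    if tok[i] == "log":
        i += 1
    if tok[i] not in ("ip", pkt.proto):            # 'ip' matches every protocol
        return False
    if not (_in_net(pkt.src, tok[i + 2]) and _in_net(pkt.dst, tok[i + 4])):
        return False                               # 'from <src> to <dst>'
    opts, ok = tok[i + 5:], True
    while opts and ok:
        o = opts.pop(0)
        if o.isdigit() or o == "dst-port":         # bare number after dst = dst port
            ok = (int(o) if o.isdigit() else int(opts.pop(0))) == pkt.dport
        elif o == "setup": ok = pkt.setup
        elif o == "established": ok = not pkt.setup
        elif o == "in": ok = bool(pkt.recv_if)
        elif o == "recv": ok = opts.pop(0) == pkt.recv_if
        elif o == "via": ok = opts.pop(0) in (pkt.recv_if, pkt.xmit_if)
        elif o == "frag": ok = False                # fragments are not modelled
    return ok                                      # keep-state etc. are ignored

def first_match(rules, pkt):
    """ipfw is first-match: return (number, action) of the deciding rule. A 'divert'
    hands the packet to natd and evaluation resumes at the next rule, so it never
    decides anything here (NAT address rewriting is ignored)."""
    for rule in rules:
        num, action = rule.split()[:2]
        if action != "divert" and rule_matches(rule, pkt):
            return int(num), action
    return 65535, "deny"

# Abridged copy of the poster's 'ipfw list'; rules that cannot match a LAN -> web
# SYN (bogon filters, allows for the server's own services) are left out.
POSTED = [
    "00050 divert 8668 ip from any to any via rl0",
    "02300 allow tcp from any to any established",
    "04000 deny log tcp from any to any in recv rl0 setup",
    "04100 allow tcp from any to any setup",
    "04200 fwd 127.0.0.1,3128 tcp from any to any 80",
    "65535 deny ip from any to any",
]
# chael's three rules on top, the rest appended; ${oif}=rl0 and
# ${oip}=66.92.100.221 are assumed from the poster's own list.
FIXED = [
    "00100 divert 8668 ip from any to any via rl0",
    "00200 allow tcp from 66.92.100.221 to any",
    "00300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80",
] + POSTED[1:]

# Constructed traffic: a LAN client's SYN arriving on inside interface rl1, and squid's own SYN leaving via rl0.
LAN_SYN = Packet("tcp", "192.168.1.3", "198.51.100.10", 80, True, "rl1")
SQUID_SYN = Packet("tcp", "66.92.100.221", "198.51.100.10", 80, True, "", "rl0")
```

Dropping rule 200 from FIXED makes squid's own SYN hit the fwd rule, which is the loop that rule is there to prevent.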


RE: transparent proxying, squid, nat, ipfw

2003-10-06 Thread Gil Agno Virtucio
so far this was the simplest squid configuration that i've seen...

http://ezine.daemonnews.org/200209/squid.html

hope this helps...

-
Gil Agno Virtucio
Janitor/Collector/Messenger
NEC System Integration and Construction Philippines Inc. 
15th Floor BPI Buendia Center
Gil Puyat Ave. Makati City 1200
Cellphone : +639163989695
Office Phone: +6328914167
-

-Original Message-
From: synrat [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 11:40 AM
To: [EMAIL PROTECTED]
Subject: transparent proxying, squid, nat, ipfw


RE: transparent proxying, squid, nat, ipfw

2003-10-06 Thread Alexander Kühn
Hi,
my advice is: take it step by step. Set up your NAT, Apache (if you need it),
and squid (don't use httpd_accel at the beginning!).
Now I'm a bit unsure what you want to do. If you want to force the use of a
proxy for your NAT users, create a redirection rule which redirects outgoing
traffic to port 80 (https, ...) to your localhost squid.
httpd_accel is for accelerating a specific webserver in your realm; you can use
it to speed up the responses from your local Apache or any other webserver in
your LAN (and thereby make it accessible from outside, if you set the ACL
accordingly).
The question is: what do you want to accomplish?
Kind regards,
Alex.

Quoting Gil Agno Virtucio [EMAIL PROTECTED]:



Re: transparent proxying, squid, nat, ipfw

2003-10-06 Thread chael

I have done a number of servers in this setup. It really is as simple as
following this http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.8 plus
the divert line as the first line in ipfw and the necessary NAT in rc.conf.

However, if you are thinking of implementing WCCP + transparent proxy + NAT, it
doesn't seem to work together, or at least not for me :-D (help?). I have
read on OSNews that there's a new ipfw implementation that might solve
this and it is due to come out with 4.9-RELEASE. I'm not sure if this is
related though... I didn't read thoroughly.

chael


transparent proxying, squid, nat, ipfw

2003-10-05 Thread synrat
I'm having a hard time getting this working together.
I have squid 2.5 stable working and with all the required
settings for transparent proxying. The machine has the kernel with IPFW and
forwarding options. NAT is on, firewall type is simple with some
modifications. Internal interface address is 192.168.1.1. Squid runs fine
when the browser is set up to access it, but the goal is not to have to do
that.

http_port 3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy  on
httpd_accel_uses_host_header on

I have the forwarding rule as well

fwd 127.0.0.1,3128 tcp from any to any 80

I tried 192.168.1.1,3128 in the rule. Tried putting it before both divert
rules. Here's my ipfw list output:

00050 divert 8668 ip from any to any via rl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from 192.168.1.0/24 to any in recv rl0
00500 deny ip from 66.92.100.0/24 to any in recv rl1
00600 deny ip from any to 10.0.0.0/8 via rl0
00700 deny ip from any to 172.16.0.0/12 via rl0
00800 deny ip from any to 192.168.0.0/16 via rl0
00900 deny ip from any to 0.0.0.0/8 via rl0
01000 deny ip from any to 169.254.0.0/16 via rl0
01100 deny ip from any to 192.0.2.0/24 via rl0
01200 deny ip from any to 224.0.0.0/4 via rl0
01300 deny ip from any to 240.0.0.0/4 via rl0
01400 divert 8668 ip from any to any via rl0
01500 deny ip from 10.0.0.0/8 to any via rl0
01600 deny ip from 172.16.0.0/12 to any via rl0
01700 deny ip from 192.168.0.0/16 to any via rl0
01800 deny ip from 0.0.0.0/8 to any via rl0
01900 deny ip from 169.254.0.0/16 to any via rl0
02000 deny ip from 192.0.2.0/24 to any via rl0
02100 deny ip from 224.0.0.0/4 to any via rl0
02200 deny ip from 240.0.0.0/4 to any via rl0
02300 allow tcp from any to any established
02400 allow ip from any to any frag
02500 allow tcp from any to 66.92.100.221 25 setup
02600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
02700 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
02800 allow udp from 192.168.1.0/24 to 192.168.1.0/24
02900 allow udp from 192.168.1.0/24 to 192.168.1.0/24
03000 allow tcp from any to 66.92.100.221 80 setup
03100 allow tcp from any to 66.92.100.221 8080 setup
03200 allow tcp from any to 66.92.100.221 8021 setup
03300 allow tcp from any to 66.92.100.221 21 setup
03400 allow tcp from any to 66.92.100.221 22 setup
03500 allow tcp from any to 66.92.100.221 110 setup
03600 allow tcp from any to 66.92.100.221 143 setup
03700 allow tcp from any to 66.92.100.221 993 setup
03800 allow tcp from any to 66.92.100.221 995 setup
03900 allow icmp from any to any
04000 deny log tcp from any to any in recv rl0 setup
04100 allow tcp from any to any setup
04200 fwd 127.0.0.1,3128 tcp from any to any 80
04300 allow udp from 66.92.100.221 to any keep-state
04400 allow udp from 192.168.1.3 to any keep-state
65535 deny ip from any to any


Re: transparent proxying, squid, nat, ipfw

2003-10-05 Thread Mark Pearce
On Sun, 5 Oct 2003 23:40:09 -0400 (EDT)
synrat [EMAIL PROTECTED] wrote:

 I'm having a hard time getting this working together.
 I have squid 2.5 stable working and with all the required
 settings for transparent proxying. The machine has the kernel with IPFW
 and forwarding options. NAT is on, firewall type is simple with some
 modifications. Internal interface address is 192.168.1.1. Squid runs
 fine when the browser is set up to access it, but the goal is not to
 have to do that.
 
 http_port 3128
 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_with_proxy  on
 httpd_accel_uses_host_header on

Hi

Did you install squid with the following options?

#  - Enable Transparent Proxy support for IP-Filter systems (incl 3.0)
#CONFIGURE_ARGS+=	--enable-ipf-transparent

Mark