RE: Transparent Proxy going astray
> -Original Message-
> From: L.Norvydas [mailto:[EMAIL PROTECTED]]
> Sent: 24 January 2005 10:41
> To: freebsd-questions@freebsd.org
> Subject: Transparent Proxy going astray
>
> Hello, Paul,
>
> I saw your message in freebsd-questions forum about transparent proxy.
> Right now I'm facing the same problem: gateway with ipfw/natd and squid
> proxy on different machine. Maybe you have solved this problem? Everywhere
> I look, I see the same questions I'm asking, i.e. "has anyone successfully
> configured gateway and proxy, working on different machines?" :)

Have you looked at "WCCP"? Not sure if there are BSD implementations of this, but in Linux there are. It's basically a protocol that runs on both the proxy and f/w server such that any http traffic is transparently forwarded to the proxy server for caching/whatever before it goes through the gateway... It used to be a Cisco proprietary protocol, but I believe it may have been RFCd.

brad

This email may contain confidential material. If you were not an intended recipient, please notify the sender and delete all copies. We may monitor email to and from our network.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Transparent Proxy going astray
Hello, Paul,

I saw your message in freebsd-questions forum about transparent proxy. Right now I'm facing the same problem: gateway with ipfw/natd and squid proxy on different machine. Maybe you have solved this problem? Everywhere I look, I see the same questions I'm asking, i.e. "has anyone successfully configured gateway and proxy, working on different machines?" :)

I have FreeBSD-4.10 with ipfw/natd working with quite complex ruleset and other box with squid. When I install squid on the gateway machine and make

fwd GW_LOOPBACK,3128 tcp from MY_TEST_PC to any 80

then this squid works just fine. But when I try to forward to other, not gateway machine, i.e.

fwd OTHER_BOX_WITH_SQUID,3128 tcp from MY_TEST_PC to any 80

then it isn't working... I see packets matching fwd rule (counter increases), but no traffic reaches squid machine. I have wandered through lots of forums and mailing lists, but haven't found solution until now. Thought maybe you have successfully coped with this and maybe you can help or advise something?

Lawrence, network / systems administrator
FW: Transparent Proxy going astray - Help!
Hi all,

Has no-one seen this problem? If so, wow, what have I done wrong here? Do you need more info?

Cheers,

Paul Hamilton

-Original Message-
From: Paul Hamilton [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 21 June 2003 1:34 PM
To: Freebsd-Questions
Subject: Transparent Proxy going astray

Hi all,

I have watched/lurked on this list for some time now, and see a Transparent Proxy question every now and then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again.

I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4

Squid.conf has the required lines:

http_port 8080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and the required ipfw2 firewall rules:

00050271 27520 allow tcp from 192.168.0.10 to any
00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80

Interestingly enough when watching the ip traffic on the gateway, I see this on my inside NIC:

08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0

and this on my outside NIC:

08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)

The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic.

Should I be able to see traffic on lo0?

Any thoughts on what I am missing?

Cheers,

Paul Hamilton
RE: Transparent Proxy going astray
Nope! :-(

Yes the gateway server (192.168.0.10), runs IPFW2, squid, ppp etc.

I added the skip rule as you suggested. I see traffic getting to rule 60, but since I don't know of a way to tcpdump on lo0 traffic, I don't know how to troubleshoot further.

Oh yes, it looks like squid logs do register a miss (after a long time out):

1056276094.519 10998 192.168.0.2 TCP_MISS/000 0 GET http://www.google.com/

I checked and made sure that the squid ACL is allowing 192.168.0.0 and 127.0.0.1 traffic through.

Also what is generating this traffic (via tcpdump on the inside NIC):

17:50:51.073150 192.168.0.2.4339 > 203.10.1.17.53: 1355+ A? www.google.com. (32)
17:50:51.375673 203.10.1.17.53 > 192.168.0.2.4339: 1355 1/4/4 A 216.239.39.99 (184)
17:50:51.378720 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:51.378774 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 673769955 win 0
17:50:51.814743 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:51.814794 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 1 win 0
17:50:52.315527 192.168.0.2.4340 > 216.239.39.99.80: S 673769954:673769954(0) win 16384 (DF)
17:50:52.315579 216.239.39.99.80 > 192.168.0.2.4340: R 0:0(0) ack 1 win 0

Hmmm, hang on, if the above is from the inside NIC (tun0 shows only the DNS lookup), why am I seeing the 216.239.39.99:80 traffic? Is squid somehow directing it back inside, instead of out via tun0? Is this a squid config problem? By the way, examining the packets via Ethereal, it looks like there is no data in those packets.

I know this is a standard setup, I'm just perplexed on where I have gone wrong (and why I can't troubleshoot it further)

Cheers,

Paul Hamilton

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Behalf Of Andrew Thomson
Sent: Saturday, 21 June 2003 1:49 PM
To: Freebsd-Questions
Subject: Re: Transparent Proxy going astray

Paul,

You'd probably have noticed a few posts from me on this very subject. The good news is I did end up getting it all working.. but there were definitely a few hurdles in the way.

I assume your firewall is also running the squid proxy? For some reason, I got away with just putting rule 60 in! I also added a dst port of 80 so just my http traffic got forwarded.

If this is your firewall, then you'd probably want to change rule 50 to something like:

skipto 70 tcp from 192.168.0.10 to any

192.168.0.10 is your firewall??

From my understanding, an add rule will stop moving through the ruleset however you still need your requests to go through nat etc etc..

Let me know how you get on. You can be rest assured that it is possible. I have now setup transparent proxies with the proxy running on the firewall and also with the proxy running on another box. I've also used 4.7 and 5.0 in separate instances successfully too!

good luck,

ajt.

On Sat, Jun 21, 2003 at 01:34:17PM +0800, Paul Hamilton wrote:
> Hi all,
>
> I have watched/lurked on this list for some time now, and see a Transparent
> Proxy question every now and then. None of them have answered my problem. I
> give it a bash every now and then to see if I will trip over the answer. It
> hasn't worked, so I will try this list again.
>
> I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4
>
> Squid.conf has the required lines:
>
> http_port 8080
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> and the required ipfw2 firewall rules:
>
> 00050271 27520 allow tcp from 192.168.0.10 to any
> 00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80
>
> Interestingly enough when watching the ip traffic on the gateway, I see this
> on my inside NIC:
>
> 08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
> 08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
> 08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
> 08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
>
>
> and this on my outside NIC:
>
> 08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)
>
> The cache_access.log doesn
Re: Transparent Proxy going astray
Paul,

You'd probably have noticed a few posts from me on this very subject. The good news is I did end up getting it all working.. but there were definitely a few hurdles in the way.

I assume your firewall is also running the squid proxy? For some reason, I got away with just putting rule 60 in! I also added a dst port of 80 so just my http traffic got forwarded.

If this is your firewall, then you'd probably want to change rule 50 to something like:

skipto 70 tcp from 192.168.0.10 to any

192.168.0.10 is your firewall??

From my understanding, an add rule will stop moving through the ruleset however you still need your requests to go through nat etc etc..

Let me know how you get on. You can be rest assured that it is possible. I have now setup transparent proxies with the proxy running on the firewall and also with the proxy running on another box. I've also used 4.7 and 5.0 in separate instances successfully too!

good luck,

ajt.

On Sat, Jun 21, 2003 at 01:34:17PM +0800, Paul Hamilton wrote:
> Hi all,
>
> I have watched/lurked on this list for some time now, and see a Transparent
> Proxy question every now and then. None of them have answered my problem. I
> give it a bash every now and then to see if I will trip over the answer. It
> hasn't worked, so I will try this list again.
>
> I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4
>
> Squid.conf has the required lines:
>
> http_port 8080
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> and the required ipfw2 firewall rules:
>
> 00050271 27520 allow tcp from 192.168.0.10 to any
> 00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80
>
> Interestingly enough when watching the ip traffic on the gateway, I see this
> on my inside NIC:
>
> 08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
> 08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
> 08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
> 08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
>
>
> and this on my outside NIC:
>
> 08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)
>
> The cache_access.log doesn't show any traffic, yet (something) is pretending
> to be the google website, as there is a reply from 216.239.39.99.80. I have
> tried to run tcpdump -ni lo0 but there isn't any traffic.
>
> Should I be able to see traffic on lo0?
>
> Any thoughts on what I am missing?
>
> Cheers,
>
> Paul Hamilton
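The point ajt makes above (an "allow" is terminal, so the firewall's own traffic matched by rule 50 never reaches the nat rules later in the set, whereas "skipto 70" jumps past the fwd rule but keeps walking) is easy to see with a toy first-match evaluator. The following is an added example, not code from the thread or from FreeBSD: it understands only the small subset of ipfw syntax used here, treats divert as the end of the walk (real ipfw resumes at the next rule once natd re-injects the packet), and the divert rule 70 and the final allow rule 100 are hypothetical; only rules 50 and 60 are the ones quoted in the thread.

```python
import ipaddress

# Added example (not from the thread): a toy first-match walker for the ipfw
# rule subset used here.  Rules 70 and 100 are hypothetical stand-ins for the
# natd divert and a closing allow that Paul's full ruleset is assumed to have.

TERMINAL = {"allow", "deny", "fwd", "divert"}   # divert is treated as terminal in this toy

def parse_rule(text):
    """'00050 allow tcp from 192.168.0.10 to any [dst-port 80]' -> dict."""
    toks = text.split()
    num, action, i, target = int(toks[0]), toks[1], 2, None
    if action in ("skipto", "fwd", "divert"):
        target, i = toks[2], 3
    proto = toks[i]; i += 1
    assert toks[i] == "from"; src = toks[i + 1]; i += 2
    assert toks[i] == "to"; dst = toks[i + 1]; i += 2
    dport = int(toks[i + 1]) if i < len(toks) and toks[i] == "dst-port" else None
    return {"num": num, "action": action, "target": target,
            "proto": proto, "src": src, "dst": dst, "dport": dport}

def addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and addr_match(rule["src"], pkt["src"])
            and addr_match(rule["dst"], pkt["dst"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"]))

def walk(rule_texts, pkt):
    """Simulate first-match evaluation.  Returns (final action, [matched rule numbers])."""
    rules = sorted((parse_rule(r) for r in rule_texts), key=lambda r: r["num"])
    matched, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not rule_matches(r, pkt):
            i += 1
            continue
        matched.append(r["num"])
        if r["action"] == "skipto":
            # jump to the first rule whose number is >= the target
            target = int(r["target"])
            i = next((j for j, x in enumerate(rules) if x["num"] >= target), len(rules))
            continue
        if r["action"] in TERMINAL:
            action = r["action"] + (" " + r["target"] if r["target"] else "")
            return action, matched
        i += 1
    return "deny (default rule 65535)", matched

# Rules 50 and 60 as quoted in the thread; 70 and 100 are hypothetical.
RULES_ALLOW = [
    "00050 allow tcp from 192.168.0.10 to any",
    "00060 fwd 127.0.0.1,8080 tcp from any to any dst-port 80",
    "00070 divert 8668 ip from any to any",
    "00100 allow ip from any to any",
]
# Same set with ajt's suggested change applied to rule 50.
RULES_SKIPTO = ["00050 skipto 70 tcp from 192.168.0.10 to any"] + RULES_ALLOW[1:]

# Constructed packets: a LAN client fetching a web page, and the gateway
# (where squid runs) making its own outbound request to the origin server.
CLIENT_PKT = {"proto": "tcp", "src": "192.168.0.2", "dst": "216.239.39.99", "dport": 80}
GATEWAY_PKT = {"proto": "tcp", "src": "192.168.0.10", "dst": "216.239.39.99", "dport": 80}

if __name__ == "__main__":
    for name, rules in (("allow at 50", RULES_ALLOW), ("skipto at 50", RULES_SKIPTO)):
        for who, pkt in (("client", CLIENT_PKT), ("gateway", GATEWAY_PKT)):
            print(f"{name:12} {who:8} -> {walk(rules, pkt)}")
```

With "allow" at rule 50 the gateway's own HTTP requests end at rule 50 and never reach the divert rule, so they are never translated; with "skipto 70" they bypass the fwd rule (avoiding a loop back into squid) but still reach the divert. Client traffic is unaffected either way and hits the fwd rule at 60.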
Transparent Proxy going astray
Hi all,

I have watched/lurked on this list for some time now, and see a Transparent Proxy question every now and then. None of them have answered my problem. I give it a bash every now and then to see if I will trip over the answer. It hasn't worked, so I will try this list again.

I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4

Squid.conf has the required lines:

http_port 8080
httpd_accel_port 80
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

and the required ipfw2 firewall rules:

00050271 27520 allow tcp from 192.168.0.10 to any
00060 3144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80

Interestingly enough when watching the ip traffic on the gateway, I see this on my inside NIC:

08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0

and this on my outside NIC:

08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)

The cache_access.log doesn't show any traffic, yet (something) is pretending to be the google website, as there is a reply from 216.239.39.99.80. I have tried to run tcpdump -ni lo0 but there isn't any traffic.

Should I be able to see traffic on lo0?

Any thoughts on what I am missing?

Cheers,

Paul Hamilton
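The captures Paul posts (here and in his follow-up) show the same pattern each time: a SYN from the client to port 80, answered a few tens of microseconds later on the same inside interface by a RST carrying the origin server's address. Turning that observation into a check is a useful habit when debugging fwd rules, so the following is an added example, not code from the thread: it parses the old-style tcpdump lines quoted above, groups them by client 4-tuple, and reports flows whose SYNs were answered only by RST, together with the shortest SYN-to-RST delay. The sample capture is the inside-NIC trace from the original post; the parser only understands the line shapes that appear in the thread.

```python
import re
from collections import defaultdict

# Added example (not from the thread): parse the tcpdump line format quoted in
# the messages and flag TCP connection attempts answered only with RST.
#
# Line shapes handled (all taken from the thread):
#   08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
#   08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
#   08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<rest>.*)$"
)
FLAGS_RE = re.compile(r"^([SRPF.]+)\s")   # TCP flag letters; DNS lines start with a query id


def parse_line(line):
    """Return a dict for one tcpdump line, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fm = FLAGS_RE.match(m.group("rest"))
    return {
        "t": int(m.group("h")) * 3600 + int(m.group("m")) * 60 + float(m.group("s")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": fm.group(1) if fm else None,   # None for non-TCP lines (e.g. DNS)
        "rest": m.group("rest"),
    }


def find_reset_handshakes(lines):
    """Report flows whose SYNs got RST and never a SYN-ACK.
    Each entry: (client, server, syn_count, rst_count, min_syn_to_rst_seconds)."""
    syns = defaultdict(list)    # client 4-tuple -> SYN timestamps
    rsts = defaultdict(list)    # client 4-tuple -> RST timestamps (replies re-keyed by client)
    synacked = set()
    for line in lines:
        p = parse_line(line)
        if p is None or p["flags"] is None:
            continue
        fwd_key = (p["src"], p["sport"], p["dst"], p["dport"])
        rev_key = (p["dst"], p["dport"], p["src"], p["sport"])
        if "S" in p["flags"] and "ack" not in p["rest"]:
            syns[fwd_key].append(p["t"])            # plain SYN from the client
        elif "S" in p["flags"]:
            synacked.add(rev_key)                   # SYN-ACK: the server accepted
        elif "R" in p["flags"]:
            rsts[rev_key].append(p["t"])            # RST sent back toward the client
    report = []
    for key, syn_ts in syns.items():
        if key in synacked or key not in rsts:
            continue
        delays = []
        for s in syn_ts:
            later = [r - s for r in rsts[key] if r >= s]
            if later:
                delays.append(min(later))
        report.append((f"{key[0]}:{key[1]}", f"{key[2]}:{key[3]}",
                       len(syn_ts), len(rsts[key]), min(delays) if delays else None))
    return report


# Sample capture: the inside-NIC trace from the original post.
SAMPLE_CAPTURE = """\
08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
""".splitlines()

if __name__ == "__main__":
    for client, server, n_syn, n_rst, delay in find_reset_handshakes(SAMPLE_CAPTURE):
        print(f"{client} -> {server}: {n_syn} SYN, {n_rst} RST, fastest RST after {delay * 1e6:.0f} us")
```

A RST that comes back within a few tens of microseconds, on the inside interface, cannot be a round trip to the real host on the Internet; it was generated locally on the gateway, which is consistent with Paul's remark that "something" is answering as the google address while nothing shows up on lo0 or in the squid access log.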