Re: transparent proxying, squid, nat, ipfw

I have done a number of servers in this setup. It really is as simple as following this http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.8 plus the divert line as the first line in ipfw and the necessary NAT in rc.conf.

However, if you are thinking of implementing WCCP+transparent proxy+NAT, it doesn't seem to work together, or at least not for me :-D (help?). I have read from OSNews that there's a new ipfw implementation that might solve this and it is due to come out with the 4.9-RELEASE. I'm not sure if this is related though... I didn't read thoroughly.

chael

> Hi,
>
> my advice is, take it step by step. Set up your NAT, Apache (if you need it),
> squid (don't use httpd_accel at the beginning!).
>
> Now I'm a bit unsure what you want to do; if you want to force the use of a
> proxy for your NAT users, create your redirection rule which redirects
> outgoing traffic to port 80 (https, ...) to your localhost squid.
>
> httpd_accel is for accelerating a specific webserver in your realm; you can use
> it to speed up the responses from your local Apache or any other webserver in
> your LAN (and thereby making it accessible from outside, if you set the ACL
> accordingly).
>
> The question is, what do you want to accomplish?
>
> Kind regards,
> Alex.
>
> Quoting Gil Agno Virtucio <[EMAIL PROTECTED]>:
>
> > so far this was the simplest squid configuration that i've seen...
> > http://ezine.daemonnews.org/200209/squid.html
> >
> > hope this helps...
> >
> > -----Original Message-----
> > From: synrat [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, October 06, 2003 11:40 AM
> > To: [EMAIL PROTECTED]
> > Subject: transparent proxying, squid, nat, ipfw
> >
> > I'm having a hard time getting this working together.
> > [...]
RE: transparent proxying, squid, nat, ipfw

Hi,

my advice is, take it step by step. Set up your NAT, Apache (if you need it), squid (don't use httpd_accel at the beginning!).

Now I'm a bit unsure what you want to do; if you want to force the use of a proxy for your NAT users, create your redirection rule which redirects outgoing traffic to port 80 (https, ...) to your localhost squid.

httpd_accel is for accelerating a specific webserver in your realm; you can use it to speed up the responses from your local Apache or any other webserver in your LAN (and thereby making it accessible from outside, if you set the ACL accordingly).

The question is, what do you want to accomplish?

Kind regards,
Alex.

Quoting Gil Agno Virtucio <[EMAIL PROTECTED]>:

> so far this was the simplest squid configuration that i've seen...
> http://ezine.daemonnews.org/200209/squid.html
>
> hope this helps...
>
> -----Original Message-----
> From: synrat [mailto:[EMAIL PROTECTED]]
> Sent: Monday, October 06, 2003 11:40 AM
> To: [EMAIL PROTECTED]
> Subject: transparent proxying, squid, nat, ipfw
>
> I'm having a hard time getting this working together.
> [...]

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
RE: transparent proxying, squid, nat, ipfw

so far this was the simplest squid configuration that i've seen...
http://ezine.daemonnews.org/200209/squid.html

hope this helps...

-
Gil Agno Virtucio
Janitor/Collector/Messenger
NEC System Integration and Construction Philippines Inc.
15th Floor BPI Buendia Center
Gil Puyat Ave. Makati City 1200
Cellphone : +639163989695
Office Phone: +6328914167
-

-----Original Message-----
From: synrat [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 06, 2003 11:40 AM
To: [EMAIL PROTECTED]
Subject: transparent proxying, squid, nat, ipfw

I'm having a hard time getting this working together.
[...]
Re: transparent proxying, squid, nat, ipfw

your port 80 hijack is waaay too far below. it should be like in the first three lines:

    100 divert 8668 ip from any to any via ${oif}
    200 allow tcp from ${oip} to any
    300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80

append the rest from here... ;-)

----- Original Message -----
From: "synrat" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 11:40 AM
Subject: transparent proxying, squid, nat, ipfw

> I'm having a hard time getting this working together.
> [...]
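Why the posted ruleset never reaches rule 04200, and why the reply above puts the fwd rule at position 300 behind an allow for the proxy's own address, can be shown with a small first-match simulator. This is an added example written for this page, not code from the thread or from FreeBSD's ipfw: it understands only the rule syntax that occurs in the posted list (action, protocol, from/to, a destination port, via/in/recv, setup/established/frag/keep-state), treats divert as non-terminating (natd re-injects the packet at the next rule), and runs a constructed LAN client's port-80 SYN through an excerpt of the posted rules and through the reply's ordering with ${oif} and ${oip} filled in as rl0 and 66.92.100.221 from the posted list. The external server address 198.51.100.10, the packet fields and the choice of rl1 as the inside interface (inferred from rule 00500) are assumptions. On the input pass on rl1, the client's SYN is accepted by 04100 "allow tcp from any to any setup" before the fwd rule is ever consulted; with the fwd rule at 00300 it is hit at once, and rule 00200 lets the proxy host's own outgoing port-80 connections through instead of redirecting them back into squid.

```python
"""First-match simulator for the ipfw rule subset used in this thread (added example,
not code from the thread or from FreeBSD): it parses only the syntax in the posted
ruleset and reports which rule decides a packet."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int
    iface: str            # interface the current ipfw pass runs on
    direction: str        # "in" or "out"; on the input pass the arrival interface is iface
    syn_only: bool = False  # SYN without ACK: what "setup" matches
    ack: bool = False       # ACK set: what "established" matches

def parse_rule(line):
    """Parse 'NNNNN action [arg] [log] proto from SRC to DST [port] [options]'."""
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "dport": None,
         "via": None, "dir": None, "recv": None, "flags": set()}
    i = 2
    if r["action"] in ("divert", "fwd"):   # divert port / fwd address,port
        r["arg"] = t[i]; i += 1
    if t[i] == "log":
        i += 1
    r["proto"] = t[i]; i += 1
    assert t[i] == "from" and t[i + 2] == "to", line
    r["src"], r["dst"] = t[i + 1], t[i + 3]
    i += 4
    while i < len(t):
        tok = t[i]
        if tok.isdigit():                  # "to any 80": the port belongs to dst
            r["dport"] = int(tok); i += 1
        elif tok == "dst-port":
            r["dport"] = int(t[i + 1]); i += 2
        elif tok in ("via", "recv"):
            r[tok] = t[i + 1]; i += 2
        elif tok in ("in", "out"):
            r["dir"] = tok; i += 1
        elif tok in ("setup", "established", "frag", "keep-state"):
            r["flags"].add(tok); i += 1
        else:
            raise ValueError(f"unsupported token {tok!r} in rule {r['num']}")
    return r

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    recv = p.iface if p.direction == "in" else None
    return ((r["proto"] == "ip" or r["proto"] == p.proto)
            and addr_match(r["src"], p.src) and addr_match(r["dst"], p.dst)
            and (r["dport"] is None or r["dport"] == p.dport)
            and (r["via"] is None or r["via"] == p.iface)      # "via" matches either direction
            and (r["dir"] is None or r["dir"] == p.direction)
            and (r["recv"] is None or r["recv"] == recv)
            and ("setup" not in r["flags"] or (p.proto == "tcp" and p.syn_only))
            and ("established" not in r["flags"] or (p.proto == "tcp" and p.ack))
            and "frag" not in r["flags"])                       # sample packets are never fragments

def first_match(rules, pkt):
    """(number, action) of the rule that decides the packet, as ipfw's first-match
    search would. divert is not terminal: natd re-injects the packet at the next rule
    (address rewriting is not modelled; it does not change the cases below)."""
    for r in map(parse_rule, rules):
        if rule_matches(r, pkt) and r["action"] != "divert":
            return r["num"], r["action"]
    return 65535, "deny"

# Excerpt of the posted ruleset: the rules a LAN client's port-80 SYN can reach.
POSTED = [
    "00050 divert 8668 ip from any to any via rl0",
    "00100 allow ip from any to any via lo0",
    "00400 deny ip from 192.168.1.0/24 to any in recv rl0",
    "02300 allow tcp from any to any established",
    "04000 deny log tcp from any to any in recv rl0 setup",
    "04100 allow tcp from any to any setup",
    "04200 fwd 127.0.0.1,3128 tcp from any to any 80",
    "65535 deny ip from any to any",
]
# The reply's ordering, with ${oif}=rl0 and ${oip}=66.92.100.221 taken from the posted
# rules; "the rest" is appended as posted (only the order matters to this simulator).
REORDERED = [
    "00100 divert 8668 ip from any to any via rl0",
    "00200 allow tcp from 66.92.100.221 to any",
    "00300 fwd 127.0.0.1,3128 tcp from any to any dst-port 80",
] + POSTED[1:]

# Constructed packets. 192.168.1.3 is a LAN host from the posted rules; 198.51.100.10 is a
# made-up external web server. rl1 is assumed to be the inside interface (rule 00500 refuses
# external source addresses arriving on it), so the client's SYN is seen on the input pass
# on rl1; the proxy host's own request to the same server is seen on the output pass on rl0.
CLIENT_SYN = Packet("tcp", "192.168.1.3", "198.51.100.10", 80, "rl1", "in", syn_only=True)
PROXY_SYN = Packet("tcp", "66.92.100.221", "198.51.100.10", 80, "rl0", "out", syn_only=True)

if __name__ == "__main__":
    print("posted   :", first_match(POSTED, CLIENT_SYN))     # (4100, 'allow'): 04200 never reached
    print("reordered:", first_match(REORDERED, CLIENT_SYN))  # (300, 'fwd')
    print("proxy own:", first_match(REORDERED, PROXY_SYN))   # (200, 'allow'): not looped back
```

Dropping rule 00200 from the reordered list and running the proxy's own SYN through it again makes that packet hit the fwd rule, which is the loop the allow-from-${oip} line exists to prevent. The simulator stops at the first non-divert match exactly as ipfw does, so any rule placed after 04100 that is meant to catch new port-80 connections is dead code in the posted ordering.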
Re: transparent proxying, squid, nat, ipfw

On Sun, 5 Oct 2003 23:40:09 -0400 (EDT) synrat <[EMAIL PROTECTED]> wrote:

> I'm having a hard time getting this working together.
> I have squid 2.5 stable working and with all the required
> settings for transparent proxying. The machine has the kernel with IPFW
> and forwarding options. NAT is on, firewall type is simple with some
> modifications. Internal interface address is 192.168.1.1. Squid runs
> fine when the browser is set up to access it, but the goal is not to
> have to do that.
>
>     http_port 3128
>     httpd_accel_host virtual
>     httpd_accel_port 80
>     httpd_accel_with_proxy on
>     httpd_accel_uses_host_header on

Hi

Did you install squid with the following options?

    # - Enable Transparent Proxy support for IP-Filter systems (incl 3.0)
    #CONFIGURE_ARGS+= --enable-ipf-transparent

Mark
transparent proxying, squid, nat, ipfw

I'm having a hard time getting this working together. I have squid 2.5 stable working and with all the required settings for transparent proxying. The machine has the kernel with IPFW and forwarding options. NAT is on, firewall type is simple with some modifications. Internal interface address is 192.168.1.1. Squid runs fine when the browser is set up to access it, but the goal is not to have to do that.

    http_port 3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

I have the forwarding rule as well

    fwd 127.0.0.1,3128 tcp from any to any 80

I tried 192.168.1.1,3128 in the rule. Tried putting it before both divert rules.

Here's my ipfw list output

    00050 divert 8668 ip from any to any via rl0
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    00400 deny ip from 192.168.1.0/24 to any in recv rl0
    00500 deny ip from 66.92.100.0/24 to any in recv rl1
    00600 deny ip from any to 10.0.0.0/8 via rl0
    00700 deny ip from any to 172.16.0.0/12 via rl0
    00800 deny ip from any to 192.168.0.0/16 via rl0
    00900 deny ip from any to 0.0.0.0/8 via rl0
    01000 deny ip from any to 169.254.0.0/16 via rl0
    01100 deny ip from any to 192.0.2.0/24 via rl0
    01200 deny ip from any to 224.0.0.0/4 via rl0
    01300 deny ip from any to 240.0.0.0/4 via rl0
    01400 divert 8668 ip from any to any via rl0
    01500 deny ip from 10.0.0.0/8 to any via rl0
    01600 deny ip from 172.16.0.0/12 to any via rl0
    01700 deny ip from 192.168.0.0/16 to any via rl0
    01800 deny ip from 0.0.0.0/8 to any via rl0
    01900 deny ip from 169.254.0.0/16 to any via rl0
    02000 deny ip from 192.0.2.0/24 to any via rl0
    02100 deny ip from 224.0.0.0/4 to any via rl0
    02200 deny ip from 240.0.0.0/4 to any via rl0
    02300 allow tcp from any to any established
    02400 allow ip from any to any frag
    02500 allow tcp from any to 66.92.100.221 25 setup
    02600 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
    02700 allow tcp from 192.168.1.0/24 to 192.168.1.0/24
    02800 allow udp from 192.168.1.0/24 to 192.168.1.0/24
    02900 allow udp from 192.168.1.0/24 to 192.168.1.0/24
    03000 allow tcp from any to 66.92.100.221 80 setup
    03100 allow tcp from any to 66.92.100.221 8080 setup
    03200 allow tcp from any to 66.92.100.221 8021 setup
    03300 allow tcp from any to 66.92.100.221 21 setup
    03400 allow tcp from any to 66.92.100.221 22 setup
    03500 allow tcp from any to 66.92.100.221 110 setup
    03600 allow tcp from any to 66.92.100.221 143 setup
    03700 allow tcp from any to 66.92.100.221 993 setup
    03800 allow tcp from any to 66.92.100.221 995 setup
    03900 allow icmp from any to any
    04000 deny log tcp from any to any in recv rl0 setup
    04100 allow tcp from any to any setup
    04200 fwd 127.0.0.1,3128 tcp from any to any 80
    04300 allow udp from 66.92.100.221 to any keep-state
    04400 allow udp from 192.168.1.3 to any keep-state
    65535 deny ip from any to any