Re: Why are there no PKG_PATH defaults?
One thing that could be done without hammering servers when you install from CD would be to add a question to the install script:

Would you like to define the PKG_PATH?
- [1]: propose mirrors based on the timezone given (and then provide a menu and you just have to select the proxy)
- [2]: manually define PKG_PATH (type the string, could even check if the path seems valid)
- [3]: nope, thanks

But would it really help much?

Romain

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Alexander Hall
Sent: Wednesday, 24 September 2014 23:20
To: Ville Valkonen
Cc: PPC Miscellaneous Discussions
Subject: Re: Why are there no PKG_PATH defaults?

On 09/24/14 23:09, Ville Valkonen wrote:
> Out of curiosity, what's wrong with the one that installer uses?

Nothing, however the installer only cares about a mirror if you actually install from one of them. If you install from e.g. CD, you don't have a selected mirror. If you do install or upgrade (I'm pretty sure) from a mirror, /etc/pkg.conf will be updated accordingly.

/Alexander

> --
> Regards,
> Ville
>
> On 24 September 2014 19:34, Alexander Hall alexan...@beard.se wrote:
>
> On September 24, 2014 6:09:04 PM CEST, openda...@hushmail.com wrote:
>
> > > Indeed, the installer only creates that if you install from a mirror. Apart from that, as someone else pointed out, which mirror should one choose?
> >
> > Cool, I didn't know that. Then, in the event that someone installed via an ISO or some pre-defined VM (ie. a DigitalOcean droplet) -- how about a one-time script upon first root login to ask for such info?
> >
> >     You do not have a `PKG_PATH` set for `pkg_add`. Would you like us to set it for you? (Y/n) y
> >     Choose your nearest mirror:
> >     1. Continent
> >     2. Whatever
> >     3. ...
> >     There is currently no ports collection in `/usr/ports`. Would you like us to get it for you? (Y/n)
>
> I can't speak for others, but I'd be terribly annoyed by this. Also, the script isn't trivial.
>
> Feel free to give it a go, share and use it for your own sake, but I'd be surprised to see it go in.
>
> /Alexander
>
> > Thanks!
> > O.D.
> >
> > On 24. September 2014 at 1:05 PM, Alexander Hall wrote:
> >
> > On September 24, 2014 12:44:14 PM CEST, openda...@hushmail.com wrote:
> >
> > > > Because /etc/pkg.conf ?
> > >
> > > Sorry, no such file over here.
> >
> > Indeed, the installer only creates that if you install from a mirror. Apart from that, as someone else pointed out, which mirror should one choose?
> >
> > /Alexander
> >
> > > O.D.
> > >
> > > On 23. September 2014 at 1:47 PM, Alexander Hall wrote:
> > >
> > > On September 23, 2014 3:00:41 PM CEST, openda...@hushmail.com wrote:
> > >
> > > > Hi,
> > > >
> > > > Expanding on the whole http://en.wikipedia.org/wiki/Convention_over_configuration thing -- why aren't there any sane PKG_PATH defaults? Ie.:
> > > >
> > > >     release=$(uname -r)
> > > >     architecture=$(uname -p)
> > > >     export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/${release}/packages/${architecture}/
> > >
> > > Because /etc/pkg.conf ?
> > >
> > > /Alexander
> > >
> > > > Thanks!
> > > > O.D.
Re: Request for Funding our Electricity
For a while I've wanted to buy T-shirts and sweatshirts but they are never available (right size for some, total availability for others). I mean, if CDs and shirts account for a third of the funding... the store should be a little more pro (speaking about product availability).

It's a fantastic project, made by great people. Keep up the good work... I'm sure you will find some way for your funding.

PS: Just found some shirts left on the German website (http://www.ixsoft.de/), is buying on it OK?

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Theo de Raadt
Sent: Wednesday, 15 January 2014 02:36
To: Nicolai
Cc: misc@openbsd.org
Subject: Re: Request for Funding our Electricity

Nicolai, and others,

I'd like to take the opportunity to thank all of those stepping up to the call for contributions. Every little bit helps. For those who ask, the OpenBSD Foundation is the best path for contributions.

I hope some larger contributors will step up, to take a more long term view (like Google does). Rather than the little people funding our efforts.

Many of the things we do in OpenBSD are often incorporated into products made by multi-million dollar companies. This is not a BSD vs GPL issue, it is about a plain lack of goodwill, something you cannot mandate via a license. A lack of goodwill is effectively badwill.

There is a good list in the last paragraph of the OpenSSH web site. Maybe the community's activism can make inroads there which we have not been able to.
Re: Transparent proxy with Squid on OpenBSD 5.4
In this topology:

    Computers = Switch = Webfiltering bridge = Router = Internet

Without a bridge, a system with 2 network cards won't let:
- data from the Computers go to the Router.
- data from the Router go to the Computers.

How do you make it work without a bridge???
- Maybe you're talking about a single network interface system with just a proxy function on it
  o But no real security would be added in this topology, since you can bypass the proxy
- There could be a way to activate packet forwarding, but as far as I know forwarding requires 2 networks

From: carlos albino garcia grijalba [mailto:genesi...@hotmail.com]
Sent: Thursday, 9 January 2014 07:16
To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: RE: Transparent proxy with Squid on OpenBSD 5.4

OK, but why do you need the bridge? I think that you want it to be there to intercept the web and let all pass, but you can do this without the bridge part, intercepting the web requests and then letting all the others go to the router. Not sure if the bridge can do this, because its function is to be there but the packets do not know that it is there. I mean, as far as I know (correct me if I am wrong) they operate in layer 2, so it never reaches higher levels where interception works.

From: romain.fab...@alienconsulting.net
To: genesi...@hotmail.com; grazzol...@gmail.com; cremator.li...@gmail.com
CC: misc@openbsd.org
Subject: RE: Transparent proxy with Squid on OpenBSD 5.4
Date: Thu, 9 Jan 2014 00:18:43 +0100

In fact here is the topology I had in mind:

    Computers = Switch = Webfiltering bridge = Router = Internet

Since I want my system to do both:
- the bridge role
- webfiltering

... without adding a network (I mean adding a network and making the Webfiltering box route between the two subnets), I think it is necessary to build a bridge... And that the design should work... But I'm still struggling on this matter.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of carlos albino garcia grijalba
Sent: Wednesday, 8 January 2014 21:29
To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

I agree with Giancarlo. Why do you need the bridge function? For a transparent proxy you don't need the bridge.

From: romain.fab...@alienconsulting.net
To: grazzol...@gmail.com; cremator.li...@gmail.com
CC: misc@openbsd.org
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
Date: Fri, 3 Jan 2014 17:57:37 +0100

I didn't investigate the bridge in itself since it seems to be working as a bridge...

#===
# Bridge configuration
#===
#vi /etc/hostname.bge0
up

#vi /etc/hostname.bge1
up

#vi /etc/hostname.vether0
inet 192.168.200.253 255.255.255.0 192.168.200.255

#vi /etc/hostname.bridge0
add vether0
add bge0
add bge1
up

#vi /etc/mygate
192.168.200.254

#===
# PF configuration
#===
# Macros Tables
ext_if=bge0
int_if=bge1

# Options
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

# Allow TerminalServer
pass quick inet proto tcp from any to any port 3389 keep state

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# NTP
pass out quick proto udp from $int_if to any port 123 keep state

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

#===
# Squid configuration
#===
# Only useful for Squid 2.7
#acl localhost src 127.0.0.1/32
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0

# Interfacing with SquidGuard
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

# Number of redirector processes to spawn
url_rewrite_children 5

# To prevent loops, don't send requests from
Re: Transparent proxy with Squid on OpenBSD 5.4
In fact here is the topology I had in mind:

    Computers = Switch = Webfiltering bridge = Router = Internet

Since I want my system to do both:
- the bridge role
- webfiltering

... without adding a network (I mean adding a network and making the Webfiltering box route between the two subnets), I think it is necessary to build a bridge... And that the design should work... But I'm still struggling on this matter.

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of carlos albino garcia grijalba
Sent: Wednesday, 8 January 2014 21:29
To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

I agree with Giancarlo. Why do you need the bridge function? For a transparent proxy you don't need the bridge.

From: romain.fab...@alienconsulting.net
To: grazzol...@gmail.com; cremator.li...@gmail.com
CC: misc@openbsd.org
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
Date: Fri, 3 Jan 2014 17:57:37 +0100

I didn't investigate the bridge in itself since it seems to be working as a bridge...

#===
# Bridge configuration
#===
#vi /etc/hostname.bge0
up

#vi /etc/hostname.bge1
up

#vi /etc/hostname.vether0
inet 192.168.200.253 255.255.255.0 192.168.200.255

#vi /etc/hostname.bridge0
add vether0
add bge0
add bge1
up

#vi /etc/mygate
192.168.200.254

#===
# PF configuration
#===
# Macros Tables
ext_if=bge0
int_if=bge1

# Options
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

# Allow TerminalServer
pass quick inet proto tcp from any to any port 3389 keep state

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# NTP
pass out quick proto udp from $int_if to any port 123 keep state

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

#===
# Squid configuration
#===
# Only useful for Squid 2.7
#acl localhost src 127.0.0.1/32
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0

# Interfacing with SquidGuard
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

# Number of redirector processes to spawn
url_rewrite_children 5

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_accessdeny localhost

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Define sources
acl localnet src 192.168.200.0/24

# Define ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 tproxy

# Real squid memory cache
cache_mem 1500 MB
maximum_object_size_in_memory 8 MB

# Squid disk cache
cache_dir ufs /var/squid/cache 1500 16 64
minimum_object_size 3 KB
maximum_object_size 8 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 200 16 256

# IP DNS names memory cache
ipcache_size 5120
fqdncache_size 5120

# File descriptor number
#max_filedescriptors 4096

# Public exposed hostname
visible_hostname openfw.local

# Added to footer of error pages.
cache_mgr em
Re: Transparent proxy with Squid on OpenBSD 5.4
Thanks, I tried according to your configuration:

First test: using the 3128 port as a divert-to port and as a squid http_port with the tproxy or intercept statement => No traffic is getting diverted by pf

Second test: Same test but using the 3129 port as a divert-to port, with 2 lines in the squid.conf file:

    http_port 3128
    http_port 127.0.0.1:3129 tproxy    // I also tried with intercept too but no change

In both tests: the web traffic (http 80) doesn't get caught by the divert-to directive... I tried to tcpdump on the lo0 interface but I got nothing. Seems like a pf problem to me... My browser accessed the internet without any restriction and without being cached...

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On Behalf Of Cremator
Sent: Thursday, 2 January 2014 20:29
To: Romain FABBRI - Alien Consulting
Cc: Misc OpenBSD
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Hello,

First, I have only one line in my pf.conf and it is:

    pass in log on $int_if inet proto tcp from any \
        to port { 80, 8080 } divert-to 127.0.0.1 port 3128

Second, my squid.conf has only one line and it is:

    http_port 127.0.0.1:3128 intercept

In your config files you are redirecting to port 3128 and you are intercepting at port 3129.

On Thu, Jan 2, 2014 at 7:55 PM, Romain FABBRI - Alien Consulting romain.fab...@alienconsulting.net wrote:
> Hi,
>
> I'm trying to do a transparent webfiltering bridge with squid. I've used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6.
>
> Squid is working fine when the browser uses the vether0 administration interface of the bridge. I mean sites are cached and squidGuard is filtering according to my test rules. But it's not working when using the bridge as a transparent proxy (without specifying a proxy server).
>
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros Tables
> ext_if=bge0
> int_if=bge1
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I've tried almost every tutorial on the net but I had no luck with any of them using OpenBSD 5.4 and Squid 3.3.8. So I'm posting to know if anybody has done this kind of configuration successfully.
>
> Happy New Year
> Romain
>
> In /etc/squid/squid.conf I have configured ports like that:
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

[demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]
[demime 1.01d removed an attachment of type application/octet-stream which had a name of squid.conf]
Re: Transparent proxy with Squid on OpenBSD 5.4
I'm now filtering on the inside interface:

    pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128

It seems that pf is diverting the web traffic since the packets are counted:

    # pfctl -sa -vv
    @0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
      [ Evaluations: 3534      Packets: 1741      Bytes: 1788725     States: 17    ]
      [ Inserted: uid 0 pid 8777 State Creations: 17    ]

If I comment the default squid port and put the intercept statement on my divert-to port, like this:

    #http_port 3128
    http_port 127.0.0.1:3128 intercept

I get:
- lots of "ERROR: No forward-proxy ports configured." lines when I run squid
- squidGuard is not blocking sites (that does work in non-transparent mode)

Maybe I get the error message because newer versions of squid require 2 ports (in order to serve files, like icons...)

I find nothing in my squid.conf that would prevent caching when intercepting... That's strange...

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Friday, 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
> Thanks, I tried according to your configuration:
>
> First test: using the 3128 port as a divert-to port and as a squid http_port with the tproxy or intercept statement => No traffic is getting diverted by pf
>
> Second test: Same test but using the 3129 port as a divert-to port, with 2 lines in the squid.conf file:
>
>     http_port 3128
>     http_port 127.0.0.1:3129 tproxy    // I also tried with intercept too but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the divert-to directive... I tried to tcpdump on the lo0 interface but I got nothing. Seems like a pf problem to me... My browser accessed the internet without any restriction and without being cached...

Hi,

My pf.conf only has one line also, which is the one that diverts the relevant traffic to the squid port. My squid.conf has only one http_port directive, that is the intercept one.

If you run pfctl -sa -vv do you see any states created by your divert rule? It seems to me that you have some issue with your pf rules. From what I saw, they do not specify directions nor interfaces, which might cause you trouble. Also, your divert rule is on your external interface; that should be done on packets coming IN your internal interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
Re: Transparent proxy with Squid on OpenBSD 5.4
Could somebody provide me with a working configuration example for pf.conf and squid.conf on OpenBSD 5.4 (working as a bridge)?

I still can't manage to make squid work on my bridge and I don't know what more tests I could do. I even tried to compile squid 3.4.2 with '--enable-pf-transparent' according to the documentation: http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

But still no magic happens...
- packets are diverted
- but the netcat test (nc -l 3129) proves that no packets are received by squid

Thanks,
Romain

-----Original Message-----
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Friday, 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
> Thanks, I tried according to your configuration:
>
> First test: using the 3128 port as a divert-to port and as a squid http_port with the tproxy or intercept statement => No traffic is getting diverted by pf
>
> Second test: Same test but using the 3129 port as a divert-to port, with 2 lines in the squid.conf file:
>
>     http_port 3128
>     http_port 127.0.0.1:3129 tproxy    // I also tried with intercept too but no change
>
> In both tests: the web traffic (http 80) doesn't get caught by the divert-to directive... I tried to tcpdump on the lo0 interface but I got nothing. Seems like a pf problem to me... My browser accessed the internet without any restriction and without being cached...

Hi,

My pf.conf only has one line also, which is the one that diverts the relevant traffic to the squid port. My squid.conf has only one http_port directive, that is the intercept one.

If you run pfctl -sa -vv do you see any states created by your divert rule? It seems to me that you have some issue with your pf rules. From what I saw, they do not specify directions nor interfaces, which might cause you trouble. Also, your divert rule is on your external interface; that should be done on packets coming IN your internal interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
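The two problems the replies above point at (Cremator: the pf divert-to port and the squid intercept port differ; Giancarlo: the divert rule must be "pass in" on the internal interface) are easy to check mechanically before reloading pf and restarting squid. The POSIX shell script below is an added example and is not code from this thread, from Squid or from OpenBSD. It assumes only sh, awk and mktemp. The two pf.conf/squid.conf pairs it writes are constructed samples modelled on the configs posted in the thread: the first pair mirrors the initial post, the second follows the shape the replies recommend. The script can only tell you that the two files agree with each other; it cannot tell you whether the bridge setup works.

```shell
#!/bin/sh
# Added example (not from the thread, Squid or OpenBSD): cross-check the
# pf.conf divert-to rule against the squid.conf http_port that is meant to
# receive the diverted connections. Assumes only sh, awk and mktemp.

# divert_port PF_CONF: port after "divert-to <addr> port" in the first
# divert-to rule; prints nothing if there is no such rule.
divert_port() {
    awk '/divert-to/ {
            for (i = 1; i < NF; i++)
                if ($i == "divert-to" && $(i + 2) == "port") { print $(i + 3); exit }
         }' "$1"
}

# divert_rule PF_CONF: "<direction> <interface>" of the first divert-to rule,
# e.g. "in $int_if" (macros are printed unexpanded).
divert_rule() {
    awk '/divert-to/ && $1 == "pass" {
            ifc = ""
            for (i = 1; i < NF; i++) if ($i == "on") { ifc = $(i + 1); break }
            print $2, ifc; exit
         }' "$1"
}

# resolve_macro PF_CONF NAME: value of a "NAME=value" macro line; NAME may
# carry the leading "$".
resolve_macro() {
    name=${2#\$}
    awk -F= -v n="$name" '$1 == n { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# intercept_port SQUID_CONF: port of the first http_port line flagged
# "intercept" or "tproxy" (both spellings were tried in the thread).
intercept_port() {
    awk '$1 == "http_port" && ($3 == "intercept" || $3 == "tproxy") {
            n = split($2, a, ":"); print a[n]; exit
         }' "$1"
}

# check_divert PF_CONF SQUID_CONF INT_IF: returns 0 when the divert-to port
# equals the squid intercept port and the rule is "pass in" on INT_IF;
# otherwise prints the first problem found and returns 1.
check_divert() {
    dp=$(divert_port "$1"); ip=$(intercept_port "$2")
    set -- "$1" "$2" "$3" $(divert_rule "$1")     # $4 = direction, $5 = interface
    [ -n "$dp" ] || { echo "no divert-to rule in $1"; return 1; }
    [ -n "$ip" ] || { echo "no intercept/tproxy http_port in $2"; return 1; }
    [ "$dp" = "$ip" ] || { echo "pf diverts to port $dp but squid intercepts on $ip"; return 1; }
    [ "$4" = "in" ] || { echo "divert rule is 'pass $4', expected 'pass in'"; return 1; }
    ifc=$5
    case $ifc in \$*) ifc=$(resolve_macro "$1" "$ifc") ;; esac
    [ "$ifc" = "$3" ] || { echo "divert rule is on $ifc, expected internal interface $3"; return 1; }
    echo "ok: pass in on $ifc divert-to port $dp, squid intercepts on $ip"
}

# Constructed samples. Pair 1 mirrors the first configs posted: divert on
# $ext_if to port 3128 while squid intercepts on 3129. Pair 2 mirrors the
# revised shape the replies recommend (same port on both sides, pass in on
# the internal interface, one forward port plus one loopback intercept port).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/pf1.conf" <<'EOF'
ext_if=bge0
int_if=bge1
set skip on lo
set reassemble yes no-df
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply
EOF
cat > "$SAMPLES/squid1.conf" <<'EOF'
http_port 3128
http_port 127.0.0.1:3129 intercept
EOF
cat > "$SAMPLES/pf2.conf" <<'EOF'
ext_if=bge0
int_if=bge1
set reassemble yes no-df
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to any port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
EOF
cat > "$SAMPLES/squid2.conf" <<'EOF'
http_port 3128
http_port 127.0.0.1:3129 intercept
EOF

check_divert "$SAMPLES/pf1.conf" "$SAMPLES/squid1.conf" bge1 || :   # reports the port mismatch
check_divert "$SAMPLES/pf2.conf" "$SAMPLES/squid2.conf" bge1        # reports ok
```

To use it on a real box, replace the constructed samples with `check_divert /etc/pf.conf /etc/squid/squid.conf bge1`; the interface argument is the member of the bridge that faces the clients, since pf sees the clients' packets arriving inbound on that member.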
Re: Transparent proxy with Squid on OpenBSD 5.4
Good question! I uncommented a while back the line "set skip on lo". I checked that they are processed... They seem to be...

    # pfctl -sr -R 0
    pass in log quick on bge1 inet proto tcp from 192.168.200.0/24 to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129

    # tcpdump -nei pflog0 -s 500
    tcpdump: listening on pflog0, link-type PFLOG
    17:53:05.288153 rule 0/(match) pass in on bge1: 192.168.200.39.3397 > 91.198.174.192.80: S 4055789837:4055789837(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
    17:53:06.300554 rule 0/(match) pass in on bge1: 192.168.200.39.3398 > 91.198.174.202.80: S 4229265567:4229265567(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
    tcpdump: WARNING: compensating for unaligned libpcap packets
    17:53:06.306402 rule 0/(match) pass in on bge1: 192.168.200.39.3399 > 91.198.174.208.80: S 1676876276:1676876276(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
    17:53:06.411063 rule 0/(match) pass in on bge1: 192.168.200.39.3400 > 91.198.174.208.80: S 2723830504:2723830504(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
    17:53:07.377297 rule 0/(match) pass in on bge1: 192.168.200.39.3401 > 91.198.174.192.80: S 3539952074:3539952074(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
    17:53:07.624598 rule 0/(match) pass in on bge1: 192.168.200.39.3402 > 91.198.174.192.80: S 2423603451:2423603451(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)

-----Original Message-----
From: Remco [mailto:re...@d-compu.dyndns.org]
Sent: Friday, 3 January 2014 17:46
To: Romain FABBRI - Alien Consulting
Cc: misc@openbsd.org
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting wrote:
> Hi,
>
> I'm trying to do a transparent webfiltering bridge with squid. I've used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6.
>
> Squid is working fine when the browser uses the vether0 administration interface of the bridge. I mean sites are cached and squidGuard is filtering according to my test rules. But it's not working when using the bridge as a transparent proxy (without specifying a proxy server).
>
> If someone could give me some advice that would be really helpful.
>
> Here is my /etc/pf.conf
>
> # Macros Tables
> ext_if=bge0
> int_if=bge1
>
> # Options
> set skip on lo
> set skip on {pfsync}
> set reassemble yes no-df
>
> # Redirect www to our transparent squid proxy
> pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
> pass out quick from 127.0.0.1 divert-reply
>
> # Allow SSH
> pass quick inet proto tcp from any to 192.168.200.253 port ssh
>
> # Allow mail
> pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
>
> # Allow Ping/Traceroute/DNS
> pass quick inet proto udp from any to any port domain
> pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
> pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
>
> I've tried almost every tutorial on the net but I had no luck with any of them using OpenBSD 5.4 and Squid 3.3.8. So I'm posting to know if anybody has done this kind of configuration successfully.
>
> Happy New Year
> Romain
>
> In /etc/squid/squid.conf I have configured ports like that:
>
> http_port 3128
> http_port 127.0.0.1:3129 intercept

Is it possible that some of your rules are never processed, and therefore have no effect, because of the skip rule on interface lo?
Re: Transparent proxy with Squid on OpenBSD 5.4
I didn't investigate the bridge in itself since it seems to be working as a bridge...

#===
# Bridge configuration
#===
#vi /etc/hostname.bge0
up

#vi /etc/hostname.bge1
up

#vi /etc/hostname.vether0
inet 192.168.200.253 255.255.255.0 192.168.200.255

#vi /etc/hostname.bridge0
add vether0
add bge0
add bge1
up

#vi /etc/mygate
192.168.200.254

#===
# PF configuration
#===
# Macros Tables
ext_if=bge0
int_if=bge1

# Options
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

# Allow TerminalServer
pass quick inet proto tcp from any to any port 3389 keep state

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# NTP
pass out quick proto udp from $int_if to any port 123 keep state

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

#===
# Squid configuration
#===
# Only useful for Squid 2.7
#acl localhost src 127.0.0.1/32
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0

# Interfacing with SquidGuard
url_rewrite_program /usr/local/bin/squidGuard -c /etc/squidguard/squidguard.conf

# Number of redirector processes to spawn
url_rewrite_children 5

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_accessdeny localhost

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Define sources
acl localnet src 192.168.200.0/24

# Define ports
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 tproxy

# Real squid memory cache
cache_mem 1500 MB
maximum_object_size_in_memory 8 MB

# Squid disk cache
cache_dir ufs /var/squid/cache 1500 16 64
minimum_object_size 3 KB
maximum_object_size 8 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 200 16 256

# IP DNS names memory cache
ipcache_size 5120
fqdncache_size 5120

# File descriptor number
#max_filedescriptors 4096

# Public exposed hostname
visible_hostname openfw.local

# Added to footer of error pages.
cache_mgr em...@test.net

# Log client request activities
access_log /var/squid/logs/access.log squid

# Log information about the cache's behavior
cache_log /var/squid/logs/cache.log

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
Transparent proxy with Squid on OpenBSD 5.4
Hi,

I'm trying to do a transparent webfiltering bridge with squid. I've used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6.

Squid is working fine when the browser uses the vether0 administration interface of the bridge. I mean sites are cached and squidGuard is filtering according to my test rules. But it's not working when using the bridge as a transparent proxy (without specifying a proxy server).

If someone could give me some advice that would be really helpful.

Here is my /etc/pf.conf

# Macros Tables
ext_if=bge0
int_if=bge1

# Options
set skip on lo
set skip on {pfsync}
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

I've tried almost every tutorial on the net but I had no luck with any of them using OpenBSD 5.4 and Squid 3.3.8. So I'm posting to know if anybody has done this kind of configuration successfully.

Happy New Year
Romain

In /etc/squid/squid.conf I have configured ports like that:

http_port 3128
http_port 127.0.0.1:3129 intercept