Re: Why are there no PKG_PATH defaults?

2014-09-24 Thread Romain FABBRI - Alien Consulting
One thing that could be done without hammering servers when you install from CD
would be to add a question to the install script:

Would you like to define the PKG_PATH?
- [1]: propose mirrors based on the timezone given (and then provide a menu
and you just have to select the proxy)
- [2]: manually define PKG_PATH (type the string, could even check if the path
seems valid)
- [3]: nope thanks

But would it really help much ?

Romain

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Alexander Hall
Sent: Wednesday 24 September 2014 23:20
To: Ville Valkonen
Cc: PPC Miscellaneous Discussions
Subject: Re: Why are there no PKG_PATH defaults?

On 09/24/14 23:09, Ville Valkonen wrote:
 Out of curiosity, what's wrong with the one that installer uses?

Nothing, however the installer only cares about a mirror if you actually 
install from one of them. If you install from e.g. CD, you don't have a 
selected mirror.

If you do install or upgrade (I'm pretty sure) from a mirror, /etc/pkg.conf 
will be updated accordingly.

/Alexander


 --
 Regards,
 Ville

 On 24 September 2014 19:34, Alexander Hall alexan...@beard.se wrote:
 On September 24, 2014 6:09:04 PM CEST, openda...@hushmail.com wrote:
 Indeed, the installer only creates that if you install from a
 mirror.  Apart from that, as someone else pointed out, which mirror 
 should one  choose?

 Cool, I didn't know that.

 Then, in the event that someone installed via an ISO or some
 pre-defined VM (i.e. a DigitalOcean droplet) -- how about a one-time
 script upon first root login to ask for such info?

   You do not have a `PKG_PATH` set for `pkg_add`. Would you like us 
 to set it for you?  (Y/n) y

   Choose your nearest mirror:

   1. Continent
   2. Whatever
   3. ...

   There is currently no ports collection in `/usr/ports`. Would you 
 like us to get it for you? (Y/n)

 I can't speak for others, but I'd be terribly annoyed by this.

 Also, the script isn't trivial. Feel free to give it a go, share and use it 
 for your own sake, but I'd be surprised to see it go in.

 /Alexander


 Thanks!

 O.D.

 On 24. september 2014 at 1:05 PM, Alexander Hall wrote:
 On September 24, 2014 12:44:14 PM CEST, openda...@hushmail.com wrote:
 Because /etc/pkg.conf ?

 Sorry, no such file over here.

 Indeed, the installer only creates that if you install from a mirror.
 Apart from that, as someone else pointed out, which mirror should 
 one choose?

 /Alexander


 O.D.

 On 23. september 2014 at 1:47 PM, Alexander Hall wrote:
 On September 23, 2014 3:00:41 PM CEST, openda...@hushmail.com wrote:
 Hi,

 Expanding on the whole
 http://en.wikipedia.org/wiki/Convention_over_configuration thing 
 -- why aren't there any sane PKG_PATH defaults? Ie.:

 release=$(uname -r)
 architecture=$(uname -p)

 export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/${release}/packages/${architecture}/

 Because /etc/pkg.conf ?

 /Alexander


 Thanks!

 O.D.



Re: Request for Funding our Electricity

2014-01-15 Thread Romain FABBRI - Alien Consulting
It's been a while that I've wanted to buy T-shirts and sweatshirts, but they never are
available (right size for some, total availability for others).
I mean, if CDs and shirts do weigh a third of the funding... the
store should be a little more pro (speaking about product availability).

It's a fantastic project, made by great people.
Keep up the good work... I'm sure you will find some way for your funding.

PS: Just found some shirts left on the German website
(http://www.ixsoft.de/), is buying on it OK?

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Theo de Raadt
Sent: Wednesday 15 January 2014 02:36
To: Nicolai
Cc: misc@openbsd.org
Subject: Re: Request for Funding our Electricity

Nicolai, and others,

I'd like to take the opportunity to thank all of those stepping up to the
call for contributions.  Every little bit helps.

For those who ask, the OpenBSD Foundation is the best path for
contributions.

I hope some larger contributors will step up, to take a more long term view
(like Google does).  Rather than the little people funding our efforts.
Many of the things we do in OpenBSD are often incorporated into products
made by multi-million dollar companies.

This is not a BSD vs GPL issue, it is about a plain lack of goodwill,
something you cannot mandate via a license.  A lack of goodwill is
effectively badwill.

There is a good list in the last paragraph of the OpenSSH web site.
Maybe the community's activism can make inroads there which we have not been
able to.



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-09 Thread Romain FABBRI - Alien Consulting
In this topology:

Computers = Switch = Webfiltering bridge = Router = Internet

Without a bridge, a system with 2 network cards won't let:

- data from the Computers go to the Router.
- data from the Router go to the Computers

How do you make it work without a bridge???

- Maybe you're talking about a single network interface system with
just a proxy function on it
  - But no real security would be added in this topology, since you can
bypass the proxy
- There could be a way to activate packet forwarding, but as far
as I know forwarding requires 2 networks





From: carlos albino garcia grijalba [mailto:genesi...@hotmail.com]
Sent: Thursday 9 January 2014 07:16
To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: RE: Transparent proxy with Squid on OpenBSD 5.4



ok but why do u need the bridge? i think that u want it to be there to
intercept the web and let all pass, but u can do this without the bridge part,
intercepting the web requests and then letting all the others go to the router.
not sure if the bridge can do this because its function is to be there but
the packets do not know that it is there. i mean as far as i know (correct
me if i am wrong) they operate in layer 2 so it never reaches higher levels
where interception works

 From: romain.fab...@alienconsulting.net
 To: genesi...@hotmail.com; grazzol...@gmail.com; cremator.li...@gmail.com
 CC: misc@openbsd.org
 Subject: RE: Transparent proxy with Squid on OpenBSD 5.4
 Date: Thu, 9 Jan 2014 00:18:43 +0100

 In fact here is the topology I had in mind :

 Computers = Switch = Webfiltering bridge = Router = Internet

 Since I want my system to do both :
 - the bridge role
 - webfiltering

 ... without adding a network (I mean adding a network and making the
 Webfiltering box route between the two subnets)

 I think it is necessary to build a bridge...
 And that the design should work...

 But I'm still struggling on this matter.


 -Original Message-
 From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
 carlos albino garcia grijalba
 Sent: Wednesday 8 January 2014 21:29
 To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
 Cc: 'Misc OpenBSD'
 Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

 i agree with giancarlo why do u need the bridge function? for transparent
 proxy u dont need the bridge

  From: romain.fab...@alienconsulting.net
  To: grazzol...@gmail.com; cremator.li...@gmail.com
  CC: misc@openbsd.org
  Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
  Date: Fri, 3 Jan 2014 17:57:37 +0100
 
  I didn't investigate the bridge in itself since it seems to be working
  as a bridge...
 
  #===
  # Bridge configuration
  #===
 
  #vi /etc/hostname.bge0
  up
 
  #vi /etc/hostname.bge1
  up
 
  #vi /etc/hostname.vether0
  inet 192.168.200.253 255.255.255.0 192.168.200.255
 
  #vi /etc/hostname.bridge0
  add vether0
  add bge0
  add bge1
  up
 
  #vi /etc/mygate
  192.168.200.254
 
  #===
  # PF configuration
  #===
  # Macros  Tables
  ext_if=bge0
  int_if=bge1
 
  # Options
  set reassemble yes no-df
 
  # Redirect www to our transparent squid proxy
  pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
  pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
 
  # Allow TerminalServer
  pass quick inet proto tcp from any to any port 3389 keep state
 
  # Allow SSH
  pass quick inet proto tcp from any to 192.168.200.253 port ssh
 
  # NTP
  pass out quick proto udp from $int_if to any port 123 keep state
 
  # Allow mail
  pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
 
  # Allow Ping/Traceroute/DNS
  pass quick inet proto udp from any to any port domain
  pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
  pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
 
 
  #===
  # Squid configuration
  #===
 
  # Only useful for Squid 2.7
  #acl localhost src 127.0.0.1/32
  #acl manager proto cache_object
  #acl all src 0.0.0.0/0.0.0.0
 
  # Interfacing with SquidGuard
  url_rewrite_program /usr/local/bin/squidGuard -c
  /etc/squidguard/squidguard.conf
 
  # Number of redirector processes to spawn
  url_rewrite_children 5
 
  # To prevent loops, don't send requests from

Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-08 Thread Romain FABBRI - Alien Consulting
In fact here is the topology I had in mind :

Computers = Switch = Webfiltering bridge = Router = Internet

Since I want my system to do both :
- the bridge role
- webfiltering 

... without adding a network (I mean adding a network and making the
Webfiltering box route between the two subnets)

I think it is necessary to build a bridge...
And that the design should work...

But I'm still struggling on this matter.


-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
carlos albino garcia grijalba
Sent: Wednesday 8 January 2014 21:29
To: Romain FABBRI - Alien Consulting; grazzol...@gmail.com; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

i agree with giancarlo why do u need the bridge function? for transparent
proxy u dont need the bridge

 From: romain.fab...@alienconsulting.net
 To: grazzol...@gmail.com; cremator.li...@gmail.com
 CC: misc@openbsd.org
 Subject: Re: Transparent proxy with Squid on OpenBSD 5.4
 Date: Fri, 3 Jan 2014 17:57:37 +0100

 I didn't investigate the bridge in itself since it seems to be working 
 as a bridge...

 #===
 # Bridge configuration
 #===

 #vi /etc/hostname.bge0
 up

 #vi /etc/hostname.bge1
 up

 #vi /etc/hostname.vether0
 inet 192.168.200.253 255.255.255.0 192.168.200.255

 #vi /etc/hostname.bridge0
 add vether0
 add bge0
 add bge1
 up

 #vi /etc/mygate
 192.168.200.254

 #===
 # PF configuration
 #===
 # Macros  Tables
 ext_if=bge0
 int_if=bge1

 # Options
 set reassemble yes no-df

 # Redirect www to our transparent squid proxy
 pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
 pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

 # Allow TerminalServer
 pass quick inet proto tcp from any to any port 3389 keep state

 # Allow SSH
 pass quick inet proto tcp from any to 192.168.200.253 port ssh

 # NTP
 pass out quick proto udp from $int_if to any port 123 keep state

 # Allow mail
 pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

 # Allow Ping/Traceroute/DNS
 pass quick inet proto udp from any to any port domain
 pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
 pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state


 #===
 # Squid configuration
 #===

 # Only useful for Squid 2.7
 #acl localhost src 127.0.0.1/32
 #acl manager proto cache_object
 #acl all src 0.0.0.0/0.0.0.0

 # Interfacing with SquidGuard
 url_rewrite_program /usr/local/bin/squidGuard -c 
 /etc/squidguard/squidguard.conf

 # Number of redirector processes to spawn
 url_rewrite_children  5

 # To prevent loops, don't send requests from localhost to the redirector
 url_rewrite_accessdeny  localhost

 # Only allow cachemgr access from localhost
 http_access allow localhost manager
 http_access deny manager

 # Define sources
 acl localnet src 192.168.200.0/24

 # Define ports
 acl SSL_ports port 443
 acl Safe_ports port 80  # http
 acl Safe_ports port 21  # ftp
 acl Safe_ports port 443 # https
 acl Safe_ports port 70  # gopher
 acl Safe_ports port 210 # wais
 acl Safe_ports port 1025-65535  # unregistered ports
 acl Safe_ports port 280 # http-mgmt
 acl Safe_ports port 488 # gss-http
 acl Safe_ports port 591 # filemaker
 acl Safe_ports port 777 # multiling http
 acl CONNECT method CONNECT

 # Deny requests to certain unsafe ports
 http_access deny !Safe_ports

 # Deny CONNECT to other than secure SSL ports
 http_access deny CONNECT !SSL_ports

 # Example rule allowing access from your local networks.
 # Adapt localnet in the ACL section to list your (internal) IP networks
 # from where browsing should be allowed
 http_access allow localnet
 http_access allow localhost

 # We strongly recommend the following be uncommented to protect innocent
 # web applications running on the proxy server who think the only
 # one who can access services on localhost is a local user
 #http_access deny to_localhost

 # And finally deny all other access to this proxy
 http_access deny all

 # Squid normally listens to port 3128
 http_port 3128
 http_port 127.0.0.1:3129 tproxy

 # Real squid memory cache
 cache_mem 1500 MB
 maximum_object_size_in_memory 8 MB

 # Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64 
 minimum_object_size 3 KB maximum_object_size 8 MB

 # Uncomment and adjust the following to add a disk cache directory.
 cache_dir ufs /var/squid/cache 200 16 256

 # IP  DNS names memory cache
 ipcache_size 5120
 fqdncache_size 5120

 # File descriptor number
 #max_filedescriptors 4096

 # Public exposed hostname
 visible_hostname openfw.local

 # Added to footer of error pages.
 cache_mgr em

Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-03 Thread Romain FABBRI - Alien Consulting
Thanks,

I tried according to your configuration :

First test using the 3128 port as a divert-to port and as a squid http_port
with tproxy or intercept statement
= No traffic is getting diverted by pf

Second test :
  Same test but using the 3129 port as a divert-to port
  2 lines in squid.conf file :
 http_port 3128
 http_port 127.0.0.1:3129 tproxy // I also tried with intercept too
but no change

In both tests : the web traffic (http 80) doesn't get caught by the
divert-to directive...
I tried to tcpdump on the lo0 interface but I got nothing.

Seems like a pf problem to me...

My browser accessed the internet without any restriction and without being
cached...

-Original Message-
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
Cremator
Sent: Thursday 2 January 2014 20:29
To: Romain FABBRI - Alien Consulting
Cc: Misc OpenBSD
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Hello,

First I have only one line in my pf.conf and it is:
pass in log on $int_if inet proto tcp from any \
    to port { 80, 8080 } divert-to 127.0.0.1 port 3128

Second my squid.conf has only one line and it is:
http_port 127.0.0.1:3128 intercept

In your config files you are redirecting to port 3128 and you are
intercepting at port 3129.


On Thu, Jan 2, 2014 at 7:55 PM, Romain FABBRI - Alien Consulting 
romain.fab...@alienconsulting.net wrote:

 Hi,

 I'm trying to do a transparent webfiltering bridge with squid.
 I've used the packages for 5.4 which are squid-3.3.8 and
 squidGuard-1.4p6

 Squid is working fine when the browser uses the vether0 administration
 interface of the bridge.
 I mean sites are cached and squidGuard is filtering according to my
 tests rules.

 But its not working when using the bridge as a transparent proxy
 (without specifying a proxy server).
 If someone could give me some advice that would be really helpful.

 Here is my /etc/pf.conf

 # Macros  Tables
 ext_if=bge0
 int_if=bge1

 # Options
 set skip on lo
 set skip on {pfsync}
 set reassemble yes no-df

 # Redirect www to our transparent squid proxy
 pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
 pass out quick from 127.0.0.1 divert-reply

 # Allow SSH
 pass quick inet proto tcp from any to 192.168.200.253 port ssh

 # Allow mail
 pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

 # Allow Ping/Traceroute/DNS
 pass quick inet proto udp from any to any port domain
 pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
 pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

 I've tried almost every tutorial on the net but I had no luck with any
 of them using OpenBSD 5.4 and Squid 3.3.8... So I'm posting to know if
 anybody has done this kind of configuration successfully.

 Happy New Year
 Romain



 In /etc/squid/squid.conf I have configured ports like that :

 http_port 3128
 http_port 127.0.0.1:3129 intercept

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of pf.conf]

[demime 1.01d removed an attachment of type application/octet-stream which had 
a name of squid.conf]



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-03 Thread Romain FABBRI - Alien Consulting
I'm now filtering on the inside interface :
pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128

It seems that pf is diverting the web traffic since the packets are counted:

pfctl -sa -vv
   @0 pass in log quick on bge1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 3534  Packets: 1741  Bytes: 1788725 States: 17]
  [ Inserted: uid 0 pid 8777 State Creations: 17]

If I comment the default squid port and put the intercept statement as my
divert-to port, like this :
  #http_port 3128
  http_port 127.0.0.1:3128 intercept

I get :
- lots of ERROR: No forward-proxy ports configured. lines when I run squid
- squidGuard is not blocking sites (that does work in non transparent mode)

Maybe I get the error message because newer versions of squid require 2
ports (in order to serve files, like icons...)

I find nothing in my squid.conf that would prevent caching when
intercepting...
That's strange...

-Original Message-
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Friday 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
 Thanks,

 I tried according to your configuration :

 First test using the 3128 port as a divert-to port and as a squid
 http_port with tproxy or intercept statement
 = No traffic is getting diverted by pf

 Second test :
   Same test but using the 3129 port as a divert-to port
   2 lines in squid.conf file :
  http_port 3128
  http_port 127.0.0.1:3129 tproxy // I also tried with intercept too
 but no change

 In both tests : the web traffic (http 80) doesn't get caught by the 
 divert-to directive...
 I tried to tcpdump on the lo0 interface but I got nothing.

 Seems like a pf problem to me...

 My browser accessed the internet without any restriction and without 
 being cached...


Hi,

My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions nor
interfaces, which might cause you trouble. Also, your divert rule is on your
external interface; that should be done on packets coming IN your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
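The replies above pin the failure on two things: Cremator notes that pf diverts to port 3128 while Squid intercepts on 3129, and Giancarlo notes that the divert rule sits on the external interface instead of being a `pass in` on the internal one; Romain later reports that an intercept-only squid.conf logs "No forward-proxy ports configured". The following checker is an added example, not code from the thread, OpenBSD or Squid: it parses the two files for just these points, and the sample configs embedded in it are constructed from the values quoted in this thread (function names are my own).

```python
import re


def parse_pf(text):
    """Return (macros, divert_rules); each rule has direction, iface, addr, port."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]+)"?$', line)
        if m:  # macro definition such as int_if=bge1
            macros[m.group(1)] = m.group(2).strip()
            continue
        tok = line.split()
        if tok[0] != "pass" or "divert-to" not in tok:
            continue
        direction = tok[1] if tok[1] in ("in", "out") else None
        iface = tok[tok.index("on") + 1] if "on" in tok else None
        if iface and iface.startswith("$"):  # expand $int_if / $ext_if
            iface = macros.get(iface[1:], iface)
        i = tok.index("divert-to")
        port = int(tok[i + 3]) if tok[i + 2:i + 3] == ["port"] else None
        rules.append({"direction": direction, "iface": iface,
                      "addr": tok[i + 1], "port": port})
    return macros, rules


def parse_squid_ports(text):
    """Return one dict (addr, port, mode) per http_port line in squid.conf."""
    ports = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "http_port":
            continue
        addr, _, port = tok[1].rpartition(":")
        mode = "forward"  # a plain http_port is a forward-proxy port
        for opt in tok[2:]:
            if opt in ("intercept", "tproxy", "transparent"):
                mode = opt
        ports.append({"addr": addr or None, "port": int(port), "mode": mode})
    return ports


def check(pf_text, squid_text, internal_if=None):
    """Return a list of findings; an empty list means the pair is consistent."""
    macros, rules = parse_pf(pf_text)
    ports = parse_squid_ports(squid_text)
    internal_if = internal_if or macros.get("int_if")
    findings = []
    if not rules:
        findings.append("pf: no divert-to rule found")
    for r in rules:
        # Cremator's point: the divert-to port must be one Squid intercepts on.
        listeners = [p for p in ports if p["port"] == r["port"]
                     and p["mode"] != "forward" and p["addr"] in (None, r["addr"])]
        if not listeners:
            findings.append("pf diverts to %s port %s but squid has no "
                            "intercept/tproxy http_port there" % (r["addr"], r["port"]))
        # Giancarlo's point: divert packets coming IN on the internal interface.
        if r["direction"] != "in":
            findings.append("divert rule should be 'pass in', got %s"
                            % (r["direction"] or "no direction"))
        if internal_if and r["iface"] != internal_if:
            findings.append("divert rule is on %s, not the internal interface %s"
                            % (r["iface"] or "no interface", internal_if))
    # Romain's later report: an intercept-only squid.conf logs
    # "No forward-proxy ports configured", so keep a plain http_port as well.
    if ports and all(p["mode"] != "forward" for p in ports):
        findings.append("squid: only intercept/tproxy ports, keep a plain http_port too")
    return findings


# Constructed samples built from the values quoted in the thread, not real files.
PF_BROKEN = """\
ext_if=bge0
int_if=bge1
set skip on lo
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply
"""
SQUID_TWO_PORTS = "http_port 3128\nhttp_port 127.0.0.1:3129 intercept\n"
PF_FIXED = """\
int_if=bge1
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply
"""
SQUID_INTERCEPT_ONLY = "http_port 127.0.0.1:3129 intercept\n"

if __name__ == "__main__":
    for name, pf, sq in (("mismatch", PF_BROKEN, SQUID_TWO_PORTS),
                         ("fixed", PF_FIXED, SQUID_TWO_PORTS),
                         ("intercept only", PF_FIXED, SQUID_INTERCEPT_ONLY)):
        print("%s: %s" % (name, check(pf, sq) or ["ok"]))
```

Run it against the real /etc/pf.conf and /etc/squid/squid.conf by reading the files into `check()`; the checker only looks at divert-to and http_port lines, so the rest of either file is ignored.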



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-03 Thread Romain FABBRI - Alien Consulting
Could somebody provide me a working configuration example for pf.conf and
squid.conf on an OpenBSD 5.4 (working as a bridge)?

I still can't manage to make squid work on my bridge and I don't know
what more tests I could do.

I even tried to compile squid 3.4.2 with '--enable-pf-transparent'
according to the documentation:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

But still no magic happens...
- packets are diverted
- but the netcat test (nc -l 3129) proves that no packets are received by
squid

Thanks,
Romain

-Original Message-
From: Giancarlo Razzolini [mailto:grazzol...@gmail.com]
Sent: Friday 3 January 2014 11:28
To: Romain FABBRI - Alien Consulting; 'Cremator'
Cc: 'Misc OpenBSD'
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

On 03-01-2014 07:45, Romain FABBRI - Alien Consulting wrote:
 Thanks,

 I tried according to your configuration :

 First test using the 3128 port as a divert-to port and as a squid
 http_port with tproxy or intercept statement
 = No traffic is getting diverted by pf

 Second test :
   Same test but using the 3129 port as a divert-to port
   2 lines in squid.conf file :
  http_port 3128
  http_port 127.0.0.1:3129 tproxy // I also tried with intercept too
 but no change

 In both tests : the web traffic (http 80) doesn't get caught by the 
 divert-to directive...
 I tried to tcpdump on the lo0 interface but I got nothing.

 Seems like a pf problem to me...

 My browser accessed the internet without any restriction and without 
 being cached...


Hi,

My pf.conf only has one line also, which is the one that diverts the
relevant traffic to the squid port. My squid.conf has only one http_port
directive, which is the intercept one. If you run pfctl -sa -vv do you see any
states created by your divert rule? It seems to me that you have some issue
with your pf rules. From what I saw, they do not specify directions nor
interfaces, which might cause you trouble. Also, your divert rule is on your
external interface; that should be done on packets coming IN your internal
interface.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-03 Thread Romain FABBRI - Alien Consulting
Good question!
I uncommented a while back the line set skip on lo

I checked that they are processed...
They seem to be...

# pfctl -sr -R 0
pass in log quick on bge1 inet proto tcp from 192.168.200.0/24 to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129

# tcpdump -neipflog0 -s 500
tcpdump: listening on pflog0, link-type PFLOG
17:53:05.288153 rule 0/(match) pass in on bge1: 192.168.200.39.3397 > 91.198.174.192.80: S 4055789837:4055789837(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.300554 rule 0/(match) pass in on bge1: 192.168.200.39.3398 > 91.198.174.202.80: S 4229265567:4229265567(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
17:53:06.306402 rule 0/(match) pass in on bge1: 192.168.200.39.3399 > 91.198.174.208.80: S 1676876276:1676876276(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:06.411063 rule 0/(match) pass in on bge1: 192.168.200.39.3400 > 91.198.174.208.80: S 2723830504:2723830504(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.377297 rule 0/(match) pass in on bge1: 192.168.200.39.3401 > 91.198.174.192.80: S 3539952074:3539952074(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)
17:53:07.624598 rule 0/(match) pass in on bge1: 192.168.200.39.3402 > 91.198.174.192.80: S 2423603451:2423603451(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK> (DF)


-Original Message-
From: Remco [mailto:re...@d-compu.dyndns.org]
Sent: Friday 3 January 2014 17:46
To: Romain FABBRI - Alien Consulting
Cc: misc@openbsd.org
Subject: Re: Transparent proxy with Squid on OpenBSD 5.4

Romain FABBRI - Alien Consulting wrote:

 Hi,
 
 I’m trying to do a transparent webfiltering bridge with squid.
 I’ve used the packages for 5.4 which are squid-3.3.8 and 
 squidGuard-1.4p6
 
 Squid is working fine when the browser uses the vether0 administration 
 interface of the bridge.
 I mean sites are cached and squidGuard is filtering according to my 
 tests rules.
 
 But it’s not working when using the bridge as a transparent proxy 
 (without specifying a proxy server).
 If someone could give me some advice that would be really helpful.
 
 Here is my /etc/pf.conf
 
 # Macros  Tables
 ext_if=bge0
 int_if=bge1
 
 # Options
 set skip on lo
 set skip on {pfsync}
 set reassemble yes no-df
 
 # Redirect www to our transparent squid proxy
 pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
 pass out quick from 127.0.0.1 divert-reply
 
 # Allow SSH
 pass quick inet proto tcp from any to 192.168.200.253 port ssh
 
 # Allow mail
 pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state
 
 # Allow Ping/Traceroute/DNS
 pass quick inet proto udp from any to any port domain
 pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
 pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state
 
 I’ve tried almost every tutorial on the net but I had no luck with any 
 of them using OpenBSD 5.4 and Squid 3.3.8… So I’m posting to know if 
 anybody has done this kind of configuration successfully.
 
 Happy New Year
 Romain
 
 
 
 In /etc/squid/squid.conf I have configured ports like that :
 
 http_port 3128
 http_port 127.0.0.1:3129 intercept

Is it possible that some of your rules are never processed, and therefore
have no effect, because of the skip rule on interface lo ?



Re: Transparent proxy with Squid on OpenBSD 5.4

2014-01-03 Thread Romain FABBRI - Alien Consulting
I didn't investigate the bridge in itself since it seems to be working as a
bridge...

#===
# Bridge configuration
#===

#vi /etc/hostname.bge0
up

#vi /etc/hostname.bge1
up

#vi /etc/hostname.vether0
inet 192.168.200.253 255.255.255.0 192.168.200.255

#vi /etc/hostname.bridge0
add vether0
add bge0
add bge1
up

#vi /etc/mygate
192.168.200.254

#===
# PF configuration
#===
# Macros  Tables
ext_if=bge0
int_if=bge1

# Options
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $int_if inet proto tcp from 192.168.200.0/24 to port 80 divert-to 127.0.0.1 port 3129
pass out quick on $int_if inet from 192.168.200.0/24 divert-reply

# Allow TerminalServer
pass quick inet proto tcp from any to any port 3389 keep state

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# NTP
pass out quick proto udp from $int_if to any port 123 keep state

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state


#===
# Squid configuration
#===

# Only useful for Squid 2.7
#acl localhost src 127.0.0.1/32
#acl manager proto cache_object
#acl all src 0.0.0.0/0.0.0.0

# Interfacing with SquidGuard
url_rewrite_program /usr/local/bin/squidGuard -c
/etc/squidguard/squidguard.conf

# Number of redirector processes to spawn
url_rewrite_children  5

# To prevent loops, don't send requests from localhost to the redirector
url_rewrite_accessdeny  localhost

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Define sources
acl localnet src 192.168.200.0/24

# Define ports
acl SSL_ports port 443
acl Safe_ports port 80  # http
acl Safe_ports port 21  # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70  # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on localhost is a local user
#http_access deny to_localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 tproxy

# Real squid memory cache
cache_mem 1500 MB
maximum_object_size_in_memory 8 MB

# Squid disk cache cache_dir ufs /var/squid/cache 1500 16 64
minimum_object_size 3 KB
maximum_object_size 8 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 200 16 256

# IP  DNS names memory cache
ipcache_size 5120
fqdncache_size 5120

# File descriptor number
#max_filedescriptors 4096

# Public exposed hostname
visible_hostname openfw.local

# Added to footer of error pages.
cache_mgr em...@test.net

# Log client request activities
access_log /var/squid/logs/access.log squid

# Log information about the cache's behavior
cache_log /var/squid/logs/cache.log

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320



Transparent proxy with Squid on OpenBSD 5.4

2014-01-02 Thread Romain FABBRI - Alien Consulting
Hi,

I’m trying to do a transparent webfiltering bridge with squid.
I’ve used the packages for 5.4 which are squid-3.3.8 and squidGuard-1.4p6

Squid is working fine when the browser uses the vether0 administration
interface of the bridge.
I mean sites are cached and squidGuard is filtering according to my tests
rules.

But it’s not working when using the bridge as a transparent proxy (without
specifying a proxy server).
If someone could give me some advice that would be really helpful.

Here is my /etc/pf.conf

# Macros  Tables
ext_if=bge0
int_if=bge1

# Options
set skip on lo
set skip on {pfsync}
set reassemble yes no-df

# Redirect www to our transparent squid proxy
pass in quick log on $ext_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3128
pass out quick from 127.0.0.1 divert-reply

# Allow SSH
pass quick inet proto tcp from any to 192.168.200.253 port ssh

# Allow mail
pass out quick proto tcp from $int_if to any port { 25, 143, 993, 995 } keep state

# Allow Ping/Traceroute/DNS
pass quick inet proto udp from any to any port domain
pass quick inet proto tcp from any to any port domain flags S/SA synproxy state
pass quick inet proto icmp all icmp-type { echoreq, unreach } keep state

I’ve tried almost every tutorial on the net but I had no luck with any of
them using OpenBSD 5.4 and Squid 3.3.8…
So I’m posting to know if anybody has done this kind of configuration
successfully.

Happy New Year
Romain



In /etc/squid/squid.conf I have configured ports like that :

http_port 3128
http_port 127.0.0.1:3129 intercept