Re: My ipfw rules doesn't work

From: Ezra Banoba (ebanoba_at_one2net.co.ug)
Date: 07/11/04

    To: freebsd-isp@freebsd.org
    Date: Sat, 10 Jul 2004 19:58:34 -0700
    
    

    In order for your squid to perform as a transparent proxy, you will have
    to first successfully compile it with transparent proxy support.
    If you passed -enable-ipf-transparent to your configure script, it looks
    for the files ip_nat.h, ip_fil.h, and ip_compat.h in /usr/include/.
    You could locate these files and copy them over into that directory...
    better still, cd to /usr/src/ and make installincludes,
    then recompile and install your squid with transparent proxy support.
    That should do it.
    Regards.
    On Sat, 2004-07-10 at 09:33, Carlos Alarcón wrote:
    > I configured squid with transparent-proxy support, but I think this
    > configuration fails when I compiled it. I probed with squid 2.5 but it
    > doesn't compile on my FreeBSD.
    > When I compile squid, the output on the transparent proxy is this:
    > -enable-ipf-transparent
    > WARNING: Cannot find necessary IP-Filter header files
    > Transparent Proxy support WILL NOT be enabled
    > I use ipfw; when this happened I put ipf support but it was the same thing.
    >
    > -enable-pf-transparent
    > WARNING: Cannot find necessary Pf header files
    > Transparent Proxy support WILL NOT be enabled
    >
    > With the client browser settings set to point to the proxy, my redirection
    > rule increases. When the client proxy settings are not set, this rule doesn't
    > increase.
    > Is my redirection rule OK?
    >
    > 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
    > dst-port 80
    >
    > On Sat, 10 Jul 2004 11:09:56 -0700, Ezra Banoba <ebanoba@one2net.co.ug>
    > wrote:
    >
    > > Did you configure your squid with transparent-proxy support?
    > > I'm not sure about how the BSD protocol stack handles this but assuming
    > > the redirection is dealt with before the bridging, then there should be
    > > no problem.
    > > On Fri, 2004-07-09 at 14:48, Carlos Alarcón wrote:
    > >
    > >> who have
    > >> the proxy's configuration fails giving me this
    > >> message
    > >>
    > >> You are not authorized to view this page
    > >> You might not have permission to view this directory or page using the
    > >> credentials you supplied.
    > >
    > > Does this also happen with the client browser settings set to point to
    > > the proxy?
    > >
    > >> I add the ipfw output
    > >>
    > >> 00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any
    > >> dst-port 80
    > >> 00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
    > >> 00200 1558457 715268891 pipe 2 ip from any to any out via xl0
    > >> 01300 2027 101248 deny ip from 10.0.0.0/8 to any in via xl0
    > >> 01400 2315 96466 deny ip from 192.168.0.0/16 to any in via xl0
    > >> 01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup
    > >> keep-state
    > >> 01600 437760 84307478 allow udp from 172.16.1.33 to any keep-state
    > >> 01700 53564 13382458 allow ip from 172.16.1.33 to any
    > >> 01800 89927607 52765076360 allow tcp from any to any in via xl1 setup
    > >> keep-state
    > >> 01900 18918311 2483412584 allow udp from any to any in via xl1
    > >> keep-state
    > >> 02000 3629310 116342293 allow ip from any to any in via xl1
    > >> 02500 830 41582 allow icmp from any to any icmptypes 8
    > >> keep-state
    > >> 02600 568996 61796292 allow icmp from any to any icmptypes 3
    > >> 02700 15888 1527232 allow icmp from any to any icmptypes 11
    > >> 02800 9118822 2306878168 allow ip from any to any
    > >> 65535 352 10550 deny ip from any to any
    > >>
    > >> part of my kernel configuration file
    > >>
    > >> options IPFIREWALL
    > >> options IPFIREWALL_FORWARD
    > >> options IPFIREWALL_VERBOSE_LIMIT
    > >> options DUMMYNET
    > >> options BRIDGE
    > >> options PFIL_HOOKS
    > >> options MSGMNB=8192
    > >> options MSGMNI=40
    > >> options MSGSEG=512
    > >> options MSGSSZ=64
    > >> options MSGTQL=2048
    > >> options HZ=1000
    > >> options IPDIVERT
    > >>
    > >>
    > >> > Which bad results are these?

    -- 
    Ezra Banoba 
    Network Engineer
    one2net
    www.one2net.co.ug
    "Doing well is a result of Doing good. That's what capitalism is all about."
    _______________________________________________
    freebsd-isp@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-isp
    To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
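As an added example (not code from either poster), the following Python script automates the check Carlos did by hand: it parses `ipfw show` output, compares the per-rule counters between two snapshots to see which rules actually matched the test traffic, and inspects the fwd rule for a common cause of exactly that symptom. Rule 00012 as listed has no source restriction and no `in via` qualifier, so the proxy host's own outbound port-80 connections (the ones squid opens when a browser is explicitly pointed at it) match the rule as well, which is consistent with the counter moving only in that case. The proxy address 172.16.1.33 and the rule text come from the thread; that xl1 is the client-facing interface is an assumption, and both snapshots are constructed input. One further caveat for a host built with `options BRIDGE`: ipfw(8) of that era states that a fwd rule does not match layer-2 (bridged) packets, so the redirect has to happen at the IP layer rather than on traffic the box merely bridges.

```python
import re
from dataclasses import dataclass

# Constructed input, modelled on the `ipfw show` listing quoted in the thread
# (rule 00012 is the fwd rule; the other lines are a subset of the ruleset).
SNAPSHOT_BEFORE = """\
00012 1587 1148100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup keep-state
02800 9118822 2306878168 allow ip from any to any
65535 352 10550 deny ip from any to any
"""

# Constructed second snapshot, taken after generating client traffic:
# only the fwd rule's counters have moved.
SNAPSHOT_AFTER = """\
00012 1627 1176100 fwd 172.16.1.33,3128 tcp from any to any dst-port 80
00100 9257210 6707379406 pipe 1 ip from any to any in via xl0
01500 14882804 10144500248 allow tcp from 172.16.1.33 to any setup keep-state
02800 9118822 2306878168 allow ip from any to any
65535 352 10550 deny ip from any to any
"""

# `ipfw show` prints: <rule number> <packets> <bytes> <action> <rest of rule>
IPFW_LINE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    packets: int
    bytes: int
    action: str   # e.g. "fwd", "allow", "deny", "pipe"
    body: str     # everything after the action keyword


def parse_ipfw_show(text):
    """Parse `ipfw show` output into Rule records."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IPFW_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable ipfw line: {line!r}")
        num, pkts, nbytes, action, body = m.groups()
        rules.append(Rule(int(num), int(pkts), int(nbytes), action, body))
    return rules


def counter_delta(before, after):
    """Per-rule (packets, bytes) increase between two `ipfw show` snapshots."""
    prev = {r.number: r for r in before}
    return {
        r.number: (r.packets - prev[r.number].packets, r.bytes - prev[r.number].bytes)
        for r in after
        if r.number in prev
    }


def fwd_rule_issues(rule, proxy_ip, client_iface):
    """Findings for a fwd rule redirecting port 80 to a proxy on this host.

    proxy_ip and client_iface are assumptions supplied by the caller.
    """
    issues = []
    if rule.action != "fwd":
        return issues
    target, _, match = rule.body.partition(" ")      # e.g. "172.16.1.33,3128"
    target_ip = target.split(",")[0]
    words = match.split()
    src = words[words.index("from") + 1] if "from" in words else "any"
    restricted_to_inbound = "in" in words and "via" in words
    if target_ip == proxy_ip and src == "any" and not restricted_to_inbound:
        issues.append(
            "fwd rule has no source or 'in via' restriction, so the proxy host's "
            "own outbound port-80 requests match it too and are redirected back "
            f"to the proxy; limit it to packets arriving on {client_iface}"
        )
    return issues


def suggested_rule(rule, client_iface):
    """The same fwd rule, restricted to packets arriving on the client interface."""
    return f"ipfw add {rule.number:05d} {rule.action} {rule.body} in via {client_iface}"


if __name__ == "__main__":
    before = parse_ipfw_show(SNAPSHOT_BEFORE)
    after = parse_ipfw_show(SNAPSHOT_AFTER)
    for num, (dp, db) in counter_delta(before, after).items():
        if dp:
            print(f"rule {num:05d}: +{dp} packets, +{db} bytes")
    for rule in before:
        for issue in fwd_rule_issues(rule, "172.16.1.33", "xl1"):
            print(f"rule {rule.number:05d}: {issue}")
            print("  suggested:", suggested_rule(rule, "xl1"))
```

Run it against two real `ipfw show` captures (before and after a browser with no proxy setting loads a page) to see whether rule 00012 matches client traffic at all; if only the proxy's own connections move the counter, narrowing the rule with `in via` on the client interface is the first thing to try.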
    
