Re: Hiding NATs with PF
From: Greg Hennessy (me_at_privacy.org)
Date: 09/28/05
- Next message: ?: "Re: Hiding NATs with PF"
- Previous message: Greg Hennessy: "Re: Hiding NATs with PF"
- In reply to: Max Bolingbroke: "Re: Hiding NATs with PF"
- Next in thread: Max Bolingbroke: "Re: Hiding NATs with PF"
- Reply: Max Bolingbroke: "Re: Hiding NATs with PF"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 28 Sep 2005 21:15:50 +0100
On 28 Sep 2005 10:35:26 -0700, "Max Bolingbroke"
<batterseapower@hotmail.com> wrote:
>
>Ah, really? Even with my transparent squid setup I still get OpenBSD
>detected (which I guess is what I expected, since it's the OpenBSD
>router which will be initiating the connections to be proxied back to
>the client).
Try adding the following to your OpenBSD recipe :-)
~ # grep -i scrub /etc/pf.conf
scrub on $Ext all reassemble tcp random-id max-mss 1438
The MSS figure may not be optimal for your network; do experiment as
appropriate.
~ # grep -i inet /etc/sysctl.conf | grep -v "^#"
net.inet.tcp.recvspace=262144
net.inet.tcp.sendspace=262144
Can't remember if the sysctls share the same OIDs on Open.
So you may have to tweak.
>Are there particular squid configuration directives I
>should be looking at to get your behaviour?
Here's what's different in my squid.conf when compared to the default one.
/usr/local/etc/squid # diff -u squid.conf.default squid.conf | egrep -v\
"#|^\@@" | grep "^\+[a-z].*"
+http_port 127.0.0.1:3128
+icp_port 0
+udp_incoming_address 127.0.0.1
+cache_mem 256 MB
+maximum_object_size 32768 KB
+maximum_object_size_in_memory 4096 KB
+fqdncache_size 2048
+cache_replacement_policy heap GDSF
+memory_replacement_policy heap GDSF
+cache_dir diskd /usr/local/squid/cache 2000 16 256
+cache_store_log none
+acl snmppublic snmp_community somecommunitystring
+acl our_networks src 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8
+acl intellitxt dstdom_regex .intellitxt.com
+acl contextclick dstdom_regex .contextclick.com
+acl kontera dstdom_regex .kontera.com
+acl digitalmediaonline dstdom_regex .digitalmediaonlineinc.com
+http_access deny intellitxt
+http_access deny contextclick
+http_access deny kontera
+http_access deny digitalmediaonline
+http_access allow our_networks
+http_access deny to_localhost
+icp_access deny all
+visible_hostname cache
+httpd_accel_host virtual
+httpd_accel_port 0
+httpd_accel_with_proxy on
+httpd_accel_uses_host_header on
+forwarded_for off
+snmp_access allow snmppublic localhost
+snmp_incoming_address 127.0.0.1
+wccp_incoming_address 127.0.0.1
>> If you're using win32 on the LAN side of your network adding sockscap to
>> the mix makes using it seamless from all applications.
>
>Ah, I forgot totally about sockscap! I'll certainly look into that,
>thank you.
Strictly speaking, a multi-homed unix box with Socks on one interface and
routing disabled between them cannot be described as a 'router' per se.
Think of it as obeying the letter rather than spirit of the directive LOL.
greg
-- "Access to a waiting list is not access to health care"
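As an added illustration (not part of the thread), a small audit of the squid.conf settings Greg's diff shows: listeners bound to 127.0.0.1, ICP off, and forwarded_for off so the LAN client's private address is not leaked in X-Forwarded-For. The sample config below is constructed in the shape of the quoted lines, with forwarded_for deliberately left at its default so the check has something to report.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the squid.conf lines quoted in the mail
# (not the poster's real file). One deliberate weakness: forwarded_for on.
SAMPLE_SQUID_CONF = """\
# comment line
http_port 127.0.0.1:3128
icp_port 0
udp_incoming_address 127.0.0.1
acl our_networks src 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8
http_access allow our_networks
http_access deny to_localhost
icp_access deny all
forwarded_for on
snmp_access allow snmppublic localhost
snmp_incoming_address 127.0.0.1
wccp_incoming_address 127.0.0.1
"""

LOOPBACK = "127.0.0.1"


def parse_squid_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to every argument list it was given (repeatable directives keep all lines)."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_squid_conf(text: str) -> List[str]:
    """Return findings where the config deviates from the loopback-only, forwarded_for-off setup."""
    d = parse_squid_conf(text)
    findings: List[str] = []
    ports = [a[0] for a in d.get("http_port", []) if a]
    if not ports or any(not p.startswith(LOOPBACK + ":") for p in ports):
        findings.append("http_port is not bound to 127.0.0.1 only")
    if d.get("icp_port", [["0"]])[0] != ["0"]:
        findings.append("icp_port is not 0")
    for name in ("udp_incoming_address", "snmp_incoming_address", "wccp_incoming_address"):
        vals = d.get(name, [])
        if not vals or vals[-1] != [LOOPBACK]:
            findings.append(f"{name} is not 127.0.0.1")
    if d.get("forwarded_for", [["on"]])[-1] != ["off"]:  # squid's default is on
        findings.append("forwarded_for is not off (client LAN address leaks in X-Forwarded-For)")
    return findings
```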