Bridge FreeBSD, PF and transparent squid

Hello,
I want to run Squid transparently on a bridged FreeBSD system.
My network schema and my Squid and PF configuration:

http://www.cehturkiye.com/bridge_pf_and_transparent_squid-_eng.jpg

It passes through PF in bridged mode, while Squid logs TCP_DENIED but doesn't block the web site.
or
Using Chrome > proxy settings for Squid > 192.168.5.11 80
Squid logs TCP_DENIED and blocks the web site! Why?

I've tried PF rules and having Squid listen on other interfaces (vr0, fxp0, bridge0), but the results did not change :\

How can I solve my problem?
Can you suggest any document?
Thank you for your attention.
 
The whole point about a transparent proxy is that you don't point your web browser to it .. It doesn't even need to be on an IP address, just run it on localhost and redirect http traffic to it on the LAN interface (with a route-to statement, or it won't work on a bridge).

There are dozens of Transparent Squid + PF manuals, with or without bridges. Just Google.

Just some simple pointers (I am not going to configure your machine for you!)

squid.conf

Code:
http_port 127.0.0.1:3128 transparent
[..]
acl our_networks src 10.10.0.0/255.255.255.0   # whatever your $lan is

pf.conf

Code:
rdr on $int_if inet proto tcp from $lan to any port { 80 443 } -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from $lan to 127.0.0.1 port 3128 keep state

So long as you allow outbound traffic and have a default gateway, this will work. Don't use a proxy setting in your web browser, or you might as well just use the much less complicated non-transparent setup.

Good luck.
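A fuller version of the two fragments above, added here as an example and not part of DutchDaemon's post. The interface name vr0 and the LAN 192.168.5.0/24 are taken from the thread's schema but are assumptions for your own setup; everything else follows the rdr + route-to approach described above.

```conf
# ---- /etc/pf.conf (assumed values: vr0 is the client-facing bridge member) ----
int_if     = "vr0"            # assumed; with the default net.link.bridge.pfil_member=1
lan        = "192.168.5.0/24" # and pfil_bridge=0, pf sees packets on the member
squid_port = "3128"           # interface, not on bridge0, so rules must name vr0

set skip on lo0
scrub in all

# Translation rules come before filter rules in this pf syntax.
# Only port 80 is redirected: Squid's http_port cannot terminate TLS, so
# redirecting 443 here would only produce broken HTTPS connections.
rdr on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port $squid_port

# On a bridge the redirected packet must be handed to lo0 explicitly (route-to);
# without it the packet is bridged onwards and never reaches the local socket.
pass in quick on $int_if route-to lo0 inet proto tcp from $lan to 127.0.0.1 port $squid_port keep state

# Remaining LAN traffic and Squid's own outbound requests.
pass in  quick on $int_if inet from $lan to any keep state
pass out quick keep state

# ---- /usr/local/etc/squid/squid.conf (relevant lines only) ----
# Squid 3.1 and later spell this mode "intercept"; older releases use "transparent".
# Squid recovers the original destination from pf's NAT table, so it must be built
# with pf support and, on versions that need it, be able to read /dev/pf.
http_port 127.0.0.1:3128 transparent
acl our_networks src 192.168.5.0/24   # assumed; use your $lan
# TCP_DENIED in access.log normally means the request matched no allow rule
# before a deny: allow the LAN acl first, and keep "deny all" last so the
# proxy is not reachable from anywhere else.
http_access allow our_networks
http_access deny all
```

Load it with `pfctl -f /etc/pf.conf` and check the active translation rule with `pfctl -s nat`; a client that still reaches the web site without a TCP_MISS in access.log is not being redirected.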
 
Hello Dear DutchDaemon,
I now have a new pf and Squid configuration. Now it's running wonderfully :)

My network schema;
Client(5.137) -- pf&squid(5.12)-- modem(5.254)-- internet

getanddump.jpg


blockedbysquid.jpg


I'm now writing a document and will share it on the forum.
Thanks in advance.
 
How can the server be made to see the client IP address, not the proxy IP address?
I use SO_BINDANY for the sockets. But the socket cannot receive SYN ACK after it connects to the remote server.
It seems the pf rule "divert-to" and "divert-reply" do not work as it said.

 