firewall rules for transparent proxy

chamba · Apr 19, 2010

Hi Folks,

i want to make my squid runs as transparent but when i activate my firewall rulles it stop ou blocks all trafic. So i need help to find out what did i made wrong on this file:

Code:

00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any
00110 allow tcp from any to any dst-port 21 in
00120 allow tcp from any to any dst-port 21 out
00130 allow tcp from any to any dst-port 22 in
00140 allow tcp from any to any dst-port 22 out
00150 allow tcp from any to any dst-port 25 in
00160 allow tcp from any to any dst-port 25 out
00170 allow udp from any to any dst-port 53 in
00175 allow tcp from any to any dst-port 53 in
00180 allow udp from any to any dst-port 53 out
00185 allow tcp from any to any dst-port 53 out
00200 allow tcp from any to any dst-port 80 in
00210 allow tcp from any to any dst-port 80 out
00500 deny log ip from any to any
00700 deny ip from any to any dst-port 3128 via re0
00800 fwd 127.0.0.1,3128 tcp from 192.168.20.0/24 to any dst-port 80 via re0
00810 fwd 127.0.0.1,3128 ip from any to any dst-port 21 src-ip 192.168.20.0/24
00820 allow ip from any to any dst-port 3128 dst-ip 192.168.20.1 src-ip 192.168.20.0/24
65535 deny ip from any to any

so once again, i want to make my proxy runs as transparent and redirect all traffic to him.

cheers/
Nelson Chamba/

rhyous · Apr 21, 2010

Code:

00010 allow ip from any to any via lo0
00020 deny ip from any to 127.0.0.0/8
00030 deny ip from 127.0.0.0/8 to any
00040 deny tcp from any to any frag
00050 check-state
00060 allow tcp from any to any established
00070 allow ip from any to any out keep-state
00080 allow icmp from any to any

Look at line 00040. It may be the problem. I am not sure what the frag means, but line 0600 says established. Does frag mean fragmented packets or does it mean not established?

How can you ever reach the point of established if you drop these?

There should be some debug or loggin level that tells you which rule drops a packet, but it has been four years since I set up a transparent proxy so I don't remember how to configure the logging.

chamba · Apr 21, 2010

Hi rhyous,

I really don't want to configure logging i just want to make my squid runs as transparent because it's hard to type on browser settings.

can you share with me some straight forward ipfw rules that can fit my needs. Redirect all trafic going ou to my squid and from him to the internet so i can filter and cache evertything.

Do i need to put theses lines on my squid.conf?

Code:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

regards/

chamba · Apr 21, 2010

tanx you all for the support,

my squid is working with as transparent, i'll copy down my ipwf.rules

regards/

chamba · May 18, 2010

hi, sorry but it's me again with the same problem, i realy don't know what is the problem but now it's not working again.

here is my ipfw.rules

Code:

## Minhas regras de firewall
IPF="ipfw -q add"
ipfw -q -f flush

#loopback
$IPF 10 allow all from any to any via lo0
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 30 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag

# statefull
$IPF 50 check-state
$IPF 60 allow tcp from any to any established
$IPF 70 allow all from any to any out keep-state
$IPF 80 allow icmp from any to any

# open port ftp (20,21), ssh (22), mail (25)
# http (80), dns (53) etc
$IPF 110 allow tcp from any to any 21 in
$IPF 120 allow tcp from any to any 21 out
$IPF 130 allow tcp from any to any 22 in
$IPF 140 allow tcp from any to any 22 out
$IPF 150 allow tcp from any to any 25 in
$IPF 160 allow tcp from any to any 25 out
$IPF 170 allow udp from any to any 53 in
$IPF 175 allow tcp from any to any 53 in
$IPF 180 allow udp from any to any 53 out
$IPF 185 allow tcp from any to any 53 out
$IPF 200 allow tcp from any to any 80 in
$IPF 210 allow tcp from any to any 80 out

# deny and log everything
$IPF 500 deny log all from any to any

# Negar que qualquer outro host use o proxy
$IPF 700 deny ip from any to any 3128 via re0

# Regras para o squid transparente
# $IPF 800 fwd 127.0.0.1,3128 dst-port 80 src-ip 192.168.20.0/24
$IPF 800 fwd 127.0.0.1,3128 tcp from 192.168.20.0/24 to any 80 via re0
$IPF 810 fwd 127.0.0.1,3128 dst-port 21 src-ip 192.168.20.0/24
# $IPF add 65000 divert natd all from any to any via em0
$IPF 820 allow dst-port 3128 dst-ip 192.168.20.1 src-ip 192.168.20.0/24
# $IPF 900 deny dst-port 3128
#

regards/

DutchDaemon · May 18, 2010

Format your posts, chamba.

kvi · May 25, 2010

As far as I know, IPFW uses the first matching rule, so rule 500 denies all traffic and no packet ever reaches your 8xx rules.

kvi · May 25, 2010

And if I could edit my post, I would add this link to it: http://forums.freebsd.org/showpost.php?p=79718&postcount=3

There you will find my old ruleset (I no longer use IPFW). I had squid working as a transparent proxy with that ruleset. As you can see, the fwd rule was quite early on the list before anything else. And furthermore, you don't need those 4 lines to your squid.conf unless you run some ancient squid. You only need this line:

Code:

http_port 3128 transparent

firewall rules for transparent proxy

Administrator