help with my freebsd+ipfw+ipnat+squid 3.0

Hi, my name is Eliseo Acosta. I'm Mexican and my English is not good, but I have a problem.

This is my topology:

ISP
|
|
2wire(modem ip:192.168.1.254)
|
|
DD-WRT(Router ip: 192.168.1.100 and ip:192.168.2.1)
|
|
firewall(freebsd,ipfw,ipnat,squid. ip:192.168.2.2 and ip 192.168.3.1)
|
|
Clients (192.168.3.0/24)

////////Script /etc/ipfw.rules//////////
Code:
$cmd 00090 allow all from any to any via $outside
////////etc/ipnat.rules///////
Code:
map em0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
///////squid.conf/////////
Code:
http_port 3128 trasparent
acl mired src 192.168.3.0/255.255.255.0
acl deny_site dstdomain "/usr/local/etc/squid/deny_site"

# first match wins: the deny must come before the allow for the LAN
http_access deny deny_site
http_access allow mired
////kernel/////
Code:
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
My ipnat and ipfw work well, but Squid doesn't filter the sites, and if I check the access.log it is empty. I need help; I don't know where the problem is.
 
There's a typo in
Code:
http_port 3128 trasparent
to begin with (transparent). And transparent proxying is normally done on localhost

Code:
http_port 127.0.0.1:3128 transparent

using a firewall rule to redirect traffic to port 80 to localhost:3128.
 
I haven't used ipfw in a long time, but that rule looks ass-backwards. Something like this looks more logical:
Code:
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
I suggest you Google around for "squid transparent ipfw".
 
Code:
/sbin/ipfw add 1000 fwd 172.21.0.1,8080 tcp from any to any 80 via rl0

172.21.0.1 - the address of your internal Ethernet card
rl0 - your internal Ethernet card
 
cheoac said:
I tried these rules and they don't work. These rules block my www service.

So it redirects http traffic, just like you wanted -- but it's not being picked up by Squid. Is Squid actually running on 127.0.0.1:3128?
 
If I'm not mistaken you should also specify the outgoing address in squid.conf
Code:
tcp_outgoing_address 192.168.2.2
and you don't need to NAT traffic going to port 80
 
No. You need something on your FreeBSD box to forward HTTP requests to Squid. So in IPFW you need a command like DutchDemon said
Code:
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
It will redirect all requests to Squid, then Squid passes packets via the specified outgoing address. You can also specify the interface Squid listens on by adding the interface address to the config file. Then the http_port parameter will look like this
Code:
http_port 192.168.3.1:3128
Then DutchDemon's rule would be
Code:
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
Give it a try
 
ADDED

If it doesn't work you should look at your IPFW logs in /var/log/security to analyze how packets move in your system. Maybe specify some rules with in/out interfaces to avoid endless looping when incoming packets going to port 80 are forwarded to Squid and outgoing packets from Squid (they are still sent to port 80) are forwarded to Squid again. I'm very far from UNIX master level, but I configured Squid a few days ago and these were the problems I met.
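The in/out interface point above is what usually makes or breaks this setup. Below is an added example, my own and not a configuration posted in this thread, of a complete /etc/ipfw.rules in the same $cmd style as the first post, with the fwd rule restricted to packets arriving on the LAN interface. It assumes em0 is the outside NIC (192.168.2.2) and em1 the inside NIC (192.168.3.1); the thread only names em0, so em1 is an assumption. It also assumes Squid 3.0 is configured with http_port 192.168.3.1:3128 transparent. One caveat worth checking before anything else: on FreeBSD releases before 9.0 the fwd action needs "options IPFIREWALL_FORWARD" in the kernel, and the kernel config in the first post does not list it; without that option the fwd rule loads fine but has no effect on the packet's path.

```sh
#!/bin/sh
# /etc/ipfw.rules - added example for transparent Squid, not from the thread.
# Assumed layout (the thread only names em0):
#   em0 = outside NIC, 192.168.2.2, where ipnat does its mapping
#   em1 = inside NIC,  192.168.3.1, where Squid listens on port 3128
# Override with OUTSIDE_IF / INSIDE_IF / PROXY_ADDR if your names differ.

outside="${OUTSIDE_IF:-em0}"
inside="${INSIDE_IF:-em1}"
lan="192.168.3.0/24"
proxy="${PROXY_ADDR:-192.168.3.1}"

# On a box without ipfw (reviewing the file elsewhere) print the commands
# instead of running them; IPFW=echo does the same on the firewall itself.
if [ -n "${IPFW:-}" ]; then
    cmd="$IPFW"
elif [ -x /sbin/ipfw ]; then
    cmd="/sbin/ipfw -q -f"
else
    cmd="echo ipfw"
fi

load_rules() {
    $cmd flush

    $cmd add 00010 allow ip from any to any via lo0

    # Squid's own fetches (and anything else the firewall itself sends to
    # port 80) leave via the outside NIC. They are let through here, before
    # the fwd rule, so a request from 192.168.2.2 can never be turned back
    # into 192.168.3.1:3128 - that is the endless loop to avoid.
    $cmd add 00070 allow tcp from me to any 80 out via "$outside"

    # Transparent redirect: only packets ARRIVING on the LAN NIC from LAN
    # clients. "in via $inside" is the direction restriction; "from $lan"
    # keeps anything else away from the proxy.
    $cmd add 00080 fwd "$proxy",3128 tcp from "$lan" to any 80 in via "$inside"

    # Same catch-all for the outside NIC as in the first post (ipnat translates).
    $cmd add 00090 allow ip from any to any via "$outside"

    # LAN <-> firewall, including the redirected sessions reaching Squid.
    $cmd add 00100 allow ip from "$lan" to any via "$inside"
    $cmd add 00110 allow ip from any to "$lan" via "$inside"
}

load_rules
```

After loading, watch the counters with ipfw -a list as in the later post: rule 00080 should tick up while a client browses, and rule 00070 while Squid fetches. On FreeBSD, sockstat -4l | grep 3128 confirms Squid is actually bound to 192.168.3.1 before blaming the firewall.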
 
cheoac said:
I have a question: can Squid work without ipnat and ipfw?

1. Why do you use ipnat with ipfw? You can always switch to ipfw with natd.
2. Is your Squid working? If you don't have http_port 192.168.3.1:3128 and only http_port 3128, it will be listening on all your IPs.

Check squid with
Code:
telnet 192.168.3.1 3128
or
Code:
lynx/links/elinks http://192.168.3.1:3128

3. I will put my Squid config and the first lines of my firewall config for you on http://zse.ath.cx/cheoac/
 
Hi, I tried these rules but they don't work:
Code:
http_port 192.168.3.1:3128 transparent
Code:
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
Code:
freebsd# ipfw -a list
00080    9    432 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090   23   1915 allow ip from any to any via em0
65535 2620 320111 allow ip from any to any
Code:
freebsd# ipfw list
00080 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090 allow ip from any to any via em0
65535 allow ip from any to any
freebsd#

All HTTP traffic is blocked, but not by Squid.
 
Again: is Squid actually running, and what's in the logfiles (usually /usr/local/squid/logs/[access.log|cache.log])?
 
OK, I identified my first problem: Squid wasn't working, but I fixed it. Now on all my web sites I get "The request or reply is too large".
 
Did you run squid -k reconfigure after the changes were made?
 