The goal is to come up with a transparent bridge with antivirus scanning for http for approximately 180 users. The bridge part was easy; I used the handbook and followed exactly the instructions here (http://www.freebsd.org). First, I understand that I need to get squid working, so this thread will focus on getting squid working (transparently) on a bridge.
1. I do not have IP addresses assigned to the individual cards, but I do have an IP assigned to the bridge0. (should I?)
em0 is the int_if no IP assigned
xl0 is the ext_if no IP assigned
bridge0 has 10.0.10.47 (for management)
I went with ipnat(ipfirewall) for the transparent redirect. For ipnat.rules, do I need to specify IP addresses to the interface(s) in order for the rules to apply, or in the case of a bridged connection, do I use the bridge0 for the interface?
Code:
# cat /etc/ipnat.rules
rdr em0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
I am not married to IPF, so if using a different firewall is easier or more efficient (esp with a bridged connection) I am open to suggestions.
I have installed squid 2.7 and changed the squid.conf file with:
Code:
http_port 3128 transparent
Nothing comes up in the /usr/local/squid/cache when browsing on systems behind the bridge, so I'm not sure if it is even doing anything.
My squid -v looks like:
Code:
# squid -v
Squid Cache: Version 2.7.STABLE6
configure options: '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-storeio=ufs diskd null' '--enable-ipf-transparent' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish Dutch English Estonian Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish Traditional_Chinese Turkish Ukrainian-1251 Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.1' 'build_alias=i386-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS='
This is the first time I've played with squid on a bridge; I did get squid to work once on a router, but that was just messing around, so I might be missing something fundamental.
Please offer some guidance.
EDIT: I swapped out the em0 interface for bridge0 in the ipnat.rules file, and now it appears to be doing something, but nothing good.
All pages are timing out, and I don't see anything in the access.log.
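Added example, not the poster's configuration and not part of FreeBSD, ipfilter or Squid: a small Python checker that encodes the three things a transparent Squid behind an ipnat rdr on an if_bridge depends on. First, the rdr must name an interface ipfilter actually sees frames on; on an if_bridge that is governed by the net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctls described in if_bridge(4) (the values used below are assumed, not read from any box). Second, the rdr target address/port must be a Squid http_port listener carrying the transparent option, or intercepted requests are refused. Third, a transparent listener bound to all addresses is reachable from the outside interface as well, so the config must end in http_access deny all; the acl/http_access lines are constructed, since the post shows only the http_port line. The checker reports inconsistencies; it does not diagnose the timeouts in the EDIT.

```python
import re

# Constructed inputs modelled on the post. The rdr line is the post's rule after
# the EDIT (bridge0 instead of em0); the acl/http_access lines are assumed, since
# the post shows only the http_port line.
IPNAT_RULES = """\
rdr bridge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
"""

SQUID_CONF = """\
http_port 3128 transparent
acl localnet src 10.0.10.0/24
http_access allow localnet
http_access deny all
"""

# Assumed values of the if_bridge(4) filtering knobs. pfil_bridge=1 means
# ipfilter sees frames on bridge0; pfil_member=1 means it sees them on em0/xl0.
# On the real box, take these from `sysctl net.link.bridge`.
BRIDGE_SYSCTLS = {
    "net.link.bridge.pfil_bridge": 1,
    "net.link.bridge.pfil_member": 0,
}

RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+port\s+(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)\s+(?P<proto>tcp|udp)\s*$"
)
HTTP_PORT_RE = re.compile(
    r"^http_port\s+(?:(?P<addr>[\d.]+):)?(?P<port>\d+)(?P<opts>.*)$"
)


def _lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_rdr(text):
    """Parse ipnat 'rdr' rules of the shape used in the post."""
    rules = []
    for line in _lines(text):
        m = RDR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ipnat line: {line!r}")
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        rules.append(d)
    return rules


def parse_squid(text):
    """Return (http_port listeners, http_access rules) from a squid.conf fragment."""
    ports, access = [], []
    for line in _lines(text):
        m = HTTP_PORT_RE.match(line)
        if m:
            ports.append({"addr": m.group("addr") or "0.0.0.0",
                          "port": int(m.group("port")),
                          "opts": m.group("opts").split()})
        elif line.startswith("http_access "):
            access.append(line.split()[1:])
    return ports, access


def check(ipnat_text, squid_text, sysctls, bridge="bridge0", members=("em0", "xl0")):
    """Return a list of findings; an empty list means the three pieces agree."""
    findings = []
    rules = parse_rdr(ipnat_text)
    ports, access = parse_squid(squid_text)
    on_bridge = sysctls.get("net.link.bridge.pfil_bridge") == 1
    on_member = sysctls.get("net.link.bridge.pfil_member") == 1
    for r in rules:
        # 1. The rdr must name an interface on which ipfilter actually sees the
        #    frames; on an if_bridge that is decided by the pfil_* sysctls.
        if r["ifname"] == bridge and not on_bridge:
            findings.append(f"rdr on {bridge} but pfil_bridge=0: rule never matches")
        if r["ifname"] in members and not on_member:
            findings.append(f"rdr on member {r['ifname']} but pfil_member=0: rule never matches")
        # 2. The rdr target must be a squid listener, and that listener must be
        #    in transparent mode or squid rejects the intercepted requests.
        listeners = [p for p in ports
                     if p["port"] == r["dport"] and p["addr"] in ("0.0.0.0", r["dst"])]
        if not listeners:
            findings.append(f"rdr sends port {r['sport']} to {r['dst']}:{r['dport']} "
                            "but no http_port listens there")
        elif not any("transparent" in p["opts"] for p in listeners):
            findings.append(f"http_port {r['dport']} lacks 'transparent'")
    # 3. A transparent listener bound to all addresses is reachable from the
    #    outside interface too; the config must end with a deny-all.
    if not any(a[:2] == ["deny", "all"] for a in access):
        findings.append("no 'http_access deny all': squid would be an open proxy")
    return findings


if __name__ == "__main__":
    for f in check(IPNAT_RULES, SQUID_CONF, BRIDGE_SYSCTLS) or ["config consistent"]:
        print(f)
```

With the assumed sysctls (pfil_bridge=1, pfil_member=0) the checker flags the original em0 rule as never matching and passes the bridge0 rule, which is the behaviour change the EDIT describes; with the opposite sysctl values the verdicts flip, which is why the real values should be read from the box before trusting either rule.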