struggling with bridge transparent squid

The goal is to come up with a transparent bridge with antivirus scanning for http for approximately 180 users. The bridge part was easy; I used the handbook and followed exactly the instructions here (http://www.freebsd.org). First, I understand that I need to get squid working, so this thread will focus on getting squid working (transparently) on a bridge.

1. I do not have IP addresses assigned to the individual cards, but I do have an IP assigned to the bridge0. (should I?)

em0 is the int_if no IP assigned
xl0 is the ext_if no IP assigned
bridge0 has 10.0.10.47 (for management)

I went with ipnat(ipfirewall) for the transparent redirect. For ipnat.rules, do I need to specify IP addresses to the interface(s) in order for the rules to apply, or in the case of a bridged connection, do I use the bridge0 for the interface?

Code:
# cat /etc/ipnat.rules
rdr em0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp

I am not married to IPF, so if using a different firewall is easier or more efficient (esp with a bridged connection) I am open to suggestions.

I have installed squid 2.7 and changed the squid.conf file with:
Code:
http_port 3128 transparent

Nothing comes up in the /usr/local/squid/cache when browsing on systems behind the bridge, so I'm not sure if it is even doing anything.

My squid -v looks like:
Code:
# squid -v
Squid Cache: Version 2.7.STABLE6
configure options:  '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' 
'--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' 
'--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' 
'--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-
helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-storeio=ufs diskd null' '--enable-ipf-transparent' '--enable-
err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish  Dutch English Estonian Finnish French German Greek  Hebrew Hungarian 
Italian Japanese Korean Lithuanian  Polish Portuguese Romanian Russian-1251 Russian-koi8-r  Serbian Simplify_Chinese Slovak Spanish Swedish  
Traditional_Chinese Turkish Ukrainian-1251  Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' 
'--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.1' 'build_alias=i386-portbld-freebsd7.1' 'CC=cc' 
'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS='

This is the first time I've played with squid on a bridge; I did get squid to work once on a router, but that was just messing around, so I might be missing something fundamental.

Please offer some guidance.

EDIT: I swapped out the em0 interface for bridge0 in the ipnat.rules file, and now it appears to be doing something, but nothing good.

All pages are timing out, and I don't see anything in the access.log.
 
Try
Code:
http_port 127.0.0.1:3128 transparent

I use PF, and it needs a specific routing statement on a bridge, or it will not work -- packets will arrive at localhost, but there it ends. No idea about IPF.

Code:
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
 
Thank you for your reply.

I recompiled squid from ports without the IPF option and with the PF option for transparency.

I changed the line in squid.conf to
Code:
http_port 127.0.0.1:3128 transparent

I removed the ipnat lines from /etc/rc.conf and added:
Code:
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
With a /etc/pf.conf of:
Code:
rdr on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on em0 route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state

The squid appears to be working now. I am getting stuff in cache, and the access.log reflects the pages visited. Thank you very much for your assistance.

I did not enable any of the ALTQ settings and I get messages that those are disabled, do I need to worry about that?
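A consistency check for the setup the two posts above arrive at (PF rdr to 127.0.0.1:3128, the route-to lo0 pass rule, and squid bound to 127.0.0.1 only). This is an added example, not code from the thread or from squid/PF; the sample pf.conf and squid.conf are constructed inline to mirror the posted configs. Binding squid to 127.0.0.1 rather than a bare port is what keeps the proxy reachable only through the rdr and not from the wire.

```shell
#!/bin/sh
# Constructed sample configs mirroring the thread's working bridge setup,
# written to a temp dir so the checks run offline.
TMPD=$(mktemp -d)
cat > "$TMPD/pf.conf" <<'EOF'
int_if="em0"
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
EOF
cat > "$TMPD/squid.conf" <<'EOF'
http_port 127.0.0.1:3128 transparent
http_port 127.0.0.1:8081
EOF

# squid_port_ok FILE PORT: succeed only if squid binds PORT on 127.0.0.1.
# A bare "http_port 3128 transparent" listens on every address, so the
# proxy would be reachable directly and not just through the rdr.
squid_port_ok() {
    grep -Eq "^[[:space:]]*http_port[[:space:]]+127\.0\.0\.1:$2([[:space:]]|$)" "$1"
}

# rdr_target FILE: print "IP PORT" that the first rdr rule redirects to.
rdr_target() {
    awk '$1=="rdr" { for (i=1;i<=NF;i++) if ($i=="->") print $(i+1), $(i+3); exit }' "$1"
}

# route_to_ok FILE PORT: succeed if a pass rule sends traffic for
# 127.0.0.1:PORT to lo0 (the route-to the thread found necessary on a bridge).
route_to_ok() {
    grep -Eq "^pass in .*route-to lo0 .*to 127\.0\.0\.1 port $2( |$)" "$1"
}

# check_setup PFCONF SQUIDCONF: run all three checks; return 0 when consistent.
check_setup() {
    set -- "$1" "$2" "$(rdr_target "$1")"
    ip=${3%% *}; port=${3##* }
    [ "$ip" = "127.0.0.1" ] || { echo "rdr does not target 127.0.0.1"; return 1; }
    squid_port_ok "$2" "$port" || { echo "squid not bound to 127.0.0.1:$port"; return 1; }
    route_to_ok "$1" "$port" || { echo "missing route-to lo0 pass rule for port $port"; return 1; }
    echo "pf rdr, route-to and squid http_port agree on 127.0.0.1:$port"
}

check_setup "$TMPD/pf.conf" "$TMPD/squid.conf"
```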
 
An interesting side-note regarding my bridge. When I have the following line in my /etc/rc.conf, I can't ping anything after a reboot / reload of /etc/rc.d/netif restart && /etc/rc.d/routing restart, and nothing works
Code:
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"

But if I comment out that line, then just type in the following after reboot, everything works.
Code:
ifconfig bridge0 10.0.10.47/24&&/etc/rc.d/routing restart

Which makes things not very good when I have to reboot the system remotely, as I would have to be at the console to get everything working again.

Am I calling the ifconfig_bridge0 line incorrectly in my /etc/rc.conf?

Full /etc/rc.conf (original way that does not work after reboot):
Code:
sshd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"
defaultrouter="10.0.10.1"
#havp_enable=YES
clamav_freshclam_enable=YES
squid_enable=YES
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
webmin_enable=YES
 
soylentgreen said:
I did not enable any of the ALTQ settings and I get messages that those are disabled, do I need to worry about that?

No, nothing to worry about. That's actually one of my PF peeves as well.
 
I seem to remember that putting two 'ifconfig_bridge0=' lines in /etc/rc.conf doesn't work as expected. Try replacing the second one (the one putting the IP address on the bridge) with 'ifconfig_bridge0_alias0='
 
[solved]

DutchDaemon said:
I seem to remember that putting two 'ifconfig_bridge0=' lines in /etc/rc.conf doesn't work as expected. Try replacing the second one (the one putting the IP address on the bridge) with 'ifconfig_bridge0_alias0='

Code:
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0_alias0="inet 10.0.10.47 netmask 255.255.255.0"
worked.

Thank you.
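Why the original rc.conf lost the bridge members, shown as an added example (not from the thread or from FreeBSD's rc scripts): rc.conf is sourced as a shell file, so a second `ifconfig_bridge0=` assignment silently overwrites the first, and the `addm` list never reaches ifconfig. The rc.conf below is constructed to match the one posted; the helpers find duplicate keys and apply the `_alias0` fix.

```shell
#!/bin/sh
# Constructed /etc/rc.conf in the shape the thread says fails after reboot.
TMPD=$(mktemp -d)
cat > "$TMPD/rc.conf.broken" <<'EOF'
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"
defaultrouter="10.0.10.1"
EOF

# effective_value FILE VAR: rc.conf is sourced as shell, so the last
# assignment wins; evaluate the file in a subshell and print VAR.
effective_value() {
    ( . "$1"; eval "printf '%s\n' \"\$$2\"" )
}

# duplicate_keys FILE: list variables assigned more than once.
duplicate_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

# fix_bridge_ip FILE: print FILE with every ifconfig_bridge0 line after the
# first renamed to ifconfig_bridge0_alias0 (the change the thread found works).
fix_bridge_ip() {
    awk '/^ifconfig_bridge0=/ { if (seen++) sub(/^ifconfig_bridge0=/, "ifconfig_bridge0_alias0=") } { print }' "$1"
}

fix_bridge_ip "$TMPD/rc.conf.broken" > "$TMPD/rc.conf.fixed"
echo "broken: ifconfig_bridge0=$(effective_value "$TMPD/rc.conf.broken" ifconfig_bridge0)"
echo "fixed:  ifconfig_bridge0=$(effective_value "$TMPD/rc.conf.fixed" ifconfig_bridge0)"
```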
 
soylentgreen said:
Code:
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0_alias0="inet 10.0.10.47 netmask 255.255.255.0"
worked.

Thank you.

Or you can try:
Code:
ifconfig_bridge0="inet 1.2.3.4/24 addm xl0 addm em0 up"
 
soylentgreen said:
Code:
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0_alias0="inet 10.0.10.47 netmask 255.255.255.0"
worked.

Thank you.

hmmm hi soy, if you don't mind can you post and share your whole squid.conf hehe :) I'm gonna try this setup by tomorrow, thanks
 
Unless I am mistaken, the only lines I changed in squid.conf from the default settings are:

Code:
cache_mem 64 MB
http_port 127.0.0.1:3128 transparent
pipeline_prefetch on
shutdown_lifetime 1 second
no_cache deny all
http_port 127.0.0.1:8081
cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default
visible_hostname thebridge.domain.com
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
 
Thank You

Thank you so very much for this thread, I actually have a bridged install up and running doing caching perfectly.

Is it possible to use the rdr command to set up a transparent mail filter as well?
I am presuming I would just rdr port 25 to Postfix and setup Postfix to do all the filtering/spam detection and anti-virus scans.

There already is a Linux solution for intercepting smtp/pop email transparently but I really want to add this to my FreeBSD bridge.

I really love the idea of having this "inline" filter/cache that sits between my PFsense embedded install and my network. If this "IFACS" server goes down I simply take it out of the path and can continue using the internet minus the filtering/anti-virus/caching.

I really didn't mean to hijack this thread if it comes off like that. I just think this fits in with the transparent bridge subject.
 
Haven't tested this with SMTP, but I have done this with DNS (rdr every outbound DNS request to localhost with a local BIND doing the actual DNS lookups). I see no real reason why redirecting SMTP to a local mailserver wouldn't work (so long as you configure relaying correctly). The only thing that makes transparent http proxies a hassle is the Host: header that needs to be accounted for, and the impossibility to redirect https. So it's a protocol thing that makes it slightly more difficult. DNS and SMTP, however, are simple 'connect to IP:PORT' situations without anything in the protocols needing special attention.
 