Re: Squid not acting as a transparent proxy in FreeBSD


On Mon, 08 Aug 2011 09:49:18 -0700, azael.reyes wrote:
Hello

We needed to create a server box to act as a router, and have squid in
it so it filters the computers on our LAN.

We have internet access on the LAN now and the proxy seems to work
when we put it in the browser (manually).
It's just not doing it transparently at all and we don't want to do this
manually on all computers.

Hope someone can help.

These are our configuration files:

We have done:

1. enabled root access via ssh.
modify file /etc/ssh/sshd_config with the entry of
Code:

PermitRootLogin yes

2. enable bridge
modify file /etc/rc.conf with
Code:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge1 addm bge0 up"

3. enable bridge with sysctl values
modify file /etc/sysctl.conf with
Code:

net.inet.ip.forwarding=1

4. modify /boot/loader.conf with
Code:

if_bridge_load="YES"

With this we created the firewall part and our gateway just works.

Now this is the squid conf:


##########################
http_port 3128 transparent
icp_port 0

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

hierarchy_stoplist, no_cache and QUERY acl lines can all die.

cache_mem 128 MB

maximum_object_size 80000 KB
ipcache_size 1024
ipcache_low 90
ipcache_high 95
cache_dir diskd /usr/squid 28000 32 512 Q1=72 Q2=64

log_fqdn off
dns_nameservers 67.138.104.249

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440

refresh_pattern -i (/cgi-bin/|\?) 0 0% 0

refresh_pattern .        0    20%    4320

#next, remove
acl localnet src 192.168.211.0/255.255.255.0
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8

acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl all src 0.0.0.0/0.0.0.0

 acl all src all


#blacklist acl
external_acl_type eatFilter children=2 %URI /opt/squidacl/bin/filter /opt/squidacl/data/blacklist
acl aeFilter external eatFilter
http_access deny aeFilter
deny_info http://blocked.saintapp.com aeFilter

http_access deny !Safe_ports

http_access allow localnet
http_reply_access allow all
visible_hostname localhost

#http_access allow all
coredump_dir /usr/local/squid/cache


And this is our ipfw config (on Debian we did iptables just to
route the LAN IPs to port 3128; I'm not sure what will work on BSD):

00100 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv bce1
00200 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in recv bce1
65535 allow ip from any to any



We are not sure if it's the gateway part that's not working or the
squid config. We have installed squid 2.7, 3.0 and 3.1, followed at
most 10 tutorials, and no luck getting a transparent proxy :(

Sounds like you forgot to build Squid with --enable-transparent-ipfw

Or possibly you set the box up as a bridge instead of a router.

Amos
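
Added example, not part of the original thread or of Squid itself: a small sh lint over the rc.conf bridge lines and ipfw rules quoted in the message above. It flags fwd rules bound to an interface that is not a bridge member (bce1 against bge0/bge1) and fwd rules that an earlier rule with the same match expression makes unreachable; the function names are hypothetical and the inputs are copied from the message as sample data.

```shell
#!/bin/sh
# Sample data: the rc.conf bridge lines and ipfw rules quoted in the message.
RC_CONF='cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge1 addm bge0 up"'
IPFW_RULES='00100 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv bce1
00200 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in recv bce1
65535 allow ip from any to any'

# Hypothetical helper: print every interface joined to a bridge ("addm <if>")
# in the rc.conf text read from stdin.
bridge_members() {
    tr -d '"' | awk '/^ifconfig_bridge[0-9]+=/ {
        for (i = 1; i < NF; i++) if ($i ~ /addm$/) print $(i + 1)
    }'
}

# Hypothetical helper: lint "ipfw list" text on stdin against the
# space-separated interface names in $1. Prints
#   IFACE <rule> <if>            fwd rule names an interface not in the list
#   SHADOWED <rule> by <rule>    fwd is a terminal action and ipfw stops at the
#                                first match, so a later fwd rule with the
#                                identical match expression never fires
lint_ipfw() {
    awk -v ifs="$1" '
    BEGIN { n = split(ifs, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    $2 == "fwd" {
        m = ""
        for (i = 4; i <= NF; i++) {
            m = m " " $i
            if (($i == "recv" || $i == "xmit" || $i == "via") && i < NF) {
                nxt = $(i + 1)
                if (!(nxt in known)) print "IFACE " $1 " " nxt
            }
        }
        if (m in seen) print "SHADOWED " $1 " by " seen[m]
        else seen[m] = $1
    }'
}

# On the router itself the same check would read live data:
#   ipfw list | lint_ipfw "$(bridge_members < /etc/rc.conf | tr '\n' ' ')"
members=$(printf '%s\n' "$RC_CONF" | bridge_members | tr '\n' ' ')
printf '%s\n' "$IPFW_RULES" | lint_ipfw "$members"
```

An IFACE finding only means the name is absent from the bridge definition; whether bce1 exists on the box still has to be confirmed with ifconfig.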


