Hello,
I guess it is an easy setup but i can’t get it work.
The Setup looks like thank:
(Internet) ----- (DSL-Modem) ------ em0 [Soekris] em1----- (LAN)
- OpenBSD 5.3.
- Squid 3.2.7 (installation by pkg_add -i squid)
my /etc/squid.conf
#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128 transparent
# default cache_mem 256 MB
cache_mem 100 MB
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 200 16 256
# Added to footer of error pages.
cache_mgr marc@xxxxxxxxxxxxx
visible_hostname firewall.local
# Log client request activities ('squid' is the name of the log format to use)
access_log /var/squid/logs/access.log squid
# Log information about the cache's behavior
cache_log /var/squid/logs/cache.log
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
and my /etc/pf.conf
# The internal interface (connected to the local network)
ext_if="em0"
# The external interfaces (connected to the ipv4 and ipv6 network)
int_if="em1"
## Options
set loginterface $ext_if
set optimization aggressive
# scrub incomming packets
match on egress scrub (no-df)
# Set the default policy to return RSTs or ICMPs for blocked traffic
set block-policy drop
# Ignore the loopback interface entirely
set skip on lo0
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
## Translation rules
# NAT traffic on the interface in the default egress interface group (to
# which the interface out of which the default route goes is assigned) from the
# local network
match out on egress inet from $int_if:network to any nat-to (egress)
## Filtering rules
# Default deny rule. which all blocked packets logged.
block log all
block in log on $ext_if all
antispoof log for egress
# Pass all traffic to and from the local network, using quick so that later
# rules are not evaluated if a packet match this. Some rulesets would restrict
# local traffic much further
pass quick on $int_if all
# Permit all traffic going out, keep state so that replies are
# automatically passed many rulesets would have many rules here,
# restricting traffic in an out on the external (egress) interface.
# (keep state is not needed on the newest version of pf)
pass out quick
pass in quick on $ext_if proto tcp from 192.168.2.0/24 to port www divert-to 127.0.0.1 port 3128
pass out quick inet from 192.168.2.0/24 divert-reply
I would like to setup squid as a transparent proxy.
Thank you!!!!!
Marc
--
Marc Sontowski
Attachment:
pgpPQyJ9hjsSn.pgp
Description: PGP signature
