On OpenBSD I'm not using the configuration you mentioned for squid with OpenBSD (5.2). Here is mine:

# Normal for with WPAD
http_port 3128
# http redirected port
http_port 3129 intercept
# https redirected port
https_port 3130 intercept ssl-bump cert=/etc/ssl/squid.crt key=/etc/ssl/squid.key

-- 
Best regards,
Loïc BLOT, UNIX systems, security and network engineer
http://www.unix-experience.fr

On Monday 04 November 2013 at 21:27 +0100, Marko Cupać wrote:
> On Mon, 4 Nov 2013 20:15:17 +0100
> Marc Sontowski <marc@xxxxxxxxxxxxx> wrote:
>
> > # The internal interface (connected to the local network)
> > ext_if="em0"
> > # The external interfaces (connected to the ipv4 and ipv6 network)
> > int_if="em1"
>
> Strangely enough, your interface macro names are switched in regard to
> their corresponding comments. ext_if should be external interface
> facing the ISP (while comment says it is internal which means facing
> the LAN), and int_if should be internal interface facing the LAN (while
> comment says it is external which means facing the ISP).
>
> You say in reality em0 is ISP and em1 is LAN so this shouldn't be the
> issue as comments do not influence configuration - they should be used
> to make things more understandable. However, in your case they are
> causing confusion. Either correct them or remove them.
>
> Now, as for the filtering rules, I would avoid quick keyword in the
> beginning until I make things work. I would go with something like:
>
> # default block from internet to our network
> block in log on $ext_if
> # pass what you need (ssh to firewall or whatever)
> pass in on $ext_if inet proto tcp from any to $ext_if port ssh
> # pass everything out on external interface (we filter on internal)
> pass out on $ext_if all
> # default block from lan to the internet
> block in log on $int_if
> # redirect all web traffic to squid
> pass in on $int_if inet proto tcp from any to any port { 80 443 } \
>     divert-to 127.0.0.1 port 3128
> # pass what you need (dns to google's public dns server or whatever)
> pass in on $int_if inet proto { tcp udp } from any to 8.8.8.8 port 53
> # pass everything out on internal interface (if it already entered on ext)
> pass out on $int_if all
>
> Pay attention to the 'log' directive in default blocks, as it will log
> all blocked packets to pflog0 interface. Next, get familiar with
> tcpdump to inspect what gets blocked in real time. Type in terminal:
> tcpdump -n -e -q -ttt -i pflog0
>
> Or for inspection of logs:
> tcpdump -n -e -q -ttt -r /var/log/pflog
>
> Check your filtering rules with pfctl -vvsr to see if packets hit your
> pass rules.
>
> Now, I doubt any of this is relevant to squid, more like pf.
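The two snippets in this thread only work together if each pf divert-to rule lands on a Squid listener that is in the right mode: plain port 80 traffic needs an http_port with intercept, and port 443 traffic needs an https_port with intercept ssl-bump, because a forward-proxy http_port expects proxied HTTP requests, not raw intercepted connections. The following script is an added example by the editor, not code from either poster; it cross-checks a pf ruleset against a squid.conf and can also emit divert rules that match the listeners Squid actually declares. The two configuration strings are constructed sample input modelled on the snippets above (the file names and the rule layout are assumptions).

```python
import re

# Constructed sample input, modelled on the three listeners posted above.
SQUID_CONF = """
http_port 3128
http_port 3129 intercept
https_port 3130 intercept ssl-bump cert=/etc/ssl/squid.crt key=/etc/ssl/squid.key
"""

# Constructed sample input, modelled on the pf ruleset quoted above.
PF_CONF = """
ext_if="em0"
int_if="em1"
block in log on $ext_if
pass in on $ext_if inet proto tcp from any to $ext_if port ssh
pass out on $ext_if all
block in log on $int_if
pass in on $int_if inet proto tcp from any to any port { 80 443 } \\
    divert-to 127.0.0.1 port 3128
pass in on $int_if inet proto { tcp udp } from any to 8.8.8.8 port 53
pass out on $int_if all
"""


def squid_listeners(text):
    """Map each Squid listen port to (directive, set of option tokens)."""
    listeners = {}
    for line in text.splitlines():
        m = re.match(r'\s*(https?_port)\s+(?:[\w.:\[\]]*:)?(\d+)(.*)', line)
        if m:
            directive, port, rest = m.group(1), int(m.group(2)), m.group(3)
            listeners[port] = (directive, set(rest.split()))
    return listeners


def join_continuations(text):
    """pf.conf allows a trailing backslash to continue a rule on the next line."""
    return re.sub(r'\\\n\s*', ' ', text)


def divert_rules(text):
    """Yield (destination ports, divert-to port) for each rule carrying divert-to."""
    for line in join_continuations(text).splitlines():
        if 'divert-to' not in line:
            continue
        # First "to <host> port <spec>" is the original destination, the
        # "divert-to <addr> port <n>" clause names the local Squid port.
        m_dst = re.search(r'to\s+\S+\s+port\s+(\{[^}]*\}|\S+)', line)
        m_div = re.search(r'divert-to\s+\S+\s+port\s+(\d+)', line)
        if not (m_dst and m_div):
            continue
        ports = [int(p) for p in re.findall(r'\d+', m_dst.group(1))]
        yield ports, int(m_div.group(1))


def check_divert(squid_text, pf_text):
    """Return (dst_port, divert_port, reason) for every divert that lands on
    a Squid listener that cannot handle that kind of traffic."""
    listeners = squid_listeners(squid_text)
    findings = []
    for dst_ports, divert_port in divert_rules(pf_text):
        target = listeners.get(divert_port)
        for dst in dst_ports:
            if target is None:
                findings.append((dst, divert_port, 'no Squid listener on that port'))
                continue
            directive, flags = target
            if 'intercept' not in flags:
                findings.append((dst, divert_port,
                                 f'{directive} {divert_port} is a forward-proxy port, not intercept'))
            elif dst == 443 and not (directive == 'https_port' and 'ssl-bump' in flags):
                findings.append((dst, divert_port,
                                 'port 443 traffic needs https_port ... intercept ssl-bump'))
    return findings


def suggested_divert_rules(squid_text, int_if='$int_if'):
    """Build one pf divert rule per web port, pointing at the matching listener."""
    listeners = squid_listeners(squid_text)
    wanted = ((80, 'http_port', 'intercept'), (443, 'https_port', 'ssl-bump'))
    rules = []
    for dst, directive, extra in wanted:
        for port, (d, flags) in sorted(listeners.items()):
            if d == directive and 'intercept' in flags and extra in flags:
                rules.append(f'pass in on {int_if} inet proto tcp from any to any '
                             f'port {dst} divert-to 127.0.0.1 port {port}')
                break
    return rules


if __name__ == '__main__':
    for dst, div, why in check_divert(SQUID_CONF, PF_CONF):
        print(f'port {dst} diverted to {div}: {why}')
    print('suggested rules:')
    for rule in suggested_divert_rules(SQUID_CONF):
        print(' ', rule)
```

Run against the constructed input, the check reports that both port 80 and port 443 are diverted into 3128, the plain forward-proxy listener, and the suggested rules send 80 to 3129 and 443 to 3130 instead; those suggestions pass the same check cleanly. Load any generated rules with pfctl -nf first so pf validates the syntax before they go live.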