freebsd pf squid transparent
I've broken my brain dealing with this. Squid was built from ports, /usr/ports/www/squid32, with PF_TP enabled.
I have internet access, but strangely it bypasses squid. Obviously the squid logs are empty.
I'm not sure what's wrong. The configs seem to be in order.
Here is my SQUID config
# Squid normally listens to port 8080
http_port 127.0.0.1:8080 intercept
#http_port 8080

# Squid hostname
visible_hostname hqproxy.nis.edu.kz
cache_mgr root@nis.edu.kz

cache_dir ufs /squid 20000 64 128
coredump_dir /var/squid/cache/squid
cache_mem 8 MB
maximum_object_size 50960 KB
maximum_object_size_in_memory 32 KB

cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
cache_access_log /var/log/squid/access.log
cache_effective_user squid
cache_effective_group squid

#server_persistent_connections on
#client_persistent_connections on

#dead_peer_timeout 30 seconds

#hierarchy_stoplist cgi-bin php asp conf ?
#acl QUERY urlpath_regex cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ \.conf$
#no_cache deny QUERY
#acl myself dst 127.0.0.1 192.168.1.68
#always_direct allow myself
#always_direct allow QUERY

#negative_ttl 5 minutes
#positive_dns_ttl 6 hours
#negative_dns_ttl 1 minute
#connect_timeout 60 seconds
#request_timeout 3 minutes
#persistent_request_timeout 1 minute
#read_timeout 15 minutes
#client_lifetime 1 day
#half_closed_clients off
#pconn_timeout 2 minutes
#shutdown_lifetime 1 seconds

#Configure downloading even after aborted requests.
#quick_abort_min 0 KB
#quick_abort_max 0 KB

acl localnet src 192.168.1.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

#include /usr/local/etc/squid/auth.conf

http_access allow localnet
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
Here is the PF config
## --- VARS ----------------------------------------------------------------- ##

if_int="em1"
if_ext="em0"
if_vpn="tun0"

ip_ext="a.a.a.a/32"
ip_int="192.168.1.68/32"

ports_client = "{ 21, 22, 25, 110, 123, 80, 443, 53, 3389,8080, >=49151 }"
ports_ext_tcp = "{ 22, 8329 }"
ports_ext_udp = "{ 1194 }"

net_local = "192.168.1.0/24"
net_tunvpn = "10.0.1.0/24"
net_semfm = "10.18.0.0/24"
net_noroute= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

state_mod = "flags S/SA modulate state"
state_syn = "flags S/SA synproxy state"

## --- OPTIONS ------------------------------------------------------------------ ##

set block-policy drop
set state-policy floating
set loginterface $if_ext
set optimization normal
set skip on lo0

## --- NORMALIZATION ------------------------------------------------------------- ##

scrub in all
scrub on $if_ext all reassemble tcp

## --- QUEUEING ------------------------------------------------------------------ ##

altq on $if_ext cbq bandwidth 40Mb queue {normal, high, top}
queue normal bandwidth 40% priority 1 cbq (default borrow)
queue high bandwidth 50% priority 5 cbq (borrow ecn)
queue top bandwidth 10% priority 7 cbq (borrow)


## --- NAT RDR ------------------------------------------------------------------- ##

nat on $if_ext from $net_local to any -> ($if_ext)
## redirect all www to squid 8080
rdr on $if_ext inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080

## --- FILTERING -----------------------------------------------------------------

antispoof quick for $if_int


block log all
pass in on $if_ext inet proto icmp all icmp-type echoreq

pass in on $if_ext inet proto tcp from any to any port $ports_ext_tcp flags S/SA keep state
pass in on $if_ext inet proto udp from any to any port $ports_ext_udp keep state

pass out on $if_ext keep state

pass in quick on $if_int route-to lo0 inet proto tcp from $net_local to 127.0.0.1 port 8080 keep state
pass in on $if_int inet proto icmp all icmp-type echoreq
pass in on $if_int inet proto {tcp,udp} from $net_local to any port $ports_client keep state
pass out on $if_int keep state
1 answer
Solution
Change:
rdr on $if_ext inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080
to:
rdr on $if_int inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080
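A check added here, not part of the question or the answer: a small Python linter that parses the pf.conf macros, rdr rules and pass-in rules together with squid's http_port lines, and reports an rdr attached to an interface on which the redirected network never arrives (the mistake above), an rdr whose target port has no squid intercept listener, and port 443 being redirected to a plain http_port intercept, which this configuration also does. The sample configs are constructed from the question and trimmed to the relevant lines.

```python
import re

# Constructed sample mirroring the question's pf.conf and squid.conf (trimmed to the relevant lines).
PF_CONF = """
if_int="em1"
if_ext="em0"
net_local = "192.168.1.0/24"
nat on $if_ext from $net_local to any -> ($if_ext)
rdr on $if_ext inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080
pass in quick on $if_int route-to lo0 inet proto tcp from $net_local to 127.0.0.1 port 8080 keep state
pass in on $if_int inet proto {tcp,udp} from $net_local to any port 80 keep state
"""
SQUID_CONF = "http_port 127.0.0.1:8080 intercept\n"

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
PASS_IN_RE = re.compile(r'^\s*pass\s+in\b.*?\bon\s+(\S+).*?\bfrom\s+(\S+)')
RDR_RE = re.compile(r'^\s*rdr\s+on\s+(\S+).*?\bfrom\s+(\S+).*?\bport\s+(\{[^}]*\}|\S+)'
                    r'\s*->\s*(\S+)\s+port\s+(\d+)')
SQUID_PORT_RE = re.compile(r'^\s*(https?_port)\s+(?:[\w.]+:)?(\d+)\b(.*)$')

def expand(tok, macros):  # resolve a $macro reference against the pf.conf macro table
    return macros.get(tok[1:], tok) if tok.startswith("$") else tok

def lint(pf_text, squid_text):  # returns findings; an empty list means the wiring is consistent
    lines = pf_text.splitlines()
    macros = dict(m.groups() for m in map(MACRO_RE.match, lines) if m)
    # Which interface does each source network really enter on? Read it off the 'pass in' rules.
    inbound = {}
    for m in filter(None, map(PASS_IN_RE.match, lines)):
        inbound.setdefault(expand(m.group(2), macros), set()).add(expand(m.group(1), macros))
    # Squid listeners that expect redirected traffic, keyed by port.
    intercept = {int(m.group(2)): m.group(1)
                 for m in filter(None, map(SQUID_PORT_RE.match, squid_text.splitlines()))
                 if "intercept" in m.group(3).split()}
    findings = []
    for m in filter(None, map(RDR_RE.match, lines)):
        iface, src = expand(m.group(1), macros), expand(m.group(2), macros)
        ports = [p.strip() for p in m.group(3).strip("{}").split(",")]
        dst, dport = m.group(4), int(m.group(5))
        if dport not in intercept:
            findings.append(f"rdr -> {dst}:{dport} but squid has no *_port {dport} intercept")
            continue
        seen_on = inbound.get(src, set())
        if iface not in seen_on:  # rdr only sees packets arriving inbound on the named interface
            findings.append(f"rdr on {iface} never matches {src}: that net enters on "
                            f"{', '.join(sorted(seen_on)) or 'no known interface'}")
        if "443" in ports and intercept[dport] == "http_port":
            findings.append(f"port 443 redirected to http_port {dport}: TLS needs an https_port intercept")
    return findings
```

Running lint(PF_CONF, SQUID_CONF) on the question's rules reports the em0/em1 mismatch; after applying the answer's change only the port 443 finding remains.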