DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Ports and Packages

FreeBSD Ports and Packages Installation and upgrading of ports and packages on FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th December 2008
toolbox toolbox is offline
New User
 
Join Date: Dec 2008
Location: Busselton Western Australia
Posts: 1
Thanked 0 Times in 0 Posts
Default squid transparent questions

Hi all

I am trying to setup a transparent proxy here on my test rig at home before i set this up on my servers at work.

I have installed squid 2.7 from the ports tree, i was running 2.6. When i did make config i didn't see any options to compile the transparent side of it with ipfw which is what i am running.

just to give some details.

The Server's Internal card is 192.168.1.1. The Squid port number is 3128 the hostname / ip address option has the 192.168.1.1 ip and the option is transparent.

There are no errors on the console when i relaunched squid how ever i believe this is a issue with the firewall rules + i am not sure what to put in. From what i have read these were some of the things i tried

Quote:
transparent proxy
00400 add allow tcp from 192.168.1.1 to any 80
00400 add fwd 192.168.1.1,3128 tcp from any to any 80 via sis0
sis0 is my internal card
here are my firewall rules. I have no idea where to put this line above if it is valid

Quote:
#
# Define your variables
#
fwcmd="/sbin/ipfw" #leave as is if using ipfw
oif="fxp0" #set to outside interface name
onwr="10.10.10.0/90" #set to outside network range
oip="10.10.10.40" #set to outside ip address

iif="sis0" #set to internal interface name
inwr="192.168.1.0/24" #set to internal network range
iip="192.168.1.1" #set to internal ip address

ntp="202.72.191.202"
ns1="203.10.1.17" #set to primary name server best if = oif

#
# End of required user input if you only intend to allow ssh connections to
# this box from the outside. If other services are required, edit line 96
# as necessary.
#
# Rules with descriptions
#
#
# Force a flush of the current firewall rules before we reload
$fwcmd -f flush
#
# Allow your loop back to work
$fwcmd add allow all from any to any via lo0
#
# Prevent spoofing of your loopback
$fwcmd add deny log all from any to 127.0.0.0/8
#
# Stop spoofing of your internal network range
$fwcmd add deny log ip from $inwr to any in via $oif
#
# Stop spoofing from inside your private ip range
$fwcmd add deny log ip from not $inwr to any in via $iif
#
# Stop private networks (RFC1918) from entering the outside interface.
$fwcmd add deny log ip from 192.168.0.0/16 to any in via $oif
$fwcmd add deny log ip from 172.16.0.0/12 to any in via $oif
# $fwcmd add deny log ip from 10.0.0.0/8 to any in via $oif
$fwcmd add deny log ip from any to 192.168.0.0/16 in via $oif
$fwcmd add deny log ip from any to 172.16.0.0/12 in via $oif
# $fwcmd add deny log ip from any to 10.0.0.0/8 in via $oif

#
# Stop draft-manning-dsua-01.txt nets on the outside interface
$fwcmd add deny all from 0.0.0.0/8 to any in via $oif
$fwcmd add deny all from 169.254.0.0/16 to any in via $oif
$fwcmd add deny all from 192.0.2.0/24 to any in via $oif
$fwcmd add deny all from 224.0.0.0/4 to any in via $oif
$fwcmd add deny all from 240.0.0.0/4 to any in via $oif
$fwcmd add deny all from any to 0.0.0.0/8 in via $oif
$fwcmd add deny all from any to 169.254.0.0/16 in via $oif
$fwcmd add deny all from any to 192.0.2.0/24 in via $oif
$fwcmd add deny all from any to 224.0.0.0/4 in via $oif
$fwcmd add deny all from any to 240.0.0.0/4 in via $oif
$fwcmd add deny all from 210.22.175.130 to any in via $oif
$fwcmd add deny ip from me to table\(1\)
$fwcmd add deny ip from table\(1\) to me


# Divert all packets through natd
$fwcmd add divert natd all from any to any via $oif
# Checks packets against dynamic rule set below.
$fwcmd add check-state
#
#
# Allow all established connections to persist (setup required
# for new connections).
$fwcmd add allow tcp from any to any established

# Allow packets in via the VPN interface
$fwcmd add allow ip from any to any in recv ng0

# Allow the rest of the VPN data through
$fwcmd add allow gre from any to any
#
# Allow incoming requests to reach the following services:
# To allow multiple services you may list them separated
# by a coma, for example ...to $oip 22,25,110,80 setup
$fwcmd add allow log tcp from any to $oip 476 setup
# $fwcmd add allow log tcp from any to $oip 80 setup
# $fwcmd add allow tcp from any to $oip 25,53 setup
$fwcmd add allow tcp from any to $oip 21 setup
$fwcmd add allow tcp from any to $oip 110 setup
$fwcmd add allow log tcp from any to any $iop setup
$fwcmd add allow log tcp from any to $iop setup
$fwcmd add allow log tcp from any to any dst-port 1723 setup

#
# Allow DNS traffic from internet to query your DNS (for reverse
# lookups etc).
$fwcmd add allow udp from any to $ns1 53
#
# Allow time update traffic
$fwcmd add allow udp from $ntp 123 to $oip 123
#
# Allow UDP from local extrernal network so I can tracert from local servers

$fwcmd add allow udp from any 53 to any
$fwcmd add allow udp from any to any 53

# Allow icmp packets for diagnostic purposes (ping traceroute)
# you may wish to leave commented out.
# $fwcmd add allow icmp from any to any
#
# Allow required ICMP
$fwcmd add allow icmp from any to any icmptypes 0
$fwcmd add allow icmp from any to any icmptypes 3
$fwcmd add allow icmp from any to any icmptypes 4
$fwcmd add allow icmp from any to any icmptypes 8
$fwcmd add allow icmp from any to any icmptypes 11
#
# Allow any traffic from firewall ip to any going out the
# external interface
$fwcmd add allow ip from $oip to any keep-state out via $oif
#
# Allow any traffic from local network to any passing through the
# internal interface
$fwcmd add allow ip from $inwr to any keep-state via $iif
#
# Deny everything else
$fwcmd add 65435 deny log ip from any to any

If anyone could provide some information toward this that would be great

Cheers
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
squid 3.0 ccc FreeBSD Ports and Packages 4 16th February 2009 12:05 PM
Transparent bridge performance with PF northwoods FreeBSD General 3 30th January 2009 09:48 AM
ftp-proxy on transparent bridge mswall OpenBSD Security 4 7th July 2008 01:30 PM
Squid -> Privoxy -> Tor Peter_APIIT OpenBSD Security 3 17th June 2008 08:06 AM
OpenBSD 4.2 behind NAT and Squid mfaridi OpenBSD Security 8 19th May 2008 03:49 PM


All times are GMT. The time now is 12:05 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick