On Mon, 08 Aug 2011 09:49:18 -0700, azael.reyes wrote:
> Hello
>
> We needed to create a serverbox to act as a router, and have squid in
> it so it filter the computers on our lan.
>
> We have internet access on the lan now and the proxy seems to work
> when we put it on the browser (manually)
> its just not doing it transparent at all and we dont want to do this
> manually on all computers
>
> hope someone can help
>
> this is our configuration files:
>
> we have done.
>
> 1. enabled root access via ssh.
> modify file /etc/ssh/sshd_config with the entry of
> Code:
>
> PermitRootLogin yes
>
> 2. enable bridge
> modify file /etc/rc.conf with
> Code:
>
> cloned_interfaces="bridge0"
> ifconfig_bridge0="addm bge1 addm bge0 up"
>
> 3. enable bridge with sysctl values
> modify file /etc/sysctl.conf with
> Code:
>
> net.inet.ip.forwarding=1
>
> 4. modify /boot/loader.conf with
> Code:
>
> if_bridge_load="YES"
>
> With this we created the firewall part and are our gateway just
> works..
>
> Now this is the squid conf:
>
>
> ##########################
> http_port 3128 transparent
> icp_port 0
> hierarchy_stoplist cgi-bin ?
> acl QUERY urlpath_regex cgi-bin \?
> no_cache deny QUERY
hierarchy_stopl, no_cache and QUERY acl lines can all die.
> cache_mem 128 MB
>
> maximum_object_size 80000 KB
> ipcache_size 1024
> ipcache_low 90
> ipcache_high 95
> cache_dir diskd /usr/squid 28000 32 512 Q1=72 Q2=64
>
> log_fqdn off
> dns_nameservers 67.138.104.249
>
> auth_param basic children 5
> auth_param basic realm Squid proxy-caching web server
> auth_param basic credentialsttl 2 hours
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> #next, remove
> acl localnet src 192.168.211.0/255.255.255.0
> acl localhost src 127.0.0.1/255.255.255.255
> acl to_localhost dst 127.0.0.0/8
>
> acl SSL_ports port 443 563
> acl Safe_ports port 80 21 443 563 210 1025-65535 280 488 591 777
> acl CONNECT method CONNECT
> acl all src 0.0.0.0/0.0.0.0
acl all src all
>
> #blacklist acl
> external_acl_type eatFilter children=2 %URI /opt/squidacl/bin/filter
> /opt/squida
> cl/data/blacklist
> acl aeFilter external eatFilter
> http_access deny aeFilter
> deny_info http://blocked.saintapp.com aeFilter
>
> http_access deny !Safe_ports
>
> http_access allow localnet
> http_reply_access allow all
> visible_hostname localhost
>
> #http_access allow all
> coredump_dir /usr/local/squid/cache
>
>
> And this are our ipfw config : ( on debian we did iptables just to
> route the lan ips to port 3128 I'm not sure what will work on BSD):
>
> 00100 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in recv bce1
> 00200 fwd 127.0.0.1,8080 tcp from any to any dst-port 80 in recv bce1
> 65535 allow ip from any to any
>
>
>
> We are not sure if its the gateway part thats not working or the
> squid config, we have installed squid 2.7, 3.0 and 3.1 followed at
> most 10 tutorials and no luck getting a transparent proxy :(
Sounds like you forgot to build Squid with --enable-transparent-ipfw
Or possibly you set the box up as a bridge instead of a router.
Amos
Received on Mon Aug 08 2011 - 23:50:58 MDT
This archive was generated by hypermail 2.2.0 : Thu Aug 11 2011 - 12:00:01 MDT