Quoting Miguel Alcántara <[EMAIL PROTECTED]>:

Hi everybody, I've been having a problem for a week. I have to set up PF + SQUID on
a P2 machine with 128 RAM, a 6GB hard disk and just one NIC. I virtualized
an interface with the IP 192.168.1.80 and it has squid; the NIC has
192.168.1.60 and the whole LAN is 192.168.1.0/24.

My problem is that I can't browse some sites that must be permitted.

pf.conf

#rules for firewall
ext_nic = "dc0"
yo = "192.168.1.0/24"

As Max suggested, it might be easier for Miguel in his native language, but we aren't sure which language that is, so I'm going to take a shot in Spanish and see if that helps. Apologies to the list; Miguel can take other questions offline should he feel more comfortable in Spanish.

Hello Miguel,

Judging by your name, it may be easier to help you in Spanish. I just put together a basic configuration for squid and another for pf that I hope will help you. I took them from a configuration of mine, removing everything that has nothing to do with a basic firewall or the operation of squid. I hope it helps.

http://encontacto.net/SHARE/pf.conf.BASICA.txt
http://encontacto.net/SHARE/squid.conf.BASICA.txt

I added some # comments that I hope are useful.

Good luck and regards,

ed


table <dns_cautivo> {208.67.220.220, 208.67.222.222}
#SQUID CONFIGURATION
rdr pass on $ext_nic inet proto tcp from $yo to any port www -> 192.168.1.80 port 3128
nat on $ext_nic from $yo to any -> ($ext_nic)
#FILTER
block all
#pass in on $ext_nic from $yo
pass out on $ext_nic from any to <dns_cautivo>

squid.conf

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
#/////////
acl special_client src 192.168.1.0/24
#acl lista_permitidos url_regex "/usr/local/etc/squid/free.squid"

#acl special_url url_regex ucci
acl hotmail dstdomain .hotmail.com
acl mail dstdomain .blu134.mail.live.com
acl mailhot dstdom_regex -i mail
acl hotmail_mail dstdomain .hotmail.msn.com
acl passport dstdomain .passport.net
acl msn dstdomain .msn.com
acl ie6 browser MSIE[[:space:]]6
acl permitidos url_regex "/usr/local/etc/squid/free.squid"
acl palabra urlpath_regex -i login.srt
acl numconn maxconn 80
acl browse_hotmail url_regex www.hotmail.com
acl browse_ulima url_regex www.ulima.edu.pe
acl browse_yahoo url_regex www.yahoo.com

http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
##http_access allow special_client lista_permitidos
##http_access allow special_client hotmail
##http_access allow special_client mailhot
##http_access allow special_client mail
#http_access deny special_url
#http_access allow special_client

http_access allow special_client permitidos
http_access allow special_client hotmail
http_access allow special_client mail
http_access allow special_client mailhot
http_access allow special_client Safe_ports
http_access allow special_client hotmail_mail
http_access allow special_client palabra
http_access allow special_client browse_hotmail
http_access allow special_client browse_ulima
http_access allow special_client browse_yahoo
#http_access allow special_client special_url
http_access deny all


Well, it doesn't work; when I try to surf to any domain name listed above in
squid, squid sends me a message:

ERROR The requested URL could not be retrieved
------------------------------

While trying to retrieve the URL: http://www.yahoo.com/

The following error was encountered:

    Connection to Failed

The system returned:

    (1) Operation not permitted

The remote host or network may be down. Please try the request again.

Your cache administrator is webmaster.
------------------------------
Generated Thu, 27 Dec 2007 13:12:36 GMT by pf (squid/2.6.STABLE16)


Then in the logs from squid I can see a 503 error TCP_MISS.

I use FBSD 7 and SQUID 2.6, obviously with PF. Ah! squid was compiled with
pf abilities or something like that.

Plz, what am I doing wrong?


--
Atte.

Miguel Alcántara A.



_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
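The following is an added example, not code from Miguel's or ed's mails. It models the filter section of the quoted pf.conf (block all, pass out to <dns_cautivo>, the rdr pass redirect) and the http_access list of the quoted squid.conf, using each program's own evaluation order: pf takes the last matching filter rule, squid the first matching http_access line with every ACL on it ANDed. The client address 192.168.1.5 and origin address 203.0.113.10 are constructed sample values, the contents of free.squid are not on the page so the permitidos ACL is assumed to match nothing, and pf_verdict, squid_acls, squid_verdict and trace_request are names chosen here. Tracing one GET for http://www.yahoo.com/ through the three checkpoints it crosses shows the redirected client packet passing pf, squid allowing the request on the `special_client Safe_ports` line, and squid's own outbound connection to the origin server matching only `block all`, which is the connect-time step consistent with the "Operation not permitted" in the error page.

```python
# Constructed model of the two rule sets quoted above (not the poster's code):
#   pf filter rules   -> the LAST matching rule wins; 'rdr pass' admits the
#                        redirected packet without running the filter rules;
#   squid http_access -> the FIRST matching line wins, every ACL on it must match.
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")        # $yo in pf.conf / special_client in squid
SQUID_IP = "192.168.1.80"                            # aliased address squid listens on
DNS_CAUTIVO = {"208.67.220.220", "208.67.222.222"}   # table <dns_cautivo>

# Filter section of the quoted pf.conf in file order: (action, direction, matcher)
PF_RULES = [
    ("block", None, lambda pkt: True),                        # block all
    ("pass", "out", lambda pkt: pkt["dst"] in DNS_CAUTIVO),   # pass out ... to <dns_cautivo>
]

def pf_verdict(pkt):
    """Return 'pass' or 'block' for a packet {'dir','src','dst','dport'} on dc0."""
    # rdr pass on $ext_nic ... from $yo to any port www -> 192.168.1.80 port 3128
    if pkt["dir"] == "in" and pkt["dport"] == 80 and ipaddress.ip_address(pkt["src"]) in LAN:
        return "pass"          # redirected to squid; 'pass' skips the filter rules
    verdict = "pass"           # pf's default when no rule matches at all
    for action, direction, match in PF_RULES:
        if direction in (None, pkt["dir"]) and match(pkt):
            verdict = action   # last matching rule wins
    return verdict

def squid_acls(req):
    """Evaluate the quoted ACLs for a request {'src','host','port','path','method'}.
    ACLs no http_access line uses (ie6, numconn) are omitted; free.squid is not on
    the page, so 'permitidos' is assumed to match nothing."""
    host, port, path = req["host"], req["port"], req["path"]
    url = "http://%s%s" % (host, path)
    dom = lambda s: host == s or host.endswith("." + s)     # dstdomain .s: s and its subdomains
    return {
        "all": True,
        "manager": req.get("proto") == "cache_object",
        "localhost": req["src"] == "127.0.0.1",
        "SSL_ports": port == 443,
        "Safe_ports": port in {80, 21, 443, 70, 210, 280, 488, 591, 777} or 1025 <= port <= 65535,
        "CONNECT": req["method"] == "CONNECT",
        "special_client": ipaddress.ip_address(req["src"]) in LAN,
        "permitidos": False,
        "hotmail": dom("hotmail.com"),
        "mail": dom("blu134.mail.live.com"),
        "mailhot": re.search("mail", host, re.I) is not None,       # dstdom_regex -i mail
        "hotmail_mail": dom("hotmail.msn.com"),
        "palabra": re.search("login.srt", path, re.I) is not None,  # urlpath_regex -i login.srt
        "browse_hotmail": re.search("www.hotmail.com", url) is not None,
        "browse_ulima": re.search("www.ulima.edu.pe", url) is not None,
        "browse_yahoo": re.search("www.yahoo.com", url) is not None,
    }

# http_access lines of the quoted squid.conf in file order (first match wins)
HTTP_ACCESS = [
    ("allow", ["manager", "localhost"]),
    ("deny", ["manager"]),
    ("deny", ["!Safe_ports"]),
    ("deny", ["CONNECT", "!SSL_ports"]),
    ("allow", ["special_client", "permitidos"]),
    ("allow", ["special_client", "hotmail"]),
    ("allow", ["special_client", "mail"]),
    ("allow", ["special_client", "mailhot"]),
    ("allow", ["special_client", "Safe_ports"]),
    ("allow", ["special_client", "hotmail_mail"]),
    ("allow", ["special_client", "palabra"]),
    ("allow", ["special_client", "browse_hotmail"]),
    ("allow", ["special_client", "browse_ulima"]),
    ("allow", ["special_client", "browse_yahoo"]),
    ("deny", ["all"]),
]

def squid_verdict(req):
    """Return (action, line_number) of the first http_access line that matches."""
    acls = squid_acls(req)
    for n, (action, terms) in enumerate(HTTP_ACCESS, 1):
        if all(not acls[t[1:]] if t.startswith("!") else acls[t] for t in terms):
            return action, n
    raise AssertionError("unreachable: 'deny all' matches every request")

def trace_request(client_ip, host, server_ip, path="/"):
    """Follow a GET from a LAN browser through the three checkpoints it crosses."""
    return {
        # 1. the browser's SYN to host:80 enters dc0 and is redirected to squid
        "pf_client_in": pf_verdict({"dir": "in", "src": client_ip, "dst": server_ip, "dport": 80}),
        # 2. squid evaluates http_access for the proxied request
        "squid": squid_verdict({"src": client_ip, "host": host, "port": 80, "path": path, "method": "GET"}),
        # 3. squid opens its own TCP connection to the origin server, which leaves dc0
        "pf_squid_out": pf_verdict({"dir": "out", "src": SQUID_IP, "dst": server_ip, "dport": 80}),
    }

if __name__ == "__main__":
    # constructed sample: LAN client 192.168.1.5 fetching http://www.yahoo.com/ from an
    # origin address in the TEST-NET-3 documentation range
    for step, result in trace_request("192.168.1.5", "www.yahoo.com", "203.0.113.10").items():
        print(step, result)
```

Running it prints one verdict per checkpoint; the same functions can be fed other flows, for example squid's own DNS query to one of the <dns_cautivo> addresses, which is the only outbound traffic the quoted filter section passes.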
