Hi,

I am trying to get squid working in transparent mode on a bridge. With hints from previous emails on the list to use "route-to", by all appearances, the packets are getting redirected properly, they just don't arrive at the destination. This isn't production yet, or vulnerable, so don't stress about my pf rules :-). I have also tried to eliminate Squid from the equation by using "nc"... please read below for my troubleshooting to date.

Here's my config:

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=0


# head /etc/rc.conf.local
pf=YES                  # Packet filter / NAT

# cat /etc/pf.conf
ext_if="fxp0"
int_if="rl0"
# Squid proxy
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in all
pass out all
pass in log quick on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

# cat /etc/hostname.fxp0  ** Closest to default gateway (outside/external)
up

# cat /etc/hostname.rl0  ** Inside/internal
inet 10.5.2.143 255.255.255.0 10.5.2.255 up

# cat /etc/bridgename.bridge0
add fxp0
add rl0
up

I have a PC attached to rl0 (inside) interface. When I try to use a web browser, it just times out. If I tweak squid to listen on 10.5.2.143 and configure the web browser to use the proxy at 10.5.2.143 port 3128, it works 100%.

Here is what I see on the OpenBSD system when I try to access the Internet with my PC running Firefox (behind the transparent bridge).

# tcpdump -ni rl0 port 80 (bridge interface closest to my PC)
17:08:15.094629 10.5.2.46.4814 > 66.35.250.150.80: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)
# tcpdump -ni pflog0 (I have logging on for this rule in the pf.conf)
17:08:15.094656 10.5.2.46.4814 > 127.0.0.1.3128: [|tcp] (DF)

# tcpdump -ni lo0 port 3128
17:08:15.094693 10.5.2.46.4814 > 127.0.0.1.3128: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)

However, Squid (squid-2.6.STABLE9-transparent) never seems to see the packet come in. I have turned on debugging in squid around the "comm_select:" routine and it never sees any data. (I have done "ALL,9" as well; nothing jumps out at me as wrong, but there's so much data it's hard to sort through.)

Per the documentation, I have:
http_port 127.0.0.1:3128 transparent

and to prove it's doing the "right" thing:
# netstat -an | grep 3128
tcp        0      0  127.0.0.1.3128         *.*                    LISTEN

So, thinking that Squid might be the problem, I did some reading on "nc", which I have seen referred to as the "swiss army" tool. Seems simple enough:

# squid -k shutdown
# nc -l 127.0.0.1 3128

Then from another window I "telnet localhost 3128" and what I type in the one window shows up in the "nc" window.

On my PC behind the bridge, I try a "telnet 66.225.135.194 80". I would think I should have gotten connected to my "nc" session. I can see the packet getting routed to 127.0.0.1:

17:18:03.050119 10.5.2.46.4864 > 127.0.0.1.3128: S 2290476346:2290476346(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)

but nothing happens and the telnet session times out & fails :-(

By using nc & telnet, I think I have eliminated application level configuration problems. Does anyone have any ideas?? This is driving me crazy. It shouldn't be so difficult, but then again, it's a computer ;-)

I will include my entire squid.conf & dmesg below:

Thanks for any assistance,
Steve Williams

http_port 127.0.0.1:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 100 MB
cache_dir ufs /squid/cache 5000 256 256
access_log /squid/logs/access.log squid
cache_log /squid/logs/cache.log
cache_store_log /squid/logs/store.log
pid_filename /squid/logs/squid.pid
debug_options 5,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/squid/cache
#


And my dmesg, just in case... I can't imagine it's relevant at all, but who knows.

OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
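As an added example (not part of Steve's post), here is a small Python script that correlates the three tcpdump captures above by client source port and reports the first stage of the rdr/route-to path at which a flow disappears. The interface names and the 127.0.0.1:3128 target are taken from the pf.conf in the post; the SYN-ACK check assumes the older tcpdump "S ... ack N" flag format shown in the captures.

```python
import re
from collections import defaultdict

# Added example, not from the original post; names come from the pf.conf above.
INT_IF, RDR_IP, RDR_PORT, WEB_PORT = "rl0", "127.0.0.1", "3128", "80"
STAGES = ("client_syn", "pflog_rdr", "lo0_syn", "lo0_synack")

# Address part of a 'tcpdump -n' TCP line; search() tolerates a pflog0 rule prefix.
ADDR_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse_line(line):
    """Return addresses plus syn/ack flags for one tcpdump line, or None."""
    m = ADDR_RE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    flags = rest.split()[0]            # 'S', 'S.', '.', 'P' or '[|tcp]' when truncated
    rec["syn"] = flags.startswith("S")
    rec["ack"] = flags == "S." or " ack " in " " + rest + " "  # old tcpdump: 'S ... ack N'
    return rec

def trace_redirect(captures):
    # captures: {iface: [lines]} -> {(client_ip, client_port): set of stages seen}
    flows = defaultdict(set)
    for iface, lines in captures.items():
        for r in filter(None, map(parse_line, lines)):
            to_proxy = r["dst"] == RDR_IP and r["dport"] == RDR_PORT
            client = (r["src"], r["sport"])
            if iface == INT_IF and r["syn"] and not r["ack"] and r["dport"] == WEB_PORT:
                flows[client].add("client_syn")          # original SYN toward port 80
            elif iface == "pflog0" and to_proxy:
                flows[client].add("pflog_rdr")           # rdr + route-to rule matched
            elif iface == "lo0" and to_proxy and r["syn"] and not r["ack"]:
                flows[client].add("lo0_syn")             # SYN re-injected via lo0
            elif iface == "lo0" and r["src"] == RDR_IP and r["sport"] == RDR_PORT and r["syn"] and r["ack"]:
                flows[(r["dst"], r["dport"])].add("lo0_synack")  # listener answered, keyed by client
    return dict(flows)

def first_missing_stage(seen):
    # First stage on the redirect path not observed for a flow, or None if complete.
    return next((s for s in STAGES if s not in seen), None)

# Constructed sample: the three lines quoted in the post; no SYN-ACK ever appears on lo0.
SAMPLE = {
    "rl0": ["17:08:15.094629 10.5.2.46.4814 > 66.35.250.150.80: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)"],
    "pflog0": ["17:08:15.094656 10.5.2.46.4814 > 127.0.0.1.3128: [|tcp] (DF)"],
    "lo0": ["17:08:15.094693 10.5.2.46.4814 > 127.0.0.1.3128: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)"],
}
```

Call trace_redirect() on lines captured from rl0, pflog0 and lo0 and feed each flow's stage set to first_missing_stage(); a flow that reaches lo0_syn but never lo0_synack means the listener on 127.0.0.1:3128 never answered, which is the symptom described above.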
