Lista Squid-BR

Estou tentando montar um proxy transparente com o Squid em um gateway/firewall 
OpenBSD 4.7. 
Até agora fiz o seguinte:

### Comando ###
   # pkg_add squid-x.x.STABLExx-snmp.tgz

### /etc/squid/squid.conf ###
   # Squid configuration for an intercepting ("transparent") proxy on the gateway.
   # The 'transparent' flag tells Squid that requests arriving on this port were
   # redirected by the packet filter and were not sent by a proxy-aware client.
   # NOTE(review): Squid only sees traffic here if the pf rdr-to rule for port 80
   # is actually applied; an empty access.log means no request reached this port.
   # NOTE(review): on OpenBSD the Squid user presumably needs access to /dev/pf
   # to look up the original destination of redirected connections - confirm
   # against the package's install notes.
   http_port  3128 transparent

   # On-disk cache: ufs store under /var/squid/cache with the values 100, 16 and 256.
   cache_dir   ufs /var/squid/cache 100 16 256
   cache_mgr   [email protected]
   # Run as the unprivileged _squid user and group.
   cache_effective_user    _squid
   cache_effective_group   _squid

   ftp_user    [email protected]

   # Define the access log format
   logformat squid  %ts.%03tu %6tr %>a %Ss/%03Hs %<st %rm %ru %un %Sh/%<A %mt
   # Log client request activities ('squid' is the name of the log format to use)
   access_log       /var/squid/logs/access.log squid
   # Log information about the cache's behavior
   cache_log        /var/squid/logs/cache.log
   # Log the activities of the storage manager
   cache_store_log  /var/squid/logs/store.log

   # Classes
   acl  all           src    all               # Any IP address
   acl  localhost     src    127.0.0.0/8       # Localhost
   acl  lan           src    192.168.79.0/24     # LAN where authorized clients reside
   acl  manager       proto  cache_object      # Cache object protocol
   acl  to_localhost  dst    127.0.0.0/8       # Requests to localhost
   acl  SSL_ports     port   443               # https port
   acl  Safe_ports    port   80 21 443         # http, ftp, https ports
   acl  CONNECT       method CONNECT           # SSL CONNECT method

   # http_access rules are evaluated top to bottom and the first match decides,
   # so the specific denies below must stay ahead of the 'allow lan' rule.
   # Only allow cachemgr access from localhost
   http_access  allow  manager localhost
   http_access  deny   manager
   # Deny requests to unknown ports
   http_access  deny   !Safe_ports
   # Deny CONNECT to other than SSL ports
   http_access  deny   CONNECT !SSL_ports
   # Prevent access to local web applications from remote users
   http_access  deny   to_localhost
   # Allow access from the local network
   http_access  allow  lan
   # Default deny (this must be the last rule)
   http_access  deny   all

### Comando ###

   # /usr/local/sbin/squid -z
   # /usr/local/sbin/squid -d 1 -N
   # /etc/rc.local
     # Start Squid at boot, but only when the binary exists and is executable.
     if test -x /usr/local/sbin/squid; then
         # Append the daemon name to the boot-time status line, then launch it.
         echo -n ' squid'
         /usr/local/sbin/squid
     fi

### /etc/pf.conf ###
   # pf ruleset for the gateway/firewall that also hosts the Squid proxy.
   # macros #
   # em0 is the external interface and em1 the internal (LAN) one.
   # NOTE(review): ext_if is defined but the rules below spell out em0/em1 or
   # use the 'egress' group instead of the macros.
   ext_if="em0"
   int_if="em1"

   tcp_services="{ 22, 113 }"
   icmp_types="echoreq"

   # options #
   # 'return' answers blocked packets instead of dropping them silently.
   set block-policy return
   set loginterface em0
   # Loopback traffic is not filtered at all.
   set skip on lo

   # match rules #
   # Source-NAT everything leaving the egress interface that does not already
   # originate from the egress network.
   match out on egress inet from !(egress:network) to any nat-to (egress:0)

   # filter rules #
   # NOTE(review): the default-deny rule is commented out. pf passes any packet
   # that no rule blocks, so as written this ruleset filters nothing inbound and
   # the 'pass in' rules below only matter for their rdr-to actions.
   #block in log
   pass out quick

   antispoof quick for { lo $int_if }

   pass in on egress inet proto tcp from any to (egress) port $tcp_services

   # Port-forward external ports 2225 and 2220 to SSH on two LAN hosts.
   # NOTE(review): both forwards accept any source address; consider limiting
   # the allowed sources for these published SSH services.
   pass in on em0 proto tcp from any to any port 2225 rdr-to 192.168.79.5 port 
22
   pass in on em0 proto tcp from any to any port 2220 rdr-to 192.168.79.100 
port 22

   # Redirect LAN web traffic (port 80) to the local Squid listener on 3128.
   # NOTE(review): this rule has no 'quick', and pf applies the LAST matching
   # rule. The later 'pass in on $int_if' also matches these packets, so it
   # likely wins and the rdr-to here is never applied, which would explain the
   # empty access.log. Adding 'quick' here, or moving this rule below the
   # general pass, should be verified with 'pfctl -sr' and 'pfctl -ss'.
   # NOTE(review): a capture on em1 probably shows destination port 80 even when
   # the redirect works, because inbound packets are captured before translation.
   pass in on em1 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128

   pass in inet proto icmp all icmp-type $icmp_types

   # Pass everything arriving on the internal interface.
   pass in on $int_if

O problema é que eu fico monitorando a placa de rede em1 (interna) nas portas 80 
e 3128. Pela 
porta 3128 não passa nenhum tráfego, já pela porta 80 passa todo o tráfego web. O 
arquivo 
access.log está em branco.

Alguém saberia me dizer o que eu estou fazendo errado?

Obrigado.
