[FUG-BR] Transparent Squid + IPFW [RESOLVED]

Sergio Augusto Vladisauskis sergiovl em gmail.com
Tue Oct 23 11:53:55 BRST 2007


I solved it with PF and put these options in the kernel:

# Squid
options         MSGMNB=16384
options         MSGMNI=41
options         MSGSEG=2049
options         MSGSSZ=64
options         MSGTQL=512
options         SHMSEG=16
options         SHMMNI=32
options         SHMMAX=2097152
options         SHMALL=3096

# Packet Filter
device          pf
device          pflog
device          pfsync
device          carp

# Network bridge
options         BRIDGE

# TCP/IP filters
options         TCP_DROP_SYNFIN # drop TCP packets with SYN+FIN


/etc/pf.conf
ext_if="vr0"
int_if="xl0"
internal_net="192.168.0.0/24"

nat on $ext_if from $internal_net to any -> ($ext_if)

table <rede> { 192.168.0.0/24 }
rdr on $int_if inet proto tcp from <rede> to any port http -> 127.0.0.1 port 3128

Squid 2.6.16 is working; I just don't know why squidGuard stopped
filtering addresses, but if I run a test like this:

# echo "http://www.playboy.com/ 127.0.0.1/- - GET" | \
    /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf -d

it works fine.




-- 
Sergio Augusto Vladisauskis
-> Systems Analyst and Network Administrator
-> Phone: +55 81 3229 1224
-> Mobile: +55 81 9288 2803
-> Skype: sergiovl-aktua
-> Registered Linux User: 305281

ThOLOko wrote:
> Folks, we got it running here....
> 
> I recompiled the kernel with these options
> 
> options         MROUTING                # Multicast routing
> options         IPFIREWALL              #firewall
> options         IPFIREWALL_VERBOSE      #print information about
> options         IPFIREWALL_FORWARD      #enable transparent proxy support
> options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by
> options         IPDIVERT                #divert sockets
> options         IPFILTER                #ipfilter support
> options         IPFILTER_LOG            #ipfilter logging
> options         IPSTEALTH               #support for stealth forwarding
> options         TCPDEBUG
> options         ACCEPT_FILTER_DATA
> options         ACCEPT_FILTER_HTTP
> options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
> options         DUMMYNET
> options         BRIDGE
> 
> and then installed squid, adding only transparent after the
> http_port....
> 
> in ipfw
> 
> ipfw add 400 forward 127.0.0.1,3128 tcp from any to any dst-port 80 via rl0
> 
> 
> Thanks for the help... it was something missing in the kernel... for sure...
> 
> Cheers...
> 
> On 22/10/07, joao jamaicabsd <jamaicabsd em gmail.com> wrote:
>> On 22/10/07, ThOLOko <tholoko em gmail.com> wrote:
>>> but in the sysctl.conf part it would be only my performance settings,
>>> correct???
>>>
>>> I'm reinstalling squid again... I did a make config and only added
>>> the transparent proxy option for ipf
>>>
>>> Cheers!
>>>
>>> On 19/10/07, Vitor Renato Alves de Brito <vrbrito em artefinal.com.br>
>>> wrote:
>>>> Hello,
>>>>
>>>> Then I really can't tell you. If your kernel was compiled
>>>> correctly, your ipfw is ok and the squid.conf too, it can only be
>>>> something else. Look at my sysctl.conf:
>>>>
>>>> net.link.ether.bridge.enable=1
>>>> net.link.ether.bridge.ipfw=1
>>>> net.link.ether.bridge.ipf=1
>>>> net.link.ether.bridge.config=xl0,xl1
>>>> net.inet.ip.fw.one_pass=0
>>>> net.inet.ip.fw.verbose_limit=10000
>>>> net.inet.ip.forwarding=1
>>>> net.inet.ip.fastforwarding=1
>>>> net.inet.tcp.delayed_ack=0
>>>> net.inet.tcp.sendspace=65536
>>>> net.inet.tcp.recvspace=65536
>>>> net.inet.udp.recvspace=65536
>>>> net.link.ether.inet.log_arp_wrong_iface=0
>>>> net.link.ether.inet.log_arp_movements=0
>>>> kern.ipc.somaxconn=512
>>>> kern.maxfiles=65536
>>>> kern.maxfilesperproc=32768
>>>> net.inet.ip.portrange.last=65535
>>>> net.inet.ip.intr_queue_maxlen=100
>>>>
>>>> Kernel:
>>>> options         MROUTING                # Multicast routing
>>>> options         IPFIREWALL              #firewall
>>>> options         IPFIREWALL_VERBOSE      #print information about
>>>> options         IPFIREWALL_FORWARD      #enable transparent proxy support
>>>> options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
>>>> options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by
>>>> options         IPDIVERT                #divert sockets
>>>> options         IPFILTER                #ipfilter support
>>>> options         IPFILTER_LOG            #ipfilter logging
>>>> options         IPSTEALTH               #support for stealth forwarding
>>>> options         TCPDEBUG
>>>> options         ACCEPT_FILTER_DATA
>>>> options         ACCEPT_FILTER_HTTP
>>>> options         TCP_DROP_SYNFIN         #drop TCP packets with SYN+FIN
>>>> options         DUMMYNET
>>>> options         BRIDGE
>>>> Plus memory tuning for squid.
>>>>
>>>> If you have NAT, disable the NAT and see if it works.
>>>>
>>>> Bye.
>>>>
>>>> On Fri, 19 Oct 2007, ThOLOko wrote:
>>>>
>>>>> Yes man,,, on my client machine I configured the IP and the gateway
>>>>> is the proxy's LAN interface...
>>>>>
>>>>> On 19/10/07, Vitor Renato Alves de Brito <vrbrito em artefinal.com.br>
>>>>> wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Remove the vhost and leave the rest as it is, both in squid.conf and
>>>>>> in ipfw.
>>>>>> BUT YOUR SQUID'S IP HAS TO BE THE DEFAULT GATEWAY OF YOUR
>>>>>> NETWORK. Otherwise transparent doesn't work. In other words, on the
>>>>>> PC, when configuring the gateway, you have to enter the squid's IP.
>>>>>>
>>>>>> Here I use:
>>>>>> Squid Cache: Version 2.6.STABLE16-20071005
>>>>>> configure options:  '--enable-large-cache-files'
>>>>>> '--prefix=/usr/local/squid' '--enable-snmp'
>>>>>> '--enable-storeio=coss,ufs,aufs,diskd'
>>>>>> '--enable-removal-policies=lru,heap'
>>>>>> '--enable-err-language=Portuguese'
>>>>>> '--enable-default-err-language=Portuguese' '--enable-delay-pools'
>>>>>> '--enable-underscores' '--enable-dlmalloc'
>>>>>> '--disable-hostname-checks'
>>>>>> '--enable-follow-x-forwarded-for' '--enable-coss-aio-ops'
>>>>>> '--with-large-files'
>>>>>>
>>>>>> and it works great.
>>>>>>
>>>>>> Bye.
>>>>>>
>>>>>> On Fri, 19 Oct 2007, ThOLOko wrote:
>>>>>>
>>>>>>> Adding to that:
>>>>>>> squid
>>>>>>> 2007/10/19 11:16:30| Can't be both a transparent proxy and web server
>>>>>>> accelerator on the same port
>>>>>>> FATAL: Bungled squid.conf line 4: http_port 3128 transparent vhost
>>>>>>> Squid Cache (Version 2.6.STABLE16): Terminated abnormally.
>>>>>>>
>>>>>>>
>>>>>>> 2007/10/19, ThOLOko <tholoko em gmail.com>:
>>>>>>>> Good morning folks,,, Sorry for this topic, I know there are many
>>>>>>>> of them, but even following several (many with no end) I couldn't
>>>>>>>> get SQUID Transparent + IPFW running...
>>>>>>>>
>>>>>>>> Below is my squid.conf
>>>>>>>>
>>>>>>>> http_port 3128
>>>>>>>> visible_hostname firewall
>>>>>>>>
>>>>>>>> redirect_rewrites_host_header off
>>>>>>>> http_port 7.8.9.254:3128 transparent
>>>>>>>>
>>>>>>>> # size of the cache in RAM
>>>>>>>> cache_mem 50 MB
>>>>>>>>
>>>>>>>> shutdown_lifetime 3 seconds
>>>>>>>> icp_port 0
>>>>>>>>
>>>>>>>> # maximum size of objects in RAM
>>>>>>>> maximum_object_size_in_memory 64 KB
>>>>>>>>
>>>>>>>> # maximum object size in the cache
>>>>>>>> maximum_object_size 20 MB
>>>>>>>>
>>>>>>>> # minimum object size in the cache
>>>>>>>> minimum_object_size 0 KB
>>>>>>>>
>>>>>>>> cache_swap_low 90
>>>>>>>> cache_swap_high 95
>>>>>>>>
>>>>>>>> # cache directory
>>>>>>>> cache_dir ufs /usr/local/squid/cache 3000 16 256
>>>>>>>> cache_access_log /usr/local/squid/logs/access.log
>>>>>>>>
>>>>>>>> # cache refresh
>>>>>>>> refresh_pattern ^ftp: 15 20% 2280
>>>>>>>> refresh_pattern ^gopher: 15 0% 2280
>>>>>>>> refresh_pattern . 15 20% 2280
>>>>>>>>
>>>>>>>> #ACLs
>>>>>>>> acl all src 0.0.0.0/0.0.0.0
>>>>>>>> acl manager proto cache_object
>>>>>>>> acl localhost src 127.0.0.1/255.255.255.255
>>>>>>>>
>>>>>>>> acl SSL_ports port 445 443 441 563
>>>>>>>> acl Safe_ports port 80 # http
>>>>>>>> acl Safe_ports port 21 # ftp
>>>>>>>> acl Safe_ports port 445 443 441 563 # https, snews
>>>>>>>> acl Safe_ports port 70 # gopher
>>>>>>>> acl Safe_ports port 210 # wais
>>>>>>>> acl Safe_ports port 1025-65535 # unregistered ports
>>>>>>>> acl Safe_ports port 280 # http-mgmt
>>>>>>>> acl Safe_ports port 488 # gss-http
>>>>>>>> acl Safe_ports port 591 # filemaker
>>>>>>>> acl Safe_ports port 777 # multiling http
>>>>>>>> acl Safe_ports port 901 # SWAT
>>>>>>>> acl purge method PURGE
>>>>>>>> acl CONNECT method CONNECT
>>>>>>>>
>>>>>>>> acl redeinterna src 7.8.9.0/24
>>>>>>>> acl admin src 7.8.9.248
>>>>>>>>
>>>>>>>> #acl restritos dstdom_regex "/usr/local/etc/squid/restritos"
>>>>>>>> acl bloqueados dstdom_regex "/usr/local/etc/squid/bloqueados"
>>>>>>>>
>>>>>>>> acl manha time MTWHF 08:00-12:00
>>>>>>>> acl tarde time MTWHF 13:30-17:20
>>>>>>>> # S-Sunday, M-Monday, T-Tuesday, W-Wednesday, H-Thursday, F-Friday, A-Saturday
>>>>>>>> http_access allow manager localhost
>>>>>>>> http_access deny !Safe_ports
>>>>>>>> http_access deny CONNECT !SSL_ports
>>>>>>>> http_access deny manager
>>>>>>>> http_access allow purge localhost
>>>>>>>> http_access deny purge
>>>>>>>> http_access allow localhost
>>>>>>>>
>>>>>>>> http_access allow admin
>>>>>>>>
>>>>>>>> http_access deny bloqueados
>>>>>>>> #http_access deny manha restritos
>>>>>>>> #http_access deny tarde restritos
>>>>>>>>
>>>>>>>> http_access allow redeinterna
>>>>>>>>
>>>>>>>> http_access deny all
>>>>>>>>
>>>>>>>>
>>>>>>>> Now my IPFW rules:
>>>>>>>>
>>>>>>>> /sbin/ipfw -f flush
>>>>>>>>
>>>>>>>> ipfw add allow tcp from 7.8.9.254 to any 80 # avoids loop
>>>>>>>> ipfw add fwd 7.8.9.254,3128 tcp from 7.8.9.0/24 to any 80
>>>>>>>>
>>>>>>>>
>>>>>>>> And I already compiled the kernel to run nat and ipfw... NAT is
>>>>>>>> running perfectly...
>>>>>>>>
>>>>>>>> I don't know if the correct option is http_port 7.8.9.254:3128
>>>>>>>> transparent
>>>>>>>> Cheers!
>>>>>>>>
>>>>>>>> --
>>
>>
>> Man, this ipfw here is working like a charm
>>
>> ## Transparent Proxy
>> ipfw add fwd 127.0.0.1,3128 tcp from 192.168.1.0/24 to any 80 via rl1
>>
>> # NATD
>> ipfw add divert natd ip from any to any via rl0
>>
>> And since your squid is the 6, set it up like this
>>
>> http_port 127.0.0.1:Transparent
>> http_port 192.168.1.254
>>
>> If that "transparent" doesn't work it falls through to the one below; I've
>> done this and it worked, and remember that the line below is the gateway
>> that will be configured on the hosts
>>
>> Hope this helped
>>
>> bye
>>
>>
>> E-mail: jamaicabsd em gmail.com
>> Systems Support Assistant (Universidade do Sul de Santa Catarina)
>> MSN: joaomaykonm em hotmail.com
>> Mobile: (48) 9144 2326
>> -------------------------
>> Archive: http://www.fug.com.br/historico/html/freebsd/
>> Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
>>
> 
> 
> 
-- 
[]'s
Sergio Augusto Vladisauskis (Animal-X®)
Jabber: sergiovl em jabber.org | Google Talk: sergiovl em gmail.com
Skype: animal-x | ICQ: 31967968
Linux User: 305281 | Linux, OpenSolaris, BSD's & Haiku
http://sergiovl.sytes.net
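As an added illustration (not code from this thread, from Squid or from ipfw), a small Python checker for the two pitfalls the thread runs into: an http_port line that mixes transparent and vhost, which Squid 2.6 rejects with the FATAL quoted above, and an ipfw fwd rule with no earlier allow rule for the proxy's own outbound HTTP, the loop the OP's first ipfw rule guards against. The sample config and rules are constructed from the posts above; the "source covers the proxy" test is a heuristic of this example, not an ipfw feature.

```python
import ipaddress
import re

# 1. squid.conf: Squid 2.6 aborts on an http_port line carrying both
#    'transparent' and 'vhost' ("Can't be both a transparent proxy and web
#    server accelerator on the same port", as quoted in the thread).
def mixed_transparent_vhost(squid_conf):
    """Return the http_port lines that mix 'transparent' and 'vhost'."""
    bad = []
    for raw in squid_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("http_port") and {"transparent", "vhost"} <= set(line.split()[2:]):
            bad.append(line)
    return bad

# 2. ipfw: a fwd-to-proxy rule whose source spec could match the proxy host's
#    own outbound HTTP, with no earlier 'allow tcp from <proxy> to any 80' and
#    no 'via <iface>' restriction, sends the proxy's own requests back into
#    the proxy (the loop the OP's first rule avoids).
FWD_RE = re.compile(r"\b(?:fwd|forward)\s+([\d.]+),\d+\s+tcp\s+from\s+(\S+)\s+to\s+any\s+(?:dst-port\s+)?80\b(.*)")
ALLOW_RE = re.compile(r"\ballow\s+tcp\s+from\s+([\d.]+)\s+to\s+any\s+(?:dst-port\s+)?80\b")

def source_covers(src, proxy):
    """Heuristic (constructed here): 'any', or a host/CIDR spec containing the fwd target."""
    if src == "any":
        return True
    try:
        return ipaddress.ip_address(proxy) in ipaddress.ip_network(src, strict=False)
    except ValueError:  # table names, 'me', etc. are not decidable statically
        return False

def fwd_loop_risks(ipfw_rules):
    """Return the fwd rules that lack loop protection, in ruleset order."""
    allowed, risks = set(), []
    for raw in ipfw_rules.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = ALLOW_RE.search(line)
        if m:
            allowed.add(m.group(1))
        m = FWD_RE.search(line)
        if (m and source_covers(m.group(2), m.group(1))
                and m.group(1) not in allowed and "via" not in m.group(3).split()):
            risks.append(line)
    return risks

if __name__ == "__main__":
    # Constructed from the thread: the OP's line 4 and two of the fwd rules.
    conf = "http_port 3128 transparent vhost   # the OP's line 4\n"
    rules = ("ipfw add fwd 7.8.9.254,3128 tcp from 7.8.9.0/24 to any 80\n"
             "ipfw add 400 forward 127.0.0.1,3128 tcp from any to any dst-port 80 via rl0\n")
    print(mixed_transparent_vhost(conf))  # ['http_port 3128 transparent vhost']
    print(fwd_loop_risks(rules))          # only the first rule (no allow before it)
```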
