Re: FreeBSD question

From: Clifton Royston <cliftonr@dont-contact.us>
Date: Mon, 13 Mar 2000 11:54:45 -1000

On Mon, Mar 13, 2000 at 04:45:59PM -0500, Sean Lutner wrote:
> Clifton Royston wrote:
...
> > If you go through the FAQ sec 17 (Transparent Caching/Proxying) you
> > should see reference to ipfilter being required for squid under *BSD;
> > it's not enough to build it in to squid as an option, I think you have
> > to use it for your redirection. Also, do make sure you're using all
> > the required squid.conf options as listed there.
> >
> > See <http://www.squid-cache.org/Doc/FAQ/FAQ-17.html>, especially the
> > beginning (17 and 17.1), and Duane Wessels' section on FreeBSD
> > <http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.6>
>
> Uhhh....right in that section of the FAQ it tells you to use ipfw. The
> issues were with older versions of FreeBSD. I read the FAQ several
> times.

  OK, you got me. It looks like we're both right and both wrong. If
you read the first two sections again it references ip filter/ipnat:

Section 17:

"2. Get your cache server to accept the packets. You have to configure
your cache host to accept the redirected packets - any IP address, on
port 80 - and deliver them to your cache application. This is typically
done with IP filtering/forwarding features built into the kernel. On
linux they call this ipfwadm. On FreeBSD and other *BSD systems they
call it ip filter or ipnat; on many systems, it may require rebuilding
the kernel or adding a new loadable kernel module.

"3. Compile and run a version of Squid which accepts connections for
other addresses. For some operating systems, you need to have configured
and built a version of Squid which can recognize the hijacked
connections and discern the destination addresses. For Linux this seems
to work automatically. For *BSD-based systems, you probably have to
configure squid with the --enable-ipf-transparent option. (Do a make
clean if you previously configured without that option, or the correct
settings may not be present.)"

In Section 17.1:

"17.1 Transparent proxying for Solaris, SunOS, and BSD systems

Install IP Filter

First, get and install the IP Filter package.

Configure ipnat

Put these lines in /etc/ipnat.rules:

        # Redirect direct web traffic to local web server.
        rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp

        # Redirect everything else to squid on port 8080
        rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp"

...

  However, on reading 17.6 again, I see that Duane did in fact do it
with ipfw, contrary to what I'd remembered, even though he mentioned IP
filter at the beginning. I haven't tried that config, so I don't know
if it works or what needs to be adjusted. I do know that doing it with
ipnat and the ip filter package works on a couple flavors of BSD, so
I'd recommend using that based on the instructions in 17.1 instead. IP
filter has been included in the standard FreeBSD distrib for a while.

  -- Clifton

-- 
 Clifton Royston  --  LavaNet Systems Architect --  cliftonr@lava.net
      The named which can be named is not the Eternal named.
Received on Mon Mar 13 2000 - 14:58:49 MST
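The two ipnat rdr rules quoted from FAQ 17.1 only work as intended because the specific /32 rule for the local web server comes before the 0.0.0.0/0 catch-all that sends everything else to squid on 8080. The small simulator below is an added example written for this archive page; it is not code from the Squid FAQ, from Duane Wessels, or from the thread. It assumes first-match ordering for rdr rules (which is what the FAQ's ordering relies on) and the exact rule shape shown in the FAQ (`rdr IFACE NET/PREFIX port P -> NEWDST port NEWP PROTO`); the client address 198.51.100.7 and the reversed rule set are constructed for the demonstration.

```python
"""Constructed first-match simulator for ipnat `rdr` rules of the shape
quoted in Squid FAQ 17.1 (an added example, not part of the original post).

It parses an /etc/ipnat.rules-style text, answers "where would a packet
to DST:PORT on IFACE be redirected?", and flags rules that are shadowed
by an earlier, broader rule so the 'exempt the local web server' rule
cannot silently be swallowed by the catch-all that sends port 80 to squid.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed rule syntax (the FAQ's examples fit it; ipnat accepts more forms):
#   rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp
RULE_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<net>\S+)\s+port\s+(?P<port>\d+)\s*->\s*"
    r"(?P<newdst>\S+)\s+port\s+(?P<newport>\d+)\s+(?P<proto>\w+)$"
)


@dataclass
class RdrRule:
    iface: str
    net: ipaddress.IPv4Network
    port: int
    newdst: str
    newport: int
    proto: str

    def matches(self, iface, dst, port, proto):
        return (self.iface == iface
                and ipaddress.IPv4Address(dst) in self.net
                and self.port == port
                and self.proto == proto)


def parse_rules(text):
    """Parse rdr lines; '#' comments and blank lines are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised rdr rule: {raw!r}")
        rules.append(RdrRule(
            m["iface"],
            ipaddress.IPv4Network(m["net"], strict=False),
            int(m["port"]), m["newdst"], int(m["newport"]), m["proto"],
        ))
    return rules


def redirect_target(rules, iface, dst, port, proto="tcp"):
    """(newdst, newport) of the first matching rule, or None if untouched.
    First-match ordering is an assumption of this simulator."""
    for rule in rules:
        if rule.matches(iface, dst, port, proto):
            return (rule.newdst, rule.newport)
    return None


def check_ordering(rules):
    """Return [(shadowed_index, shadowing_index), ...]: rule j can never
    fire if an earlier rule i on the same iface/port/proto covers a
    superset of j's destination network."""
    problems = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier.iface, earlier.port, earlier.proto) == \
                    (later.iface, later.port, later.proto) \
                    and earlier.net.supernet_of(later.net):
                problems.append((j, i))
                break
    return problems


# The FAQ 17.1 rules, verbatim (the cache host is 1.2.3.4 in the FAQ).
FAQ_RULES = """
# Redirect direct web traffic to local web server.
rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp

# Redirect everything else to squid on port 8080
rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp
"""

# Constructed misordering: catch-all first, so the /32 rule is dead.
REVERSED_RULES = """
rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp
rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp
"""

if __name__ == "__main__":
    good = parse_rules(FAQ_RULES)
    print("FAQ order, client -> 1.2.3.4:80  :", redirect_target(good, "de0", "1.2.3.4", 80))
    print("FAQ order, client -> remote:80   :", redirect_target(good, "de0", "198.51.100.7", 80))
    print("FAQ order, shadowed rules        :", check_ordering(good))
    bad = parse_rules(REVERSED_RULES)
    print("reversed, client -> 1.2.3.4:80   :", redirect_target(bad, "de0", "1.2.3.4", 80))
    print("reversed, shadowed rules         :", check_ordering(bad))
```

With the FAQ's order, a request for the cache host's own web server on port 80 stays on port 80 and everything else on port 80 lands on squid at 8080; with the order reversed, `check_ordering` reports the /32 rule as shadowed and the simulator shows the local web server's traffic being redirected into squid as well. Port 443 and non-tcp traffic match neither rule and pass untouched, which is the behaviour the FAQ's rules imply.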
