Re: [squid-users] FreeBSD & Transparent

From: Thomas-Martin Seck <tmseck-lists@dont-contact.us>
Date: Fri, 2 Apr 2004 19:39:32 +0200

* Jay W. Reffner (reffner@findlay.edu):

(I am the maintainer of the FreeBSD squid port)

> Does anyone know if you're supposed to use ipfilter or ipnat on FreeBSD
> 5.1 to get Squid to work in transparent mode? Also, does anyone have a
> simple rule file they wouldn't mind sharing to aid me in configuring
> mine? Thanks a bunch in advance.

You cannot build squid with ipfilter support (unless you know what you
are doing) on FreeBSD nowadays; see FreeBSD PR 60700 for details.
You can, however, use ipfw(4). If you update your FreeBSD installation
to 5-CURRENT you could also use pf(4), which was recently imported from
OpenBSD; I added experimental support but did not try whether it does
the right thing and have got no user feedback yet.

I was recently told by a user via personal mail that the following
ipfw(4) setup should do the trick (BTW, could someone (hno?) update the
FAQ regarding transparent proxying on FreeBSD?):

| In ipfw I have two rules:
|
| fwd 127.0.0.1,8888 tcp from any to any dst-port 80 out recv fxp0 xmit bge0
| // Squid proxy //
| fwd 127.0.0.1,8888 tcp from any to any dst-port 8080 out recv fxp0 xmit bge0
| // Squid proxy on 8080 //
|
| one is catching connections to port 80, the other one to port 8080;
| 127.0.0.1 - 8888 is the address/port where squid is listening,
| fxp0 - interface to LAN
| and bge0 - interface to Internet.
|
| and a few changes to squid.conf - but this, I am sure, is documented.
| I also have apache running on my host, to which I can connect
| without touching the proxy.
|
| I checked the squid faq,
| ipfw add 50 fwd 127.0.0.1,3128 tcp from any to any 80
| This doesn't work, because it would catch the outgoing connections
| which squid tries to establish to the web server, and redirect them
| back to it again.
| Also, httpd_accel_port ... is not correct: in the FAQ it is set to 80,
| but it has to be 0.. otherwise if I catch connections to 8080,
| squid tries to connect to port 80 on the web server - and it doesn't
| work.
|
| squid faq should be updated I think..
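As an added example (not from the original mail, nor from squid or the FreeBSD port), here is a small Python model of how the quoted ipfw(4) "fwd" rules match packets. It shows the two points the mail makes: the bare FAQ rule also catches squid's own outbound connections and sends them back to squid, while the rule qualified with "out recv fxp0 xmit bge0" only catches traffic that arrived from the LAN and is leaving via the Internet interface; and with httpd_accel_port set to 80, a connection caught on port 8080 is forwarded to port 80 on the origin server. The interface names, addresses and ports are those from the mail; the client, gateway and origin IP addresses are constructed, the matching model covers only the rule options the mail uses, and the httpd_accel_port behaviour is modelled as the mail describes it.

```python
# Added example, not part of the original mail: a simplified model of ipfw(4)
# "fwd" rule matching for the transparent-proxy setup discussed on the list.
from dataclasses import dataclass
from typing import List, Optional

SQUID_ADDR, SQUID_PORT = "127.0.0.1", 8888   # where squid listens (from the mail)
LAN_IF, WAN_IF = "fxp0", "bge0"              # interface names from the mail
CLIENT_IP = "192.168.1.10"                    # constructed LAN client address
GATEWAY_WAN_IP = "203.0.113.5"                # constructed address of the gateway's bge0
ORIGIN_IP = "198.51.100.20"                   # constructed origin web server address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str            # "in" or "out" pass through ipfw
    recv_if: Optional[str]    # interface the packet arrived on; None if locally generated
    xmit_if: Optional[str]    # interface the packet will leave on; None on the inbound pass


@dataclass(frozen=True)
class FwdRule:
    """Subset of 'fwd A,P tcp from any to any dst-port N [out recv X xmit Y]'."""
    dport: int
    direction: Optional[str] = None
    recv_if: Optional[str] = None
    xmit_if: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # every option given on the rule must agree with the packet
        if pkt.dport != self.dport:
            return False
        if self.direction and pkt.direction != self.direction:
            return False
        if self.recv_if and pkt.recv_if != self.recv_if:
            return False
        if self.xmit_if and pkt.xmit_if != self.xmit_if:
            return False
        return True

    def render(self) -> str:
        """Render the rule body as it would appear in an ipfw rule file."""
        s = f"fwd {SQUID_ADDR},{SQUID_PORT} tcp from any to any dst-port {self.dport}"
        if self.direction:
            s += f" {self.direction}"
        if self.recv_if:
            s += f" recv {self.recv_if}"
        if self.xmit_if:
            s += f" xmit {self.xmit_if}"
        return s


# The bare rule from the FAQ (no direction or interface qualifiers).
FAQ_RULES = [FwdRule(80)]


def qualified_rules(ports=(80, 8080)) -> List[FwdRule]:
    """The interface-qualified rules from the mail, one per intercepted port."""
    return [FwdRule(p, "out", LAN_IF, WAN_IF) for p in ports]


def first_match(rules: List[FwdRule], pkt: Packet) -> Optional[FwdRule]:
    return next((r for r in rules if r.matches(pkt)), None)


def trace(rules: List[FwdRule], dport: int = 80, accel_port: int = 0, max_hops: int = 4) -> List[str]:
    """Follow one client request through the gateway and return the hops it takes.

    The last hop is 'origin:<port>' when the request reaches the web server and
    'loop' when squid's own outbound connection is forwarded back to squid.
    accel_port models httpd_accel_port as the mail describes it: 0 keeps the
    port the client asked for, anything else makes squid connect to that port.
    """
    hops: List[str] = []
    # the client's packet on its outbound pass: arrived from the LAN, leaving via WAN
    pkt = Packet(CLIENT_IP, ORIGIN_IP, dport, "out", LAN_IF, WAN_IF)
    for _ in range(max_hops):
        if first_match(rules, pkt) is None:
            hops.append(f"origin:{pkt.dport}")
            return hops
        hops.append("squid")
        if hops.count("squid") > 1:        # forwarded twice: squid talking to itself
            hops.append("loop")
            return hops
        # squid's own connection to the origin: locally generated (no receive
        # interface), leaving via the WAN interface
        upstream_port = dport if accel_port == 0 else accel_port
        pkt = Packet(GATEWAY_WAN_IP, ORIGIN_IP, upstream_port, "out", None, WAN_IF)
    hops.append("loop")
    return hops


if __name__ == "__main__":
    for r in qualified_rules():
        print(r.render())
    print("FAQ rule, port 80:", trace(FAQ_RULES))
    print("qualified rules, port 80:", trace(qualified_rules()))
    print("qualified rules, port 8080, httpd_accel_port 80:", trace(qualified_rules(), 8080, 80))
    print("qualified rules, port 8080, httpd_accel_port 0:", trace(qualified_rules(), 8080, 0))
```

Running it prints the two rules from the mail and then the hop lists: the FAQ rule ends in "loop", the qualified rules end in "origin:80", and for a port 8080 request the origin port is 80 or 8080 depending on httpd_accel_port. A request to a web server on the gateway itself only makes the inbound pass, so the "out" qualifier also keeps it away from squid, which matches the mail's remark about reaching the local apache directly.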

Received on Fri Apr 02 2004 - 10:39:39 MST