[squid-users] OpenBSD and pf - Transparent proxy

From: Chris Benesch <chris@dont-contact.us>
Date: Mon, 28 Apr 2008 06:21:36 -0700

This is how to set up a transparent proxy with OpenBSD, pf, and Squid.

A transparent proxy is a proxy that intercepts all connections out of a
network on port 80. The reason that I wanted to have a transparent proxy is
because I wanted to cache all IPv4 traffic and allow IPv6 traffic to flow
unimpeded. I have the OpenBSD box running a NAT with the cable company,
serving a web site, and acting as a router for an IPv6 tunnel and my own /64
I was assigned by my tunnel broker.

I am using squid-2.6STABLE19 and OpenBSD 4.1, MP kernel.

<root:openbsd> [/root]
> uname -a
OpenBSD maricopacomputer.com 4.1 GENERIC.MP#1225 i386

First, compile and install Squid. I used the following options ./configure
--prefix=/var/squid --with-pthreads --enable-pf-transparent obviously
prefix is entirely up to the users choice.

Then inside squid.conf, all of the options are pretty much boilerplate
except for the following:

acl our_networks src >><< http_access allow

You must add to your acl.

# Squid normally listens to port 3128
http_port transparent
>>http_port transparent<<

I had to have it listen on two ip addresses, one of which being localhost.
Also note the transparent keyword at the end.

Then in pf.conf, the following changes need to be made.

In the top portion where you set skip on your internal interfaces, remove
those lines. Those lines tell the pf filter not to do any processing on
packets coming in on an internal interface.
#set skip on $int_if << These lines commented out
#set skip on $wi_if

# redirect only IPv4 web traffic to squid
rdr pass inet proto tcp from to any port 80 ->
port 3128

block in
pass in quick on $int_if
pass in quick on $wi_if
pass out keep state

Some pointers:

1 . Use "rdr pass" instead of "rdr on ..." part of the way that pf
evaluates packets, it would drop through and be allowed as is instead of
redirected if you don't use "rdr pass"
2 . Make sure and add the pass in quick lines. Myself I have two internal
interfaces, one for wired and one for wireless internet. Although there is
a bridge configured, strange things happen sometimes when you don't
explicitly allow all traffic on both interfaces. If you don't add these
lines, you will lose local network connectivity and have to go to the
console to figure it out.
3 . If it seems to be ignoring your changes and no redirection is happening,
make sure you removed the set skip on ... lines.
4 . To test if it worked, use the nc utility. From the command line type in
(as root) nc -l 3128 (with squid stopped of course) and then try to navigate
to a page with it running. You should see an output like this:

<root:openbsd> [/root]
> nc -l 3128
GET /mail/?ui=pb HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; GNotify
Host: mail.google.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: GV=XXXXXXXX...You get the picture

From there on out, just set your browsers up normally with no proxy server,
and you should see the cache fill up and your browsing speed up.
Received on Mon Apr 28 2008 - 13:21:44 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT