RE: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

From: Chris Benesch <[email protected]>
Date: Mon, 28 Apr 2008 22:23:12 -0700

Hi,

First of all, you should change any to any to something more restrictive
like 10.0.0.0/8 to any. I don't think squid needs to read the packet filter
device. I've got a similar setup with 4.1 and it doesn't need to access the
packet filter directly.

To make OpenBSD reload the configuration file, the easiest way is to just
issue a pfctl -e -f /etc/pf.conf and it should reload the rules. Just to
make sure, you can do pfctl -d; pfctl -e -f /etc/pf.conf. It will stop, then
start pf again.

-----Original Message-----
From: Indunil Jayasooriya [mailto:indunil75@gmail.com]
Sent: Monday, April 28, 2008 8:38 PM
To: squid-users
Subject: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

> What command I have to issue to complete this task with PF on OpenBSD 4.2?
> What should I do?

 Configuring pf
 The pf configuration is /etc/pf.conf. The file is documented in
 pf.conf(5). This is a minimal example of the required rdr rule. Make
 sure you also allow the redirected connections to pass, they'll have
 destination address 127.0.0.1 when the filter rules are evaluated.
 Redirection does not automatically imply passing. Also, the proxy must
 be able to establish outgoing connections to external web servers.

 int_if="gem0"
 ext_if="kue0"

 rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

 pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
 pass out on $ext_if inet proto tcp from any to any port www keep state

 Note that squid needs to open /dev/pf in order to query the packet
 filter. The default permissions for this file allow access only to
 root. squid is running as user _squid, group _squid, so one way to
 allow access to squid is by changing the group ID of the file to
 _squid and making it group-accessible:

 # chgrp _squid /dev/pf
 # chmod g+rw /dev/pf

 pls click below URL for more

 http://www.benzedrine.cx/transquid.html

 --
 Thank you
 Indunil Jayasooriya

Received on Tue Apr 29 2008 - 05:23:45 MDT
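
The reply's advice to narrow "any to any" can be checked mechanically. The script below is an added example, not part of the thread or of squid/pf: it lists rdr rules into the proxy port that accept source "any" and, going one step beyond the reply, the matching pass rule too. The helper names, PROXY_PORT and both sample rulesets are assumptions constructed from the rules quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: list proxy rules whose source is "any".
PROXY_PORT=3128   # assumption: the squid port used in the quoted rules

# audit_pf FILE (hypothetical helper): print "LINE: rule" for each rdr/pass
# rule that targets PROXY_PORT from source "any"; return 1 if any was found.
audit_pf() {
    awk -v port="$PROXY_PORT" '
        /^[ \t]*#/ { next }                  # ignore comment lines
        {
            start = NR
            # join backslash-continued lines so a wrapped rule is seen whole
            while (sub(/\\[ \t]*$/, "") && (getline nxt) > 0) $0 = $0 " " nxt
        }
        ($1 == "rdr" || $1 == "pass") &&
        $0 ~ ("port[ \t]+" port "([ \t]|$)") &&
        $0 ~ /from[ \t]+any[ \t]/ {
            printf "%d: %s\n", start, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the quoted ruleset, rdr wrapped with a continuation.
sample_open() {
    cat <<'EOF'
int_if="gem0"
ext_if="kue0"
rdr on $int_if inet proto tcp from any to any port www \
    -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
EOF
}

# Constructed sample: the same rules with the source narrowed to 10.0.0.0/8.
sample_restricted() {
    cat <<'EOF'
int_if="gem0"
ext_if="kue0"
rdr on $int_if inet proto tcp from 10.0.0.0/8 to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from 10.0.0.0/8 to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
EOF
}

f=$(mktemp); sample_open > "$f"; audit_pf "$f" || echo "narrow the rules listed above"; rm -f "$f"
```

After editing the real file, pfctl -nf /etc/pf.conf parses the ruleset without loading it, which catches syntax errors before the reload commands given in the reply.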

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT