Re: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2

From: Amos Jeffries <[email protected]>
Date: Thu, 01 May 2008 00:39:05 +1200

Chris Benesch wrote:
> Hi,
>
> First of all, you should change any to any to something more restrictive
> like 10.0.0.0/8 to any. I don't think squid needs to read the packet filter
> device, I've got a similar setup with 4.1 and it doesn't need to access the
> packet filter directly.

Squid uses system calls to connect up ip-filter and ioctls for PF.
It does this at the highest priority it has available (root when able,
or the effective-user).
If anything has changed in 4.2 to break this, we'd like to know.

>
> To make OpenBSD reload the configuration file, the easiest way is to just
> issue a pfctl -e -f /etc/pf.conf and it should reload the rules. Just to
> make sure you can do pfctl -d; pfctl -e -f /etc/pf.conf. It will stop then
> start pf again.
>
> -----Original Message-----
> From: Indunil Jayasooriya [mailto:indunil75@gmail.com]
> Sent: Monday, April 28, 2008 8:38 PM
> To: squid-users
> Subject: [squid-users] Fwd: HTTP Transparent Proxy on OpenBSD 4.2
>
>> What command I have to issue to complete this task with PF on OpenBSD
>> 4.2?
>> What should I do?
>
> Configuring pf
> The pf configuration is /etc/pf.conf. The file is documented in
> pf.conf(5). This is a minimal example of the required rdr rule. Make
> sure you also allow the redirected connections to pass, they'll have
> destination address 127.0.0.1 when the filter rules are evaluated.
> Redirection does not automatically imply passing. Also, the proxy must
> be able to establish outgoing connections to external web servers.
>
> int_if="gem0"
> ext_if="kue0"
>
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
>
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
>
> Note that squid needs to open /dev/pf in order to query the packet
> filter. The default permissions for this file allow access only to
> root. squid is running as user _squid, group _squid, so one way to
> allow access to squid is by changing the group ID of the file to
> _squid and make it group-accessible:
>
> # chgrp _squid /dev/pf
> # chmod g+rw /dev/pf
>
> Please click the URL below for more:
>
> http://www.benzedrine.cx/transquid.html
>
> --
> Thank you
> Indunil Jayasooriya

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
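An added shell check, not code from this thread or from the transquid page it quotes: it lints a pf.conf fragment for the three rules the quoted instructions call for (the rdr to 127.0.0.1 port 3128, the pass in for the redirected connections, the pass out to external web servers) and warns when the rdr still matches "from any", the point Chris raised about narrowing the source to something like 10.0.0.0/8. The macro expansion only understands the simple name="value" form used above, and the rule patterns are this example's assumptions about how the rules are written.

```shell
#!/bin/sh
# Added example, not code from the thread: lint a pf.conf fragment for the
# three rules the quoted transquid instructions require, and flag the
# "from any" rdr that Chris Benesch advised narrowing to e.g. 10.0.0.0/8.

# Strip comments/blank lines and expand simple macros such as int_if="gem0"
# so the rule checks below see interface names, not $int_if (assumption:
# only the name="value" macro form is handled).
normalize_rules() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*="/ {
            split($0, kv, "="); gsub(/"/, "", kv[2])
            macro[kv[1]] = kv[2]; next
        }
        { for (m in macro) gsub("\\$" m, macro[m]); print }'
}

# Return 0 when the rdr, the pass-in and the pass-out rule are all present,
# otherwise print what is missing and return 1. Redirection does not imply
# passing, so the pass-in rule for 127.0.0.1 port 3128 is checked separately.
# An over-broad rdr only produces a warning: it still works, it just
# redirects traffic from sources the proxy was never meant to serve.
check_transquid_rules() {
    rules=$(normalize_rules "$1")
    status=0
    echo "$rules" | grep -Eq '^rdr .*proto tcp .*to any port (www|80) -> 127\.0\.0\.1 port 3128' \
        || { echo "MISSING: rdr rule sending port www to 127.0.0.1 port 3128"; status=1; }
    echo "$rules" | grep -Eq '^pass in .*proto tcp .*to 127\.0\.0\.1 port 3128' \
        || { echo "MISSING: pass in rule for redirected connections (dst 127.0.0.1 port 3128)"; status=1; }
    echo "$rules" | grep -Eq '^pass out .*proto tcp .*to any port (www|80)' \
        || { echo "MISSING: pass out rule letting squid reach external web servers"; status=1; }
    echo "$rules" | grep -Eq '^rdr .*from any to any port (www|80)' \
        && echo "WARNING: rdr matches 'from any'; restrict the source (e.g. 10.0.0.0/8)"
    return $status
}

# Usage: sh check_transquid.sh /etc/pf.conf
if [ $# -eq 1 ]; then check_transquid_rules "$1"; fi
```

A clean run prints nothing and exits 0; the exit status can be used as a pre-check before `pfctl -f /etc/pf.conf`.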
Received on Wed Apr 30 2008 - 12:38:29 MDT

This archive was generated by hypermail 2.2.0 : Thu May 01 2008 - 12:00:04 MDT