在OpenBSD 5.7上配置透明squid 3.4.13时,无法将数据包转移到pf

时间:2015-07-09 08:46:43

标签: squid openbsd

我正在尝试使用pf防火墙在OpenBSD 5.7上使用squid构建透明代理。

我使用以下选项从源代码编译squid:

$ squid -v
Squid Cache: Version **3.4.13**
configure options:  
--prefix=/usr/local/squid
--with-default-user=squid 
--enable-icmp
--enable-storeio=ufs,aufs
--enable-removal-policies=lru,heap
--disable-snmp
--disable-wccp 
--disable-wccpv2
--enable-pf-transparent
--enable-ipv6
--enable-referer-log
--with-nat-devpf
--enable-debug-cbdata
--enable-useragent-log
--enable-refererlog
--enable-cache-digests
--with-large-files
--with-pthreads
--without-mit-krb5
--without-heimdal-krb5
--without-gnugss
--disable-eui
--disable-auth
--enable-ltdl-convenience

$ uname -a
OpenBSD dns.localdomain 5.7 GENERIC#825 amd64

我的squid.conf:

visible_hostname dns.local 
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# allow
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 intercept 

# disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

启用网关连接互联网:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

pf.conf文件:

int_if = "vic1"
ext_if = "vic0"

lan_net = "192.168.1.0/24"

# Settings

set block-policy return
set loginterface egress
set skip on lo

# NAT 

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick log inet from 192.168.1.0/24 divert-reply

# 
# Rules 
#
block all

# allow dns
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53

# allow local access to web
pass quick on $ext_if inet proto tcp from {self} to any port 80

# allow icmp
pass quick on $int_if inet proto icmp from $lan_net to any

# allow ssh from $ext_if
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22

我认为pf规则中的问题。因为pf无法将数据包转移到端口3129?我用命令测试过: nc -l 3129 但它没有响应任何HTTP标头。 Squid wiki中的规则无法应用于pf,因为语法错误。

提前谢谢

1 个答案:

答案 0 :(得分:0)

也许你的意思是$int_if而不是$ext_if? :

pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129

据我了解,您希望将从内部网络传输的流量转移到本地端口3129。

相关问题
最新问题