freebsd pf squid 透明

freebsd pf squid 透明

我绞尽脑汁处理这个问题。Squid 是从端口 /usr/ports/www/squid32 构建的,并启用了 PF_TP。

我可以正常上网,但奇怪的是流量绕过了 squid。显然,squid 日志也是空的。

我不确定哪里出了问题。配置似乎没问题。

这是我的 SQUID 配置

  1 # Squid normally listens to port 8080
  2 http_port 127.0.0.1:8080 intercept   # intercept = expects pf-redirected plain HTTP; bound to loopback, so it only ever sees what the pf rdr actually delivers to 127.0.0.1:8080. NOTE(review): an http_port cannot terminate TLS, so 443 connections redirected here by pf will fail; HTTPS interception needs https_port + ssl-bump and is a separate design decision
  3 #http_port 8080
  4
  5 # Squid hostname
  6 visible_hostname hqproxy.nis.edu.kz
  7 cache_mgr [email protected]
  8
  9 cache_dir ufs /squid 20000 64 128
 10 coredump_dir /var/squid/cache/squid
 11 cache_mem 8 MB
 12 maximum_object_size 50960 KB
 13 maximum_object_size_in_memory 32 KB
 14
 15 cache_log /var/log/squid/cache.log   # first place to look while access.log stays empty: startup errors, unknown-directive warnings and /dev/pf permission problems land here
 16 cache_store_log /var/log/squid/store.log
 17 cache_access_log /var/log/squid/access.log   # NOTE(review): `access_log` is the documented 3.x directive name; check cache.log for a warning about this older spelling
 18 cache_effective_user squid   # privileges are dropped to this user; with the PF_TP build Squid looks up the original destination via /dev/pf, so this user needs read/write on /dev/pf (confirm in cache.log)
 19 cache_effective_group squid
 20
 21 #server_persistent_connections on
 22 #client_persistent_connections on
 23
 24 #dead_peer_timeout 30 seconds
 25
 26 #hierarchy_stoplist cgi-bin php asp conf ?
 27 #acl QUERY urlpath_regex cgi-bin \? \.php$ \.asp$ \.shtml$ \.cfm$ \.cfml$ \.phtml$ \.php3$ \.conf$
 28 #no_cache deny QUERY
 29 #acl myself dst 127.0.0.1 192.168.1.68
 30 #always_direct allow myself
 31 #always_direct allow QUERY
 32
 33 #negative_ttl 5 minutes
 34 #positive_dns_ttl 6 hours
 35 #negative_dns_ttl 1 minute
 36 #connect_timeout 60 seconds
 37 #request_timeout 3 minutes
 38 #persistent_request_timeout 1 minute
 39 #read_timeout 15 minutes
 40 #client_lifetime 1 day
 41 #half_closed_clients off
 42 #pconn_timeout 2 minutes
 43 #shutdown_lifetime 1 seconds
 44
 45 #Configure downloading even after aborted requests.
 46 #quick_abort_min 0 KB
 47 #quick_abort_max 0 KB
 48
 49 acl localnet src 192.168.1.0/24   # must stay in sync with net_local in pf.conf: only these sources are redirected and allowed
 50 acl SSL_ports port 443
 51 acl Safe_ports port 80      # http
 52 acl Safe_ports port 21      # ftp
 53 acl Safe_ports port 443     # https
 54 acl Safe_ports port 70      # gopher
 55 acl Safe_ports port 210     # wais
 56 acl Safe_ports port 1025-65535  # unregistered ports
 57 acl Safe_ports port 280     # http-mgmt
 58 acl Safe_ports port 488     # gss-http
 59 acl Safe_ports port 591     # filemaker
 60 acl Safe_ports port 777     # multiling http
 61 acl CONNECT method CONNECT
 62
 63 #include /usr/local/etc/squid/auth.conf
 64
    # http_access is first-match. With the allow above the two deny lines, the Safe_ports and
    # CONNECT restrictions never apply to LAN clients. The usual order is:
    #   http_access deny !Safe_ports
    #   http_access deny CONNECT !SSL_ports
    #   http_access allow localnet
    #   http_access deny all
 65 http_access allow localnet   # matches every LAN request before the deny rules below are consulted
 66 http_access deny !Safe_ports
 67 http_access deny CONNECT !SSL_ports
 68 http_access deny all   # final default deny (anything not from localnet, e.g. stray connections to the intercept port)

这是 PF 配置

  1 ## --- VARS ----------------------------------------------------------------- ##
  2
  3 if_int="em1"   # LAN side: client packets ARRIVE here, so rdr/intercept rules must be bound to this interface
  4 if_ext="em0"   # WAN side
  5 if_vpn="tun0"   # defined but not referenced by any rule below
  6
  7 ip_ext="a.a.a.a/32"   # placeholder as posted
  8 ip_int="192.168.1.68/32"
  9
 10 ports_client = "{ 21, 22, 25, 110, 123, 80, 443, 53, 3389,8080, >=49151 }"   # LAN -> Internet allow-list; 80/443 are listed here but are meant to be caught by the rdr first
 11 ports_ext_tcp = "{ 22, 8329 }"   # opened to the whole Internet by rule 57; consider a source restriction or max-src-conn-rate on 22
 12 ports_ext_udp = "{ 1194 }"
 13
 14 net_local = "192.168.1.0/24"   # must match `acl localnet` in squid.conf
 15 net_tunvpn = "10.0.1.0/24"
 16 net_semfm = "10.18.0.0/24"
 17 net_noroute= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.         0.0/8, 240.0.0.0/4 }"   # NOTE(review): "0.0.         0.0/8" looks like a paste artifact for 0.0.0.0/8 -- verify; also this list is never used by a rule below, so bogon sources on $if_ext are not explicitly blocked
 18
 19 state_mod = "flags S/SA modulate state"   # unused below; the rules use plain keep state
 20 state_syn = "flags S/SA synproxy state"   # unused below
 21
 22 ## --- OPTIONS ------------------------------------------------------------------ ##
 23
 24 set block-policy drop   # blocked packets are silently dropped rather than answered with RST/ICMP
 25 set state-policy floating
 26 set loginterface $if_ext
 27 set optimization normal
 28 set skip on lo0   # lo0 is not filtered at all; this is what the route-to lo0 trick on rule 62 relies on
 29
 30 ## --- NORMALIZATION ------------------------------------------------------------- ##
 31
 32 scrub in all
 33 scrub on $if_ext all reassemble tcp
 34
 35 ## --- QUEUEING ------------------------------------------------------------------ ##
 36
 37 altq on $if_ext cbq bandwidth 40Mb queue {normal, high, top}
 38 queue normal    bandwidth 40% priority 1 cbq (default borrow)
 39 queue high      bandwidth 50% priority 5 cbq (borrow ecn)
 40 queue top       bandwidth 10% priority 7 cbq (borrow)
 41
 42
 43 ## --- NAT RDR ------------------------------------------------------------------- ##
 44
 45 nat on $if_ext from $net_local to any -> ($if_ext)   # masquerade the LAN behind the WAN address; without a matching rdr, client HTTP simply takes this path
 46 ## redirect all www to squid 8080
    ## NOTE(review): rdr matches packets as they ARRIVE on the named interface. LAN clients enter on
    ## $if_int, so this rule on $if_ext never fires and the nat rule above carries them straight out --
    ## which is exactly the "internet works, squid log empty" symptom. Bind it to the LAN side:
    ##   rdr on $if_int inet proto tcp from $net_local to any port 80 -> 127.0.0.1 port 8080
    ## 443 is deliberately left out of that line: the Squid listener is a plain-HTTP intercept port and
    ## cannot terminate TLS, so redirected HTTPS flows would just break.
 47 rdr on $if_ext inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080
 48
 49 ## --- FILTERING ----------------------------------------------------------------- 
50
 51 antispoof quick for $if_int   # only the LAN side is antispoofed; $if_ext gets no antispoof and no net_noroute block
 52
 53
 54 block log all   # default deny, logged; everything below is a carve-out
 55 pass in on $if_ext inet proto icmp all icmp-type echoreq
 56
 57 pass in on $if_ext inet proto tcp from any to any port $ports_ext_tcp flags S/SA keep state   # 22 and 8329 reachable from any source
 58 pass in on $if_ext inet proto udp from any to any port $ports_ext_udp keep state
 59
 60 pass out on $if_ext keep state   # anything leaving the WAN side is allowed: NATed LAN traffic and Squid's own upstream fetches
 61
 62 pass in quick on $if_int route-to lo0 inet proto tcp from $net_local to 127.0.0.1 port 8080 keep state   # filter rules see the post-rdr destination, so this only matches once an rdr has rewritten a packet to 127.0.0.1:8080; with the rdr on $if_ext nothing ever reaches it. NOTE(review): if the route-to lo0 trick does not deliver locally, the common alternative is to rdr to $ip_int and have Squid listen there instead of 127.0.0.1
 63 pass in on $if_int inet proto icmp all icmp-type echoreq
 64 pass in on $if_int inet proto {tcp,udp} from $net_local to any port $ports_client keep state   # LAN -> Internet allow-list; today 80/443 land here because the rdr never fired
 65 pass out on $if_int keep state

答案1

将:

rdr on $if_ext inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080

改为:

rdr on $if_int inet proto tcp from $net_local to any port {80, 443} -> 127.0.0.1 port 8080
