I want to use OpenBSD 5.7 as a filtering bridge in front of my router and, as part of that, run a transparent proxy (Squid 3.5.1) to manage web access. I have set up the OpenBSD machine as a bridge and it works fine. However, I cannot get pf to divert web traffic to Squid.
This is what my network looks like:
[Internet]
    |
    |
[OpenBSD]
    |
    |
[ (Router) ]
    |          |
    |          |
[Wired Workstations] [Wi-Fi]
If I connect the OpenBSD machine to my network and manually configure the workstations to use it as a proxy, Squid works fine. I made the following setting in the Squid configuration to enable transparent interception:
http_port 127.0.0.1:3129 tproxy
Here is my pf configuration:
# internet facing
ext_if = "em1"
# internal facing
int_if = "em0"
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
match in all scrub (no-df max-mss 1440)
# Prevent spoofing
antispoof log for $ext_if label "antispoof"
# Block anything coming from a source we have no back route for
block in log from no-route to any label "no back route"
# Proxy http
pass in quick on $int_if inet proto tcp to port www divert-to 127.0.0.1 port 3129
pass out quick from 127.0.0.1 divert-reply
pass in on $int_if
pass out on $int_if
pass in on $ext_if
pass out on $ext_if
Does anyone know why my divert rule isn't working? I looked at the logs:
pass in quick on em0 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129
[ Evaluations: 36248 Packets: 544 Bytes: 355122 States: 29 ]
[ Inserted: uid 0 pid 15666 State Creations: 29 ]
pass out quick inet from 127.0.0.1 to any flags S/SA divert-reply
[ Evaluations: 72399 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 15666 State Creations: 0 ]
I can see that the rules "work", but nothing shows up in the Squid log and I can still access websites. This is basically the rule Squid recommends. I tried using this rule instead:
pass in log quick on $int_if inet proto tcp from any to any port www rdr-to 127.0.0.1 port 3129
When I use this one, I can see the rule redirecting, but nothing shows up in the Squid log. Website requests also time out.
pass in log quick on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 127.0.0.1 port 3129
[ Evaluations: 25213 Packets: 8 Bytes: 496 States: 1 ]
Here is the output of ifconfig:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
priority: 0
groups: lo
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e8:4c:68:1a:f1
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:e8:4c:68:1a:f2
priority: 0
media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
status: active
enc0: flags=0<>
priority: 0
groups: enc
status: active
bridge0: flags=41<UP,RUNNING>
groups: bridge
priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
em0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
port 1 ifpriority 0 ifcost 0
em1 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
port 2 ifpriority 0 ifcost 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
priority: 0
groups: pflog
How do I get this working? What's wrong with my pf rules?
Update
This is a bit strange.
If I use
pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3129
pass out quick log from 127.0.0.1 divert-reply
I get the following in the log:
rule 3/(match) pass in on em0: 233.297.39.227.32880 > 153.94.152.119.87: S 2656450467:2656450467(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 605332037 0,[|tcp]> (DF)
If I change it to
pass in quick log on $int_if inet proto tcp to port 80 rdr-to 127.0.0.1 port 3129
pass out quick log from 127.0.0.1 divert-reply
I see the following in the log, but nothing shows up in the Squid log and, unsurprisingly, requests to websites time out:
rule 3/(match) pass in on em0: 233.297.39.227.39091 > 127.0.0.1.3129: S 409217949:409217949(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 605394683 0,[|tcp]> (DF)
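An added helper for reading `pfctl -vsr` counters like the ones quoted above (example code, not from the question or the answer; the sample output is constructed from the counters the question quotes): it parses each rule's counters and lists divert/rdr rules that pf evaluated but that never matched a packet, which is the pattern the divert-reply rule shows here.

```python
import re

# Sample `pfctl -vsr` output, constructed from the counters quoted in the question.
SAMPLE = """\
pass in quick on em0 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129
  [ Evaluations: 36248     Packets: 544       Bytes: 355122      States: 29    ]
  [ Inserted: uid 0 pid 15666 State Creations: 29    ]
pass out quick inet from 127.0.0.1 to any flags S/SA divert-reply
  [ Evaluations: 72399     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 15666 State Creations: 0     ]
pass in log quick on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 127.0.0.1 port 3129
  [ Evaluations: 25213     Packets: 8         Bytes: 496         States: 1     ]
"""

COUNTERS = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
CREATIONS = re.compile(r"State Creations:\s*(\d+)")
REDIRECT_KEYWORDS = ("divert-to", "divert-reply", "rdr-to")


def parse_pfctl_rules(text):
    """Parse `pfctl -vsr` output into one dict per rule carrying its counters."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):          # a counter line belongs to the previous rule
            if not rules:
                continue
            m = COUNTERS.search(line)
            if m:
                ev, pk, by, st = (int(x) for x in m.groups())
                rules[-1].update(evaluations=ev, packets=pk, bytes=by, states=st)
            m = CREATIONS.search(line)
            if m:
                rules[-1]["state_creations"] = int(m.group(1))
            continue
        rules.append({"rule": line, "evaluations": 0, "packets": 0,
                      "bytes": 0, "states": 0, "state_creations": 0})
    return rules


def idle_redirect_rules(rules):
    """Divert/redirect rules that pf evaluated but that never matched a packet.
    In the question this is the divert-reply rule, which stays at zero while Squid logs nothing."""
    return [r["rule"] for r in rules
            if any(k in r["rule"] for k in REDIRECT_KEYWORDS)
            and r["evaluations"] > 0 and r["packets"] == 0]
```

Feed it the real `pfctl -vsr` output instead of SAMPLE; a divert or rdr rule that stays in the idle list while clients browse is the one to investigate first.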
Answer 1
If you have OpenBSD 4.1 or 4.3, you must do:
rdr pass inet proto tcp from 192.168.231.0/24 to any port 80 -> 192.168.231.1 port 3129
block in
pass in quick on $int_if
pass in quick on $wi_if
pass out keep state
If you have OpenBSD 4.4 or later, you must do:
set skip on $int_if
set skip on $wi_if
IPv6:
pass in quick inet6 proto tcp from 2001:DB8::/32 to port www divert-to ::1 port 3129
pass out quick inet6 from 2001:DB8::/32 divert-reply
IPv4:
pass in quick inet proto tcp from 192.0.2.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick inet from 192.0.2.0/24 divert-reply
Update:
Of course, you need to make some changes depending on your interfaces.