# Squid 3.2.7 and interception problem



## danaeckel (Feb 26, 2013)

After two days of trial and error, Googling, and reading forum threads, I am now at a dead end. I have compiled my kernel with forwarding in mind and installed Squid with the IPFW intercept option. If I have the intercept option omitted from my squid.conf and point my browser to Squid, everything works great; however, if I add intercept and remove the proxy settings from my browser, it is as though I have no proxy. Can somebody tell me what I am doing wrong, or list some commands I can run to see if forwarding is working, etc.?

I feel it is my firewall; any thoughts? If anybody has thoughts on my firewall, please share.


```
#!/bin/sh
ipfw -q flush

add="ipfw -q add"

# Allow everything within the LAN
$add 10 allow ip from 192.168.255.0/24 to any via lo0
$add 20 allow ip from 192.168.255.0/24 to any via re1

# Catch spoofing from outside
$add 90 deny ip from any to any not antispoof in

$add 100 divert natd ip from any to any via re0 in
$add 101 check-state

$add 00080 fwd 127.0.0.1,3128 tcp from any to any 80 recv re1

# Rules for outgoing traffic - allow everything that is not explicitly denied
$add 1000 deny ip from not me to any 53, 25 via re0 out

# Allow all other outgoing connections
$add 2000 skipto 10000 tcp from any to any via re0 out setup keep-state
$add 2010 skipto 10000 udp from any to any via re0 out keep-state

# Rules for incoming traffic - deny everything that is not explicitly allowed
$add 5000 allow tcp from any to any 80, 443, 22 via re0 in setup limit src-addr 10

# Catch tcp/udp packets, but don't touch gre, esp, icmp traffic
$add 9998 deny tcp from any to any via re0
$add 9999 deny udp from any to any via re0

$add 10000 divert natd ip from any to any via re0 out

$add 65534 allow ip from any to any
```

Right here is my squid.conf. It is pieced together from various websites and forums. It was hard for me to follow configs because some were set up for Squid 2.5.


```
#
# Recommended minimum configuration:
#
# Squid normally listens to port 3128
http_port 127.0.0.1:3128 intercept

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
# acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
# acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.255.0/24	# RFC1918 possible internal network
acl localnet src 127.0.0.1
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
# (the directive must be "deny all" to match this comment; "allow all" here
# would turn Squid into an open proxy for any client that can reach it)
http_access deny all

cache_mem 2048 MB

maximum_object_size 2048 MB

visible_hostname BSD-SRV

icap_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=1 icap://127.0.0.1:1344/squidclamav
adaptation_access service_resp allow all

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache/squid 20000 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache/squid

# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern -i (/cgi-bin/|\?) 0	0%	0
refresh_pattern .		0	20%	4320
```


----------
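An added example, not part of the original post: ipfw evaluates rules in ascending number order, so an `allow` rule on the LAN interface numbered lower than the `fwd ...,3128 ... 80` rule accepts browser traffic before it can be redirected to Squid. The script below checks a rule listing for exactly that ordering trap; the two listings are constructed from the post's script in the format `ipfw list` prints, and the `fwd_shadowed` function name is mine.

```sh
#!/bin/sh
# Added example, not from the original post. Detects the ipfw ordering trap that
# defeats interception: an "allow" rule covering the LAN interface that is numbered
# lower than the "fwd" rule. Rule listings are constructed (not real ipfw output).

# As in the post: allow via re1 at 00020, fwd at 00080 -> fwd is never reached.
SHADOWED_RULES='00010 allow ip from 192.168.255.0/24 to any via lo0
00020 allow ip from 192.168.255.0/24 to any via re1
00080 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv re1
00090 deny ip from any to any not antispoof in
65534 allow ip from any to any'

# Reordered: the fwd rule now precedes the LAN allow rule.
REORDERED_RULES='00010 allow ip from 192.168.255.0/24 to any via lo0
00015 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 recv re1
00020 allow ip from 192.168.255.0/24 to any via re1'

# fwd_shadowed LISTING: prints the number of the first "allow" rule that sits
# above the first "fwd" rule and covers the same interface (or every interface).
# Exit status 0 if such a rule exists, 1 otherwise (including no fwd rule at all).
fwd_shadowed() {
    printf '%s\n' "$1" | awk '
        # interface named after "via" or "recv"; empty string means any interface
        function iface(    i) {
            for (i = 3; i <= NF; i++)
                if ($i == "via" || $i == "recv") return $(i + 1)
            return ""
        }
        $2 == "allow" && !seen_fwd { num[++n] = $1; ifc[n] = iface() }
        $2 == "fwd" && !seen_fwd {
            seen_fwd = 1; fwd_if = iface()
            for (i = 1; i <= n; i++)
                if (ifc[i] == "" || ifc[i] == fwd_if) { print num[i]; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration over both constructed listings.
for listing in "$SHADOWED_RULES" "$REORDERED_RULES"; do
    if rule=$(fwd_shadowed "$listing"); then
        echo "fwd rule is shadowed by allow rule $rule; interception cannot work"
    else
        echo "fwd rule is reached before any LAN allow rule"
    fi
done
```

On a live FreeBSD box the same check runs as `fwd_shadowed "$(ipfw list)"`; it only compares interfaces, so an earlier allow rule for a different subnet on the same interface is reported as well and needs a manual look.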

