# help with my freebsd+ipfw+ipnat+squid 3.0



## cheoac (May 21, 2009)

Hi, my name is Eliseo Acosta. I'm Mexican and my English is not good, but I have a problem.

this is my topology

```
ISP
 |
 |
2wire (modem ip: 192.168.1.254)
 |
 |
DD-WRT (router ip: 192.168.1.100 and ip: 192.168.2.1)
 |
 |
firewall (freebsd, ipfw, ipnat, squid. ip: 192.168.2.2 and ip: 192.168.3.1)
 |
 |
Clients (192.168.3.0/24)
```

////////Script /etc/ipfw.rules//////////

```
$cmd 00090 allow all from any to any via $outside
```
////////etc/ipnat.rules///////

```
map em0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
```
///////squid.conf///////// 

```
http_port 3128 trasparent
acl mired 192.168.3.0/255.255.255.0
acl deny_site "/usr/local/etc/squid/deny_site"

http_access allow mired
http_access deny deny_site
```
////kernel/////

```
options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPFIREWALL_VERBOSE_LIMIT=5
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPDIVERT
```
My ipnat and ipfw work well, but Squid doesn't filter the sites, and if I check, the access.log is empty. I need help; I don't know where the problem is.


----------



## DutchDaemon (May 21, 2009)

There's a typo in

```
http_port 3128 trasparent
```

to begin with (tra*n*sparent). And transparent proxying is normally done on localhost


```
http_port 127.0.0.1:3128 transparent
```

using a firewall rule to redirect traffic to port 80 to localhost:3128.


----------



## cheoac (May 22, 2009)

Do I need the redirect in my ipfw or in my ipnat?


----------



## cheoac (May 22, 2009)

I put this line in my ipfw.rules:

```
$cmd 00080 fwd 192.168.3.0,80 tcp from any to any 3128
```

but it doesn't work. And I put this line in my ipnat.rules:

```
rdr em0 0/0 port 80 -> 127.0.0.1 port 3128
```

and it doesn't work. I don't know how....


----------



## DutchDaemon (May 22, 2009)

I haven't used ipfw in a long time, but that rule looks ass-backwards. Something like this looks more logical:

```
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
```
I suggest you Google around for "squid transparent ipfw".


----------



## cheoac (May 22, 2009)

I tried these rules and it doesn't work. These rules block my www service.


----------



## Abriel (May 22, 2009)

```
/sbin/ipfw add 1000 fwd 172.21.0.1,8080 tcp from any to any 80 via rl0
```

172.21.0.1 - the address of your internal Ethernet card
rl0 - your internal Ethernet card


----------



## Abriel (May 22, 2009)

And I forgot:


```
http_port 8080 transparent
```


----------



## DutchDaemon (May 22, 2009)

cheoac said:

> I tried these rules and it doesn't work. These rules block my www service.



So it redirects http traffic, just like you wanted -- but it's not being picked up by Squid. Is Squid actually *running* on 127.0.0.1:3128?


----------



## DutchDaemon (May 22, 2009)

Abriel, you're adding confusion, not a solution.


----------



## Const (May 22, 2009)

If I'm not mistaken, you should also specify the outgoing address in squid.conf

```
tcp_outgoing_address 192.168.2.2
```
and you don't need to NAT traffic going to port 80


----------



## cheoac (May 23, 2009)

I disabled ipfw and ipnat and put

```
tcp_outgoing_address 192.168.2.2
```

but I don't have results.


----------



## cheoac (May 23, 2009)

I have a question: can Squid work without ipnat and ipfw?


----------



## Const (May 23, 2009)

No. You need something on your FreeBSD box to forward HTTP requests to Squid. So in IPFW you need a command like DutchDaemon said

```
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80
```
It will redirect all requests to Squid; then Squid passes packets via the specified outgoing address. You can also specify the interface for Squid to listen on by adding the interface address to the config file. Then the http_port parameter will look like this

```
http_port 192.168.3.1:3128
```
Then DutchDaemon's rule would be

```
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
```
Give it a try


----------



## Const (May 23, 2009)

ADDED

If it doesn't work, you should look at your IPFW logs in /var/log/security to analyze how packets move in your system. Maybe specify some rules with in/out interfaces to avoid endless looping, when incoming packets going to port 80 are forwarded to Squid and outgoing packets from Squid (they are still sent to port 80) are forwarded to Squid again. I'm very far from UNIX master level, but I configured Squid a few days ago and these were the problems I met.


----------



## Abriel (May 23, 2009)

cheoac said:

> I have a question: can Squid work without ipnat and ipfw?

1. Why do you use ipnat with ipfw? You can always switch to ipfw with natd.
2. Is your Squid working? If you don't have http_port 192.168.3.1:3128 and only http_port 3128, it will be working on all your IPs.

Check Squid with

```
telnet 192.168.3.1 3128
```

or

```
lynx/links/elinks http://192.168.3.1:3128
```

3. I will put my squid and first line of firewall config for you on http://zse.ath.cx/cheoac/


----------



## cheoac (May 25, 2009)

Hi, I tried these rules but it doesn't work

```
http_port 192.168.3.1:3128 transparent
```


```
$cmd 00080 fwd 192.168.3.1,3128 tcp from any to any 80
```


```
freebsd# ipfw -a list
00080    9    432 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090   23   1915 allow ip from any to any via em0
65535 2620 320111 allow ip from any to any
```


```
freebsd# ipfw list
00080 fwd 192.168.3.1,3128 tcp from any to any dst-port 80
00090 allow ip from any to any via em0
65535 allow ip from any to any
freebsd#
```

All the HTTP traffic is blocked, but not by Squid.


----------



## DutchDaemon (May 25, 2009)

Again: is Squid actually *running*, and what's in the logfiles (usually /usr/local/squid/logs/[access.log|cache.log])?


----------



## cheoac (May 25, 2009)

And if I run this command

```
telnet 192.168.3.1 3128
```

the machine refuses telnet.

```
/usr/local/etc/rc.d/squid start
```

but it doesn't work.


----------



## DutchDaemon (May 25, 2009)

```
/usr/local/etc/rc.d/squid rcvar
```


----------



## cheoac (May 25, 2009)

OK, I identified my first problem: Squid didn't work, but I fixed it. Now on all my web sites "The request or reply is too large" appears.


----------



## cheoac (May 25, 2009)

I tried with reply_body_max_size 0 and it doesn't work; "The request or reply is too large" appears.


----------



## DutchDaemon (May 25, 2009)

There's also request_body_max_size

http://www.visolve.com/squid/squid30/contents.php


----------



## DutchDaemon (May 25, 2009)

Did you run `squid -k reconfigure` after the changes were made?


----------



## cheoac (May 25, 2009)

No, I didn't, but I ran this command and the problem is the same.


----------



## DutchDaemon (May 25, 2009)

By the way, reply_body_max_size and request_body_max_size are not set to anything in the default squid.conf, so there should be no reason to adjust them. Unless you're using some cut & paste off the 'net instead of making your own.


----------



## Abriel (May 25, 2009)

Use:

```
squid -k check
```

and please give us


```
squid -v
```


----------



## cheoac (May 25, 2009)

I put in my squid.conf

```
request_body_max_size 0
```

but the problem is still there.


----------



## cheoac (May 25, 2009)

Now I deactivated reply_body_max_size and request_body_max_size like DutchDaemon said, but "the request or reply is too large" appears on all my web sites. And my squid -v:

```
freebsd# squid -v
Squid Cache: Version 3.0.STABLE8
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs diskd null' '--enable-ipfw-transparent' '--enable-kqueue' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish  Dutch English Estonian Finnish French German Greek  Hebrew Hungarian Italian Japanese Korean Lithuanian  Polish Portuguese Romanian Russian-1251 Russian-koi8-r  Serbian Simplify_Chinese Slovak Spanish Swedish  Traditional_Chinese Turkish Ukrainian-1251  Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.1' 'build_alias=i386-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
```


----------



## Abriel (May 25, 2009)

One more thing: copy my squid.conf from

```
http://zse.ath.cx/cheoac/
```

and try with it. Change only

```
http_port 8080 transparent
```

to yours, and

```
dns_nameservers  83.238.114.6 #change to your isp DNS
```

and

```
acl siec src 172.21.0.0/255.255.0.0  #change to your internal ip
```

Put your squid.conf somewhere and post a link.


----------



## cheoac (May 26, 2009)

My problem continues. My Squid blocks my web sites like http://www.youtube.com, but I can't access any of the web sites; the message continues.


----------



## Abriel (May 26, 2009)

cheoac said:

> My problem continues. My Squid blocks my web sites like http://www.youtube.com, but I can't access any of the web sites; the message continues.



I need your squid.conf, put it on rapidshare.com a paste a link here.


----------



## Const (May 26, 2009)

Check your IPFW logs and make sure your packets don't get into an endless loop, as I mentioned. These are the Squid rules from my firewall

```
# $squid, $my_net, $in_if and $out_if are set earlier in the full script (not shown here)
a="ipfw add"
l="log logamount 10000"
squid_ports=http

ipfw -f flush
$a check-state

$a allow all from any to any via lo0

# SQUID

$a fwd $squid $l all from $my_net to any $squid_ports in via $in_if
$a allow $l all from $out_if to any $squid_ports out via $out_if
$a allow $l all from any $squid_ports to $out_if in via $out_if
$a allow $l all from any $squid_ports to $my_net out via $in_if
```
$out_if is 192.168.2.2 in your case
$in_if is 192.168.3.1


----------



## cheoac (May 26, 2009)

I know what my problem is: my problem is a forwarding loop.


```
2009/05/26 08:56:33| WARNING: Forwarding loop detected for:
X-Forwarded-For: 192.168.3.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.2, 192.168.2.
```

This is my cache.log.


----------



## DutchDaemon (May 26, 2009)

Do yourself a favour: run Squid on 127.0.0.1. There's a reason why transparent proxying usually takes place on localhost.


----------



## cheoac (May 26, 2009)

This is my ipfw.rules:


> #!/bin/sh
> 
> ipfw -q flush
> 
> ...


----------



## cheoac (May 26, 2009)

This is my http_port:


> http_port 3128 transparent


----------



## DutchDaemon (May 26, 2009)

Deja Voodoo ..

Use

```
http_port 127.0.0.1:3128 transparent
```


----------



## cheoac (May 26, 2009)

Now my http_port is

```
http_port 127.0.0.1:3128 transparent
```

and the problem persists.


----------



## cheoac (May 26, 2009)

I think that my problem is my ipfw.rules, because there is a loop.


----------



## DutchDaemon (May 26, 2009)

Try adding to that rule:


```
in recv $nic
```

Replace $nic with the network card you're redirecting the port 80 traffic on. I'm assuming you have a default gateway correctly set up, so that Squid knows where to go for internet connectivity?


----------



## cheoac (May 26, 2009)

My default gateway is correct and all my routes are correct, but I don't know where to paste this rule

```
in recv $nic
```

because my ipfw doesn't understand this rule.


----------



## cheoac (May 26, 2009)

I know what my problem is. This is a solution:

```
$cmd 00080 fwd 127.0.0.1,3128 tcp from not me to any 80
```


----------



## DutchDaemon (May 26, 2009)

I meant:


```
$cmd 00080 fwd 127.0.0.1,3128 tcp from any to any 80 in recv $int_nic
```

Which is probably the same.
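The loop-free redirect as a complete ruleset, added here as an example; it is not code posted by anyone in the thread. It is an /etc/ipfw.rules in the `$cmd` style used above and puts the rule that looped next to the two fixes proposed (DutchDaemon's `in recv $int_nic` and cheoac's `from not me`), together with the interface-aware layout Const's post recommends. The loop itself is simple: Squid's own fetches leave the firewall with source 192.168.2.2 and destination port 80, so `fwd ... from any to any 80` catches them and hands them back to Squid, which is what the repeated `192.168.2.2` entries in the X-Forwarded-For header in cache.log show. `em0` as the external NIC comes from the posted ipnat.rules (`map em0 ...`); the internal NIC name `em1`, the client network and the firewall's own addresses are assumptions matching the topology at the top of the thread. Squid must be bound with `http_port 127.0.0.1:3128 transparent`, and the `--enable-ipfw-transparent` build shown in `squid -v` is required. One caveat for the FreeBSD 7.1 build in question: `fwd` only takes effect when the kernel has `options IPFIREWALL_FORWARD`, which the kernel config posted at the top does not list; since the redirect did reach Squid later in the thread, that is presumably in place. A small `matches` function models which TCP/80 packets each rule variant catches, so the loop can be reasoned about without loading any rules.

```sh
#!/bin/sh
# /etc/ipfw.rules for a transparent Squid, in the $cmd style used in this thread.
# Added example, not code posted in the thread.
#
#   sh ipfw.rules          dry run: print the rules that would be loaded
#   sh ipfw.rules apply    load them (root, FreeBSD, kernel with IPFIREWALL_FORWARD)

ext_nic="em0"            # external NIC, from the posted ipnat.rules ("map em0 ...")
int_nic="em1"            # ASSUMED name of the NIC facing the clients
lan="192.168.3.0/24"     # client network from the topology
squid="127.0.0.1,3128"   # Squid bound with: http_port 127.0.0.1:3128 transparent
me="127.0.0.1 192.168.2.2 192.168.3.1"   # the firewall's own addresses ("me" in ipfw)

# The redirect that looped. Squid's own fetches leave this host with source
# 192.168.2.2 and destination port 80, so "from any" catches them as well and
# forwards them straight back to Squid (the repeated 192.168.2.2 entries in
# the X-Forwarded-For header in cache.log).
weak_fwd_rule() {
    echo "fwd $squid tcp from any to any 80"
}

# Fix 1: only redirect packets that arrived inbound on the client-facing NIC.
fixed_fwd_rule_recv() {
    echo "fwd $squid tcp from any to any 80 in recv $int_nic"
}

# Fix 2: exclude anything sourced from the firewall's own addresses.
fixed_fwd_rule_notme() {
    echo "fwd $squid tcp from not me to any 80"
}

# Tiny model of which TCP/80 packets each variant catches. Squid's own
# outbound packets are locally generated: they are not "in" and have no
# receive interface, which is exactly why the two fixes leave them alone.
#   matches VARIANT SRC_ADDR RECV_IF     (RECV_IF empty for locally generated)
is_me() { case " $me " in *" $1 "*) return 0 ;; *) return 1 ;; esac; }
matches() {
    case "$1" in
        weak)  return 0 ;;                              # from any to any 80: everything
        recv)  [ -n "$3" ] && [ "$3" = "$int_nic" ] ;;  # in recv $int_nic
        notme) ! is_me "$2" ;;                          # from not me
        *)     return 1 ;;
    esac
}

# Load (or print) the ruleset. $cmd is the thread's convention; passing
# "echo" turns the same script into a dry run.
load_rules() {
    cmd="${1:-ipfw -q add}"
    $cmd 00010 allow ip from any to any via lo0          # Squid listens on lo0
    $cmd 00080 $(fixed_fwd_rule_recv)                    # LAN -> port 80 goes to Squid
    $cmd 00090 allow ip from any to any via "$ext_nic"   # Squid's fetches and the rest
}

case "${1:-dry-run}" in
    apply)   load_rules ;;
    dry-run) load_rules echo ;;
esac
```

Run without arguments it prints the three `ipfw add` lines so they can be checked against `ipfw -a list` afterwards; with `apply` it loads them. Either fix on its own stops the loop; `in recv $int_nic` is the more precise one because it also excludes port-80 traffic arriving on the external NIC, which should never be redirected into the proxy.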


----------



## cheoac (May 26, 2009)

Thanks for all your information and your patience.


----------



## DutchDaemon (May 26, 2009)

Does that mean it works?


----------



## cheoac (May 26, 2009)

Yes, it works.


----------



## DutchDaemon (May 26, 2009)

Good. Set to [solved].


----------

