# Squid 3.5.24  Access Denied FreeBSD 11



## ObiektywNy (Feb 28, 2017)

Hi,
I am trying to get Squid working on FreeBSD 11.
I have two NICs, an internal one (INT_IF) and an external one (EXT_IF).

My NAT is working, but I am not sure if this is a redirection issue or a squid.conf issue.

--- /etc/pf.conf ---

```
nat on $EXT_IF from !($EXT_IF)->($EXT_IF:0)
rdr on $INT_IF inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in  on $INT_IF inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $EXT_IF inet proto tcp from any to any port www keep state


pass in quick on { lo0 $INT_IF } all
pass out quick on $EXT_IF inet proto {tcp,udp} from any to any keep state

pass out quick on $EXT_IF inet proto { tcp,udp,icmp} all
```


--- `pfctl -s s` ---

```
nat on em0 from ! (em0) to any -> (em0:0)
rdr on bge0 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128
pass in on bge0 inet proto tcp from any to 127.0.0.1 port = 3128 flags S/SA keep state
pass out on em0 inet proto tcp from any to any port = http flags S/SA keep state
pass out quick on em0 inet proto tcp all flags S/SA keep state
pass out quick on em0 inet proto udp all keep state
pass out quick on em0 inet proto icmp all keep state
pass in quick on lo0 all flags S/SA keep state
pass in quick on bge0 all flags S/SA keep state
```


--- squid.conf ---

```
maximum_object_size 30000 KB
maximum_object_size_in_memory 40 KB

acl localnet src 10.1.0.0/24
acl localnet src 172.16.15.0/24

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports

http_access allow localhost manager
http_access deny manager

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 3128 intercept


cache_peer 172.16.15.15 parent 3128 3130 no-netdb-exchange

cache_mem 1000 MB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /var/squid/cache 45000 16 256
coredump_dir /var/squid/cache


access_log stdio:/var/log/squid/access.log squid
cache_log stdio:/var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log


refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320


logfile_rotate 0

debug_options ALL,2

log_mime_hdrs on
strip_query_terms off
visible_hostname www.imservicesgroup.internal.com
```


--- `tail -f /var/log/squid/access.log` ---


```
1488305300.734      1 10.1.0.5 TCP_MISS/403 4361 GET http://wwordpress.com/ - HIER_NONE/- text/html [Accept: text/html, application/xhtml+xml, image/jxr, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nX-Forwarded-For: 10.1.0.100\r\nCache-Control: max-age=259200\r\nConnection: keep-alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3915\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]

1488305300.734      3 10.1.0.100 TCP_MISS/403 4529 GET http://wwordpress.com/ - ORIGINAL_DST/10.1.0.5 text/html [Accept: text/html, application/xhtml+xml, image/jxr, */*\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3915\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\nX-Cache: MISS from www.imservicesgroup.internal.com\r\nX-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nConnection: keep-alive\r\n\r]

1488305300.741      1 10.1.0.100 TCP_DENIED/403 4432 GET http://www.imservicesgroup.internal.com:0/squid-internal-static/icons/SN.png - HIER_NONE/- text/html [Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5\r\nReferer: http://wwordpress.com/\r\nAccept-Language: en-US\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nAccept-Encoding: gzip, deflate\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3986\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en-us\r\n\r]

1488305300.744      1 10.1.0.5 TCP_MISS/403 4406 GET http://wwordpress.com/favicon.ico - HIER_NONE/- text/html [Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nDNT: 1\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nX-Forwarded-For: 10.1.0.100\r\nCache-Control: max-age=259200\r\nConnection: keep-alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3963\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en\r\n\r]

1488305300.745      2 10.1.0.100 TCP_MISS/403 4574 GET http://wwordpress.com/favicon.ico - ORIGINAL_DST/10.1.0.5 text/html [Accept: */*\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393\r\nDNT: 1\r\nConnection: Keep-Alive\r\nHost: wwordpress.com\r\n] [HTTP/1.1 403 Forbidden\r\nServer: squid/3.5.24\r\nMime-Version: 1.0\r\nDate: Tue, 28 Feb 2017 18:08:20 GMT\r\nContent-Type: text/html;charset=utf-8\r\nContent-Length: 3963\r\nX-Squid-Error: ERR_ACCESS_DENIED 0\r\nVary: Accept-Language\r\nContent-Language: en\r\nX-Cache: MISS from www.imservicesgroup.internal.com\r\nX-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0\r\nVia: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)\r\nConnection: keep-alive\r\n\r]
```


--- `tail cache.log` ---

```
</head><body id="ERR_ACCESS_DENIED">
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://wwordpress.com/">http://wwordpress.com/</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>


<hr>
<div id="footer">
<p>Generated Tue, 28 Feb 2017 18:12:43 GMT by www.imservicesgroup.internal.com (squid/3.5.24)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>

----------
2017/02/28 12:12:43.460 kid1| ctx: exit level  0
2017/02/28 12:12:43.460 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.460 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.460 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.460 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://wwordpress.com/ is ALLOWED, because it matched (access_log stdio:/var/log/squid/access.log line)
2017/02/28 12:12:43.460 kid1| 11,2| client_side.cc(1408) sendStartOfMessage: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.460 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.24
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 18:12:43 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3915
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: MISS from www.imservicesgroup.internal.com:0
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24), 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
Connection: keep-alive


----------
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.461 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.467 kid1| 11,2| client_side.cc(2364) parseHttpRequest: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.467 kid1| 11,2| client_side.cc(2365) parseHttpRequest: HTTP Client REQUEST:
---------
GET /squid-internal-static/icons/SN.png HTTP/1.1
Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5
Referer: http://wwordpress.com/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
Accept-Encoding: gzip, deflate
Host: wwordpress.com
Connection: Keep-Alive


----------
2017/02/28 12:12:43.467 kid1| 33,2| client_side.cc(2741) clientProcessRequest: internal URL found: http://wwordpress.com:80 (global_internal_static on)
2017/02/28 12:12:43.467 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.467 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://wwordpress.com/squid-internal-static/icons/SN.png is DENIED; last ACL checked: Safe_ports
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.468 kid1| ERROR: No forward-proxy ports configured.
2017/02/28 12:12:43.468 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://www.imservicesgroup.internal.com:0/squid-internal-static/icons/SN.png is ALLOWED, because it matched Safe_ports
2017/02/28 12:12:43.468 kid1| 11,2| client_side.cc(1408) sendStartOfMessage: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33
2017/02/28 12:12:43.468 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client REPLY:
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.24
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 18:12:43 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3986
X-Squid-Error: ERR_ACCESS_DENIED 0
Vary: Accept-Language
Content-Language: en-us
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: NONE from www.imservicesgroup.internal.com:0
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
Connection: keep-alive


----------
2017/02/28 12:12:43.468 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 12:12:43.490 kid1| 33,2| client_side.cc(3345) clientReadRequest: local=10.1.0.5:3128 remote=10.1.0.102:61124 FD 12 flags=33: got flag -1; (54) Connection reset by peer
2017/02/28 12:12:43.490 kid1| 33,2| client_side.cc(832) swanSong: local=10.1.0.5:3128 remote=10.1.0.102:61124 flags=33
```


----------



## SirDice (Feb 28, 2017)

ObiektywNy said:


> ```
> 2017/02/28 12:12:43.467 kid1| ERROR: No forward-proxy ports configured.
> ```


This appears to be the reason:

> This error occurs when port 3128 has been incorrectly altered into an interception port.

http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts


----------



## ObiektywNy (Feb 28, 2017)

Even if I add 3130, I get the same Access Denied error.

```
http_port 3130
http_port 3128 intercept
```


cache.log gives me this with the above configuration:

```
---------
HTTP/1.1 403 Forbidden
Server: squid/3.5.24
Mime-Version: 1.0
Date: Tue, 28 Feb 2017 21:18:20 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 4023
X-Squid-Error: ERR_ACCESS_DENIED 0

Vary: Accept-Language
Content-Language: en-us
X-Cache: MISS from www.imservicesgroup.internal.com
X-Cache-Lookup: MISS from www.imservicesgroup.internal.com:3130
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
Connection: keep-alive


<html><head>
<meta type="copyright" content="Copyright (C) 1996-2017 The Squid Software Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!--



</head><body id="ERR_ACCESS_DENIED">
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a href="http://www.tarlink.com/category/network/">http://www.tarlink.com/category/network/</a></p>

<blockquote id="error">
<p><b>Access Denied.</b></p>
</blockquote>

<p>Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.</p>


<hr>
<div id="footer">
<p>Generated Tue, 28 Feb 2017 21:18:20 GMT by www.imservicesgroup.internal.com (squid/3.5.24)</p>
<!-- ERR_ACCESS_DENIED -->
</div>
</body></html>



----------
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://clients3.google.com/generate_204 is ALLOWED; last ACL checked: localnet
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://clients3.google.com/generate_204 is ALLOWED; last ACL checked: localnet
2017/02/28 15:18:20.996 kid1| 17,2| FwdState.cc(133) FwdState: Forwarding client request local=10.1.0.5:3128 remote=10.10.0.101:58557 FD 26 flags=33, url=http://clients3.google.com/generate_204
2017/02/28 15:18:20.996 kid1| 44,2| peer_select.cc(280) peerSelectDnsPaths: Found sources for 'http://clients3.google.com/generate_204'
2017/02/28 15:18:20.996 kid1| 44,2| peer_select.cc(281) peerSelectDnsPaths:   always_direct = DENIED
2017/02/28 15:18:20.996 kid1| 44,2| peer_select.cc(282) peerSelectDnsPaths:    never_direct = DENIED
2017/02/28 15:18:20.996 kid1| 44,2| peer_select.cc(288) peerSelectDnsPaths:    ORIGINAL_DST = local=0.0.0.0 remote=10.1.0.5:3128 flags=1
2017/02/28 15:18:20.996 kid1| 44,2| peer_select.cc(295) peerSelectDnsPaths:        timedout = 0
2017/02/28 15:18:20.996 kid1| 11,2| http.cc(2230) sendRequest: HTTP Server local=10.1.0.5:44349 remote=10.1.0.5:3128 FD 20 flags=1
2017/02/28 15:18:20.996 kid1| 11,2| http.cc(2231) sendRequest: HTTP Server REQUEST:
---------
GET /generate_204 HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; SAMSUNG-SGH-I337 Build/JSS15J)
Host: clients3.google.com
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
X-Forwarded-For: 10.10.0.101
Cache-Control: max-age=259200
Connection: keep-alive


----------
2017/02/28 15:18:20.996 kid1| 11,2| client_side.cc(2364) parseHttpRequest: HTTP Client local=10.1.0.5:3128 remote=10.1.0.5:44349 FD 23 flags=33
2017/02/28 15:18:20.996 kid1| 11,2| client_side.cc(2365) parseHttpRequest: HTTP Client REQUEST:
---------
GET /generate_204 HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; SAMSUNG-SGH-I337 Build/JSS15J)
Host: clients3.google.com
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
X-Forwarded-For: 10.10.0.101
Cache-Control: max-age=259200
Connection: keep-alive


----------
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://clients3.google.com/generate_204 is ALLOWED; last ACL checked: localnet
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(720) clientAccessCheck2: No adapted_http_access configuration. default: ALLOW
2017/02/28 15:18:20.996 kid1| 85,2| client_side_request.cc(744) clientAccessCheckDone: The request GET http://clients3.google.com/generate_204 is ALLOWED; last ACL checked: localnet
2017/02/28 15:18:20.996 kid1| WARNING: Forwarding loop detected for:
GET /generate_204 HTTP/1.1
User-Agent: Dalvik/1.6.0 (Linux; U; Android 4.3; SAMSUNG-SGH-I337 Build/JSS15J)
Via: 1.1 www.imservicesgroup.internal.com (squid/3.5.24)
X-Forwarded-For: 10.10.0.101
Cache-Control: max-age=259200
Connection: keep-alive
Host: clients3.google.com


2017/02/28 15:18:20.996 kid1| 4,2| errorpage.cc(1261) BuildContent: No existing error page language negotiated for ERR_ACCESS_DENIED. Using default error file.
2017/02/28 15:18:20.997 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 15:18:20.997 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 15:18:20.997 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 15:18:20.997 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://clients3.google.com/generate_204 is ALLOWED, because it matched localnet


----------
2017/02/28 15:18:20.883 kid1| ctx: exit level  0
2017/02/28 15:18:20.883 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 15:18:20.883 kid1| 20,2| store.cc(980) checkCachable: StoreEntry::checkCachable: NO: not cachable
2017/02/28 15:18:20.883 kid1| 88,2| client_side_reply.cc(2067) processReplyAccessResult: The reply for GET http://www.tarlink.com/category/network/ is ALLOWED, because it matched (access_log stdio:/var/log/squid/access.log line)
2017/02/28 15:18:20.883 kid1| 11,2| client_side.cc(1408) sendStartOfMessage: HTTP Client local=10.1.0.5:3128 remote=10.1.0.102:61332 FD 19 flags=33
2017/02/28 15:18:20.883 kid1| 11,2| client_side.cc(1409) sendStartOfMessage: HTTP Client REPLY:
```


----------



## SirDice (Feb 28, 2017)

I have never set up Squid transparently before, but I think you're supposed to make the alternative port the 'intercept' port so Squid can call back into itself on the default port.


----------



## ObiektywNy (Feb 28, 2017)

Even with

```
http_port 3130 intercept
http_port 3128 intercept
```
I have the same denied result. It does need to be transparent. I had it working on Linux with IPTABLES but cannot replicate the same configuration on FreeBSD PF.


----------



## SirDice (Mar 1, 2017)

Remove the 'intercept' from port 3128 and forward to port 3130 with PF.
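An added example (not from either poster) of the split SirDice suggests here and in his earlier reply: 3128 stays a plain forward-proxy port and a second port takes the PF redirect, so Squid can reach itself for internal URLs and error pages. Interface names, addresses and port 3130 follow the thread; the `rdr pass` form, restricting the redirect to the LAN source network, and the `/dev/pf` permission note are assumptions about this setup, and the Squid build is assumed to include PF interception support.

```conf
# --- /etc/pf.conf (added example; the poster's rules are above) ---
ext_if  = "em0"
int_if  = "bge0"
int_net = "{ 10.1.0.0/24 }"

nat on $ext_if from !($ext_if) -> ($ext_if:0)

# Redirect only LAN clients' port-80 traffic arriving on the inside
# interface to the intercept port. Squid's own outbound requests leave
# via $ext_if and never match this rule, so the proxy cannot be redirected
# back into itself (the "Forwarding loop detected" seen in cache.log).
# "rdr pass" also admits the redirected connection without a separate
# pass rule for 127.0.0.1:3130.
rdr pass on $int_if inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3130

pass in  quick on { lo0 $int_if } all
pass out quick on $ext_if inet proto { tcp udp icmp } all keep state

# --- squid.conf (only the port lines; the rest as in the poster's file) ---
# Plain forward-proxy port. Browsers configured explicitly use it, and
# Squid needs at least one non-intercept port or it logs
# "ERROR: No forward-proxy ports configured." when building internal URLs.
http_port 3128

# Receives the PF redirect. On FreeBSD Squid recovers the original
# destination by querying /dev/pf, so the squid user must be able to open
# that device (assumption: grant it with a devfs rule or group permission).
# If that lookup fails, ORIGINAL_DST falls back to Squid's own listening
# address, which is exactly what the poster's cache.log shows.
http_port 3130 intercept
```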


----------



## ObiektywNy (Mar 1, 2017)

That change gave me Invalid URL:

```
EXT_IF=em0
EXT_IP=172.16.15.15

INT_IF=bge0
INT_IP=10.1.0.5
INT_NET="{ 10.1.0.0/24 }"
WEBPORT="{ 80 }"


####################
#   NAT & RDR      #
####################

nat on $EXT_IF from !($EXT_IF)->($EXT_IF:0)
rdr on $INT_IF inet proto tcp from any to any port www -> 127.0.0.1 port 3130

pass in  on $INT_IF inet proto tcp from any to 127.0.0.1 port 3130 keep state
pass out on $EXT_IF inet proto tcp from any to any port www keep state


pass in quick on { lo0 $INT_IF } all
pass out quick on $EXT_IF inet proto {tcp,udp} from any to any keep state

pass out quick on $EXT_IF inet proto { tcp,udp,icmp} all
```

Do you know the way to configure it to one of the EXT_IF or INT_IF instead of 127.0.0.1?


----------



## SirDice (Mar 1, 2017)

Well, I would try to set up a "plain" Squid first, nothing transparent. Once you have that working you can move onto making it transparent.


----------



## ObiektywNy (Mar 1, 2017)

So what RDR rules do I need to apply to make it "plain"?
This is the part I am a little confused about with PF, as previously I used IPTABLES with

```
-A PREROUTING -i bge0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.16.5.5:3128
-A PREROUTING -i em0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
```


----------



## SirDice (Mar 2, 2017)

ObiektywNy said:


> So what RDR rules do I need to apply to make it "plain"?


None. You simply configure Firefox for example to use your Squid as a proxy.


----------



## ObiektywNy (Mar 2, 2017)

This is working fine. My whole point was to pass traffic through FreeBSD and redirect port 80 to 3128 so the proxy could grab it on the fly, something like interface SPAN (mirroring).


----------



## SirDice (Mar 3, 2017)

ObiektywNy said:


> This is working fine.


That's good. That means at least the basic configuration is correct and working.


----------

