# struggling with bridge transparent squid



## soylentgreen (Jul 15, 2009)

The goal is to come up with a transparent bridge with antivirus scanning for http for approximately 180 users.  The bridge part was easy; I used the handbook and followed exactly the instructions here (http://www.freebsd.org).  First, I understand that I need to get squid working, so this thread will focus on getting squid working (transparently) on a bridge.

1. I do not have IP addresses assigned to the individual cards, but I do have an IP assigned to the bridge0.  (should I?)

em0 is the int_if no IP assigned
xl0 is the ext_if no IP assigned
bridge0 has 10.0.10.47 (for management)

I went with ipnat(ipfirewall) for the transparent redirect.  For ipnat.rules, do I need to specify IP addresses to the interface(s) in order for the rules to apply, or in the case of a bridged connection, do I use the bridge0 for the interface?


```
# cat /etc/ipnat.rules
rdr em0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3128 tcp
```

I am not married to IPF, so if using a different firewall is easier or more efficient (esp with a bridged connection) I am open to suggestions.

I have installed squid 2.7 and changed the squid.conf file with:

```
http_port 3128 transparent
```

Nothing comes up in the /usr/local/squid/cache when browsing on systems behind the bridge, so I'm not sure if it is even doing anything.

My squid -v looks like:

```
# squid -v
Squid Cache: Version 2.7.STABLE6
configure options:  '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic digest negotiate ntlm' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-storeio=ufs diskd null' '--enable-ipf-transparent' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish  Dutch English Estonian Finnish French German Greek  Hebrew Hungarian Italian Japanese Korean Lithuanian  Polish Portuguese Romanian Russian-1251 Russian-koi8-r  Serbian Simplify_Chinese Slovak Spanish Swedish  Traditional_Chinese Turkish Ukrainian-1251  Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=English' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.1' 'build_alias=i386-portbld-freebsd7.1' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS='
```

This is the first time I've played with squid on a bridge; I did get squid to work once on a router, but that was just messing around, so I might be missing something fundamental. 

Please offer some guidance.

EDIT: I swapped out the em0 interface for bridge0 in the ipnat.rules file, and now it appears to be doing something, but nothing good.

All pages are timing out, and I don't see anything in the access.log.


----------



## DutchDaemon (Jul 15, 2009)

Try

```
http_port 127.0.0.1:3128 transparent
```

I use PF, and it needs a specific routing statement on a bridge, or it will not work -- packets will arrive at localhost, but there it ends. No idea about IPF.


```
rdr on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
```
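The rule pair above is easy to get half right: the `rdr` alone is enough to make pf rewrite the destination, and the missing `route-to lo0` only shows up as every page timing out with an empty access.log, exactly the symptom in the first post. As an added example (not from the thread, pf or Squid; the helper and its function names are mine), here is a small Python linter that reads a pf.conf fragment and reports any loopback `rdr` that has no `pass in ... route-to lo0` partner on the same interface. The first config embedded is the working pair from this thread with em0 as the inside interface; the second is a constructed variant with the `route-to` left out.

```python
"""Lint a pf.conf fragment for the transparent-proxy pattern discussed above.

Every `rdr` that sends traffic to 127.0.0.1 must be paired with a `pass in`
rule on the same interface that carries `route-to lo0`; on a bridge, without
that route-to the redirected packets reach localhost and stop there.
Hypothetical helper, not part of pf or of the thread.
"""
import re
from typing import Dict, List, Tuple

LOOPBACK = "127.0.0.1"

# rdr on <if> ... to <dst> port <dport> -> <target> port <tport>
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<iface>\S+)\s+.*?(?<!-)\bto\s+\S+\s+port\s+(?P<dport>\d+)\s*"
    r"->\s*(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
)
PASS_IN_RE = re.compile(r"^pass\s+in\b")
ON_RE = re.compile(r"\bon\s+(\S+)")
ROUTE_TO_RE = re.compile(r"\broute-to\s+(\S+)")
# (?<!-) keeps the "to" inside "route-to" from being taken as the destination.
TO_PORT_RE = re.compile(r"(?<!-)\bto\s+(\S+)\s+port\s+(\d+)")


def parse_rules(conf: str) -> Tuple[List[Dict], List[Dict]]:
    """Split a pf.conf into the rdr rules and the 'pass in' rules we care about."""
    rdrs: List[Dict] = []
    passes: List[Dict] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = RDR_RE.match(line)
        if m:
            rdrs.append({"iface": m["iface"], "dport": int(m["dport"]),
                         "target": m["target"], "tport": int(m["tport"])})
            continue
        if PASS_IN_RE.match(line):
            on = ON_RE.search(line)
            rt = ROUTE_TO_RE.search(line)
            tp = TO_PORT_RE.search(line)
            passes.append({"iface": on.group(1) if on else None,
                           "route_to": rt.group(1) if rt else None,
                           "to": tp.group(1) if tp else None,
                           "tport": int(tp.group(2)) if tp else None})
    return rdrs, passes


def check_transparent_rules(conf: str) -> List[str]:
    """Return one finding per loopback rdr that lacks a usable 'pass in ... route-to lo0'."""
    rdrs, passes = parse_rules(conf)
    findings: List[str] = []
    for r in rdrs:
        if r["target"] != LOOPBACK:
            continue                      # ordinary NAT to another host: not this pattern
        matching = [p for p in passes
                    if p["iface"] == r["iface"] and p["to"] == LOOPBACK
                    and p["tport"] == r["tport"]]
        if not matching:
            findings.append(f"{r['iface']}: rdr port {r['dport']} -> {LOOPBACK}:{r['tport']} "
                            f"has no matching 'pass in' rule")
        elif not any(p["route_to"] == "lo0" for p in matching):
            findings.append(f"{r['iface']}: 'pass in' for {LOOPBACK}:{r['tport']} lacks "
                            f"'route-to lo0'; on a bridge the packets stop at localhost")
    return findings


# The working rule pair from this thread (inside interface em0).
THREAD_PF_CONF = """\
rdr on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on em0 route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
"""

# Constructed variant: same rdr, but the pass rule has no route-to.
BROKEN_PF_CONF = """\
rdr on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on em0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
"""

if __name__ == "__main__":
    for name, conf in (("thread", THREAD_PF_CONF), ("broken", BROKEN_PF_CONF)):
        problems = check_transparent_rules(conf)
        print(name, "OK" if not problems else "; ".join(problems))
```

The check only understands the two-line form used here (a separate `rdr` and `pass in`), not the `rdr pass` shorthand, and it deliberately ignores `rdr` rules that point at a host other than 127.0.0.1, since those are ordinary port forwards rather than a local interception.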


----------



## soylentgreen (Jul 15, 2009)

Thank you for your reply.

I recompiled squid from ports without the IPF option and with the PF option for transparency.

I changed the line in squid.conf to

```
http_port 127.0.0.1:3128 transparent
```

I removed the ipnat lines from /etc/rc.conf and added:

```
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
```

With a /etc/pf.conf of:

```
rdr on em0 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in quick on em0 route-to lo0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
```

The squid appears to be working now.  I am getting stuff in cache, and the access.log reflects the pages visited.  Thank you very much for your assistance.

I did not enable any of the ALTQ settings, and I get messages that those are disabled; do I need to worry about that?


----------



## soylentgreen (Jul 15, 2009)

An interesting side-note regarding my bridge. When I have the following line in my /etc/rc.conf, I can't ping anything after a reboot or after running /etc/rc.d/netif restart && /etc/rc.d/routing restart, and nothing works:

```
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"
```

But if I comment out that line, then just type in the following after reboot, everything works.

```
ifconfig bridge0 10.0.10.47/24&&/etc/rc.d/routing restart
```

That makes things not very good when I have to reboot the system remotely, as I would have to be at the console to get everything working again.

Am I calling the ifconfig_bridge0 line incorrectly in my /etc/rc.conf?

Full /etc/rc.conf (original way, which does not work after reboot):

```
sshd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"
defaultrouter="10.0.10.1"
#havp_enable=YES
clamav_freshclam_enable=YES
squid_enable=YES
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
webmin_enable=YES
```


----------



## DutchDaemon (Jul 15, 2009)

soylentgreen said:

> I did not enable any of the ALTQ settings, and I get messages that those are disabled; do I need to worry about that?



No, nothing to worry about. That's actually one of my PF peeves as well.


----------



## DutchDaemon (Jul 15, 2009)

I seem to remember that putting two 'ifconfig_bridge0=' lines in /etc/rc.conf doesn't work as expected. Try replacing the second one (the one putting the IP address on the bridge) with 'ifconfig_bridge0_alias0='
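The reason two lines with the same name misbehave is that /etc/rc.conf is sourced by sh, so the second `ifconfig_bridge0=` (the address) overwrites the first (the `addm ... up` members) before any of it is applied. As an added check, not from the thread or from FreeBSD itself, here is a Python linter that parses an rc.conf the way sh would, reports each variable assigned more than once together with the value that survives, and renames the later `ifconfig_<if>=` duplicates to `ifconfig_<if>_aliasN=` as suggested above. The embedded rc.conf is soylentgreen's from this thread, shortened; the function names are mine.

```python
"""Find repeated assignments in an /etc/rc.conf.

rc.conf is sourced by sh, so assigning a variable twice keeps only the last
value. In the file from this thread the second ifconfig_bridge0= line (the
address) silently replaces the first (the 'addm ... up' members), which is why
the bridge comes up without connectivity. Hypothetical helper, not FreeBSD code.
"""
import re
from typing import Dict, List, Tuple

ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(.*?)\s*$")


def _unquote(value: str) -> str:
    """Strip one layer of matching quotes, as sh does for a simple literal."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_assignments(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, name, value) for each assignment, in file order."""
    found: List[Tuple[int, str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):
            continue                       # commented-out line
        m = ASSIGN_RE.match(raw)
        if m:
            found.append((lineno, m.group(1), _unquote(m.group(2))))
    return found


def find_duplicates(text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each name assigned more than once to its (line, value) occurrences."""
    seen: Dict[str, List[Tuple[int, str]]] = {}
    for lineno, name, value in parse_assignments(text):
        seen.setdefault(name, []).append((lineno, value))
    return {name: occ for name, occ in seen.items() if len(occ) > 1}


def effective_values(text: str) -> Dict[str, str]:
    """What sh ends up with after sourcing the file: the last assignment wins."""
    return {name: value for _, name, value in parse_assignments(text)}


def rewrite_ifconfig_duplicates(text: str) -> str:
    """Rename the 2nd, 3rd, ... ifconfig_<if>= lines to ifconfig_<if>_aliasN=,
    the fix suggested in the thread, so each line is applied instead of overwritten.
    Assumes the file does not already define matching _aliasN variables."""
    counts: Dict[str, int] = {}
    out: List[str] = []
    for raw in text.splitlines():
        m = None if raw.lstrip().startswith("#") else ASSIGN_RE.match(raw)
        if m and m.group(1).startswith("ifconfig_"):
            name = m.group(1)
            n = counts.get(name, 0)
            counts[name] = n + 1
            if n > 0:
                raw = raw.replace(f"{name}=", f"{name}_alias{n - 1}=", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


# The rc.conf from this thread (shortened to the network lines).
THREAD_RC_CONF = """\
sshd_enable="YES"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0="inet 10.0.10.47 netmask 255.255.255.0"
defaultrouter="10.0.10.1"
#havp_enable=YES
squid_enable=YES
pf_enable="YES"
"""

if __name__ == "__main__":
    survivors = effective_values(THREAD_RC_CONF)
    for name, occ in find_duplicates(THREAD_RC_CONF).items():
        where = ", ".join(f"line {ln}: {val!r}" for ln, val in occ)
        print(f"{name} assigned {len(occ)} times ({where}); sh keeps {survivors[name]!r}")
    print(rewrite_ifconfig_duplicates(THREAD_RC_CONF))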


----------



## soylentgreen (Jul 15, 2009)

*[solved]*

DutchDaemon said:

> I seem to remember that putting two 'ifconfig_bridge0=' lines in /etc/rc.conf doesn't work as expected. Try replacing the second one (the one putting the IP address on the bridge) with 'ifconfig_bridge0_alias0='

```
ifconfig_bridge0="addm xl0 addm em0 up"
ifconfig_xl0="up"
ifconfig_em0="up"
ifconfig_bridge0_alias0="inet 10.0.10.47 netmask 255.255.255.0"
```

worked.

Thank you.


----------



## ddb (Jan 27, 2010)

soylentgreen said:

> ```
> ifconfig_bridge0="addm xl0 addm em0 up"
> ifconfig_xl0="up"
> ifconfig_em0="up"
> ...



Or you can try:

```
ifconfig_bridge0="inet 1.2.3.4/24 addm xl0 addm em0 up"
```


----------



## Myron (Jan 28, 2010)

soylentgreen said:

> ```
> ifconfig_bridge0="addm xl0 addm em0 up"
> ifconfig_xl0="up"
> ifconfig_em0="up"
> ...



Hmmm, hi soy, if you don't mind can you post and share your whole squid.conf, hehe. I'm gonna try this setup by tomorrow, thanks.


----------



## soylentgreen (Mar 2, 2010)

Unless I am mistaken, the only lines I changed in squid.conf other than the default settings are:


```
cache_mem 64 MB
http_port 127.0.0.1:3128 transparent
pipeline_prefetch on
shutdown_lifetime 1 second
no_cache deny all
http_port 127.0.0.1:8081
cache_peer localhost parent 8080 0 no-query no-digest no-netdb-exchange default
visible_hostname thebridge.domain.com
url_rewrite_program /usr/local/bin/squidGuard -c /usr/local/etc/squid/squidGuard.conf
```


----------



## daevid (Jul 15, 2010)

*Thank You*

Thank you so very much for this thread, I actually have a bridged install up and running doing caching perfectly.

Is it possible to use the rdr command to set up a transparent mail filter as well?
I am presuming I would just rdr port 25 to Postfix and set up Postfix to do all the filtering/spam detection and anti-virus scans.

There already is a Linux solution for intercepting smtp/pop email transparently, but I really want to add this to my FreeBSD bridge.

I really love the idea of having this "inline" filter/cache that sits between my PFsense embedded install and my network. If this "IFACS" server goes down I simply take it out of the path and can continue using the internet minus the filtering/anti-virus/caching.

I really didn't mean to hijack this thread if it comes off like that. I just think this fits in with the transparent bridge subject.


----------



## DutchDaemon (Jul 15, 2010)

Haven't tested this with SMTP, but I have done this with DNS (rdr every outbound DNS request to localhost with a local BIND doing the actual DNS lookups). I see no real reason why redirecting SMTP to a local mailserver wouldn't work (so long as you configure relaying correctly). The only thing that makes transparent http proxies a hassle is the Host: header that needs to be accounted for, and the impossibility of redirecting https. So it's a _protocol_ thing that makes it slightly more difficult. DNS and SMTP, however, are simple 'connect to IP:PORT' situations without anything in the protocols needing special attention.


----------

