NetBSD-Users archive


Proxy server, mode intercept on NetBSD 7.0.1



Hi guys,

Help me please, I have a small LAN in my office; the scenario is:

Internet----Router ISP----(wm0-NetBSD-wm1,wm2)----LAN1, LAN2

wm0=192.168.1.85/24
wm1=192.168.2.85/24
wm2=192.168.3.85/24

I am going to run the proxy on wm1. Currently NetBSD is a firewall and
router; I use ipfilter, and my rules are:

+ipf.conf (basic rules)

pass in from any to any
pass out from any to any

+ipnat.conf

#wm1 interface
map wm0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
map wm0 192.168.2.0/24 -> 0/32

#wm2 interface
map wm0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
map wm0 192.168.3.0/24 -> 0/32

#Proxy server
rdr wm1 0/0 port 80 -> 192.168.2.85 port 3129 tcp

My rc.conf:
#Firewall
ipfilter=YES
ipfilter_flags=""
ipnat=YES

#Service
squid=YES

My sysctl.conf, with IPv4 forwarding enabled:
net.inet.ip.forwarding=1

NetBSD as a router is OK, but as a proxy I have a problem. The squid
setup is basic:
...
#My simple acl
acl lan1 src 192.168.2.0/24
acl expno url_regex "/usr/pkg/etc/squid/expno"
acl dono dstdomain "/usr/pkg/etc/squid/dono"

#My rules
http_access allow localhost

http_access deny expno
http_access deny dono
http_access allow lan1

http_access deny all

http_port 192.168.2.85:3129 intercept

cache_dir ufs /var/squid/cache/squid 100 16 256

cache_mem 128 MB

...

The files expno and dono are in that path.

The proxy is running, but I think there is something I need to add or
modify, because when I try to open some URL, cache.log says:

...ERROR: No forward-proxy ports configured.
ERROR: NAT/TPROXY lookup failed to locate original IPs on
local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33...

The message appears when I put a URL in the browser, for example
www.netbsd.org or another that does not use the https protocol, but when I
use some URL that I put in the dstdomain rule in dono, for example
xvideos.com, the proxy works and says access denied, BUT WHEN I PUT SOME
normal URL without https the message says:

empty response (zero size)

Help me please, what is my mistake? I tried to change the port, and also
to add http_port 3128 and http_port 3129 intercept. I read the squid-cache
page http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts, but I
THINK THAT I need to add something. I remember that I did a similar
proxy on an earlier version of NetBSD and it was working perfectly with
ipfilter, with the same rule, the rule copied from the ipnat.conf man page.
Thanks in advance for your reply, please help me.
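The cache.log excerpt above carries the most useful diagnostic in the whole post: the failed NAT lookup reports remote=192.168.2.85, which is the proxy host's own wm1 address, so the connection that hit the intercept port did not come from a LAN client but from the NetBSD box itself. The following script is an added example, not code from the poster or from the Squid project; it reads a cache.log excerpt and separates that case (the redirect rule catching traffic originating on the proxy host, i.e. a loop) from a NAT lookup that fails for a genuine LAN client. The interface addresses are taken from the post; the log lines are constructed to match the quoted messages, with timestamps and an extra client line added for contrast.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the two ERROR lines quoted in the
# post, with timestamps and two extra lines added for contrast. Not a real
# capture.
SAMPLE_CACHE_LOG = """\
2017/01/01 10:00:01 kid1| ERROR: No forward-proxy ports configured.
2017/01/01 10:00:01 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33
2017/01/01 10:00:07 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.23:50120 FD 25 flags=33
2017/01/01 10:00:09 kid1| Accepting HTTP Socket connections at local=192.168.2.85:3129 remote=[::] FD 12 flags=9
"""

# Interface addresses of the NetBSD box, as given in the post (wm0, wm1, wm2).
PROXY_HOST_ADDRS = frozenset({"192.168.1.85", "192.168.2.85", "192.168.3.85"})

# Matches the NAT/TPROXY failure line and captures both endpoints.
NAT_FAIL_RE = re.compile(
    r"NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<lip>[\d.]+):(?P<lport>\d+) remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)


def classify_line(line, proxy_host_addrs=PROXY_HOST_ADDRS):
    """Return a (kind, remote_ip) tuple for lines of interest, else None.

    kind is one of:
      'no_forward_port' - Squid only has intercept ports and received a
                          request it could not treat as intercepted
      'self_connection' - the NAT lookup failed and the peer is one of the
                          proxy host's own addresses: the connection did not
                          come from a LAN client, so the redirect rule is
                          catching traffic that originates on the box (a loop)
      'client_nat_miss' - the NAT lookup failed for a genuine LAN client: the
                          redirect happened, but Squid could not read the
                          original destination from the NAT table
    """
    if "No forward-proxy ports configured" in line:
        return ("no_forward_port", None)
    m = NAT_FAIL_RE.search(line)
    if not m:
        return None
    remote_ip = m.group("rip")
    if remote_ip in proxy_host_addrs:
        return ("self_connection", remote_ip)
    return ("client_nat_miss", remote_ip)


def summarize_cache_log(text, proxy_host_addrs=PROXY_HOST_ADDRS):
    """Count each finding kind across a cache.log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        hit = classify_line(line, proxy_host_addrs)
        if hit:
            counts[hit[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, n in sorted(summarize_cache_log(SAMPLE_CACHE_LOG).items()):
        print(f"{kind}: {n}")
```

A 'self_connection' finding points at the rdr rule rather than at Squid: the redirect must not apply to connections whose source is the proxy host itself, otherwise Squid's own outbound port-80 fetches are sent back to the intercept port and Squid sees a request it cannot treat as intercepted, which is exactly the "No forward-proxy ports configured" message that precedes it. A 'client_nat_miss' finding, by contrast, means the redirect worked for a LAN client but Squid could not consult the NAT table; there the things to check are whether the Squid build has IPFilter interception support and whether the Squid process can open the ipnat device.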

