NetBSD-Users archive


Re: Proxy server, mode intercept on NetBSD 7.0.1



Hi guys again, the problem is a bug in ipfilter 5; the same rules work in
NetBSD 6.1.5, where the version of ipfilter is 4.


2016-07-27 5:05 GMT-05:00, Rodolfo Edgar <sololistasdecorreo%gmail.com@localhost>:
> Hi guys,
>
> Help me please, I have a small LAN in my office, the scenario is:
>
> Internet----Router ISP----(wm0-NetBSD-wm1,wm2)----LAN1, LAN2
>
> wm0=192.168.1.85/24
> wm1=192.168.2.85/24
> wm2=192.168.3.85/24
>
> I am going to do proxy on wm1, currently NetBSD is a firewall and
> router, I use ipfilter, my rules are:
>
> +ipf.conf (basic rules)
>
> pass in from any to any
> pass out from any to any
>
> +ipnat.conf
>
> #wm1 interface
> map wm0 192.168.2.0/24 -> 0/32 portmap tcp/udp auto
> map wm0 192.168.2.0/24 -> 0/32
>
> #wm2 interface
> map wm0 192.168.3.0/24 -> 0/32 portmap tcp/udp auto
> map wm0 192.168.3.0/24 -> 0/32
>
> #Proxy server
> rdr wm1 0/0 port 80 -> 192.168.2.85 port 3129 tcp
>
> My rc.conf:
> #Firewall
> ipfilter=YES
> ipfilter_flags=""
> ipnat=YES
>
> #Service
> squid=YES
>
> My sysctl.conf: ipv4 forwarding is enabled
> net.inet.ip.forwarding=1
>
> NetBSD as router is OK, but as proxy I have some problem, the setup to
> squid is basic
> ...
> #My simple acl
> acl lan1 src 192.168.2.0/24
> acl expno url_regex "/usr/pkg/etc/squid/expno"
> acl dono dstdomain "/usr/pkg/etc/squid/dono"
>
> #My rules
> http_access allow localhost
>
> http_access deny expno
> http_access deny dono
> http_access allow lan1
>
> http_access deny all
>
> http_port 192.168.2.85:3129 intercept
>
> cache_dir ufs /var/squid/cache/squid 100 16 256
>
> cache_mem 128 MB
>
> ...
>
> The files expno and dono are in the path
>
> The proxy is running, but I think that I need to add or modify
> something, because when I want to use some url the cache.log says:
>
> ...ERROR: No forward-proxy ports configured.
> ERROR: NAT/TPROXY lookup failed to locate original IPs on
> local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33...
>
> The message appears when I put in the browser a url, for example
> www.netbsd.org or another that does not use the https protocol, but when
> I use some url that I put in the dstdomain rule in dono, for example
> xvideos.com, the proxy works and says access denied, BUT WHEN I PUT SOME
> normal URL without https the message says:
>
> empty response (zero size)
>
> Help me please, what is my mistake? I tried to change the port, and also
> added http_port 3128 and http_port 3129 intercept. I read the squid-cache
> page http://wiki.squid-cache.org/KnowledgeBase/NoForwardProxyPorts, but I
> THINK THAT I need to add something. I remember that I did a similar
> proxy in an earlier version of NetBSD and it was working perfectly with
> ipfilter, the same rule, the rule copied from the ipnat.conf man page.
> Thanks in advance for your reply, please help me.
>
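The two cache.log errors quoted above are the symptom a defender should look for when an intercept port is not receiving properly redirected traffic. The script below is an added example, not code from the thread, from Squid or from ipfilter: it scans cache.log lines for the "NAT/TPROXY lookup failed" and "No forward-proxy ports configured" messages and classifies each NAT failure by the remote address. The classification is my own heuristic and an assumption: a remote address equal to the proxy's own address (as in the quoted line, remote=192.168.2.85) suggests the proxy's outbound connection was redirected back into its own intercept port, while a LAN client address at the intercept port with no NAT entry suggests the rdr mapping was not consulted for that connection. The log lines are constructed from the excerpt in the thread; timestamps, FD numbers and the second client address are made up.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample cache.log text modelled on the lines quoted in the thread.
# Timestamps, FD numbers and the 192.168.2.20 client are invented for illustration.
SAMPLE_LOG = """\
2016/07/27 10:15:02| ERROR: No forward-proxy ports configured.
2016/07/27 10:15:02| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.85:65508 FD 22 flags=33
2016/07/27 10:15:09| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.2.85:3129 remote=192.168.2.20:51234 FD 23 flags=33
2016/07/27 10:15:10| Squid plugin modules loaded: 0
"""

# Pattern for the NAT lookup failure message; captures the intercept socket and the peer.
NAT_FAIL = re.compile(
    r"NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<lip>[\d.]+):(?P<lport>\d+) remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)
NO_FWD_PORTS = "No forward-proxy ports configured"


def classify_nat_failure(remote_ip, proxy_ip, lan_net):
    """Heuristic (assumption, not a Squid rule): name the likely cause from the peer address."""
    peer = ip_address(remote_ip)
    if peer == ip_address(proxy_ip):
        # The proxy is talking to itself: its outbound request was redirected
        # back to the intercept port, so no original destination can be found.
        return "self_loop"
    if peer in ip_network(lan_net):
        # A LAN client reached the intercept port but the kernel NAT table
        # held no mapping for the connection.
        return "lan_client_no_nat_entry"
    # Anything else reaching the intercept port directly is worth a look.
    return "unexpected_source"


def scan_cache_log(text, proxy_ip, lan_net):
    """Return one finding dict per relevant log line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if NO_FWD_PORTS in line:
            findings.append({"line": lineno, "kind": "no_forward_proxy_ports"})
            continue
        m = NAT_FAIL.search(line)
        if m:
            findings.append({
                "line": lineno,
                "kind": classify_nat_failure(m["rip"], proxy_ip, lan_net),
                "local": f"{m['lip']}:{m['lport']}",
                "remote": f"{m['rip']}:{m['rport']}",
            })
    return findings


def summarize(findings):
    """Count findings per kind so a spike of one kind stands out."""
    counts = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    # Proxy address and LAN1 network are the values from the thread (wm1).
    results = scan_cache_log(SAMPLE_LOG, "192.168.2.85", "192.168.2.0/24")
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run it against a real cache.log by replacing SAMPLE_LOG with the file contents; the proxy address and LAN network arguments are the wm1 values from the thread and should be changed for another setup. A "self_loop" hit is the one to chase first, since it means the redirect rule is catching the proxy's own traffic rather than only client traffic.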

