Squid doesn't work as a transparent proxy on 1 interface
-
All of this works fine on CentOS 6.5 + Squid built from ports.
The problem is described in more detail here: http://www.anticisco.ru/forum/viewtopic.php?f=2&t=6961
Output of pfctl -sn && pfctl -sr:
no nat proto carp all
nat-anchor "natearly/*" all
nat-anchor "natrules/*" all
nat on em0 inet from 192.168.56.10 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
nat on em0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
nat on em0 inet from 192.168.56.10 to any -> 192.168.56.5 port 1024:65535
nat on em0 inet from 127.0.0.0/8 to any -> 192.168.56.5 port 1024:65535
nat on em0 inet from 0.0.0.0 to any -> 192.168.56.5 port 1024:65535
no rdr proto carp all
rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr on em0 inet proto gre from any to 192.168.56.5 -> 127.0.0.1
rdr on em0 inet proto tcp from any to 192.168.56.5 port = http -> 127.0.0.1 port 3129
rdr-anchor "miniupnpd" all
scrub on em0 all max-mss 1420 fragment reassemble
anchor "relayd/*" all
anchor "openvpn/*" all
anchor "ipsec/*" all
block drop in log quick inet6 all label "Block all IPv6"
block drop out log quick inet6 all label "Block all IPv6"
block drop in log inet all label "Default deny rule IPv4"
block drop out log inet all label "Default deny rule IPv4"
block drop in log inet6 all label "Default deny rule IPv6"
block drop out log inet6 all label "Default deny rule IPv6"
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
block drop quick inet proto tcp from any port = 0 to any
block drop quick inet proto tcp from any to any port = 0
block drop quick inet proto udp from any port = 0 to any
block drop quick inet proto udp from any to any port = 0
block drop quick inet6 proto tcp from any port = 0 to any
block drop quick inet6 proto tcp from any to any port = 0
block drop quick inet6 proto udp from any port = 0 to any
block drop quick inet6 proto udp from any to any port = 0
block drop quick from <snort2c> to any label "Block snort2c hosts"
block drop quick from any to <snort2c> label "Block snort2c hosts"
block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
block drop in quick from <virusprot> to any label "virusprot overload table"
block drop in on ! em0 inet from 192.168.56.0/24 to any
block drop in inet from 192.168.56.5 to any
block drop in on em0 inet6 from fe80::a00:27ff:fe80:7ee0 to any
pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (em0 192.168.56.10) inet from 192.168.56.5 to ! 192.168.56.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state label "anti-lockout rule"
pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
anchor "userrules/*" all
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.0/24 to any keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto icmp from 172.16.34.167 to 192.168.56.5 icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.11 to 192.168.56.255 port = netbios-ns keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.11 to 192.168.56.5 port = 3128 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.10 to 192.168.56.5 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
pass in log quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.5 to 192.168.56.0/24 keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre all keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = http flags S/SA no state label "USER_RULE"
pass in quick on em0 route-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = 3129 flags S/SA no state label "USER_RULE"
anchor "tftp-proxy/*" all
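Added example, not part of the thread or of pfSense/Squid: a small Python script that parses the one-rule-per-line text that pfctl -sn / pfctl -sr prints, finds the rdr rules that intercept TCP port 80, and for each one reports which destination addresses it actually matches and which pass in rules on the same interface admit traffic to the redirect target port. It relies on two pf facts: an rdr rule only rewrites packets whose original destination matches its "to" address, and a redirect with no target port keeps the original port. The SAMPLE_DUMP rules are constructed to mirror the ruleset above (interface em0, proxy on 127.0.0.1:3129); the service-name map and the regular expressions are assumptions based on the FreeBSD/pfSense print format shown in the thread, and negated addresses ("! net") are not handled.

```python
"""Audit a pfctl -sn / pfctl -sr dump for transparent-proxy redirects.

Added example, not from the forum thread. Finds 'rdr' rules that intercept
TCP port 80 and reports what they match and which 'pass in' rules admit
traffic to the redirect target port.
"""
import re

# Constructed sample in the shape of the thread's pfctl output (em0, proxy on 127.0.0.1:3129).
SAMPLE_DUMP = """\
no nat proto carp all
nat on em0 inet from 192.168.56.10 to any -> 192.168.56.5 port 1024:65535
rdr on em0 inet proto gre from any to 192.168.56.5 -> 127.0.0.1
rdr on em0 inet proto tcp from any to 192.168.56.5 port = http -> 127.0.0.1 port 3129
block drop in log inet all label "Default deny rule IPv4"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.0/24 to any flags S/SA keep state label "USER_RULE"
pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = http flags S/SA no state label "USER_RULE"
pass in quick on em0 route-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = 3129 flags S/SA no state label "USER_RULE"
"""

# pfctl prints well-known ports by service name; assumed map for the ones we need.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22}

# Assumed FreeBSD/pfSense print format; negated addresses ('! net') are not handled.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) .*?proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<dport>\S+))? -> (?P<target>\S+)(?: port (?P<tport>\S+))?"
)
PASS_IN_RE = re.compile(
    r"^pass in .*?on (?P<iface>\S+) .*?proto (?P<proto>\S+) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<dport>\S+))?"
)


def port_number(token):
    """Normalise a pfctl port token ('http', '3129') to an int; None if absent/unknown."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)


def parse_dump(text):
    """Return one dict per non-empty line, keeping only the fields the audit needs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RDR_RE.match(line)
        if m:
            d = m.groupdict()
            rules.append({"kind": "rdr", "raw": line, "iface": d["iface"], "proto": d["proto"],
                          "src": d["src"], "dst": d["dst"], "dport": port_number(d["dport"]),
                          "target": d["target"], "tport": port_number(d["tport"])})
            continue
        m = PASS_IN_RE.match(line)
        if m:
            d = m.groupdict()
            rules.append({"kind": "pass_in", "raw": line, "iface": d["iface"], "proto": d["proto"],
                          "src": d["src"], "dst": d["dst"], "dport": port_number(d["dport"])})
            continue
        rules.append({"kind": "other", "raw": line})
    return rules


def proxy_redirects(rules, client_port=80):
    """rdr rules that intercept TCP traffic sent to client_port (the port being proxied)."""
    return [r for r in rules
            if r["kind"] == "rdr" and r["proto"] == "tcp" and r["dport"] == client_port]


def audit(text, client_port=80):
    """For each port-80 redirect: what destination it matches, where it sends traffic,
    and the 'pass in' rules on that interface that admit the target port (a pass rule
    with no port restriction counts, since it admits every port)."""
    rules = parse_dump(text)
    findings = []
    for rdr in proxy_redirects(rules, client_port):
        # pf keeps the original port when the redirect names none.
        tport = rdr["tport"] if rdr["tport"] is not None else rdr["dport"]
        passes = [p for p in rules
                  if p["kind"] == "pass_in" and p["iface"] == rdr["iface"]
                  and p["proto"] == rdr["proto"]
                  and (p["dport"] is None or p["dport"] == tport)]
        findings.append({
            "redirect": rdr["raw"],
            "matches_destination": rdr["dst"],   # 'any' catches outbound web traffic; a host catches only that host
            "target": f'{rdr["target"]}:{tport}',
            "pass_rules_for_target_port": [p["raw"] for p in passes],
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print("redirect:", f["redirect"])
        print("  matches original destination:", f["matches_destination"])
        print("  sends to:", f["target"])
        for p in f["pass_rules_for_target_port"]:
            print("  admitted by:", p)
```

Run it against a real dump with `pfctl -sn -sr | python3 audit.py` style piping by swapping SAMPLE_DUMP for sys.stdin.read(); the interesting field for a transparent proxy is "matches original destination", since only packets whose original destination matches that address are redirected to Squid at all.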
-
Look in the web UI under Status->System Logs->Firewall and post a screenshot here. Screenshots of the rules, again from the web UI, wouldn't hurt either.
-