Netgate Discussion Forum

    Squid does not work as a transparent proxy on 1 interface

    mobil1

      All of this works perfectly on CentOS 6.5 + Squid built from ports.
      The problem is described in more detail here: http://www.anticisco.ru/forum/viewtopic.php?f=2&t=6961

      Output of pfctl -sn && pfctl -sr

      no nat proto carp all
      nat-anchor "natearly/*" all
      nat-anchor "natrules/*" all
      nat on em0 inet from 192.168.56.10 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
      nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
      nat on em0 inet from 0.0.0.0 port = isakmp to any port = isakmp -> 192.168.56.5 port 500
      nat on em0 inet from 192.168.56.10 to any -> 192.168.56.5 port 1024:65535
      nat on em0 inet from 127.0.0.0/8 to any -> 192.168.56.5 port 1024:65535
      nat on em0 inet from 0.0.0.0 to any -> 192.168.56.5 port 1024:65535
      no rdr proto carp all
      rdr-anchor "relayd/*" all
      rdr-anchor "tftp-proxy/*" all
      rdr on em0 inet proto gre from any to 192.168.56.5 -> 127.0.0.1
      rdr on em0 inet proto tcp from any to 192.168.56.5 port = http -> 127.0.0.1 port 3129
      rdr-anchor "miniupnpd" all
      scrub on em0 all max-mss 1420 fragment reassemble
      anchor "relayd/*" all
      anchor "openvpn/*" all
      anchor "ipsec/*" all
      block drop in log quick inet6 all label "Block all IPv6"
      block drop out log quick inet6 all label "Block all IPv6"
      block drop in log inet all label "Default deny rule IPv4"
      block drop out log inet all label "Default deny rule IPv4"
      block drop in log inet6 all label "Default deny rule IPv6"
      block drop out log inet6 all label "Default deny rule IPv6"
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      block drop quick inet proto tcp from any port = 0 to any
      block drop quick inet proto tcp from any to any port = 0
      block drop quick inet proto udp from any port = 0 to any
      block drop quick inet proto udp from any to any port = 0
      block drop quick inet6 proto tcp from any port = 0 to any
      block drop quick inet6 proto tcp from any to any port = 0
      block drop quick inet6 proto udp from any port = 0 to any
      block drop quick inet6 proto udp from any to any port = 0
      block drop quick from <snort2c> to any label "Block snort2c hosts"
      block drop quick from any to <snort2c> label "Block snort2c hosts"
      block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
      block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
      block drop in quick from <virusprot> to any label "virusprot overload table"
      block drop in on ! em0 inet from 192.168.56.0/24 to any
      block drop in inet from 192.168.56.5 to any
      block drop in on em0 inet6 from fe80::a00:27ff:fe80:7ee0 to any
      pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      pass out route-to (em0 192.168.56.10) inet from 192.168.56.5 to ! 192.168.56.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      pass in quick on em0 proto tcp from any to (em0) port = https flags S/SA keep state label "anti-lockout rule"
      pass in quick on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state label "anti-lockout rule"
      pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT
      anchor "userrules/*" all
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.0/24 to any flags S/SA keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.0/24 to any keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto icmp from 172.16.34.167 to 192.168.56.5 icmp-type echoreq keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto udp from 192.168.56.11 to 192.168.56.255 port = netbios-ns keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from 192.168.56.11 to 192.168.56.5 port = 3128 flags S/SA keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.10 to 192.168.56.5 keep state label "USER_RULE: Easy Rule: Passed from Firewall Log View"
      pass in log quick on em0 reply-to (em0 192.168.56.10) inet proto gre from 192.168.56.5 to 192.168.56.0/24 keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto gre all keep state label "USER_RULE"
      pass in quick on em0 reply-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = http flags S/SA no state label "USER_RULE"
      pass in quick on em0 route-to (em0 192.168.56.10) inet proto tcp from any to 192.168.56.5 port = 3129 flags S/SA no state label "USER_RULE"
      anchor "tftp-proxy/*" all
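A point worth checking in any transparent-proxy ruleset is what the rdr line actually catches: pf matches rdr against the packet as it arrives, before translation, so a rule written `to 192.168.56.5 port = http` only redirects requests addressed to the firewall itself. The following added example (not code from the thread or from pfSense) parses the rdr line quoted above and a constructed variant that redirects web traffic to any host except the firewall, then shows which sample flows each one translates; the client and web-server addresses are constructed, and whether this is the cause of the poster's problem is not something the thread establishes.

```python
import ipaddress
import re

# Constructed sample input: the rdr line quoted in the thread's pfctl -sn output,
# plus a hypothetical variant that redirects web traffic to any host except the
# firewall itself (not from the thread; shown for comparison).
RDR_FROM_THREAD = ("rdr on em0 inet proto tcp from any to 192.168.56.5 "
                   "port = http -> 127.0.0.1 port 3129")
RDR_ANY_EXCEPT_SELF = ("rdr on em0 inet proto tcp from any to ! 192.168.56.5 "
                       "port = http -> 127.0.0.1 port 3129")

SERVICES = {"http": 80, "https": 443, "ssh": 22}  # names pfctl prints instead of numbers
RDR_RE = re.compile(
    r"rdr on (?P<iface>\S+) inet proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<neg>! )?(?P<dst>\S+) port = (?P<port>\S+) -> (?P<rdst>\S+) port (?P<rport>\d+)"
)

def _port(token):
    return SERVICES[token] if token in SERVICES else int(token)

def parse_rdr(line):
    """Parse the subset of pfctl -sn rdr syntax used in the thread into a dict."""
    m = RDR_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError("unsupported rdr syntax: " + line)
    r = m.groupdict()
    r["neg"] = r["neg"] is not None
    r["port"] = _port(r["port"])
    r["rport"] = int(r["rport"])
    return r

def _addr_match(spec, negate, addr):
    hit = spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    return hit != negate  # XOR: a '!' spec matches when the address lies outside it

def redirect_target(rule, iface, proto, src, dst, dport):
    """Return (new_dst, new_port) if pf would translate this arriving packet, else None.
    rdr is matched on the packet as it arrives on the interface, before any translation."""
    if rule["iface"] != iface or rule["proto"] != proto or dport != rule["port"]:
        return None
    if not _addr_match(rule["src"], False, src) or not _addr_match(rule["dst"], rule["neg"], dst):
        return None
    return rule["rdst"], rule["rport"]

if __name__ == "__main__":
    client, web = "192.168.56.11", "198.51.100.7"  # constructed LAN client / external web server
    for line in (RDR_FROM_THREAD, RDR_ANY_EXCEPT_SELF):
        rule = parse_rdr(line)
        print(line)
        print("  client -> firewall:80 :", redirect_target(rule, "em0", "tcp", client, "192.168.56.5", 80))
        print("  client -> web:80      :", redirect_target(rule, "em0", "tcp", client, web, 80))
```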
      xoma922

        Look in the web GUI under Status->System Logs->Firewall and post a screenshot here. Screenshots of the rules, again from the web GUI, wouldn't hurt either.

        mobil1

          Here are a couple of screenshots
          https://www.dropbox.com/s/j6oi40667sj7xo8/%D0%A1%D0%BA%D1%80%D0%B8%D0%BD%D1%88%D0%BE%D1%82%202014-08-18%2015.42.49.png
          https://www.dropbox.com/s/w4e8mu9u7nmogra/%D0%A1%D0%BA%D1%80%D0%B8%D0%BD%D1%88%D0%BE%D1%82%202014-08-18%2015.43.49.png

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.