Network Filtering by Operating System
Subject:   error on setting up PF with SQUID (transparent proxy)
Date:   2006-02-24 07:37:10
From:   rezmuh
I'm fairly new to FreeBSD, but I've been using OpenBSD for a while. I was trying to set up Squid to do transparent proxying with PF in FreeBSD, but it wouldn't work. The setup is rather similar to what I'm using in OpenBSD (similar squid.conf and pf.conf). It seems that when clients try to browse, they're not redirected to PF; instead they browse directly. Here's what I did with my setup:

Installing Squid with PF transparent proxy:
# cd /usr/ports/www/squid/
# make WITH_SQUID_PF=yes install

squid.conf:
cache_mem 20 MB
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320

acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports
http_reply_access allow all
icp_access allow all

coredump_dir /var/squid/cache

http_access deny to_localhost
acl our_networks src

http_access allow our_networks
http_access deny all
visible_hostname blowfish
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

pf.conf:
# queue
altq on $ext_if priq bandwidth 1000Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

set skip on lo

# nat
nat on $ext_if from $internal -> ($ext_if:0)
rdr on $int_if inet proto tcp from any to any port www -> port 3128

antispoof quick for { lo $int_if }

pass in on $int_if inet proto tcp from any to port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
keep state queue (q_def, q_pri)

pass in on $ext_if proto tcp from any to $ext_if flags S/SA \
keep state queue (q_def, q_pri)

#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state

Can anyone point out what I did wrong? I assume I didn't install Squid the right way (support for PF is not enabled?), because the other PF rules work OK, and also, if I run Squid not in transparent mode (the user has to explicitly enter the proxy server's address), it also works fine.

Btw, the machine is running FreeBSD 5.4-RELEASE-p11.
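A small checker for the three things a PF/Squid transparent-proxy setup like the one above depends on: that the squid binary was built with PF support (the FreeBSD port's PF knob passes `--enable-pf-transparent` to configure, which `squid -v` echoes back), that the port the `rdr` rule sends web traffic to is the port Squid listens on, and that the Squid 2.5 `httpd_accel_*` directives are all present. This is an added example, not code from the original post or from the Squid or FreeBSD projects; the function names are hypothetical and the sample configs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the PF <-> Squid
# coupling for transparent proxying. Function names are hypothetical.

# squid_has_pf "OUTPUT_OF_squid_-v": exit 0 if the configure options include PF support
squid_has_pf() {
    printf '%s\n' "$1" | grep -q -- '--enable-pf-transparent'
}

# squid_listen_port SQUID_CONF: print the port from http_port (Squid's default is 3128)
squid_listen_port() {
    port=$(awk '$1 == "http_port" { p = $2; sub(/^.*:/, "", p); print p; exit }' "$1")
    printf '%s\n' "${port:-3128}"
}

# pf_rdr_port PF_CONF: print the port the first "rdr ... port www ->" rule redirects to
pf_rdr_port() {
    awk '$1 == "rdr" && /port (www|80) / && /->/ {
             split($0, half, "->")
             if (match(half[2], /port [0-9]+/)) {
                 print substr(half[2], RSTART + 5, RLENGTH - 5); exit
             }
         }' "$1"
}

# accel_directives_ok SQUID_CONF: exit 0 if all four Squid 2.5 transparent-mode directives are set
accel_directives_ok() {
    for d in httpd_accel_host httpd_accel_port httpd_accel_with_proxy httpd_accel_uses_host_header; do
        awk -v d="$d" '$1 == d { found = 1 } END { exit (found ? 0 : 1) }' "$1" || return 1
    done
    return 0
}

# check_transparent SQUID_V_OUTPUT SQUID_CONF PF_CONF: run all checks, report, exit 0 only if all pass
check_transparent() {
    rc=0
    if squid_has_pf "$1"; then echo "ok:   squid built with PF support"
    else echo "FAIL: squid lacks --enable-pf-transparent (rebuild the port with the PF option)"; rc=1; fi
    lp=$(squid_listen_port "$2"); rp=$(pf_rdr_port "$3")
    if [ -n "$rp" ] && [ "$lp" = "$rp" ]; then echo "ok:   rdr sends port 80 traffic to squid's port $lp"
    else echo "FAIL: rdr target port '${rp:-none}' does not match squid http_port $lp"; rc=1; fi
    if accel_directives_ok "$2"; then echo "ok:   httpd_accel_* directives present"
    else echo "FAIL: missing httpd_accel_* directive(s)"; rc=1; fi
    return $rc
}

# Usage on the proxy host: sh check_transparent.sh /usr/local/etc/squid/squid.conf /etc/pf.conf
if [ "$#" -eq 2 ]; then
    check_transparent "$(squid -v 2>&1)" "$1" "$2"
fi
```

Two more things the script cannot see from the config files but that matter on FreeBSD: Squid's PF support works by opening `/dev/pf` to look up the original destination of a redirected connection, so the user the port runs Squid as needs read access to that device, and the `rdr` only ever fires for traffic that actually passes through the gateway, which requires IP forwarding to be enabled. Checking `squid -v` output for `--enable-pf-transparent` is the quickest way to confirm whether the port was in fact rebuilt with PF support, which is the poster's own first suspicion.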