Check your net.inet.ip.fw.one_pass sysctl ("sysctl net.inet.ip.fw.one_pass"
at the command prompt). It sounds like it's at 1; change it to 0. What's
happening is that the packets are hitting the 400 rule, doing what it says,
and going out of the loop, so to speak. Setting this to 0 makes the rules
apply in order (unless you do a skipto). This is also necessary when you
apply pipes, which is very helpful for traffic shaping. dummynet(4) will
teach you more about that, as will ipfw(8). Search for
net.inet.ip.fw.one_pass in ipfw(8) for more info on what it does, along with
some other helpful sysctls.
HTH,
Aaron
> -----Original Message-----
> From: Jason Bertolacci [mailto:jbertolacci@yahoo.com]
> Sent: Monday, June 10, 2002 2:53 PM
> To: squid-users@squid-cache.org
> Subject: [squid-users] FreeBSD and Transparent Proxy Trouble
>
>
> Having read the Squid FAQ and other documentation I
> added the recommended config to a working proxy server
> (when proxy options manually configured in the
> browser) in an attempt to get transparent proxy
> working.
>
> After configuring and compiling with
> "--enable-ipf-transparent" I added to squid.conf...
>
> http_port 3128
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_uses_host_header on
> httpd_accel_with_proxy on
>
> And the following to rc.firewall...
>
> [Cc][Aa][Cc][Hh][Ee])
> setup_loopback
> ${fwcmd} add pass all from any to any
> ${fwcmd} add fwd 127.0.0.1,3128 tcp from any to any 80
> ;;
>
> The Squid machine receives traffic forwarded from the
> router but does not seem to deliver it to the proxy. I
> don't see any packets incrementing on the ipfw add fwd
> rule -- is this normal?
>
> 00400 14596 3099647 allow ip from any to any
> 00500 0 0 fwd 127.0.0.1,3128 tcp from any to any 80
>
> And if I connect via telnet to port 80 on the Squid
> server the connection is denied while if I connect to
> 3128 I get an error from Squid. The ipfw forwarding
> does not seem to be working...it is enabled in the
> kernel:
>
> options IPFIREWALL          #firewall
> options IPFIREWALL_VERBOSE  #enable logging to syslogd(8)
> options IPFIREWALL_FORWARD  #enable transparent proxy support
>
> Anyone have thoughts or suggestions? Thanks.
>
> jason
Received on Mon Jun 10 2002 - 17:36:45 MDT
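
The counter listing quoted in this thread shows rule 00400 taking every packet while the fwd rule at 00500 stays at zero. As an added example (not part of the original thread), the shell function below scans `ipfw show` output for fwd rules that sit behind an unconditional allow rule; the function names and the second listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag ipfw fwd rules that follow a rule accepting every packet.
# Input on stdin is `ipfw show` output: rule number, packets, bytes, rule body.

shadowed_fwd_rules() {
    awk '
        # allow/accept/pass/permit are synonyms in ipfw(8); "all" is shown as "ip".
        $4 ~ /^(allow|accept|pass|permit)$/ && $5 ~ /^(ip|all)$/ &&
        $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" && NF == 9 {
            # Remember the first rule that matches all traffic.
            if (catchall == "") catchall = $1
            next
        }
        # Any fwd rule numbered after that catch-all is reported with its counter.
        $4 == "fwd" && catchall != "" {
            printf "%s shadowed_by=%s packets=%s\n", $1, catchall, $2
        }
    '
}

# Listing from the post above, with the mail-wrapped line rejoined.
sample_from_post() {
    cat <<'EOF'
00400 14596 3099647 allow ip from any to any
00500 0 0 fwd 127.0.0.1,3128 tcp from any to any 80
EOF
}

# Constructed listing (counters invented): fwd rule ahead of the catch-all.
sample_reordered() {
    cat <<'EOF'
00400 12 3456 fwd 127.0.0.1,3128 tcp from any to any 80
00500 14596 3099647 allow ip from any to any
EOF
}

echo "listing from the post:"
sample_from_post | shadowed_fwd_rules
echo "constructed listing with fwd first (no output expected):"
sample_reordered | shadowed_fwd_rules
```

On a live FreeBSD host the same check is `ipfw show | shadowed_fwd_rules`.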
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:08:38 MST