On Mon, 4 Nov 2013 20:15:17 +0100
Marc Sontowski <marc_at_sontowski.net> wrote:
> # The internal interface (connected to the local network)
> ext_if="em0"
> # The external interfaces (connected to the ipv4 and ipv6 network)
> int_if="em1"
Strangely enough, your interface macro names are switched in regard to
their corresponding comments. ext_if should be external interface
facing the ISP (while comment says it is internal which means facing
the LAN), and int_if should be internal interface facing the LAN (while
comment says it is external which means facing the ISP).
You say in reality em0 is ISP and em1 is LAN so this shouldn't be the
issue as comments do not influence configuration - they should be used
to make things more understandable. However, in your case they are
causing confusion. Either correct them or remove them.
Now, as for the filtering rules, I would avoid the quick keyword in the
beginning until I make things work. I would go with something like:
# default block from internet to our network
block in log on $ext_if
# pass what you need (ssh to firewall or whatever)
pass in on $ext_if inet proto tcp from any to $ext_if port ssh
# pass everything out on external interface (we filter on internal)
pass out on $ext_if all
# default block from lan to the internet
block in log on $int_if
# redirect all web traffic to squid
pass in on $int_if inet proto tcp from any to any port { 80 443 } \
divert-to 127.0.0.1 port 3128
# pass what you need (dns to google's public dns server or whatever)
pass in on $int_if inet proto { tcp udp } from any to 8.8.8.8 port 53
# pass everything out on internal interface (if it already entered on ext)
pass out on $int_if all
Pay attention to the 'log' directive in default blocks, as it will log
all blocked packets to the pflog0 interface. Next, get familiar with
tcpdump to inspect what gets blocked in real time. Type in terminal:
tcpdump -n -e -q -ttt -i pflog0
Or for inspection of logs:
tcpdump -n -e -q -ttt -r /var/log/pflog
Check your filtering rules with pfctl -vvsr to see if packets hit your
pass rules.
Now, I doubt any of this is relevant to squid, more like pf.
-- Marko Cupać
Received on Mon Nov 04 2013 - 20:27:45 MST
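An added example (not from the thread above): a small shell function that summarises the text tcpdump prints for pflog0 into one line per interface, direction and rule, with a packet count and the distinct destination ports, so you can see what the default block rules are still dropping before adding pass rules. The log lines, addresses and rule numbers are constructed for illustration; em0 is assumed to face the ISP and em1 the LAN, as in the thread.

```shell
#!/bin/sh
# Summarise what pf's 'block ... log' rules are dropping, using the text that
# "tcpdump -n -e -q -ttt -i pflog0" (or "-r /var/log/pflog") prints.

# Constructed sample of tcpdump pflog output (not a real capture).
# em0 is the ISP-facing interface, em1 the LAN-facing one.
SAMPLE_PFLOG='00:00:00.000000 rule 0/(match) block in on em0: 198.51.100.7.51234 > 203.0.113.2.23: tcp 0 (DF)
00:00:01.250000 rule 0/(match) block in on em0: 198.51.100.9.40000 > 203.0.113.2.445: tcp 0 (DF)
00:00:00.500000 rule 3/(match) block in on em1: 192.168.1.20.53211 > 192.0.2.10.25: tcp 0 (DF)
00:00:02.000000 rule 3/(match) block in on em1: 192.168.1.21.5353 > 224.0.0.251.5353: UDP, length 80
00:00:00.100000 rule 3/(match) block in on em1: 192.168.1.20.53212 > 192.0.2.10.25: tcp 0 (DF)'

# summarize_pflog: reads tcpdump pflog text on stdin and prints
#   "<iface> <dir> rule <n>: <count> packets, dst ports: <p1> <p2> ..."
# sorted by interface. Only lines whose action is "block" are counted.
summarize_pflog() {
    awk '
        $2 == "rule" && $4 == "block" {
            # $3 is "N/(match)", $5 is the direction, $7 is "em0:",
            # $10 is "dst.ip.port:" (the port is the last dotted component)
            rule = $3;  sub(/\/.*/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            dst = $10;  sub(/:$/, "", dst)
            port = dst; sub(/.*\./, "", port)
            key = iface " " $5 " rule " rule
            count[key]++
            if (!((key, port) in seen)) {
                seen[key, port] = 1
                ports[key] = ports[key] " " port
            }
        }
        END {
            for (k in count)
                printf "%s: %d packets, dst ports:%s\n", k, count[k], ports[k]
        }
    ' | sort
}

# Run against the constructed sample; on a live firewall pipe tcpdump in instead.
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```

A destination port that keeps showing up under the LAN-side block rule is usually a service that still needs a pass rule, while the same on the ISP side is just noise being dropped as intended.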