Ok, I think I finally got this working. It took a combination of using divert-to in the pf.conf, and intercept (rather than tproxy or transparent) in squid.conf. At any rate, basic functionality appears to be restored. So now I just need to expand the system to the full level of functionality that I need. Thanks for bearing with me!
-----------------------------------------------
Israel Brewster
Systems Analyst II
Ravn Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7293
-----------------------------------------------
On Jul 25, 2014, at 8:38 AM, Israel Brewster <israel_at_ravnalaska.net> wrote:
> On Jul 25, 2014, at 3:32 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
>> On 25/07/2014 10:15 a.m., Israel Brewster wrote:
>>> I have been using Squid 2.9 on OpenBSD 5.0 for a while as a transparent proxy. PF on the proxy box rdr-to redirects all web requests not destined for the box itself to squid running on port 3128. Squid then processes the request based on a series of ACLs, and either allows the request or redirects (deny_info ... all) the request to a page on the proxy box.
>>>
>>
>> There are some big changes in OpenBSD between those versions. Have you
>> tried divert-to in the PF rules and tproxy option on the Squid http_port ?
>>
>> Amos
>
> I figured as much. Thus the reason I am going back to just trying to get a basic setup working. So I have now gone back to the default config files for pf and squid.
>
> First, I set up PF to just do basic routing (no squid) and made sure that worked by adding the single line (along with some macros):
>
> match out on $outsideIF from !(outsideIF:network) nat-to $OutsideIP
>
> I was then able to properly access webpages through the box. So far so good. I then followed this guide: http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf, which uses tproxy and divert-to, as you suggested. Other than the changes listed in the guide, I also stripped down the squid http_access rules to the basic "block all but a few" set I listed earlier, and added an extra http_port line (with no modifiers) to avoid errors on startup. The only set skip rule I have in PF is set skip on lo, which should be fine (I think).
>
> At this point, from what I can tell, everything was broken. Attempting to connect to a website through the box now returns (using firefox) "Unable to connect. Firefox can't establish a connection to the server at ..." regardless of the site I attempt to connect to. Perhaps more to the point, squid running in debug mode shows no indication of an attempted connection.
>
> looking at the PF.log shows the following when I attempt to connect to a webpage:
>
> 08:28:50.954386 rule 0/(match) match in on em0: 192.168.10.51.49635 > 96.30.50.156.80: S 2366946536:2366946536(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 721039242 0,sackOK,eol> (DF)
> 08:28:50.954393 rule 2/(match) pass in on em0: 192.168.10.51.49635 > 96.30.50.156.80: S 2366946536:2366946536(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 721039242 0,sackOK,eol> (DF)
> 08:28:50.954398 rule 2/(match) pass in on em0: 192.168.10.51.49635 > 96.30.50.156.80: S 2366946536:2366946536(0) win 65535 <mss 1460,nop,wscale 4,nop,nop,timestamp 721039242 0,sackOK,eol> (DF)
>
> Where rule 0 is the logging rule (match log (matches) inet from 192.168.10.0/24 to any) and rule 2 is the divert-to rule (pass in quick inet proto tcp from 192.168.10.0/24 to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129)
>
> Squid debugging output shows nothing, as I mentioned - no attempted connection, no activity of any kind, although the startup sequence does show "Accepting TPROXY intercepted HTTP Socket connections at local=127.0.0.1:3129 remote=[::] FD 9 flags=25", which would appear to indicate that it IS listening on port 3129, which is what PF is (supposedly) diverting to. Using rdr-to in pf, at least I saw the attempted connection in squid, and got a return page from squid, although it never let anything through (perhaps due to the redirection loop?).
>
> So to summarize, at this point I have added the following three lines to pf.conf (my inside network is 192.168.10.0/24, and the interface IP on the inside NIC is 192.168.10.1):
>
> match out on $outsideIF from !(outsideIF:network) nat-to $OutsideIP
> pass in quick inet proto tcp from 192.168.10.0/24 to port www divert-to 127.0.0.1 port 3129
> pass out quick inet from 192.168.10.0/24 divert-reply
>
> And my squid.conf contains the following:
>
> acl authorized_hosts dstdomain .google.com
> acl authorized_hosts dstdomain .wunderground.com
> acl authorized_hosts dstdomain .noaa.gov
>
> http_access allow authorized_hosts
> http_access deny to_localhost
> http_access deny all
>
> http_port 3129 tproxy
> http_port 3128
>
> coredump_dir /var/squid/cache
>
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> deny_info http://192.168.10.1/login.py all
>
> Although as I said it doesn't appear to me that squid is getting the traffic at all. When running squid in debug mode, I see the following:
>
> # squid -d8 -N
> 2014/07/25 08:10:58| Set Current Directory to /var/squid/cache
> 2014/07/25 08:10:58| Starting Squid Cache version 3.4.2 for i386-unknown-openbsd5.5...
> 2014/07/25 08:10:58| Process ID 28065
> 2014/07/25 08:10:58| Process Roles: master worker
> 2014/07/25 08:10:58| With 128 file descriptors available
> 2014/07/25 08:10:58| Initializing IP Cache...
> 2014/07/25 08:10:58| DNS Socket created at [::], FD 5
> 2014/07/25 08:10:58| DNS Socket created at 0.0.0.0, FD 6
> 2014/07/25 08:10:58| Adding nameserver 8.8.8.8 from /etc/resolv.conf
> 2014/07/25 08:10:58| Adding nameserver 8.8.4.4 from /etc/resolv.conf
> 2014/07/25 08:10:58| Logfile: opening log daemon:/var/squid/logs/access.log
> 2014/07/25 08:10:58| Logfile Daemon: opening log /var/squid/logs/access.log
> 2014/07/25 08:10:58| Store logging disabled
> 2014/07/25 08:10:58| Swap maxSize 0 + 262144 KB, estimated 20164 objects
> 2014/07/25 08:10:58| Target number of buckets: 1008
> 2014/07/25 08:10:58| Using 8192 Store buckets
> 2014/07/25 08:10:58| Max Mem size: 262144 KB
> 2014/07/25 08:10:58| Max Swap size: 0 KB
> 2014/07/25 08:10:58| Using Least Load store dir selection
> 2014/07/25 08:10:58| Set Current Directory to /var/squid/cache
> 2014/07/25 08:10:58| Finished loading MIME types and icons.
> 2014/07/25 08:10:58| HTCP Disabled.
> 2014/07/25 08:10:58| Adaptation support is off.
> 2014/07/25 08:10:58| Accepting TPROXY intercepted HTTP Socket connections at local=[::]:3129 remote=[::] FD 9 flags=25
> 2014/07/25 08:10:58| Accepting TPROXY intercepted HTTP Socket connections at local=0.0.0.0:3129 remote=[::] FD 10 flags=25
> 2014/07/25 08:10:58| Accepting HTTP Socket connections at local=[::]:3128 remote=[::] FD 11 flags=9
> 2014/07/25 08:10:58| Accepting HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 12 flags=9
> 2014/07/25 08:10:59| storeLateRelease: released 0 objects
>
> And that's all she wrote, even when attempting access through the box. Note that the https:// protocol does still work, since I am not attempting to send that through squid (yet at any rate). One final note: it looks to me as though squid is doing something with ipv6. While this shouldn't be a problem, we do not have ipv6 anywhere in our network, nor will we ever, so it would make me feel better if I could just turn that off completely.
>
> Thanks for any help/suggestions.
>
> -----------------------------------------------
> Israel Brewster
> Systems Analyst II
> Ravn Alaska
> 5245 Airport Industrial Rd
> Fairbanks, AK 99709
> (907) 450-7293
> -----------------------------------------------
>
This archive was generated by hypermail 2.2.0 : Sat Jul 26 2014 - 12:00:05 MDT