Cannot get pf to forward packets when configuring transparent Squid 3.4.13 on OpenBSD 5.7

I am trying to build a transparent proxy with Squid on OpenBSD 5.7 with the pf firewall.

I compiled Squid from source with the following options:

$ squid -v
Squid Cache: Version **3.4.13**
configure options:  
--prefix=/usr/local/squid
--with-default-user=squid 
--enable-icmp
--enable-storeio=ufs,aufs
--enable-removal-policies=lru,heap
--disable-snmp
--disable-wccp 
--disable-wccpv2
--enable-pf-transparent
--enable-ipv6
--enable-referer-log
--with-nat-devpf
--enable-debug-cbdata
--enable-useragent-log
--enable-refererlog
--enable-cache-digests
--with-large-files
--with-pthreads
--without-mit-krb5
--without-heimdal-krb5
--without-gnugss
--disable-eui
--disable-auth
--enable-ltdl-convenience

$ uname -a
OpenBSD dns.localdomain 5.7 GENERIC#825 amd64

My squid.conf:

visible_hostname dns.local 
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network

acl SSL_ports port 443
acl Safe_ports port 80      # http
acl Safe_ports port 21      # ftp
acl Safe_ports port 443     # https
acl CONNECT method CONNECT

http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# allow
http_access allow localnet
http_access allow localhost

# And finally deny all other access to this proxy
http_access deny all

# Squid normally listens to port 3128
http_port 3128
http_port 127.0.0.1:3129 intercept 

# disk cache directory.
cache_dir ufs /usr/local/squid/var/cache/squid 100 16 256

# Leave coredumps in the first cache dir
coredump_dir /usr/local/squid/var/cache/squid

#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp:       1440    20% 10080
refresh_pattern ^gopher:    1440    0%  1440
refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
refresh_pattern .       0   20% 4320

The gateway is enabled so that clients can reach the Internet:

net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1

pf.conf:

int_if = "vic1"
ext_if = "vic0"

lan_net = "192.168.1.0/24"

# Settings

set block-policy return
set loginterface egress
set skip on lo

# NAT 

match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass in quick log on $ext_if inet proto tcp from 192.168.1.0/24 to port www divert-to 127.0.0.1 port 3129
pass out quick log inet from 192.168.1.0/24 divert-reply

# 
# Rules 
#
block all

# allow dns
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53

# allow local access to web
pass quick on $ext_if inet proto tcp from {self} to any port 80

# allow icmp
pass quick on $int_if inet proto icmp from $lan_net to any

# allow ssh from $ext_if
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22

I think there is a problem with the pf rules. Is it because pf cannot forward the packets to port 3129? I tested with the following command, but `nc -l 3129` does not receive any HTTP headers. The rule from the Squid wiki cannot be applied to pf because of a syntax error.

Thanks in advance.
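As an added example (not the poster's configuration and not the Squid wiki rule the question refers to), here is a pf.conf that places the divert-to rule on the LAN-facing interface, where the clients' packets actually enter the firewall. The interface names, LAN range and Squid intercept port are taken from the question; every other rule is an assumption.

```pf
# Added example, not the poster's pf.conf: divert-to only matches packets on
# the interface they arrive on, so the intercept rule belongs on $int_if.
int_if     = "vic1"            # LAN-facing interface (client packets arrive here)
ext_if     = "vic0"            # Internet-facing interface
lan_net    = "192.168.1.0/24"
squid_port = "3129"            # must match "http_port 127.0.0.1:3129 intercept"

set block-policy return
set loginterface egress
set skip on lo

# NAT for LAN traffic leaving through the external interface
match out on egress inet from !(egress:network) to any nat-to (egress:0)

block all

# Intercept: "pass in" on the LAN side, so the client's SYN is diverted to the
# local Squid socket; the state this creates also carries Squid's replies back.
pass in quick log on $int_if inet proto tcp from $lan_net to any port www \
    divert-to 127.0.0.1 port $squid_port

# Squid's own fetches to origin servers leave $ext_if as ordinary traffic
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port www

# DNS, ICMP and SSH, as in the question
pass quick on {$int_if, $ext_if} inet proto udp from {self, $lan_net} to any port 53
pass quick on $int_if inet proto icmp from $lan_net to any
pass quick on $ext_if inet proto tcp from any to ($ext_if) port 22
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`, then after loading confirm with `pfctl -sr` that the divert-to rule is listed on the internal interface.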