OpenBSD pf squid transparent proxy using a bridge

I want to use OpenBSD 5.7 as a filter in front of my router and run a transparent proxy (squid 3.5.1) to manage web access. I have set up the OpenBSD machine as a bridge, and that works fine. However, I cannot get pf to divert network traffic to squid.

This is what my network looks like:

                [Internet]
                    |
                    |
                [OpenBSD]
                    |
                    |
               [ (Router) ]
                  |     |
                  |     |
    [Wired Workstations] [Wi-Fi]

If I connect the OpenBSD machine to my network and manually configure a workstation to use it as a proxy, squid works fine. I have the following in my squid configuration to enable transparent interception:

    http_port 127.0.0.1:3129 tproxy

Here is my pf configuration:

    # internet facing
    ext_if = "em1"
    # internal facing
    int_if = "em0"

    # scrub provides a measure of protection against certain kinds of attacks
    # based on incorrect handling of packet fragments
    match in all scrub (no-df max-mss 1440)

    # Prevent spoofing
    antispoof log for $ext_if label "antispoof"

    # Block anything coming from sources we have no back routes for
    block in log from no-route to any label "no back route"

    # Proxy http
    pass in quick on $int_if inet proto tcp to port www divert-to 127.0.0.1 port 3129
    pass out quick from 127.0.0.1 divert-reply

    pass in on $int_if
    pass out on $int_if
    pass in on $ext_if
    pass out on $ext_if

Does anyone know why my divert rule isn't working? I have looked at the logs:

    pass in quick on em0 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129
      [ Evaluations: 36248     Packets: 544       Bytes: 355122      States: 29    ]
      [ Inserted: uid 0 pid 15666 State Creations: 29    ]
    pass out quick inet from 127.0.0.1 to any flags S/SA divert-reply
      [ Evaluations: 72399     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 15666 State Creations: 0     ]

I can see the rules are "working", but nothing shows up in the squid log and I can still access websites. This is basically how the rules recommended by squid look. I have tried using this rule:

    pass in log quick on $int_if inet proto tcp from any to any port www rdr-to 127.0.0.1 port 3129

When I use this, I can see the redirect happening, but nothing shows up in the squid log. Also, requests to websites time out.

    pass in log quick on em0 inet proto tcp from any to any port = 80 flags S/SA rdr-to 127.0.0.1 port 3129
      [ Evaluations: 25213     Packets: 8         Bytes: 496         States: 1     ]

Here is the output from ifconfig:

    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
            priority: 0
            groups: lo
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
            inet6 ::1 prefixlen 128
            inet 127.0.0.1 netmask 0xff000000
    em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:e8:4c:68:1a:f1
            priority: 0
            groups: egress
            media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
            status: active
    em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:e8:4c:68:1a:f2
            priority: 0
            media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
            status: active
    enc0: flags=0<>
            priority: 0
            groups: enc
            status: active
    bridge0: flags=41<UP,RUNNING>
            groups: bridge
            priority 32768 hellotime 2 fwddelay 15 maxage 20 holdcnt 6 proto rstp
            em0 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                    port 1 ifpriority 0 ifcost 0
            em1 flags=7<LEARNING,DISCOVER,BLOCKNONIP>
                    port 2 ifpriority 0 ifcost 0
    pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
            priority: 0
            groups: pflog

How can I make this work? What is wrong with my rules?

Update

This is a bit strange.

If I use

    pass in quick log on $int_if inet proto tcp to port 80 divert-to 127.0.0.1 port 3129
    pass out quick log from 127.0.0.1 divert-reply

I get the following in the log:

    rule 3/(match) pass in on em0: 233.297.39.227.32880 > 153.94.152.119.87: S 2656450467:2656450467(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 605332037 0,[|tcp]> (DF)

If I change it to

    pass in quick log on $int_if inet proto tcp to port 80 rdr-to 127.0.0.1 port 3129
    pass out quick log from 127.0.0.1 divert-reply

I get the following in the log, but nothing shows up in the squid log, and, unsurprisingly, requests to websites time out:

    rule 3/(match) pass in on em0: 233.297.39.227.39091 > 127.0.0.1.3129: S 409217949:409217949(0) win 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 605394683 0,[|tcp]> (DF)
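As an added example (not part of the question or the answer), here is a small Python helper that parses the `pfctl -vsr` counter output quoted in the question and flags divert/rdr rules that pf keeps evaluating but that never create state. The sample input is the question's own two rules and counters; the divert-reply block is re-typed from the question's garbled rendering.

```python
import re
from typing import Dict, List

# Counter line that `pfctl -vsr` prints under every rule.
COUNTER_RE = re.compile(
    r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]"
)

# Sample input: the two rules and their counters quoted from the question above
# (the divert-reply block is re-typed from the question's garbled rendering).
SAMPLE = """\
pass in quick on em0 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3129
  [ Evaluations: 36248     Packets: 544       Bytes: 355122      States: 29    ]
  [ Inserted: uid 0 pid 15666 State Creations: 29    ]
pass out quick inet from 127.0.0.1 to any flags S/SA divert-reply
  [ Evaluations: 72399     Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 15666 State Creations: 0     ]
"""

def parse_pfctl_vsr(text: str) -> List[Dict]:
    """Turn `pfctl -vsr` output into one dict per rule carrying its counters."""
    rules: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = COUNTER_RE.match(line)
            if m and current is not None:
                ev, pk, by, st = (int(g) for g in m.groups())
                current.update(evaluations=ev, packets=pk, bytes=by, states=st)
            continue  # "[ Inserted: ... ]" lines carry nothing we need here
        current = {"rule": line, "evaluations": 0, "packets": 0, "bytes": 0, "states": 0}
        rules.append(current)
    return rules

def unmatched_redirects(rules: List[Dict]) -> List[str]:
    """Redirect rules that pf keeps evaluating but that never create state.

    In the sample, the divert-to rule has 29 states while the divert-reply
    rule has none: client SYNs are diverted, yet no reply traffic from
    127.0.0.1 ever matches pf, consistent with the question's empty squid log.
    """
    keywords = ("divert-to", "divert-reply", "rdr-to")
    return [r["rule"] for r in rules
            if any(k in r["rule"] for k in keywords)
            and r["evaluations"] > 0 and r["states"] == 0]
```

Feed it the live output of `pfctl -vsr` to spot the same pattern on your own box before digging into squid's side.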

If you have OpenBSD 4.1 or 4.3, you must do this:

    rdr pass inet proto tcp from 192.168.231.0/24 to any port 80 -> 192.168.231.1 port 3129
    block in
    pass in quick on $int_if
    pass in quick on $wi_if
    pass out keep state

If you have OpenBSD 4.4 or later, you must do this:

    set skip on $int_if
    set skip on $wi_if

    # IPv6:
    pass in quick inet6 proto tcp from 2001:DB8::/32 to port www divert-to ::1 port 3129
    pass out quick inet6 from 2001:DB8::/32 divert-reply

    # IPv4:
    pass in quick inet proto tcp from 192.0.2.0/24 to port www divert-to 127.0.0.1 port 3129
    pass out quick inet from 192.0.2.0/24 divert-reply

Update:

Of course, you will need to make some changes according to your interfaces.