Transparent Proxy with Squid and PF on OpenBSD
Hey folks, all good?
Here we are going to take a look at installing and configuring a Squid proxy operating in transparent mode, along with the rules that need to be added to the firewall (PF) ruleset.
Let's go..
Installation
I did the installation through the OpenBSD package manager, which carries the pre-compiled packages, but nothing stops you from installing from Ports.
Package Manager (pkg_add)
First of all, let's export the variable with the mirror where the packages are located:
# export PKG_PATH=ftp://ftp.das.ufsc.br/pub/OpenBSD/4.4/packages/i386/
Let's install the package:
# pkg_add -i -v squid
The version of Squid I installed here was squid-2.7.STABLE3-ldap.
Ports
# cd /usr/ports/www/squid
# env FLAVOR=transparent make install
Configuration
Squid
Let's configure Squid to start at boot.
Edit the file /etc/rc.local with your text editor and add the lines below right after "# Add your local startup actions here.":
# Squid
/usr/local/sbin/squid
Now let's edit the Squid configuration file, which is /etc/squid/squid.conf.
We will do a basic Squid configuration.
http_port 3128 transparent
visible_hostname pr0xy.conceicao.eti.br
error_directory /usr/local/share/squid/errors/Portuguese

# Logs
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# SVN
extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND

# ACLs
acl all src 0.0.0.0/0.0.0.0
acl rede src 192.168.1.0/24
acl SSL_ports port 443 563 2096
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# People with full access
acl vips arp "/etc/squid/controle.vips"
# Blacklist
acl blacklist dstdomain "/etc/squid/controle.blacklist"
##
# Allow or deny
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow vips
http_access deny blacklist
http_access allow rede
http_access deny all
##
Note: create the files /etc/squid/controle.vips (the MAC addresses matched by the arp ACL) and /etc/squid/controle.blacklist (the destination domains matched by the dstdomain ACL).
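The http_access list above is evaluated top to bottom, and a typo in an ACL name (or a missing final "deny all") is the usual way such a list silently does something other than intended. The following POSIX sh lint, which is an added example and not part of the original post, checks a squid.conf for exactly those two defects: every ACL referenced by an http_access line must have a matching acl definition, and the last http_access rule must be "deny all". All function names are mine, and the sample config it writes is a constructed copy of the post's ACL lines, not a real /etc/squid/squid.conf.

```shell
#!/bin/sh
# Added example, not from the original post: a small POSIX sh lint for a
# squid.conf like the one above. It checks (1) every ACL named in an
# http_access line has an "acl" definition and (2) the last http_access
# rule is "deny all", so nothing falls through to Squid's implicit default.

# All ACL names defined by "acl <name> <type> ..." lines, lowercased
# (Squid compares ACL names case-insensitively), sorted for comm(1).
defined_acls() {
    awk '$1 == "acl" { print tolower($2) }' "$1" | sort -u
}

# All ACL names referenced by http_access lines, with a leading "!" stripped
# and trailing "# comment" text ignored, lowercased and sorted.
referenced_acls() {
    awk '$1 == "http_access" {
             for (i = 3; i <= NF; i++) {
                 if (substr($i, 1, 1) == "#") break
                 n = $i
                 sub(/^!/, "", n)
                 if (n != "") print tolower(n)
             }
         }' "$1" | sort -u
}

# Return 0 if every referenced ACL is defined; otherwise print the
# undefined names and return 1.
check_acl_refs() {
    def=$(mktemp) || return 2
    ref=$(mktemp) || { rm -f "$def"; return 2; }
    defined_acls "$1" > "$def"
    referenced_acls "$1" > "$ref"
    missing=$(comm -13 "$def" "$ref")   # referenced but never defined
    rm -f "$def" "$ref"
    if [ -n "$missing" ]; then
        printf 'undefined ACL(s) referenced by http_access: %s\n' "$missing"
        return 1
    fi
    return 0
}

# Return 0 if the final http_access rule is "deny all".
check_final_deny() {
    last=$(awk '$1 == "http_access" { l = $2 " " $3 } END { print l }' "$1")
    [ "$last" = "deny all" ]
}

lint_squid_conf() {
    check_acl_refs "$1" && check_final_deny "$1"
}

# Constructed sample with the same ACL and http_access lines as the post's
# config, so the lint can be tried without a real /etc/squid/squid.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
http_port 3128 transparent
acl all src 0.0.0.0/0.0.0.0
acl rede src 192.168.1.0/24
acl SSL_ports port 443 563 2096
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl CONNECT method CONNECT
acl vips arp "/etc/squid/controle.vips"
acl blacklist dstdomain "/etc/squid/controle.blacklist"
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow vips
http_access deny blacklist
http_access allow rede
http_access deny all
EOF
}

# Usage: sh lint.sh /etc/squid/squid.conf   (no argument: lint the sample)
if [ -n "${1:-}" ]; then
    lint_squid_conf "$1"
else
    sample=$(mktemp) && write_sample_conf "$sample" && lint_squid_conf "$sample"
    rm -f "$sample"
fi
```

Run it against the real file before "squid -k reconfigure"; a non-zero exit with the list of undefined names is cheaper to read than Squid's own parse error in cache.log, and the "deny all" check catches the case where a rule was appended after the closing deny.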
Now we need to run Squid with the -z option so that the swap (cache) directories are created.
# /usr/local/sbin/squid -z
Done, now we can start Squid!
# /usr/local/sbin/squid
Whenever a change is made to the Squid configuration file, we must run the following command so that the settings are reloaded:
# /usr/local/sbin/squid -k reconfigure
PF
The PF configuration file is /etc/pf.conf (by default). Add/adapt the following rules, where $int_if and $ext_if are the macros for your internal and external interfaces:
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128
pass out on $ext_if inet proto tcp from any to any port www
It is also necessary to give Squid access to /dev/pf so that it can query the packet filter, since by default only root has access. Squid runs under the _squid group.
# chgrp _squid /dev/pf
# chmod g+rw /dev/pf
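Two things have to agree for the transparent setup to work: the port PF redirects web traffic to must be the port Squid listens on (and that port must be passed in), and /dev/pf must be group-readable and writable by _squid. The script below is an added example, not code from the post, that checks both from the config files and the device node. The function names are mine, the sample pf.conf it writes is constructed (rl0/rl1 are placeholder interface names), and the device check takes the path and group as arguments so it can be tried on any file.

```shell
#!/bin/sh
# Added example, not part of the original post: cross-check that the PF
# redirect and the Squid listener agree, and that the pf device is reachable
# by the _squid group. A mismatch in either is the usual reason a transparent
# setup "passes traffic but nothing goes through the proxy".

# Port Squid listens on: the value after http_port, with any "addr:" prefix
# stripped (handles both "3128" and "127.0.0.1:3128").
squid_http_port() {
    awk '$1 == "http_port" { p = $2; sub(/^.*:/, "", p); print p; exit }' "$1"
}

# Port the PF rdr rule sends web traffic to: the last field of the rdr line
# that contains "->" (the pre-4.7 rdr syntax used on this page).
pf_rdr_port() {
    awk '$1 == "rdr" && /->/ { print $NF; exit }' "$1"
}

# 0 if pf.conf has a "pass in" rule to 127.0.0.1 on the given port.
pf_has_pass_in() {
    awk -v port="$2" '$1 == "pass" && $2 == "in" && /127\.0\.0\.1/ && $NF == port { found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# 0 when PF redirects to the port Squid actually listens on and that port is
# passed in on the internal interface; 1 otherwise.
check_redirect_matches() {
    sp=$(squid_http_port "$1")
    pp=$(pf_rdr_port "$2")
    [ -n "$sp" ] && [ "$sp" = "$pp" ] && pf_has_pass_in "$2" "$sp"
}

# 0 when the file/device is owned by the given group with group read+write,
# i.e. the state the chgrp/chmod pair above leaves /dev/pf in.
check_pf_device() {
    info=$(ls -ld "$1") || return 1
    grp=$(printf '%s\n' "$info" | awk '{ print $4 }')
    mode=$(printf '%s\n' "$info" | awk '{ print substr($1, 5, 2) }')
    [ "$grp" = "$2" ] && [ "$mode" = "rw" ]
}

# Constructed samples: the post's http_port line and PF rules, with
# placeholder interface names rl0/rl1 standing in for real macros.
write_sample_squid_conf() {
    printf 'http_port 3128 transparent\n' > "$1"
}
write_sample_pf_conf() {
    cat > "$1" <<'EOF'
int_if = "rl0"
ext_if = "rl1"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128
pass out on $ext_if inet proto tcp from any to any port www
EOF
}

# Usage on the proxy host:
#   check_redirect_matches /etc/squid/squid.conf /etc/pf.conf && \
#   check_pf_device /dev/pf _squid && echo "transparent proxy prerequisites OK"
```

check_pf_device reads the group name and the two group-permission characters out of ls -l, which is the same on OpenBSD and Linux, so the function can be tried on a temporary file before pointing it at /dev/pf.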
So that's it.. if you need anything, just give a shout. =]
See you.
May 12th, 2011 at 10:56
I conceive you have observed some very interesting points, thanks for the post.
November 29th, 2011 at 19:09
I got what you mean, saved to favorites, very nice website.
December 7th, 2011 at 06:06
It does look unreal, but it is real
January 23rd, 2012 at 03:44
A fascinating dialogue is worth comment. I feel that it is best to write extra on this topic, it may not be a taboo subject however usually individuals are not sufficient to talk on such topics. To the next. Cheers
February 1st, 2012 at 10:53
I am very happy to read this. This is the kind of details that needs to be given and not the random misinformation that’s at the other blogs. Appreciate your sharing this greatest doc.
February 2nd, 2012 at 11:04
Keep up the good work, I read a few articles on this site and I believe that your weblog is real interesting and has got sets of wonderful info.
February 2nd, 2012 at 13:19
Obviously I like your website, but you have to take a look at the spelling on several of your posts. Several of them are rife with spelling issues and I find it very troublesome to tell you. Nevertheless I’ll certainly come back again!