Хочу настроить transparent proxy уже 2 день и не как не заработает, подскажите пожалуйста, что не так?
У меня FreeBSD 8.4, Squid 3.4 и PF.
Вот конфиги:
rc.conf
#FONT
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
#HOST
hostname="c1.any.com"
ifconfig_em0="inet 192.168.10.100 netmask 255.255.255.0"
ifconfig_em1="inet 10.10.10.10 netmask 255.255.255.0"
defaultrouter="192.168.10.1"
#KEYBORD
keymap="ru.koi8-r"
keyrate="fast"
scrnmap="koi8-r2cp866"
#NTP
ntpd_enable="YES"
#ntpdate_hosts="europe.pool.ntp.org"
#SSH
sshd_enable="YES"
#DNS
named_enable="YES"
named_program="/usr/sbin/named"
named_flags="-c /etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
named_chrootdir="/var/named"
named_chroot_autoupdate="YES"
#DHCP
dhcpd_enable="yes"
dhcpd_iface="em1"
#INET
inetd_enable="yes"
#SENDMAIL
sendmail_enable="yes"
#SQUID
squid_enable="yes"
#PF
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
pf.conf
ext_if = "em0" # macro for external interface - use tun0 for PPPoE
int_if = "em1" # macro for internal interface
nat on $ext_if from $int_if:network to any -> ($ext_if)
tcp_services = "{ ssh, smtp, domain, 953, http, https, 110, 821, 1723, 3128, 3129, nfsd, rpcbind }"
ftp_ports = "{ ftp, ftp-data }"
udp_services = "{ domain, ntp, rpcbind, 821, 1723, nfsd, 3130 }"
#block in all
pass quick inet proto gre to any keep state
pass quick inet proto { tcp, udp } from any to any port $ftp_ports keep state
pass quick inet proto { tcp, udp } from any to any port > 18000 keep state
pass quick inet proto udp to any port $udp_services keep state
pass quick inet proto tcp to any port $tcp_services keep state
pass quick inet proto { tcp, udp, icmp } from $int_if:network to any keep state
pass quick inet proto icmp from any to any
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass quick inet proto { tcp, udp } from any to port { nfsd, rpcbind } keep state
pass quick inet proto { tcp, udp } from any to port 883 keep state
pass quick inet proto { tcp, udp } from any to port 884 keep state
pass quick inet proto { tcp, udp } from any to port 885 keep state
block in log all
rdr proto tcp from 10.10.10.0/24 to any port 80 -> 127.0.0.1 port 3129
squid.conf
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
acl passwd proxy_auth REQUIRED
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl myhost src 192.168.10.100 10.10.10.10
acl mynet src 192.168.10.0/24 10.10.10.0/24
acl vk dstdomain .vk.com
acl wt time 10:00-23:00
acl ya dstdomain .ya.ru .yandex.ru
acl media urlpath_regex -i \.mpg$ \.avi$ \.mp3$
#
# Recommended minimum Access Permission configuration:
#
# Deny requests to certain unsafe ports
http_access deny !Safe_ports
# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports
# Only allow cachemgr access from localhost
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
#http_access allow localnet
http_access allow localhost
# Mysettings
http_access allow myhost
http_access deny vk
http_access allow ya passwd
http_access deny ya
http_access allow mynet wt
# And finally deny all other access to this proxy
http_access deny all
# Squid normally listens to port 3128
http_port 3128
http_port 3129 transparent
# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/squid/cache 100 16 256
# Leave coredumps in the first cache dir
coredump_dir /var/squid/cache
delay_pools 1
delay_class 1 1
delay_parameters 1 400/400
delay_access 1 allow media
delay_access 1 deny all
#
# Add any of your own refresh_pattern entries above these.
#
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
sysctl.conf
# $FreeBSD: release/8.4.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
# This file is read when going to multi-user and its contents piped thru
# ``sysctl'' to adjust kernel values. ``man 5 sysctl.conf'' for details.
#
# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
При том если отключить прозрачное прокси и в браузере выставить настройки прокси все отлично работает. Squid ставил с портов при конфигурации выбрал Transparent proxy with PF.
Заранее спасибо!