Comments on Warner's Random Hacking Blog: FreeBSD Transparent Web Proxie with Squid

Anonymous, 2006-08-22 15:13 (-06:00):

Why not just use a caching DNS server and block it there? You might already have one of those, and squid seems a bit heavyweight. Also, depending on the user, you might just be able to put something for www.dom.tld in /etc/hosts on the machine they use.

Warner Losh, 2006-08-22 16:29 (-06:00):

Why not just use a caching DNS server?

That's certainly an option. It would likely be sufficient for the site I wish to block because it has redirects to one of several servers that it uses to serve up content. Entering an IP address would work for some sites, but not this one, I don't think. The individual being blocked likely isn't sophisticated enough to know about IP addresses, and how to enter them.

Since the person I wanted to limit is coming from a Windows box that he has control over, I wanted to implement a solution that he couldn't undo on his box. Again, I don't think he's sophisticated enough to do that today, but there may come a day that he is.

There were a number of reasons I wanted to go with squid. I've wanted to see if caching web servers help my bandwidth utilization or not. I wanted the ability to have tailored error messages for visiting forbidden sites. I wanted a log of all activity to be generated on a machine that had enough disk to store it. Finally, I wanted to know how to do something like this, as it is a cool thing to be able to do. There may be applications to this technology in products I work on at my day job.

Good comment/question.

Anonymous, 2006-08-22 16:38 (-06:00):

Why did you use `ipfw' if you can do the same with `pf'?

IMHO pf is better with redirections (ipfw is limited with that).

With pf, for example, I'm using redirects through NAT gateways from the public world into internal networks (crossing interfaces) and changing dst-IP-addr and port (you can't do things like this that simply with ipfw).

Warner Losh, 2006-08-22 16:51 (-06:00):

Why not pf

pf.conf states "Redirections cannot reflect packets back through the interface they arrive on", which is exactly what I wanted to do. ipfw did this redirection flawlessly. pf is restricted to redirection out a different interface, or to the firewall. The Soekris box cannot handle squid. I had no machines outside the firewall I could redirect to. The documentation also implied that the destination IP address was rewritten, destroying information about where the connection was headed when it was intercepted, but to be honest I didn't verify this aspect of the problem.

I originally wanted to use pf to solve this problem, but couldn't discover a way to do so and have the topology I wanted. Early in my search for information, I discovered Daniel Hartmeier's Transparent Squid page (http://www.benzedrine.cx/transquid.html), but that relied on pf and squid being colocated on the same box.

Anonymous (Volker), 2006-08-22 17:11 (-06:00):

Well ok, I must truly say I haven't checked pf's manpage about that detail, but from my memories I would like to swear I already did something like that using pf. I'm really damned quite sure, but I might be wrong.

I used a technique like that to give internal users access to a box on the internal net which had been addressed by an outside IP address. So I rdr'd packets to this (outside) IP address on the internal network back again into the internal network (instead of letting them out).

I'm sure it worked, but it's 1.5 years ago when I managed to do that.

When using a squid proxy, your next project should be to have a virus filtering proxy... didn't you already think about it? :)
I've checked many, but I don't like to have ph, p5, or whatever scripting language you imagine to have my squid relying on.

There are two solutions, but both are not yet ready for production: squidclam and havp (both are in your ports tree).

It should be a must if you're having windoze users running through your gateway.

Have fun with it! :)

Volker

Anonymous, 2006-08-23 12:33 (-06:00):

Ah, the quest for knowledge.

I'm probably a little biased against Squid because of the times I have been caught behind a proxy and it has caused me problems.

Have fun :)