Re: [FUGSPBR] Proxy Transparente (SQUID) + Bridge (IPFW)... Tá difícil! |CTM|

William Armstrong biosystems em gmail.com
Qua Nov 24 08:13:36 BRST 2004


Eu utilizo o ipfw pra fazer o firewall e o ipf pra fazer o forward
do squid pra ficar transparente e tb compilo o squid na mão.

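# Build flags for this Squid (2.5-era option set), written as ONE command: the
# posted version was wrapped without continuation characters, so a shell would
# have stopped at the first line.  -enable-poll is spelled --enable-poll here
# for consistency with the other options (autoconf accepts both forms).
# --enable-ipf-transparent is the option that lets the ipnat rdr rules hand
# redirected port-80 connections to http_port 3128.
# NOTE(review): --enable-snmp builds the SNMP agent, and the posted squid.conf
# sets no snmp_access/snmp_port, so the compiled-in default applies -- confirm
# what that default is on the installed build.
./configure --prefix=/usr/local/squid --enable-carp --with-pthreads \
    --with-dl --with-aio --enable-storeio=diskd \
    --enable-removal-policies=heap --enable-icmp --enable-referer-log \
    --enable-useragent-log --enable-snmp \
    --enable-cachemgr-hostname=groundzero --with-openssl \
    --enable-cache-digests --enable-default-err-language=Portuguese \
    --enable-err-languages=Portuguese --disable-http-violations \
    --enable-ipf-transparent --enable-truncate --enable-underscores \
    --enable-x-accelerator-vary --enable-kill-parent-hack \
    --disable-ident-lookups --enable-htcp --enable-delay-pools \
    --enable-poll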

ipnat
-----
# Redirect every inbound TCP connection to port 80 seen on xl0 and on dc0 to
# the proxy at 10.0.1.1:3128 (Squid's http_port).  0.0.0.0/0 is the
# destination match (any web server); the source is not constrained at all,
# so whether a client is served is decided only by the src ACLs in squid.conf.
rdr xl0 0.0.0.0/0 port 80 -> 10.0.1.1 port 3128 tcp
rdr dc0 0.0.0.0/0 port 80 -> 10.0.1.1 port 3128 tcp



squid.conf
-----
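# squid.conf for a transparent (ipnat-redirected) Squid.  The directives used
# (httpd_accel_*, no_cache, ie_refresh) are the Squid 2.5-era spelling.
hierarchy_stoplist cgi-bin ?
# NOTE(review): forwarded_for on sends the internal client address to origin
# servers in X-Forwarded-For; switch it off if exposing LAN addressing is
# not wanted.
forwarded_for on
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY

mime_table /usr/local/squid/etc/mime.conf

# Port the ipnat rdr rules deliver redirected port-80 traffic to.
http_port 3128
# NOTE(review): 10.0.1.1 is also the rdr target in the ipnat rules; unless a
# WCCP-speaking router talks to this host, this line is dead configuration.
wccp_router 10.0.1.1
# Transparent-proxy settings: accept accelerated requests for any host, take
# the real destination from the Host header, keep normal proxy service on.
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
httpd_accel_single_host off

cache_replacement_policy heap LFUDA
memory_replacement_policy heap LFUDA

redirect_rewrites_host_header off

buffered_logs on

coredump_dir /dev/null
pipeline_prefetch  on

maximum_object_size 30000 KB
store_avg_object_size 50 KB

# diskd store: 600 MB, 16 first-level and 256 second-level directories.
cache_dir diskd /usr/local/squid/cache 600  16 256 Q1=64 Q2=72

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255

# Clients allowed to use this proxy (192.168.1.96/27).  Declared up here
# because Squid requires an ACL to be defined before an http_access line
# references it.
acl paulista src 192.168.1.96/255.255.255.224

acl SSL_ports port 443 563
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443 563	# https, snews
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

#Recommended minimum configuration:
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports

# URL filter lists.  Squid evaluates http_access top to bottom and acts on the
# first match.  As posted, each "unblock" list came AFTER its "block" list, so
# a URL present on both was always denied, and every allow stood on its own,
# so a URL match let ANY client -- not only 192.168.1.96/27 -- through the
# proxy.  Each allow below is therefore ANDed with paulista, and each unblock
# list is checked before its block list.

# sempre permitido
acl httpallow url_regex "/usr/local/squid/etc/filter/httpallow.txt"
http_access allow paulista httpallow

# proibido
acl httpdeny url_regex "/usr/local/squid/etc/filter/httpdeny.txt"
http_access deny httpdeny

# permitido explicitamente
acl permitidos url_regex "/usr/local/squid/etc/filter/permitidos.txt"
http_access allow paulista permitidos

# proibido Pornografia (excecoes primeiro)
acl blporn url_regex "/usr/local/squid/etc/filter/porn.block.txt"
acl noporn url_regex "/usr/local/squid/etc/filter/porn.unblock.txt"
http_access allow paulista noporn
http_access deny blporn

# proibido Palavras de baixo-Calao (excecoes primeiro)
acl badlang url_regex "/usr/local/squid/etc/filter/badlang.block.txt"
acl nobadla url_regex "/usr/local/squid/etc/filter/badlang.unblock.txt"
http_access allow paulista nobadla
http_access deny badlang

# proibido Entretenimento (excecoes primeiro)
acl enterta url_regex "/usr/local/squid/etc/filter/entertain.block.txt"
acl noenter url_regex "/usr/local/squid/etc/filter/entertain.unblock.txt"
http_access allow paulista noenter
http_access deny enterta

# proibido games (excecoes primeiro)
acl games url_regex "/usr/local/squid/etc/filter/games.block.txt"
acl nogam url_regex "/usr/local/squid/etc/filter/games.unblock.txt"
http_access allow paulista nogam
http_access deny games

# proibido mp3
acl mp3 url_regex "/usr/local/squid/etc/filter/mp3.block.txt"
http_access deny mp3

# proibido pirate (excecoes primeiro)
acl pirate url_regex "/usr/local/squid/etc/filter/pirate.block.txt"
acl nopira url_regex "/usr/local/squid/etc/filter/pirate.unblock.txt"
http_access allow paulista nopira
http_access deny pirate

# Everything else from the allowed subnet...
http_access allow paulista

# And finally deny all other access to this proxy
http_access deny all

# NOTE(review): ICP (UDP 3130) is answered for any source here, and no
# cache_peer is configured in this file; `icp_access deny all` would be the
# tighter choice if no sibling/parent cache needs it.
icp_access allow all

# Same subnet as paulista, written in prefix form; only these clients may
# cause cache misses (fetches from origin).
acl paulistanet src 192.168.1.96/27
miss_access allow paulistanet

miss_access deny  !paulistanet


# "em" is the list archive's munging of "@"; restore it before use.
cache_mgr bio em bsd-unix.com.br
# The password originally posted here was sent in clear text to a public list
# and must be treated as known; the value below is a placeholder, not a secret.
cachemgr_passwd REPLACE_WITH_NEW_SECRET all

# NOTE(review): a dedicated squid user/group keeps the cache, the logs and the
# cachemgr secret apart from every other service running as "nobody".
cache_effective_user nobody
cache_effective_group nobody

# Cache digest exchange (built with --enable-cache-digests).
digest_generation on
digest_bits_per_entry 5
digest_rebuild_period 1 hour
digest_rewrite_period 1 hour
digest_swapout_chunk_size 4096 bytes
digest_rebuild_chunk_percentage 10

ie_refresh on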


rc.local
----
# rc.local fragment: load the NAT rules, raise descriptor limits, start Squid.

# -C clears and -F flushes the existing NAT tables before /etc/ipnat is loaded,
# so the two rdr rules are the only ones in effect.
ipnat -CF -f /etc/ipnat

# Same two kernel limits as before, applied from one list.
for knob in kern.maxfiles=4096 kern.maxfilesperproc=4096
do
    sysctl -w "${knob}"
done

# NOTE(review): configure was run with --prefix=/usr/local/squid, so the
# binary is expected under that prefix; /sbin/squid only works if it was
# copied or linked there -- confirm on the host.
# The switches are the Squid 2.5-era ones (presumably -V virtual-host accel,
# -D skip the startup DNS test, -S verify the swap, -F foreground rebuild);
# check against `squid -h` on the installed version.
/sbin/squid -V -D -S -F


-- 
-=-=-=-=-=-=-=-=-=-
William David Armstrong
Bio Systems Security.
ICQ 10253747 MSN bio__wolf em hotmail.com