[squid-users] Running squid on a machine with only one network interface.

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 29 01:02:46 UTC 2016 

On 29/06/2016 1:49 a.m., Ataro wrote:
> Hi and thanks for your help.
> 
> as for your request, here's the content of my IPFW rules and my squid configuration:
> 
> IPFW rules:
> 
> ipfw -f flush
> ipfw add 50 pass all from any to any via lo0
> ipfw add 100 pass all from any to any proto udp
> ipfw add 150 pass icmp from any to any
> ipfw add 200 fwd 127.0.0.1,3128 tag 1111 tcp from me to any
> ipfw add 250 pass all from 10.0.2.15 to any tagged 1111
> 

You said earlier there was a VM running Squid.

Do not use localhost IP addresses for any of this. Use the globally
routable IP assigned to the VM.

Do not tag the traffic in IPFW. Squid uses tcp_outgoing_tos or *_mark
directives to tag its outgoing the traffic. The firewall just uses those
tags for tags exceptions.



> squid.conf:
> 
> acl my_machine src 10.0.2.15 # this is the ip of my machine.

So what?..

> http_access allow my_machine
> 

... Ah. Open proxy!

And since this is in 10.*/8 the localnet ACL will also allow the traffic
through, but after some basic safety checks.

Which means the above ACL and rule are not useful.


> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl localnet src fc00::/7 # RFC 4193 local private network range
> acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
> 
<snip ...>
> 
> http_access deny !Safe_ports
> 
> http_access deny CONNECT !SSL_ports
> 
> 
> http_access allow localhost manager
> http_access deny manager
> 
> visible_hostname mynet.mydomain
> acl MYSITE dstdomain cnn.com


Matches http://cnn.com/* URLs.

I'm pointing that out to highlight that it wont match sub-domains like
www.cnn.com etc.

> acl MYSITE dstdomain 10.0.2.15

Matches http://10.0.2.15/* URLs.

> http_access allow MYSITE
> 

The MYSITE stuff is also not needed since traffic comes from a 10.*
machine. The "allow localnet" line right below will let that traffic
through, and much more.

> http_access allow localnet
> http_access allow localhost
> 
> http_access deny all
> 
> http_port 127.0.0.1:3128 intercept
> http_port 3129

Replace that with:
  http_port 3129 intercept
  http_port 3128

Why? 3128 is a well known port for proxy traffic. It can be very
dangerous to use a known port for intercept. There are also some changes
coming in future Squid that will prevent the registered ports being used
for special modes like intercept.


Notice that after the above changes that the only thing different from
the default squid.conf is your new "intercept" port line.

> 
> I'm almost surely that the problem is that as other people said here, the firewall redirect the traffic originated from the squid server back to squid and hence the forwarding loop.
> 
> I've tried to allow the traffic originated from the squid server by using the "tag/tagged" feature in the IPFW rules but this doesn't work, apparently because squid issue a new connection that is not tagged.

Yes.

> since squid and the firewall resides on the same machine I've no idea how to tell the firewall to allow the traffic which squid initiate.

You spoke earlier about Squid being inside a VM. In the above sentence
do you mean "same machine" as in hardware machine, or both are in the VM
? there is an important difference, and for this setup to work you need
to treat them as if they were different hardware communicating via
TCP/IP over a LAN.

Amos

More information about the squid-users mailing list