How to install and configure Squid in transparent mode, with the PF rules it needs.

1. Install

You can use the pre-compiled packages (pkg_add) or build from source using Ports.

Via Package Manager (pkg_add)

Set the repository mirror:

export PKG_PATH=ftp://ftp.das.ufsc.br/pub/OpenBSD/4.4/packages/i386/

Install the package:

pkg_add -i -v squid

The version selected was squid-2.7.STABLE3-ldap.

Via Ports

cd /usr/ports/www/squid
env FLAVOR=transparent make install

2. Configuration

2.1. Squid

To make Squid start on boot, edit the file /etc/rc.local and append the following lines after "# Add your local startup actions here":

# Squid
/usr/local/sbin/squid

Now edit the Squid configuration file /etc/squid/squid.conf. You can use a configuration like the following:

http_port 3128 transparent

visible_hostname neatproxy.myorg.corp

error_directory /usr/local/share/squid/errors/Portuguese

# Logs
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log

# SVN
extension_methods REPORT MERGE MKACTIVITY CHECKOUT PROPFIND

# ACLs
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.1.0/24
acl SSL_ports port 443 563 2096
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

# Full access users
acl vips arp "/etc/squid/users.vips"

# BlackList
acl blacklist dstdomain "/etc/squid/domains.blacklist"

##
# Allow and deny rules

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow vips
http_access deny blacklist

http_access allow localnet
http_access deny all
##

Create /etc/squid/users.vips and /etc/squid/domains.blacklist if you use them (one MAC address or one domain per line).
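The http_access lines above are evaluated top to bottom and the first line whose ACLs all match decides the request, which is why "allow vips" before "deny blacklist" lets the VIP hosts bypass the blacklist. The following Python script is an added example, not part of the original page, that replays that evaluation order over the ACLs shown (using the SSL_ports name from the http_access lines); the VIP MAC address and the blacklisted domain are constructed stand-ins for the contents of users.vips and domains.blacklist.

```python
import ipaddress

# ACL definitions copied from the squid.conf above; the vips MAC and the
# blacklist domain are constructed sample values standing in for the files.
ACLS = {
    "all":        ("src", ["0.0.0.0/0"]),
    "localnet":   ("src", ["192.168.1.0/24"]),
    "SSL_ports":  ("port", ["443", "563", "2096"]),
    "Safe_ports": ("port", ["80", "21", "443", "563", "70", "210", "1025-65535",
                            "280", "488", "591", "777"]),
    "CONNECT":    ("method", ["CONNECT"]),
    "vips":       ("arp", ["00:11:22:33:44:55"]),        # constructed
    "blacklist":  ("dstdomain", [".badsite.example"]),   # constructed
}

# http_access lines in the order they appear in the configuration
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["vips"]),
    ("deny",  ["blacklist"]),
    ("allow", ["localnet"]),
    ("deny",  ["all"]),
]

def acl_matches(name, req):
    """Match one ACL against a request dict with src, port, method, mac, host."""
    kind, values = ACLS[name]
    if kind == "src":
        return any(ipaddress.ip_address(req["src"]) in ipaddress.ip_network(v) for v in values)
    if kind == "port":        # single ports and lo-hi ranges
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req["port"] <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req["method"] in values
    if kind == "arp":         # client MAC address, as read from users.vips
        return req["mac"].lower() in (v.lower() for v in values)
    if kind == "dstdomain":   # ".dom" matches dom and subdomains, "dom" exact only
        host = req["host"].lower()
        return any(host == v.lstrip(".") or (v.startswith(".") and host.endswith(v)) for v in values)
    raise ValueError(kind)

def http_access(req):
    """First line whose ACLs all match wins (a leading '!' negates one ACL);
    if no line matches, Squid applies the opposite of the last line's action."""
    for action, terms in RULES:
        if all(acl_matches(t.lstrip("!"), req) != t.startswith("!") for t in terms):
            return action
    return "deny" if RULES[-1][0] == "allow" else "allow"
```

Because "deny all" is last, the fallback branch never triggers here; it matters when a configuration omits that final catch-all line.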

Run Squid once with the -z flag to create the cache (swap) directories:

/usr/local/sbin/squid -z

Start the Squid service:

/usr/local/sbin/squid

After changing the configuration, run the following command to reload it without restarting Squid:

/usr/local/sbin/squid -k reconfigure

2.2. PF

Edit the PF configuration file /etc/pf.conf and use or adapt the following rules, where $int_if and $ext_if are macros for the internal (LAN) and external interfaces defined earlier in pf.conf:

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128
pass out on $ext_if inet proto tcp from any to any port www

In transparent mode Squid looks up the original destination of each redirected connection in the PF NAT table through /dev/pf, so give the _squid group read/write access to it:

chgrp _squid /dev/pf
chmod g+rw /dev/pf

Reference: