Подскажите пожалуйста, возникла проблема в настройке связки PF с Squid.
Ядро собрано с опциями:
Код: Выделить всё
######### PF Filter & ALTQ #############
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_CDNR
options ALTQ_PRIQ
########################################
Код: Выделить всё
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/srv/log/firewall/pflog"
pflog_flags=""
Код: Выделить всё
ext_if="fxp1"
int_if="fxp0"
internal_net="192.168.0.0/24"
internal_addr="192.168.0.1"
external_addr="111.111.111.111"
looplan="127.0.0.0/8"
lo0="127.0.0.1"
tcp_services = "{ 5999, 53, 443, 5190, 1723 }"
udp_services = "{ domain, ntp }"
icmp_types= "{ echoreq, unreach }"
serv_1c = "192.168.0.3"
rdp_port = "3389"
serv_ip = "{ 192.168.0.1, 192.168.0.2, 192.168.0.3, 192.168.0.4, 192.168.0.5, 192.168.0.6 }"
vip_ip = "{ 192.168.0.24, 192.168.0.25, 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
admin_ip = "{ 192.168.0.240, 192.168.0.241, 192.168.0.242 }"
usr1_ip = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38, 192.168.0.39 }"
table <admin_home> const { 222.222.222.214 }
table <rfc1918> const { 127.0.0.0/8, 192.0.2.0/24, 172.16.0.0/12, 169.254.0.0/16, 0.0.0.0/8, 240.0.0.0/4, 192.168.0.0/16 }
table <bruteforce> persist
set state-policy if-bound
set block-policy return
set skip on lo0
set timeout { frag 10, tcp.established 3600 }
set fingerprints "/etc/pf.os"
set limit { states 10000, frags 5000 }
set skip on $int_if
set loginterface $ext_if
scrub in all fragment reassemble
altq on $ext_if cbq bandwidth 50Mb queue { main, smtp, admin, ssh, ack, icmp }
queue main bandwidth 50% priority 2 cbq(default borrow red)
queue smtp bandwidth 5% priority 3 cbq(borrow red)
queue admin bandwidth 14% priority 4 cbq(borrow red)
queue ssh bandwidth 5% priority 5 cbq(borrow red)
queue ack bandwidth 3% priority 6 cbq(borrow red)
queue icmp bandwidth 2% priority 0 cbq
nat on $ext_if proto icmp from $int_if:network to any -> $external_addr
nat on $ext_if from $vip_ip to any -> $external_addr
nat on $ext_if from $admin_ip to any -> $external_addr
nat on $ext_if from $serv_ip to any -> $external_addr
nat on $int_if proto tcp from $usr1_ip to any port $tcp_services -> $external_addr
nat on $ext_if proto tcp from $usr1_ip to any port $udp_services -> $external_addr
rdr on $int_if inet proto tcp from $usr1_ip to any port { 21, 80, 8080 } -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from $adm_ip to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port { 21, 80, 8080 } keep state
pass out proto tcp to any port domain keep state
pass proto udp to any port domain keep state
antispoof quick for $ext_if
pass quick on lo0 all
block quick log from any os NMAP
block log on { $ext_if, $int_if } all
block log quick from <bruteforce>
block drop in quick log on $ext_if from <rfc1918> to any
block drop out quick log on { $ext_if , $int_if } from any to <rfc1918>
pass in quick on $ext_if inet proto tcp from <admin_home> to $ext_if port 23775 queue (ssh, ack) modulate state
pass in on $ext_if inet proto tcp from any to $ext_if port 2375 queue (ssh, ack) synproxy state \
(max-src-conn 10, max-src-conn-rate 5/30, overload bruteforce> flush global)
pass in proto { tcp, udp } from any to any port { 20, 21 } keep state
pass out proto { tcp, udp } from any to any port { 20, 21 } keep state
pass in quick proto tcp from any to any port $tcp_services flags S/SA keep state
pass out proto tcp from any to any port $tcp_services flags S/SA keep state
pass quick inet proto udp to any port $udp_services keep state
pass out proto udp to any port $udp_services keep state
pass in log on $int_if proto tcp from $internal_net to $int_if port 80 flags S/SA
pass out log on $int_if proto tcp from any to $internal_net port 80 flags S/SA
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state flags S/SA
pass out on $ext_if proto tcp from $ext_if to any port 80 keep state flags S/SA
pass in on $int_if from $int_if:network to any
pass in on $int_if inet proto tcp from $int_if:network to $int_if port 3128 keep state
pass in on $int_if inet proto udp from $int_if:network to $int_if port 53 keep state
pass out on $ext_if inet to any queue (main, ack) modulate state
pass out on $ext_if from $usr1_ip to any keep state
pass out on $ext_if from $serv_ip to any keep state
pass out on $ext_if from $vip_ip to any keep state
pass out on $ext_if from $admin_ip to any keep state
Браузер не отображает страницу при этом. Если в ручную ставить в настройках браузера то все нормально.
Я слабоват пока в PF, но надеюсь что в недалёком будущем смогу с уверенностью оспорить это заявление.
Зарание спасибо за помощь.
Конфиг PF я значительно сократил, потому как групп usr_ip у меня 7 и в них в ручную забита потовина сети, потому как не понел как в PF указать диапазоны IP. Допустим от 192.168.0.56 до 192.168.0.117.
Но правила для них всех одинаковые.