I installed OpenBSD 4.4 with Squid, with pf enabled; forwarding is enabled in sysctl.conf.

The following is pf.conf:
................................................................
ext_if = "dc0" # macro for external interface
int_if = "fxp0" # macro for internal interface
localnet = $int_if:network

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from $localnet to any -> ($ext_if)

set skip on lo0

block all
pass from { lo0, $localnet } to any keep state

# macro names are defined without a leading $; the $ is only used when expanding them
tcp_services = "{ ftp-data, ftp, ssh, domain, pop3, auth, nntp, http, \
https, smtp, imap, imap3, imaps }"

pass inet proto tcp from $localnet to any port $tcp_services
pass in inet proto tcp from any to any port ssh

udp_services = "{ domain, ntp }"
pass quick inet proto { tcp, udp } to any port $udp_services

icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state

# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

insiders = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"

block in quick on $ext_if from $insiders to any
block out quick on $ext_if from any to $insiders

table <bruteforce> persist
block quick from <bruteforce>

pass inet proto tcp from any to $localnet port $tcp_services \
keep state (max-src-conn 100, max-src-conn-rate 15/5, \
overload <bruteforce> flush global)

pass quick proto { tcp, udp } from any to any port ssh \
keep state (max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
............................................................

My problem is that Squid doesn't work and reports "no route to host" (when I type any website URL at the client machine).
If I disable pf, Squid is OK.
Help appreciated.
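Added example, not part of the original post: the rule a ruleset like the one above lacks when the proxy runs on the firewall itself. `block all` also applies to packets the firewall generates, and `pass from { lo0, $localnet }` only matches sources on lo0 or the internal network, so Squid's own connections from the dc0 address have no pass rule; pf rejects a locally generated packet with EHOSTUNREACH, which the application reports as "no route to host". The macros are the ones defined in the post; the proxy port 3128 is an assumption (Squid's default http_port).

```pf
# Added example, not from the original post. Assumes the macros
# ext_if, int_if, localnet and tcp_services from the ruleset above.

# Clients reach the proxy on the internal interface. 3128 is assumed
# (Squid's default http_port). Already covered by the broad
# "pass from { lo0, $localnet }" rule, listed here to make the intent explicit.
proxy_port = "3128"
pass in on $int_if inet proto tcp from $localnet to ($int_if) port $proxy_port keep state

# Squid itself originates connections from the external address.
# Without this rule "block all" drops them and the socket receives
# EHOSTUNREACH, shown by the application as "no route to host".
# ($ext_if) follows the address if it changes; keep state lets the
# replies back in without a separate pass in rule.
pass out on $ext_if inet proto tcp from ($ext_if) to any port $tcp_services keep state

# DNS and NTP from the firewall are already allowed in either direction by
# "pass quick inet proto { tcp, udp } to any port $udp_services".
```

To confirm which rule drops the traffic, change `block all` to `block log all` and watch `tcpdump -n -e -ttt -i pflog0` while a client loads a page; `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches errors such as a macro defined with a leading `$`.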