FreeBSD transparent proxy with PF + Squid
Last active: March 1, 2022 12:34
# Squid should be intercepting on port 2600
# A caching DNS server should be running on this box, with Squid and clients all resolving through it.
# FreeBSD 9.2 RELEASE + Squid 3.3.9 from ports
# Timothy Makobu, 2013

# Variables
admin_if = "igb0"      # LAN side: clients behind this interface are proxied
external_if = "igb1"   # upstream side: NAT happens here
# Services the firewall itself offers to the LAN: SSH, the Squid intercept port, DNS
intraservices = "{ 22, 2600, 53 }"
# TCP ports LAN clients may reach directly without going through Squid
forward_ports = "{ 443, 465, 6667, 22, 587, 5938, 2083, 2082, 2095, 2096, 5242, 4244, 5243, 9785 }"
# Persistent table of banned hosts, seeded from a file and fed by the SSH overload rule below
table <blacklist> persist file "/root/code_base/blaquelist"

# Settings
set block-policy drop
set skip on lo
scrub in all

# NAT
# Masquerade LAN traffic behind the upstream address
nat on $external_if inet from $admin_if:network to any -> 196.200.18.30
# Transparent proxy: redirect LAN HTTP to the local Squid intercept port
rdr pass on $admin_if proto tcp from $admin_if:network to any port 80 -> 127.0.0.1 port 2600

# Filter
block in log
# Blacklist rules come before the quick pass-out rule so that traffic to a banned host
# is dropped in both directions, including connections originating on the firewall itself
block quick to <blacklist>
block quick from <blacklist>
pass out quick keep state
antispoof quick for $admin_if
antispoof quick for $external_if
# LAN clients may open connections directly on the listed ports
pass in quick on $admin_if inet proto tcp from $admin_if:network to any port $forward_ports flags S/SA keep state
# SSH from anywhere, rate limited: more than 10 concurrent or 7 new connections per minute from one source
# adds that source to <blacklist> and flushes all of its states
pass in log quick inet proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 10, max-src-conn-rate 7/60, overload <blacklist> flush global)
# LAN access to the services the firewall runs
pass in quick on $admin_if inet proto { tcp, udp } to $admin_if port $intraservices keep state
pass in quick inet proto icmp all icmp-type echoreq keep state
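The Squid side that this ruleset relies on (the rdr rule sends LAN HTTP to 127.0.0.1:2600 and expects Squid to accept it as intercepted traffic), written here as an added squid.conf example rather than taken from the gist. It assumes Squid 3.3 from the FreeBSD port, and the LAN prefix 192.168.1.0/24 is a constructed placeholder for whatever $admin_if:network is on the box.

```conf
# squid.conf fragment for the pf ruleset above (added example, not part of the gist).
# Assumes Squid 3.3 from the FreeBSD port; 192.168.1.0/24 is a constructed
# placeholder for the igb0 network ($admin_if:network in pf.conf).

# Listen only on loopback, where the pf rdr rule delivers the redirected
# connections. "intercept" tells Squid the client did not address it
# deliberately, so Squid recovers the original destination from pf's
# translation state instead of trusting the Host header on its own.
http_port 127.0.0.1:2600 intercept

# Only the LAN behind igb0 may use the proxy, and only for plain HTTP;
# everything else is refused so the listener cannot be used as an open proxy.
acl localnet src 192.168.1.0/24
acl Safe_ports port 80
http_access deny !Safe_ports
http_access allow localnet
http_access deny all

# Resolve through the same caching resolver the clients use, as the
# header of the ruleset requires, so Squid and the clients see one view of DNS.
dns_nameservers 127.0.0.1

# Do not advertise the proxy or leak the client's LAN address to origin servers.
via off
forwarded_for delete

# On-disk cache (size in MB, then L1/L2 directory counts).
cache_dir ufs /var/squid/cache 1024 16 256
```

After editing, `squid -k parse` checks the file and `squid -k reconfigure` applies it; the `pass in ... port $intraservices` rule already admits LAN traffic to port 2600.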