Getting TPROXY support on FreeBSD


Squid patch updated to match the squid-3.0.STABLE16 port (www/squid30).

FreeBSD 8 already supports this natively, but you will need to change IP_NONLOCALOK to IP_BINDANY in src/comm.cc (or in libiapp/comm_ips_freebsd.c under Lusca).

With FreeBSD 7 you still need the kernel patch. Alternatively, you can try this backport of the IP_BINDANY commit (ip_bindany_stable.patch).

Lusca has integrated the tproxy support for FreeBSD.

We still don't know how much traffic tproxy can handle, but as you can see in Adrian's posts (here and here) it should be fine for most small/medium ISPs. Thanks again to Adrian for sharing this information.


  • Update your system to 7_STABLE
  • Fetch and install the kernel patch:
    # cd /usr/src
    # fetch http://tproxy.no-ip.org/freebsd-tproxy-sys.patch
    # patch < freebsd-tproxy-sys.patch
    
  • (re)Compile your kernel and don't forget to add (recommended, at least):
    options         IPDIVERT
    options         IPFIREWALL
    options         IPFIREWALL_NAT
    options         IPFIREWALL_VERBOSE
    options         IPFIREWALL_FORWARD
    options         IPFIREWALL_DEFAULT_TO_ACCEPT
    options         MSGMNB=8192
    options         MSGSSZ=64
    options         MSGTQL=2048
    options         SHMSEG=16
    options         SHMALL=4096
    options         IP_NONLOCALBIND
    options         LIBALIAS
    
    IPFIREWALL_FORWARD is what makes the fwd rules below work, and IP_NONLOCALBIND is the option added by the kernel patch that lets squid bind to the clients' addresses. IPFIREWALL_DEFAULT_TO_ACCEPT means a kernel with no rules loaded passes all traffic (it keeps you from locking yourself out at boot, but remember to add your own deny rules on the external interface if this box is also your border gateway). LIBALIAS is needed so the build doesn't fail with IPFIREWALL_NAT.
    
  • Install the new kernel and reboot the server
  • Update the in.h header, so the new socket option is visible when squid is built:
    # cp /usr/src/sys/netinet/in.h /usr/include/netinet
    
  • Fetch and install the squid and port patch:
    # cd /usr/ports/www/squid30/files
    # fetch http://tproxy.no-ip.org/freebsd-tproxy-squid.patch
    # cd /usr/ports/www/squid30
    # fetch http://tproxy.no-ip.org/freebsd-tproxy-port.patch
    # patch < freebsd-tproxy-port.patch
    # make config
    
    Select the options SQUID_TPROXY, SQUID_IPFW and any other options you need.
    # make install clean
    
  • add this to /etc/sysctl.conf (it is applied at boot; set it with sysctl(8) by hand if you don't want to wait for the next reboot):
    # echo net.inet.ip.nonlocalok=1 >> /etc/sysctl.conf
    
  • change/add the http_port line in squid.conf (bind it to the internal/gateway IP, the one the ipfw fwd rule points at):
    http_port XXX.INTERNAL.IP.XXX:3128 transparent tproxy
    
  • add these rules to ipfw (before any rule that would already pass this traffic):
    # fxp0 -> External interface
    # em0 -> Internal interface
    # 200.200.200.1 -> Gateway (this is set on the internal interface)
    # 200.200.200.0/24 -> Clients network
    ipfw add fwd 200.200.200.1,3128 tcp from 200.200.200.0/24 to any 80 in via em0 # redirect the clients' outbound HTTP to squid (the transparent proxy rule)
    ipfw add fwd 200.200.200.1 tcp from any 80 to 200.200.200.0/24 in via fxp0 # the replies are addressed to the clients' IPs (squid spoofed them); forward them to the local host so the kernel delivers them to squid's tproxy socket instead of routing them back to the clients
    
    
  • That's it! You are ready to go :)
  • Please report problems to loos.br at gmail dot com!
  • Thanks to Julian (Elischer?) and Adrian Chadd (first ideas about tproxy on FreeBSD and the IP_NONLOCALBIND kernel patch)

    patches:

    freebsd-tproxy-sys.patch MD5 (freebsd-tproxy-sys.patch) = 504c03c1a77c46e952f59fd26c9722ab
    freebsd-tproxy-squid.patch MD5 (freebsd-tproxy-squid.patch) = 66baa5fb8c8d49dd95de9e972404399e
    freebsd-tproxy-port.patch MD5 (freebsd-tproxy-port.patch) = 053e5c40b0f74a2e53956c46f9d1023a
    ip_bindany_stable.patch MD5 (ip_bindany_stable.patch) = a467928e171588ee490f6f9f190a5c70
    Changelog:
    2008-12-29: First release
    2008-12-30: Fix sys patch - add missing files: NOTES and options
    2009-01-24: Add a note about the update of in.h. Add a note about cacheboy, the recommended software for this.
    2009-07-07: Update the squid patch to match port www/squid30 (squid-3.0.STABLE16). Add the link to ip_bindany_stable.patch.
    2009-07-25: Add the LIBALIAS option to the kernel example, so it doesn't fail to build with IPFIREWALL_NAT. Add the links to Adrian's blog.