Squid: The Definitive Guide - Duane Wessels

/sbin/ipfw add allow tcp from 172.16.102.66 to any out
/sbin/ipfw add allow tcp from any 80 to any out
/sbin/ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in
/sbin/ipfw add allow tcp from any 80 to 172.16.102.66 in

The first rule matches packets originating from the Squid host. It ensures that outgoing TCP connections won't be redirected back to Squid.[3] The second rule matches TCP packets sent from Squid back to the clients. I've added it here in case you have additional ipfw rules later that would deny these packets. The third rule is the one that actually redirects incoming connections to Squid. The fourth rule matches packets coming back from origin servers to Squid. Again, this is in case you have subsequent deny rules.

If you're also running an HTTP server on the Squid host, you must add another rule that passes, rather than redirects, TCP packets destined for the origin server. The following rule goes before the fwd rule:

/sbin/ipfw add allow tcp from any to 172.16.102.66 80 in
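The ordering argument in the preceding paragraphs (Squid's own traffic must be allowed before the fwd rule, and the local web server's port 80 must be passed before it) is easiest to see by replaying sample packets against the rule set with ipfw's first-match semantics. The following is an added example, not code from the book or from Squid: a small parser for the subset of ipfw syntax used above, an evaluator that stops at the first matching rule, and a few constructed packets (the client and origin-server addresses are invented; 172.16.102.66 and 127.0.0.1,3128 are the values from the text).

```python
"""First-match replay of the ipfw interception rules (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

SQUID_HOST = "172.16.102.66"   # Squid host address used in the text


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: str            # "in" = arriving on an interface, "out" = leaving


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "fwd"
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    direction: Optional[str]           # None matches both directions
    fwd_to: Optional[Tuple[str, int]]  # destination for fwd rules only

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and _addr_match(self.src, p.src) and _port_match(self.sport, p.sport)
                and _addr_match(self.dst, p.dst) and _port_match(self.dport, p.dport)
                and (self.direction is None or self.direction == p.direction))


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_match(spec: Optional[int], port: Optional[int]) -> bool:
    return spec is None or spec == port


def parse_rule(line: str) -> Rule:
    """Parse the ipfw subset used on this page:
    [/sbin/ipfw add] allow|fwd [host,port] proto from src [port] to dst [port] [in|out]"""
    t = line.split()
    if t[:2] == ["/sbin/ipfw", "add"]:
        t = t[2:]
    action = t.pop(0)
    fwd_to = None
    if action == "fwd":
        host, port = t.pop(0).split(",")
        fwd_to = (host, int(port))
    elif action != "allow":
        raise ValueError(f"unsupported action {action!r}")
    proto = t.pop(0)
    if t.pop(0) != "from":
        raise ValueError("expected 'from'")
    src = t.pop(0)
    sport = int(t.pop(0)) if t and t[0].isdigit() else None
    if t.pop(0) != "to":
        raise ValueError("expected 'to'")
    dst = t.pop(0)
    dport = int(t.pop(0)) if t and t[0].isdigit() else None
    direction = t.pop(0) if t and t[0] in ("in", "out") else None
    if t:
        raise ValueError(f"trailing tokens {t}")
    return Rule(action, proto, src, sport, dst, dport, direction, fwd_to)


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[Tuple[str, int]]]:
    """ipfw semantics: the first matching rule decides. A packet matching nothing
    falls through to the kernel's default rule, whose policy depends on build options."""
    for r in rules:
        if r.matches(p):
            return r.action, r.fwd_to
    return "default", None


INTERCEPT_RULES = [parse_rule(line) for line in [
    "/sbin/ipfw add allow tcp from 172.16.102.66 to any out",
    "/sbin/ipfw add allow tcp from any 80 to any out",
    "/sbin/ipfw add fwd 127.0.0.1,3128 tcp from any to any 80 in",
    "/sbin/ipfw add allow tcp from any 80 to 172.16.102.66 in",
]]
LOCAL_HTTPD_RULE = parse_rule("/sbin/ipfw add allow tcp from any to 172.16.102.66 80 in")


def with_local_httpd(rules: List[Rule], before_fwd: bool) -> List[Rule]:
    """Insert the web-server bypass rule before the fwd rule (as the text says) or, for
    comparison, after everything else."""
    if not before_fwd:
        return rules + [LOCAL_HTTPD_RULE]
    idx = next(i for i, r in enumerate(rules) if r.action == "fwd")
    return rules[:idx] + [LOCAL_HTTPD_RULE] + rules[idx:]


# Constructed sample traffic; client and origin addresses are invented.
CLIENT_TO_ORIGIN = Packet("tcp", "172.16.101.10", 40000, "198.51.100.7", 80, "in")
SQUID_TO_ORIGIN = Packet("tcp", SQUID_HOST, 50000, "198.51.100.7", 80, "out")
ORIGIN_TO_SQUID = Packet("tcp", "198.51.100.7", 80, SQUID_HOST, 50000, "in")
CLIENT_TO_LOCAL_HTTPD = Packet("tcp", "172.16.101.10", 40001, SQUID_HOST, 80, "in")

if __name__ == "__main__":
    for name, pkt in [("client->origin", CLIENT_TO_ORIGIN), ("squid->origin", SQUID_TO_ORIGIN),
                      ("origin->squid", ORIGIN_TO_SQUID)]:
        print(f"{name:14s}", evaluate(INTERCEPT_RULES, pkt))
    print("httpd rule before fwd:", evaluate(with_local_httpd(INTERCEPT_RULES, True), CLIENT_TO_LOCAL_HTTPD))
    print("httpd rule after fwd: ", evaluate(with_local_httpd(INTERCEPT_RULES, False), CLIENT_TO_LOCAL_HTTPD))
```

Running it shows the client's connection being forwarded to 127.0.0.1:3128 while Squid's own outbound connection and the origin server's reply are simply allowed; with the web-server rule placed after the fwd rule, requests for the local server would be swallowed by Squid instead. The "default" result for unmatched traffic is a reminder that the page's four rules say nothing about anything other than TCP port 80, so the kernel's default rule still applies to the rest.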

FreeBSD typically stores ipfw rules in /etc/rc.firewall. Once you get your rule set working properly, be sure to save them. Add this line to /etc/rc.conf to make FreeBSD automatically run the /etc/rc.firewall script when it boots:

firewall_enable="YES"

FreeBSD and WCCP

FreeBSD Version 4.8 and later have built-in support for GRE and WCCP. Earlier versions require patches, which you can still find at http://www.squid-cache.org/WCCP-support/FreeBSD/. The built-in implementation is much better, however, as it is written by real kernel gurus. You'll probably need to make a new kernel that supports GRE. Add this line to your kernel configuration:

pseudo-device gre

For FreeBSD-5, use device instead of pseudo-device. Of course, you also need the FIREWALL options mentioned in the preceding section.

After installing and booting from the new kernel, you must configure a GRE tunnel to accept GRE packets from the router. For example:

# ifconfig gre0 create
# ifconfig gre0 172.16.102.66 172.16.102.65 netmask 255.255.255.255 up
# ifconfig gre0 tunnel 172.16.102.66 172.16.102.65
# route delete 172.16.102.65

The ifconfig command adds a routing table entry for the router (172.16.102.65) over the gre0 interface. I found it necessary to delete that route so that Squid can talk to the router.

You may want or need to add an ipfw rule for the GRE packets coming from the router:

/sbin/ipfw add allow gre from 172.16.102.65 to 172.16.102.66

OpenBSD

The examples in this section are based on OpenBSD 3.3.

To enable packet forwarding, uncomment or add this line in /etc/sysctl.conf:

net.inet.ip.forwarding=1

Now, configure the packet filter rules for interception by adding lines like these to /etc/pf.conf:

rdr inet proto tcp from any to any port = www -> 127.0.0.1 port 3128
pass out proto tcp from 172.16.102.66 to any
pass out proto tcp from any port = 80 to any
pass in proto tcp from any port = 80 to 172.16.102.66

If you aren't already using OpenBSD's packet filter, you need to enable it with this line in /etc/rc.conf.local:

pf=YES

OpenBSD and WCCP

First, tell the system to accept and process GRE and WCCP packets by adding these lines to /etc/sysctl.conf:

net.inet.gre.allow=1
net.inet.gre.wccp=1

Then, configure a GRE interface with commands like these:

# ifconfig gre0 172.16.102.66 172.16.102.65 netmask 255.255.255.255 up
# ifconfig gre0 tunnel 172.16.102.66 172.16.102.65
# route delete 172.16.102.65

As with FreeBSD, I found it necessary to delete the route that is automatically added by ifconfig. Finally, depending on your packet filter configuration, you may need to add a rule that allows the GRE packets:

pass in proto gre from 172.16.102.65 to 172.16.102.66
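Both the FreeBSD ipfw rule and the OpenBSD pf rule for WCCP restrict GRE to packets whose outer source is the router (172.16.102.65) and whose outer destination is the Squid host (172.16.102.66); the kernel's gre interface then decapsulates whatever is inside. The following is an added example, not code from the book, Squid, or either BSD: it parses the GRE header as defined in RFC 2784 (with the optional key and sequence fields of RFC 2890), verifies the optional checksum, and applies the same source/destination policy as the firewall rules before trusting the payload. The inner IPv4 packet is a constructed 20-byte header stub, not a capture; accepting only an IPv4 payload type (0x0800) is this example's own policy choice.

```python
"""GRE header parsing plus the tunnel-source policy of the firewall rules (added example)."""
import struct
from ipaddress import ip_address
from typing import Optional, Tuple

# Flag bits in the first GRE header byte (RFC 2784 / RFC 2890).
GRE_FLAG_C = 0x80        # checksum and reserved1 fields present
GRE_FLAG_K = 0x20        # key field present
GRE_FLAG_S = 0x10        # sequence number field present
ETHERTYPE_IPV4 = 0x0800

WCCP_ROUTER = "172.16.102.65"   # addresses from the text
SQUID_HOST = "172.16.102.66"


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum arithmetic: 16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_gre(payload: bytes, protocol: int = ETHERTYPE_IPV4, key: Optional[int] = None,
              seq: Optional[int] = None, with_checksum: bool = True) -> bytes:
    """Encapsulate payload in a version-0 GRE header (used here only to build test input)."""
    flags = ((GRE_FLAG_C if with_checksum else 0) | (GRE_FLAG_K if key is not None else 0)
             | (GRE_FLAG_S if seq is not None else 0))
    header = bytes([flags, 0]) + struct.pack("!H", protocol)   # byte 1 low bits: version 0
    if with_checksum:
        header += b"\x00" * 4          # checksum + reserved1, zero while computing
    if key is not None:
        header += struct.pack("!I", key)
    if seq is not None:
        header += struct.pack("!I", seq)
    packet = header + payload
    if with_checksum:
        csum = (~ones_complement_sum(packet)) & 0xFFFF
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> dict:
    """Decode the GRE header; checksum_ok is None when the C flag is clear."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags = packet[0]
    info = {"version": packet[1] & 0x07, "protocol": struct.unpack("!H", packet[2:4])[0],
            "checksum_ok": None, "key": None, "seq": None}
    offset = 4
    if flags & GRE_FLAG_C:
        if len(packet) < offset + 4:
            raise ValueError("truncated checksum field")
        # With the checksum field in place, the sum over header + payload must be all ones.
        info["checksum_ok"] = ones_complement_sum(packet) == 0xFFFF
        offset += 4
    for flag, name in ((GRE_FLAG_K, "key"), (GRE_FLAG_S, "seq")):
        if flags & flag:
            if len(packet) < offset + 4:
                raise ValueError(f"truncated {name} field")
            info[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
            offset += 4
    info["payload"] = packet[offset:]
    return info


def accept_gre(outer_src: str, outer_dst: str, packet: bytes,
               router: str = WCCP_ROUTER, squid_host: str = SQUID_HOST) -> Tuple[bool, str]:
    """Same policy as 'allow gre from router to squid host', plus header sanity checks."""
    if ip_address(outer_src) != ip_address(router):
        return False, "outer source is not the WCCP router"
    if ip_address(outer_dst) != ip_address(squid_host):
        return False, "outer destination is not the Squid host"
    try:
        gre = parse_gre(packet)
    except ValueError as exc:
        return False, str(exc)
    if gre["version"] != 0:
        return False, f"unsupported GRE version {gre['version']}"
    if gre["checksum_ok"] is False:
        return False, "GRE checksum mismatch"
    if gre["protocol"] != ETHERTYPE_IPV4:
        return False, f"unexpected payload type 0x{gre['protocol']:04x}"
    return True, "accepted"


# Constructed inner packet: a 20-byte IPv4 header stub (invented addresses, not a capture).
SAMPLE_INNER = bytes.fromhex("450000140001000040060000ac10650ac6336407")

if __name__ == "__main__":
    pkt = build_gre(SAMPLE_INNER)
    print(accept_gre(WCCP_ROUTER, SQUID_HOST, pkt))
    print(accept_gre("10.0.0.1", SQUID_HOST, pkt))
```

The source check comes first on purpose: it is the cheap filter the firewall rule already expresses, and the header is only parsed for packets that pass it. The checksum check only applies when the sender set the C flag, so checksum_ok is tri-state and the policy rejects only a present-but-wrong checksum.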

IPFilter on NetBSD and Others

The examples in this section are based on NetBSD 1.6.1. They might also work on Solaris, HP-UX, IRIX, and Tru64 since IPFilter runs on those systems as well.

To enable packet forwarding (on NetBSD), add this line to /etc/sysctl.conf:

net.inet.ip.forwarding=1

Then, insert a line like this into the NAT (network address translation) configuration file,
