Something is wrong

Max Laier max at love2party.net
Thu May 4 05:33:13 UTC 2006


On Thursday 04 May 2006 05:40, Aguiar Magalhaes wrote:
> I have a lot of Windows Internet Explorer browsers in the
> LAN and they are marked to use the proxy at 3128 port.
>
> The pf and squid are in the same machine. I'm not
> using transparent proxy on pf. I don't have any
> redirections to proxy.

and there is your problem.  If your client is configured to use the proxy it
will just do that.  That means it won't even attempt to make a direct
connection to any server.  IIRC you can configure IE to exclude certain IP
ranges or domains from being proxied.  That would be one way to go.  Another
one is to fix the configuration of your proxy.  The last one is to use
transparent proxying, in which case you can use pf to decide whether or not
the proxy should be used.

> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell pf not to send the packages to the
> proxy if the users are accessing those application
> pages, but I'm not having success.
>
> My firewall has only two NICs: $int_if and $ext_if
>
> Could you help me ?  Thanks, Aguiar
>
> The rules are:
>
> - - - - - - - -
> internal_net = "172.16.0.0/12"
> fw_ip_int = "172.16.0.9"
> fw_ip_ext = "200.x.x.x"
> lan_to_int = "{ 25 123 ... etc }"
>
> set optimization aggressive
> scrub in all
> nat on $ext_if from $internal_net to any -> $fw_ip_ext
> rdr on $int_if proto tcp from $internal_net to any
> port 21 -> 127.0.0.1 port 8081
> pass quick on lo0 all
> antispoof for $ext_if inet
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net
> to 127.0.0.1 port 8081 keep state
> pass in on $int_if inet proto tcp from $internal_net
> to { $fw_ip_int $fw_ip_ext } port 3128 keep state
> pass in on $int_if inet proto udp from $internal_net
> to any port 53 keep state
> pass in on $int_if inet proto tcp from $internal_net
> to any port $lan_to_int keep state
>
> # Access permitted out of the proxy (not is ok...)
> pass inet proto tcp from { 172.16.1.16 172.16.1.165
> 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep
> state
>
> pass out from $fw_ip_ext to any keep state
> - - - - - - - - - - - -

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
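
The first option in the reply (keeping selected destinations off the proxy on the client side) can be expressed as a proxy auto-config script that IE loads in place of a fixed proxy setting. This is an added example, not part of the original message: the proxy address and the two ports come from the posted rules and description, while `APP_HOSTS` and the host name in it are placeholders.

```javascript
// Added example (not from the thread): PAC script for the setup described.
// Proxy = fw_ip_int on port 3128, taken from the posted pf rules.
var PROXY = "PROXY 172.16.0.9:3128";
// Ports the poster says the intranet applications use without proxy support.
var DIRECT_PORTS = { "19336": true, "8081": true };
// Placeholder: hosts that serve those applications (assumption, replace).
var APP_HOSTS = { "app.example.internal": true };

// Return the explicit port of a URL, or the default for its scheme.
function urlPort(url) {
  var re = /^([a-z][a-z0-9+.-]*):\/\/(?:[^\/?#@]*@)?(\[[^\]]*\]|[^\/?#:]*)(?::(\d+))?/i;
  var m = re.exec(url);
  if (!m) return "";
  if (m[3]) return m[3];
  var scheme = m[1].toLowerCase();
  if (scheme === "http") return "80";
  if (scheme === "https") return "443";
  if (scheme === "ftp") return "21";
  return "";
}

// Lowercase the host and drop a trailing dot so "APP.example.internal."
// cannot slip past the allow-list comparison.
function normalizeHost(host) {
  var h = String(host).toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  // Bypass only when BOTH the host and the port are on the allow-lists;
  // a port-only match would let any site on 8081 skip the proxy.
  if (APP_HOSTS[h] === true && DIRECT_PORTS[urlPort(url)] === true) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is down, requests fail rather
  // than silently leaving the LAN unfiltered.
  return PROXY;
}
```

pf still has to pass the direct connections, as the poster's "Access permitted out of the proxy" rule attempts to do.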