Question regarding packet forwarding and Squid

Ermal Luçi eri at freebsd.org
Tue Jul 10 20:49:45 UTC 2012


On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng <hbcheng at berkeley.edu> wrote:
> Hello all,
>
> I am working on converting a captive portal system from ipfw to pf (in
> order to support port-block allocation in many-to-one NAT) on systems
> currently running FreeBSD 8.2.
>
> Most of the firewall rewrite went without incident. However, I am having
> trouble replicating the fwd functionality of ipfw in pf.
>
> Our ipfw firewall uses the fwd rule to send packets from the private side
> of the portal to a squid instance running on 127.0.0.1:3128. From there,
> squid runs our url_rewrite script. The nice thing about this setup is that
> the fwd rule does not rewrite either the destination IP or port of the
> packet, meaning that the url_rewrite script can easily extract this
> information from the input line that squid provides (myip corresponding to
> the destination IP address of the original HTTP request). We then add the
> IP address to a firewall table to grant HTTPS access to the destination
> host bypassing squid entirely.
>
> I was able to get traffic into squid via pf using a rdr rule. However this
> rule rewrites the destination IP and port of the request which means that
> the url_rewrite script is no longer aware of the original destination IP.
> While there are several options for changing the url_rewrite script to
> accommodate this change, I would like to avoid unnecessary (and redundant)
> nameserver lookups.
>
> Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
> heard mentions of a divert-to rule, but I was unsuccessful in finding any
> official documentation on the subject anywhere online.
>
> Any help would be greatly appreciated.
>
You will not find such a functionality easily or without tricky requirements.

> Thanks,
>
> Hao Bryan Cheng
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"



-- 
Ermal
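To make the problem in the question concrete, here is an added example (not code from the thread or from Squid/pf) of a minimal url_rewrite helper that pulls the original destination out of the `myip=` field. The input line format is an assumption (it varies by Squid version), the sample lines are constructed, and the table name `allowed_hosts` is a placeholder.

```python
import sys

# Loopback address Squid reports as 'myip' after pf's rdr rewrote the
# destination; under ipfw fwd the original destination address survives.
LOOPBACK = "127.0.0.1"

# Constructed sample helper input lines (assumed format, varies by Squid
# version): URL client_ip/fqdn ident method myip=<addr> myport=<port>
FWD_LINE = "http://example.com/ 10.0.0.5/- - GET myip=192.0.2.10 myport=80"
RDR_LINE = "http://example.com/ 10.0.0.5/- - GET myip=127.0.0.1 myport=3128"

def parse_rewrite_line(line):
    """Split one url_rewrite input line into its fields, including the
    key=value extras (myip, myport).  Raises ValueError if malformed."""
    fields = line.strip().split()
    if len(fields) < 4:
        raise ValueError("unexpected url_rewrite input: %r" % line)
    parsed = {"url": fields[0], "client": fields[1],
              "ident": fields[2], "method": fields[3]}
    for extra in fields[4:]:
        key, sep, value = extra.partition("=")
        if sep:
            parsed[key] = value
    return parsed

def original_destination(parsed):
    """Return the original destination IP, or None if rdr discarded it.
    With ipfw fwd 'myip' is the real server address; with pf rdr to
    127.0.0.1:3128 it is only the loopback address."""
    myip = parsed.get("myip")
    if not myip or myip == LOOPBACK:
        return None
    return myip

def pf_table_command(table, addr):
    """pfctl invocation that would grant <addr> the HTTPS bypass
    (built here, not executed; running it needs root)."""
    return ["pfctl", "-t", table, "-T", "add", addr]

def handle(line, table="allowed_hosts"):
    """Return the table command for one helper line, or None when the
    destination is unknown (the rdr case described in the thread)."""
    dst = original_destination(parse_rewrite_line(line))
    return None if dst is None else pf_table_command(table, dst)

if __name__ == "__main__":
    for line in sys.stdin:  # Squid feeds one request per line
        handle(line)
        sys.stdout.write("\n")  # empty reply: leave the URL unchanged
        sys.stdout.flush()
```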
