Squid/ Danguardian + Transparent Bridge

Jeremy Chadwick koitsu at FreeBSD.org
Thu Aug 28 01:03:34 UTC 2008


On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> I've been trying to get pf to transparently redirect all incoming
> traffic on port 80 to port 8080 on a bridge to pass through to
> Dansguardian. This machine is a replacement for a Linux box which did
> the same thing with IPtables flawlessly, but I can't seem to get it to work
> with PF. I've tried using dozens of rulesets, including route-to
> statements, and have had no success. I was wondering if anybody has a
> working ruleset that they could share as an example, as I've seen lots
> of questions in mailing list archives regarding this, but no positive fixes.

You mean something like this?

rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080

Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
Response packets will also be remapped appropriately (meaning the remote
user will see the response packets coming from 4.4.4.4 port 80).

This is under the assumption that Dansguardian is listening on 127.0.0.1
port 8080.  It might just be listening on INADDR_ANY port 8080, in which
case you should probably configure it to bind to 127.0.0.1 -- or if
you cannot, set up an appropriate firewall rule in pf to block that
traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
and talk to Dansguardian directly).

Hope this helps.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
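A pf.conf fragment that puts the advice in the reply together, added here as an example rather than taken from the thread or from either poster: it assumes the Internet-facing interface is named em0 and keeps the 4.4.4.4 stand-in for <ipofyourbox>.

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumed names: em0 is the interface facing the Internet and
# 4.4.4.4 stands in for <ipofyourbox>, as in the reply above.
ext_if      = "em0"
box_ip      = "4.4.4.4"
filter_port = "8080"

# Filter rules never need to evaluate traffic on the loopback interface.
set skip on lo0

# Translation: inbound port 80 to the box's own address lands on the
# content filter listening on 127.0.0.1:8080. "rdr pass" also creates the
# matching pass rule, so the redirected packets need no separate entry.
# Replies are un-translated on the way out, so the client sees 4.4.4.4:80.
rdr pass on $ext_if proto tcp from any to $box_ip port 80 \
    -> 127.0.0.1 port $filter_port

# If Dansguardian cannot be bound to 127.0.0.1 and listens on INADDR_ANY,
# refuse direct connections to 8080 from outside. Filter rules see the
# post-translation address, so redirected traffic (now 127.0.0.1) is not
# affected by this rule.
block in quick on $ext_if proto tcp from any to $box_ip port $filter_port

# Default-deny inbound; the box itself must still be able to initiate
# outbound connections to fetch the pages it proxies.
block in on $ext_if
pass out on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -sn` afterwards to confirm the rdr rule is in the translation ruleset. `sockstat -4 -l` shows whether Dansguardian is bound to 127.0.0.1 or to INADDR_ANY, which decides whether the block rule is actually needed.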