Squid/ Danguardian + Transparent Bridge

Max Laier max at love2party.net
Thu Aug 28 01:12:55 UTC 2008


On Thursday 28 August 2008 03:03:32 Jeremy Chadwick wrote:
> On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> > I've been trying to get pf to transparently redirect all incoming
> > traffic on port 80 to port 8080 on a bridge to pass through to
> > Dansguardian. This machine is a replacement for a Linux box which did
> > the same thing with IPtables flawlessly, but I can't seem to get it work
> > with PF. I've tried using dozens of rulesets, including route-to
> > statements, and have had no success. I was wondering if anybody has a
> > working ruleset that they could share as an example, as I've seen lots
> > of questions in mailing list archives regarding this, but no positive
> > fixes.
>
> You mean something like this?
>
> rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080
>
> Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> Response packets will also be remapped appropriately (meaning the remote
> user will see the response packets coming from 4.4.4.4 port 80).
>
> This is under the assumption that Dansguardian is listening on 127.0.0.1
> port 8080.  It might just be listening on INADDR_ANY port 8080, in which
> case you should probably configure it to bind to 127.0.0.1 -- or if
> you cannot, set up an appropriate firewall rule in pf to block that
> traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> and talk to Dansguardian directly).

Note that software that wants to do transparent proxying needs to be aware of 
the pf redirection.  For squid you can enable code to do that by enabling the 
port option SQUID_PF (see make config).  I have no idea if Dansguardian has 
support for pf or if squid or Dansguardian is the first to look at the 
traffic.  If squid is the first you should be good ... otherwise you must talk 
to the Dansguardian people about pf support.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


More information about the freebsd-pf mailing list