Fwd: Re: Squid/ Danguardian + Transparent Bridge

Jeremy Chadwick koitsu at FreeBSD.org
Thu Aug 28 03:56:19 UTC 2008


----- Forwarded message from James Shupe <shupej at hermetek.com> -----

> From: James Shupe <shupej at hermetek.com>
> To: Jeremy Chadwick <koitsu at FreeBSD.org>
> Date: Wed, 27 Aug 2008 20:26:59 -0500
> Subject: Re: Squid/ Danguardian + Transparent Bridge
> 
> I've tried this, and it works with NAT but not when the interfaces are
> in a bridge. I'll re-attempt this tomorrow though, just in case I'm wrong.
> 
> Thank you,
> James Shupe
> 
> Jeremy Chadwick wrote:
> > On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> >> I've been trying to get pf to transparently redirect all incoming
> >> traffic on port 80 to port 8080 on a bridge to pass through to
> >> Dansguardian. This machine is a replacement for a Linux box which did
> >> the same thing with IPtables flawlessly, but I can't seem to get it to work
> >> with PF. I've tried using dozens of rulesets, including route-to
> >> statements, and have had no success. I was wondering if anybody has a
> >> working ruleset that they could share as an example, as I've seen lots
> >> of questions in mailing list archives regarding this, but no positive fixes.
> > 
> > You mean something like this?
> > 
> > rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080
> > 
> > Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> > incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> > Response packets will also be remapped appropriately (meaning the remote
> > user will see the response packets coming from 4.4.4.4 port 80).
> > 
> > This is under the assumption that Dansguardian is listening on 127.0.0.1
> > port 8080.  It might just be listening on INADDR_ANY port 8080, in which
> > case you should probably configure it to bind to 127.0.0.1 -- or if
> > you cannot, set up an appropriate firewall rule in pf to block that
> > traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> > and talk to Dansguardian directly).
> > 
> > Hope this helps.
> > 
> 
> Thank you,
> -- 
> James Shupe
> HermeTek Network Solutions
> http//www.hermetek.com
> 1.866.325.6207
----- End forwarded message -----

James forgot to CC the list when replying; I got his permission to
forward this.

His problem seems to be when using rdr while a bridge is in use.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
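The rule Jeremy quotes, written out as a small pf.conf fragment together with the filter rule he suggests for the case where Dansguardian cannot be made to bind 127.0.0.1. This is an added example and not a ruleset from either James or Jeremy; the interface name `em0` and the address 4.4.4.4 are placeholders (4.4.4.4 is the value Jeremy used for illustration), and it assumes Dansguardian is configured to listen on port 8080 (in dansguardian.conf that is the `filterip`/`filterport` pair). Note that it redirects connections addressed to the box itself, exactly as the quoted rule does; it does not by itself address the bridge problem James reports.

```pf
# Placeholder interface and address; substitute your own.
ext_if = "em0"
box_ip = "4.4.4.4"

# Redirect inbound HTTP for this box to the local Dansguardian listener.
# "rdr pass" lets the translated connection through without a separate
# pass rule. Replies are un-translated on the way back, so the client
# sees them coming from $box_ip port 80.
rdr pass on $ext_if proto tcp from any to $box_ip port 80 -> 127.0.0.1 port 8080

# Jeremy's caveat: if Dansguardian binds INADDR_ANY instead of 127.0.0.1,
# anyone on the Internet could talk to port 8080 directly. Direct
# connections are not touched by the rdr above (it only matches port 80),
# so they reach the filter untranslated and this rule drops them.
block in quick on $ext_if proto tcp from any to $box_ip port 8080

# Everything else is up to the rest of your ruleset.
pass out quick on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The cleaner fix, as the thread says, is still to have Dansguardian bind 127.0.0.1 so the block rule is belt-and-braces rather than the only thing standing between the proxy and the Internet.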
