transparent proxy

Damien Fleuriot ml at my.gd
Sun Jan 2 22:07:34 UTC 2011



On 1/2/11 10:59 PM, jay at experts-exchange.com wrote:
> From studying squid rules, I found the following pf rule set. Does this do
> something similar to what I'm after? I tried something like this but it
> didn't help.
> 
> int_if="gem0"
> ext_if="kue0"
> 
> rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
> 
> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass out on $ext_if inet proto tcp from any to any port www keep state
> 
> http://www.benzedrine.cx/transquid.html
> 


Allow me to explain the rules in detail.

1/ Redirect all traffic that passes through us from anyone to anywhere
on port 80 to the local machine on port 3128.

2/ Actually allow everyone to contact the local machine on port 3128
(this has the same effect as if you had written "rdr pass" in the first
rule).

3/ Allow outgoing traffic on our external interface to web servers
(which comes into use if you don't have a "pass out" rule for everything).


However, regarding squid, you need to compile it with the transparent
proxy for PF option, so there's likely special code to be enabled in squid.

I'm not sure your stunnel is gonna like it.


> Thanks
> 
>> On 1/2/11 9:04 PM, jay at experts-exchange.com wrote:
>>> Here I want :
>>>
>>> nn:nn:nn.nnnnnn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack
>>> ...
>>>
>>> int_if="lo0"
>>> ext_if="ed0"
>>>
>>> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep
>>> state
>>>
>>> But no good (it's not able to sync) :
>>>
>>
>> How do things go when using synproxy in your pass rule ?
>>
>> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
>> 192.168.103.1 synproxy state
>>
>>
> 
> 


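Added example, not part of the thread above: a complete pf.conf fragment that puts the three quoted rules together the way Damien's numbered explanation describes them, plus the two pieces the quoted ruleset leaves implicit (not redirecting LAN-to-LAN web traffic, and restricting the pass-out rule to traffic sourced from the gateway itself). The interface names are the ones quoted in the thread; the 192.168.103.0/24 LAN, the `lan` and `squid_port` macros and the choice of port 3128 are assumptions for illustration.

```conf
# Added example for the freebsd-pf thread above, not taken from it.
# Assumptions: gem0 faces the LAN 192.168.103.0/24, kue0 faces the
# internet, squid listens on 127.0.0.1:3128 on this same host.
int_if     = "gem0"
ext_if     = "kue0"
lan        = "192.168.103.0/24"
squid_port = "3128"

# Translation rules are evaluated on packets arriving inbound on $int_if
# and run BEFORE the filter rules, so step 2 below must match the
# rewritten destination (127.0.0.1:3128), not the original web server.

# Do not intercept web traffic between two LAN hosts; only traffic that
# would actually leave through the gateway is worth proxying.
no rdr on $int_if inet proto tcp from $lan to $lan port www

# 1/ Rewrite the destination of LAN web traffic to the local squid.
#    Writing "rdr pass" here would make step 2 unnecessary.
rdr on $int_if inet proto tcp from $lan to any port www -> 127.0.0.1 port $squid_port

# 2/ Let the (now translated) connections reach squid.  Only the LAN is
#    allowed in; anything else hitting port 3128 on $int_if is dropped
#    by the default policy rather than handed to the proxy.
pass in on $int_if inet proto tcp from $lan to 127.0.0.1 port $squid_port keep state

# 3/ Let squid, which originates its upstream connections from this
#    host, reach the real web servers.  "from ($ext_if)" means the
#    address currently on kue0, so the rule does not open port 80 for
#    arbitrary forwarded traffic.
pass out on $ext_if inet proto tcp from ($ext_if) to any port www keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. On the squid side the rdr alone is not enough: squid has to recover the original destination that PF rewrote, which it does by opening `/dev/pf` and issuing the DIOCNATLOOK ioctl. That code is only present when squid was built with `--enable-pf-transparent`, the listening port has to be declared as `http_port 3128 transparent` (squid 2.x) or `http_port 3128 intercept` (squid 3.1 and later), and the user squid runs as needs permission to open `/dev/pf`. Without that lookup squid only sees a connection to 127.0.0.1 and can pick the upstream server from nothing but the client-supplied Host header.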