NAT & RDR rules for jailed proxy services
Beeblebrox
zaphod at berentweb.com
Fri Dec 20 16:55:05 UTC 2013
Good news is I have some progress and it seems to work like this:
# Begin NAT & RDR rules
# For the dns jail
nat on $JaIf proto {tcp,udp} from !($JaIf) to $JaIf port domain tag NAT_DNS -> $jdns port domain
nat on $JaIf proto {tcp,udp} from $jdns to !($JaIf) port domain tag NAT_DNS -> $JaIf port domain
# For the privoxy jail
nat on $JaIf proto tcp from !($JaIf) to $JaIf port 8118 tag NAT_PRVX -> $jprvx port 8118
nat on $JaIf proto tcp from $jprvx to !($JaIf) port 80 tag NAT_PRVX -> $JaIf port 80
Now the bad news:
1. "nat pass in/out quick on <interface>" gives a syntax error - probably my misunderstanding of your message content.
2. Unless the client's /etc/resolv.conf for dns and the proxy settings in the browser are changed, packets are not "forced" into the jailed proxy structure. I will have to place pass/block filters on ExtIf, and each client will have to make adjustments to their machine. I don't get a "silent redirect" for these packets, UNLESS I tested incorrectly.
Regards.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS
--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870346.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
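The transparent ("silent") redirect the poster is after is normally done with rdr rules, which rewrite the destination of packets entering an interface, rather than with nat. The fragment below is an added example and not part of the original message or of the poster's configuration; the interface names, jail addresses and the <clients> table are assumptions.

```pf
# Added example (not from the original post). Transparent redirection of
# client DNS and HTTP into the jails with rdr rules; the macro values and
# the <clients> table are assumptions to be replaced with your own.
ext_if  = "em0"           # interface towards the Internet (assumed)
int_if  = "em1"           # interface the clients sit behind (assumed)
jdns    = "10.0.0.53"     # address of the dns jail (assumed)
jprvx   = "10.0.0.80"     # address of the privoxy jail (assumed)
table <clients> { 192.168.1.0/24 }   # client subnet (assumed)

set skip on lo0

# Translation rules go before filter rules. Client DNS queries arriving on
# int_if get their destination rewritten to the dns jail; pf keeps state
# for the redirect and translates the jail's replies back to the client.
rdr pass on $int_if proto { tcp, udp } from <clients> to any port domain \
    -> $jdns port domain

# Plain HTTP from clients is redirected to privoxy's listener. Privoxy
# must run with "accept-intercepted-requests 1" to serve such requests.
rdr pass on $int_if proto tcp from <clients> to any port http \
    -> $jprvx port 8118

# Outbound traffic the jails generate themselves (upstream DNS lookups,
# pages privoxy fetches) leaves with the external address as source.
nat on $ext_if from { $jdns, $jprvx } to any -> ($ext_if)

# Filter rules. Packets matched by the "rdr pass" rules above already
# have state and skip these; everything else from the clients is passed
# so non-redirected protocols (e.g. HTTPS) still work.
pass in on $int_if from <clients> to any
pass out on $ext_if from any to any
```

rdr only matches packets entering on $int_if, so connections originated on the pf host itself are not caught; test from a client behind $int_if. Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.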