Anyone using squid and pf?

Damien Fleuriot ml at my.gd
Fri Nov 30 08:54:55 UTC 2012


On 30 Nov 2012, at 08:30, Leslie Jensen <leslie at eskk.nu> wrote:

> 
> 
> Damien Fleuriot skrev 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen <leslie at eskk.nu> wrote:
>>> 
>>> 
>> 
>> 
>> Well, that depends on what you want to do.
>> 
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>> 
>> 
>> 
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>> 
>> 
>> 
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
>> port $proxyport tag rdr_proxy
>> 
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local
>> machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
>> -> 127.0.0.1 port 8021 tag rdr_ftp
>> 
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>> 
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>> 
>> # 5/ access rule to allow your proxy to do whatever it wants in a very
>> limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
>> 443 } flags S/SAFR
>> 
>> 
>> 
>> I liked Volodymyr's original intent behind the "rdr pass", the use of
>> tags here allows you to setup actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>> 
>> Well basically it only has advantages.
>> 
>> 
>> Let me know if that helped.
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
>> 
> 
> Thank you Damien.
> 
> I'll try out your suggestions and report back.
> 
> Thanks :-)
> 
> /Leslie
> 

The rdr rules should read:
rdr in on $int_if from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the "-> destination" syntax.
Otherwise, should be just fine.
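For reference, here is the whole rule set from the thread assembled into one pf.conf fragment with the tag placed before "->" in both rdr rules, as the correction above requires. This is an added example, not a config posted by anyone in the thread; the interface name, addresses and ports are assumptions for illustration. It uses the older FreeBSD rdr syntax (separate nat/rdr section, as in the thread) and writes the rdr rules as "rdr on", without a direction keyword, which is the form pf.conf(5) gives for nat/rdr rules. The three "ftp-proxy/*" anchors are the ones ftp-proxy(8) documents as required so it can install its per-session rules; 8021 is its default listening port.

```pf
# Added example (not from the thread): squid interception plus ftp-proxy
# with tagged rdr rules and explicit pass rules. Names/addresses are assumed.
int_if    = "em1"
proxy     = "192.0.2.10"      # squid host on the LAN
proxyport = "8080"            # squid's intercept port

# Default deny for the LAN side; the tagged pass rules below use "quick".
block in on $int_if

# ftp-proxy(8) needs these anchors to add its dynamic nat/rdr/filter rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# 1/ HTTP from the LAN (but not from squid itself, to avoid a loop) -> squid.
#    The tag goes before "->" so the redirected packet carries it.
rdr on $int_if inet proto tcp from !$proxy to any port 80 \
    tag rdr_proxy -> $proxy port $proxyport

# 2/ FTP control connections from the LAN -> ftp-proxy on this host.
rdr on $int_if inet proto tcp from $int_if:network to any port 21 \
    tag rdr_ftp -> 127.0.0.1 port 8021

anchor "ftp-proxy/*"

# 3/ and 4/ pass only packets a redirect tagged; labels give per-rule
#    counters visible with "pfctl -vs rules".
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy \
    label "lan_to_squid"
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp \
    label "lan_to_ftpproxy"

# 5/ squid's own outbound web traffic, limited to HTTP and HTTPS.
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } \
    flags S/SAFR label "squid_out"
```

Check the syntax with "pfctl -nf /etc/pf.conf" before loading it, then confirm the translation with "pfctl -s nat" and watch the label counters with "pfctl -vs rules" while a LAN client fetches a page; "pfctl -s state" should show the client's port-80 connection with its destination rewritten to $proxy:$proxyport. Squid must be listening on $proxyport in interception mode for this to work, and because rule 3 only passes tagged packets, any LAN host that is not redirected (squid itself, per the "!$proxy" exclusion) falls through to the default block unless rule 5 covers it.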
