Date: Fri, 28 Jun 2002 08:23:39 -0400 (EDT)
From: Jaime
To: freebsd-questions@freebsd.org
Subject: transparent proxying
Message-ID: <20020628082314.M9991-100000@malkav.snowmoon.com>

I know how to make a transparent proxy with squid and ipfw. I've done it before. But now that I have to use dansguardian (damn CIPA rules), I'm having some trouble.

My network looks something like:

    (ISP) -- (Router) -- (Firewall) -- (Core switch)

The firewall looks something like:

    [ipfw] <--> [transproxy] <--> [dansguardian] <--> [squid] <--> [Web]

I'm trying to get transproxy out of the mix, because it's making all traffic to dansguardian into 127.0.0.1. This prevents me from tracking anything down or exempting certain IPs from the filters.

My current attempts are more like this:

    [ipfw divert] <-> [natd] <-> [dansguardian] <-> [squid] <-> [Web]

I'm not sure how to configure natd, though. The firewall's inside interface is fxp1 and the outside is fxp0. I've tried each of the following ways to start natd, but none have seemed to work. Sometimes it ends up blocking all traffic and other times it lets all traffic through but it doesn't filter it.

    /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
    /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
    /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
    /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
    /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
    /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
    /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1

These were all with ipfw rules like this:

    /sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80

Can anyone offer any insights? It doesn't even have to be a solution. I just feel like I'm missing a detail somewhere. Though I wouldn't turn down a solution! :)

Thanks in advance,
Jaime