Date: Sat, 29 Jun 2002 13:10:42 +0700 (NOVST)
From: Alexey Privalov <lucky@land3.nsu.ru>
To: Jaime <jaime@snowmoon.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: transparent proxying
Message-ID: <20020629130657.H66384-100000@land3.nsu.ru>
In-Reply-To: <20020628082314.M9991-100000@malkav.snowmoon.com>
hi

use a 'ipfw forward' for transparent proxying, like this:

    00040 fwd 127.0.0.1,8888 tcp from any to any 80,8100,8101,8102,8103 in recv fxp1

but you must remember that, if the IP is not a local address then the
port number (if specified) is ignored.

best regards,
Alexey.

On Fri, 28 Jun 2002, Jaime wrote:

> Date: Fri, 28 Jun 2002 08:23:39 -0400 (EDT)
> From: Jaime <jaime@snowmoon.com>
> To: freebsd-questions@freebsd.org
> Subject: transparent proxying
>
> I know how to make a transparent proxy with squid and ipfw. I've
> done it before. But now that I have to use dansguardian (damn CIPA
> rules), I'm having some trouble. My network looks something like:
>
> (ISP) -- (Router) -- (Firewall) -- (Core switch)
>
> The firewall looks something like:
>
> [ipfw] <--> [transproxy] <--> [dansguardian] <--> [squid] <--> [Web]
>
> I'm trying to get transproxy out of the mix, because it's making
> all traffic to dansguardian into 127.0.0.1. This prevents me from
> tracking anything down or exempting certain IPs from the filters.
>
> My current attempts are more like this:
>
> [ipfw divert] <-> [natd] <-> [dansguardian] <-> [squid] <-> [Web]
>
> I'm not sure how to configure natd, though. The firewall's inside
> interface is fxp1 and the outside is fxp0. I've tried each of the
> following ways to start natd, but none have seemed to work. Sometimes it
> ends up blocking all traffic and other times it lets all traffic through
> but it doesn't filter it.
>
> /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
>
> These were all with ipfw rules like this:
> /sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80
>
> Can anyone offer any insights? It doesn't even have to be a
> solution. I just feel like I'm missing a detail somewhere. Though I
> wouldn't turn down a solution! :)
>
> Thanks in advance,
> Jaime
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
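As an added example, not part of Alexey's reply or of the ipfw(8) documentation: a small POSIX shell helper that emits the kind of 'ipfw fwd' rule shown above and, before doing so, checks the caveat he mentions, namely that the port in the fwd target only takes effect when the target IP is a local address. The LOCAL_ADDRS list is a constructed sample; on a real firewall it would be taken from the interface configuration.

```shell
#!/bin/sh
# Added example (not from the thread): build an 'ipfw fwd' transparent-proxy
# rule and refuse to emit it when the forward target is not a local address,
# because ipfw then ignores the port and simply routes the packet onward.

# Addresses assumed to be configured on this firewall (constructed sample;
# on a real box derive this from ifconfig).
LOCAL_ADDRS="127.0.0.1 10.0.0.1"

# is_local ADDR: succeed if ADDR is one of the local addresses above.
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# fwd_rule NUM TARGET_IP TARGET_PORT DSTPORTS IFACE
# Prints the ipfw command for a rule like the one in the reply.
# Returns 1 and prints nothing on stdout when TARGET_IP is not local,
# since the redirect to TARGET_PORT would silently not happen.
fwd_rule() {
    num=$1; ip=$2; port=$3; ports=$4; iface=$5
    if ! is_local "$ip"; then
        echo "fwd target $ip is not a local address: port $port would be ignored" >&2
        return 1
    fi
    echo "ipfw add $num fwd $ip,$port tcp from any to any $ports in recv $iface"
}

# usage: reproduces the rule from the reply (proxy listening on 127.0.0.1:8888)
fwd_rule 00040 127.0.0.1 8888 80,8100,8101,8102,8103 fxp1
```

The check is deliberately conservative: a target that is not on the firewall itself is rejected outright rather than emitted with a port that ipfw would not honour.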