Date:      Fri, 30 Nov 2012 08:30:41 +0100
From:      Leslie Jensen <leslie@eskk.nu>
To:        Damien Fleuriot <ml@my.gd>
Cc:        Volodymyr Kostyrko <c.kworr@gmail.com>, freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <50B860A1.6080503@eskk.nu>
In-Reply-To: <CAE63ME6NOY0XFNteK=-YOy_NT7j-xLxFd4YETpTvLBTp7gh47w@mail.gmail.com>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu> <50B3D603.6050904@gmail.com> <50B52A1A.6070103@eskk.nu> <CAE63ME6NOY0XFNteK=-YOy_NT7j-xLxFd4YETpTvLBTp7gh47w@mail.gmail.com>



Damien Fleuriot wrote 2012-11-29 00:28:
> On 27 November 2012 22:01, Leslie Jensen <leslie@eskk.nu> wrote:
>>
>>
>
>
> Well, that depends on what you want to do.
>
> If you want FTP traffic to go to ftp-proxy running on the firewall,
> then redirect to 8021.
> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>
>
>
> Let's redo your redirects correctly.
> I'll expand upon Volodymyr's idea of not confusing normal rules with
> ones matching a packet that was redirected, through the use of tags.
>
>
>
> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
> rdr on $int_if inet proto tcp from $int_if:network to any port 21 tag rdr_ftp -> 127.0.0.1 port 8021
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
>
>
>
> I liked Volodymyr's original intent behind the "rdr pass", the use of
> tags here allows you to setup actual pass/block rules and still match
> packets coming from a redirect.
> This has many advantages, including:
> - quick keyword
> - flags matching
> - use of labels to keep stats, if you'd like to
>
> Well basically it only has advantages.
>
>
> Let me know if that helped.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

Thank you Damien.

I'll try out your suggestions and report back.

Thanks :-)

/Leslie
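A complete pf.conf built around the tagged rdr/pass rules from the thread, as an added example that is not from the thread or from either poster; the interface names, the proxy address and squid's port are constructed placeholders. It adds the macros the rules reference, a default block, NAT on the external interface and the anchors ftp-proxy(8) requires; note that rdr takes no in/out keyword and the tag clause goes before the -> in pf's grammar.

```pf
# Added example, not from the thread. Interface names, addresses and ports
# below are constructed placeholders; adjust them to the real network.
ext_if = "em0"
int_if = "em1"
proxy = "192.168.1.10"      # the squid host on the LAN (constructed)
proxyport = "3128"          # port squid listens on (constructed)

set skip on lo0
scrub in all

# ftp-proxy(8) installs its own nat/rdr rules for data connections via these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# masquerade everything leaving the external interface
nat on $ext_if inet from $int_if:network to any -> ($ext_if)

# 1/ LAN web traffic (except from the proxy itself) -> squid; the tag marks the
#    packet so a filter rule below can recognise it as a redirected one
rdr on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

# 2/ LAN FTP control connections -> ftp-proxy on the firewall, tagged the same way
rdr on $int_if inet proto tcp from $int_if:network to any port 21 tag rdr_ftp -> 127.0.0.1 port 8021

# default deny: anything not matched by an explicit pass below is dropped and logged
block log all

# ftp-proxy's per-session pass rules are evaluated here
anchor "ftp-proxy/*"

# 3/ and 4/ only packets that went through a redirect carry the tag, so plain
#    client traffic aimed straight at $proxy:$proxyport does not match these
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ the proxy host itself may open HTTP/HTTPS connections through the firewall
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

# the firewall's own outbound needs: ftp-proxy to remote FTP servers, plus DNS
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 21 flags S/SAFR
pass out quick on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53
```

States are floating by default, so the `pass in` rules also cover the translated packet leaving on $int_if or $ext_if; check the file with `pfctl -nf /etc/pf.conf` before loading it.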