Date:      Fri, 30 Nov 2012 09:54:10 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        Leslie Jensen <leslie@eskk.nu>
Cc:        Volodymyr Kostyrko <c.kworr@gmail.com>, freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <E78FAD6D-6BA6-4C69-897E-E31B72C5251A@my.gd>
In-Reply-To: <50B860A1.6080503@eskk.nu>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu> <50B3D603.6050904@gmail.com> <50B52A1A.6070103@eskk.nu> <CAE63ME6NOY0XFNteK=-YOy_NT7j-xLxFd4YETpTvLBTp7gh47w@mail.gmail.com> <50B860A1.6080503@eskk.nu>


On 30 Nov 2012, at 08:30, Leslie Jensen <leslie@eskk.nu> wrote:

>
>
> Damien Fleuriot skrev 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen <leslie@eskk.nu> wrote:
>>>
>>>
>>
>>
>> Well, that depends on what you want to do.
>>
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>>
>>
>>
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>>
>>
>>
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
>> port $proxyport tag rdr_proxy
>>
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local
>> machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
>> -> 127.0.0.1 port 8021 tag rdr_ftp
>>
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>>
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>>
>> # 5/ access rule to allow your proxy to do whatever it wants in a very
>> limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
>> 443 } flags S/SAFR
>>
>>
>>
>> I liked Volodymyr's original intent behind the "rdr pass", the use of
>> tags here allows you to setup actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>>
>> Well basically it only has advantages.
>>
>>
>> Let me know if that helped.
>>
>
> Thank you Damien.
>
> I'll try out your suggestions and report back.
>
> Thanks :-)
>
> /Leslie
>

The rdr rules should read:
rdr in on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the "-> destination" syntax.
Otherwise, it should be just fine.
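The ruleset from the thread assembled into one loadable pf.conf fragment, with the tag moved before the "->" in both rdr rules, as an added example (not code from the thread). The interface and address macro values are placeholders; the ftp-proxy anchors come from ftp-proxy(8) and are not discussed in the thread.

```conf
# Added example: corrected pf.conf fragment for the squid and ftp-proxy redirects.
# Placeholder values, adjust to your network.
int_if    = "em1"
proxy     = "192.168.1.10"
proxyport = "8080"

# ftp-proxy(8) requires these anchors so it can install its own rules.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# 1/ web traffic from the LAN (but not from the proxy itself) goes to squid.
#    The tag is set before the "-> destination" part of the rdr rule.
rdr in on $int_if inet proto tcp from !$proxy to any port 80 \
    tag rdr_proxy -> $proxy port $proxyport

# 2/ FTP traffic from the LAN goes to ftp-proxy on this host.
rdr in on $int_if inet proto tcp from $int_if:network to any port 21 \
    tag rdr_ftp -> 127.0.0.1 port 8021

# 3/, 4/ only connections that actually went through a redirect carry the
#    tag, so these pass rules cannot be matched by a client that dials the
#    proxy or ftp-proxy port directly.
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ the proxy itself may only originate HTTP and HTTPS.
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

# filter anchor for ftp-proxy's dynamically inserted rules
anchor "ftp-proxy/*"
```

Run `pfctl -nf /etc/pf.conf` to parse the file without loading it; a tag placed after "->" is reported as a syntax error here rather than at load time.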



