From owner-freebsd-questions@FreeBSD.ORG Fri Nov 30 08:54:55 2012
From: Damien Fleuriot
Subject: Re: Anyone using squid and pf?
Date: Fri, 30 Nov 2012 09:54:10 +0100
To: Leslie Jensen
Cc: Volodymyr Kostyrko, freebsd questions list

On 30 Nov 2012, at 08:30, Leslie Jensen wrote:

>
> Damien Fleuriot wrote 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen wrote:
>>>
>>
>> Well, that depends on what you want to do.
>>
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>>
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>>
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>>
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>>
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>>
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>>
>> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
>>
>> I liked Volodymyr's original intent behind the "rdr pass"; the use of
>> tags here allows you to set up actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>>
>> Well, basically it only has advantages.
>>
>> Let me know if that helped.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>
> Thank you Damien.
>
> I'll try out your suggestions and report back.
>
> Thanks :-)
>
> /Leslie

The rdr rules should read:

rdr in on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the "-> destination" syntax.

Otherwise, should be just fine.
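The ordering mistake corrected above is easy to reintroduce when editing pf.conf by hand. The following lint is an added example written for this thread, not code from the thread, from pf or from FreeBSD; it assumes the FreeBSD 9-era rdr syntax used here, with one rule per line, and the function names lint_rdr_rule and lint_rdr_rules are hypothetical.

```shell
#!/bin/sh
# Hypothetical pf.conf "rdr" rule lint (added example, not part of pf or FreeBSD).
# It catches the two things pfctl would reject in the rules discussed above:
#   1. "tag" placed after the "-> target" part (it must come before "->")
#   2. "port" used without "proto tcp" or "proto udp"
# Rules are expected on one line each (no backslash continuation).

# lint_rdr_rule RULE : 0 if the rule passes, 1 with the reason on stderr
lint_rdr_rule() {
    rule=$1
    case "$rule" in
        "rdr "*"->"*) ;;
        *) echo "not an rdr rule with a '-> target' part: $rule" >&2; return 1 ;;
    esac
    lhs=" ${rule%%->*} "   # match part, before "->" (space-padded for matching)
    rhs=" ${rule#*->} "    # redirect target, after "->"
    case "$rhs" in
        *" tag "*) echo "tag must come before '->': $rule" >&2; return 1 ;;
    esac
    case "$lhs" in
        *" port "*)
            case "$lhs" in
                *" proto tcp "*|*" proto udp "*) ;;
                *) echo "port only applies to tcp/udp, add proto: $rule" >&2; return 1 ;;
            esac ;;
    esac
    return 0
}

# lint_rdr_rules < FILE : lint every rdr line read from stdin; 0 if all pass
lint_rdr_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "rdr "*) lint_rdr_rule "$line" || bad=$((bad + 1)) ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the quoted rule with the tag after "->" (wrong) and
# the corrected form from the reply; the lint reports only the first one.
lint_rdr_rules <<'EOF' || echo "sample contains a bad rdr rule"
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
rdr in on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport
EOF
```

Run it as `lint_rdr_rules < /etc/pf.conf` before `pfctl -nf /etc/pf.conf`; the lint only covers rdr rules, so pfctl's own syntax check is still the final word.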