From: CHOI Junho
Organization: Korea FreeBSD Users Group
To: freebsd-net@freebsd.org
Cc: cjh@kr.freebsd.org, khk@wdb.co.kr
Subject: bridge + transparent proxy with 4-stable
Date: 05 Oct 2001 20:10:08 +0900
Message-ID: <86u1xe4a27.fsf@gradius.wdb.co.kr>

Hi,

Recently I've installed a new bridge+ipfw at the office. It is configured as:

    outer network -- -- -- ---> inner network

I installed FreeBSD 4.4-RELEASE and immediately updated to 4-stable. The kernel configuration has:

    options IPFIREWALL                      #firewall
    options IPFIREWALL_VERBOSE              #print information about dropped packets
    options IPFIREWALL_FORWARD              #enable transparent proxy support
    options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
    options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
    options IPV6FIREWALL                    #firewall for IPv6
    options IPV6FIREWALL_VERBOSE
    options IPV6FIREWALL_VERBOSE_LIMIT=100
    options IPV6FIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT                        #divert sockets
    options DUMMYNET
    options BRIDGE

This machine has fxp0 (outer) and fxp1 (inner) interfaces. Only fxp1 has an IP address. The bridged firewall was successful; it works nicely.

I wish to try one more thing: a transparent proxy via Squid. I've installed the www/squid24 port. squid.conf has:

    http_port 127.0.0.1:3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

After running squid, I've added this rule at the top of the rules (output of ipfw -a list). 208.2.3.200 (not the real IP) is our firewall.

    00500   0     0 allow tcp from 208.2.3.200 to any via fxp0
    00550 173 11165 fwd 127.0.0.1,3128 tcp from 208.2.3.128/25 to any 80 via fxp1

As shown, rule 550 _filters_ packets, but it seems not to forward packets to port 3128 (squid). All clients can go out with their own IPs, and nothing remains in the squid log.

Am I doing something wrong? I've searched many mailing lists (freebsd and squid) but I can't get good answers.

p.s. I am doing NAT + transparent proxy at my home (ADSL). It works nicely.

-- 
+++ Any opinions in this posting are my own and not those of my employers +++
CHOI Junho [sleeping now] [while sleeping]
Korea FreeBSD Users Group
Web Data Bank
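The post shows the three pieces an ipfw transparent-proxy setup has to agree on: the `fwd` target in the rule, the counters that say whether the rule is matching at all, and the address:port squid actually listens on in squid.conf. The following script is an added example (not code from the post or from the FreeBSD or Squid projects) that parses the two `ipfw -a list` lines and the squid.conf excerpt quoted above (embedded here as constructed sample input) and runs those consistency checks, plus a check for an earlier terminating rule on the same interface that would shadow the fwd rule. Rule syntax coverage is limited to the forms seen on this page; the ACTIONS_WITH_ARG and OPTION_WORDS keyword sets are assumptions drawn from ipfw's listing format rather than an exhaustive grammar. Whether the `fwd` action is honoured at all for traffic that crosses a layer-2 bridge is outside what a rule-text check can see.

```python
"""Consistency checks for an ipfw 'fwd' transparent-proxy rule against squid.conf.

Added example, not code from the original post. The sample inputs below are
constructed from the two rules and the squid.conf lines quoted in the message.
"""
import ipaddress

# Constructed: the two rules the post shows from `ipfw -a list`.
IPFW_LIST = """\
00500 0 0 allow tcp from 208.2.3.200 to any via fxp0
00550 173 11165 fwd 127.0.0.1,3128 tcp from 208.2.3.128/25 to any 80 via fxp1
"""

# Constructed: the squid.conf lines quoted in the post.
SQUID_CONF = """\
http_port 127.0.0.1:3128
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
"""

# Assumed: actions that carry an argument before the protocol in `ipfw list` output.
ACTIONS_WITH_ARG = {"fwd", "forward", "divert", "tee", "pipe", "queue", "skipto"}
# Assumed: keywords that may follow the destination instead of a port list.
OPTION_WORDS = {"via", "in", "out", "recv", "xmit", "established", "setup",
                "keep-state", "frag", "uid", "gid", "log"}
TERMINATING = {"allow", "accept", "pass", "deny", "drop", "reject", "reset", "unreach"}


def parse_rule(line):
    """Parse one `ipfw -a list` line (with packet/byte counters) into a dict."""
    tok = line.split()
    rule = {"num": int(tok[0]), "pkts": int(tok[1]), "bytes": int(tok[2]),
            "action": tok[3], "arg": None, "dports": None, "iface": None}
    i = 4
    if rule["action"] in ACTIONS_WITH_ARG:
        rule["arg"] = tok[i]
        i += 1
    rule["proto"] = tok[i]
    i += 2                      # skip the protocol and the literal "from"
    rule["src"] = tok[i]
    i += 1
    if tok[i] != "to":          # optional source port list
        i += 1
    i += 1                      # skip "to"
    rule["dst"] = tok[i]
    i += 1
    if i < len(tok) and tok[i] not in OPTION_WORDS:
        rule["dports"] = tok[i]
        i += 1
    if "via" in tok[i:]:
        rule["iface"] = tok[tok.index("via", i) + 1]
    return rule


def as_network(spec):
    """'any' matches everything; otherwise a host or CIDR as an ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def overlaps(a, b):
    return as_network(a).overlaps(as_network(b))


def split_hostport(text, sep):
    host, _, port = text.partition(sep)
    return host, (int(port) if port else None)


def squid_http_port(conf_text):
    """Return (address, port) squid listens on; a bare port means all addresses."""
    for line in conf_text.splitlines():
        fields = line.split()
        if fields and fields[0] == "http_port":
            host, port = split_hostport(fields[1], ":")
            if port is None:                 # "http_port 3128" form
                return "0.0.0.0", int(host)
            return host, port
    return None


def check_fwd_rules(ipfw_text, squid_conf):
    """Return (rule number, finding) pairs; an empty list means no concern found."""
    rules = [parse_rule(l) for l in ipfw_text.splitlines() if l.strip()]
    listen = squid_http_port(squid_conf)
    findings = []
    for r in rules:
        if r["action"] not in ("fwd", "forward"):
            continue
        host, port = split_hostport(r["arg"], ",")
        if port is None and r["dports"] and r["dports"].isdigit():
            port = int(r["dports"])          # fwd without a port keeps the original
        if r["pkts"] == 0:
            findings.append((r["num"], "fwd rule has matched no packets"))
        if listen is None:
            findings.append((r["num"], "squid.conf has no http_port"))
        elif (host, port) != listen and not (listen[0] == "0.0.0.0" and port == listen[1]):
            findings.append((r["num"], f"fwd target {host},{port} != squid http_port {listen}"))
        # An earlier terminating rule covering the same traffic on the same
        # interface ends processing before the fwd rule is ever reached.
        for e in rules:
            if e["num"] >= r["num"] or e["action"] not in TERMINATING:
                continue
            if (e["proto"] in ("ip", r["proto"]) and overlaps(e["src"], r["src"])
                    and overlaps(e["dst"], r["dst"])
                    and e["dports"] in (None, r["dports"])
                    and e["iface"] in (None, r["iface"])):
                findings.append((r["num"], f"shadowed by earlier rule {e['num']}"))
    return findings


if __name__ == "__main__":
    for num, msg in check_fwd_rules(IPFW_LIST, SQUID_CONF) or [(None, "no findings")]:
        print(num, msg)
```

For the rules and squid.conf quoted in the post the checks come back clean: rule 550 has non-zero counters, its target 127.0.0.1,3128 is exactly where squid's http_port listens, and rule 500 does not shadow it because it matches on fxp0 rather than fxp1. That narrows the search to whatever happens between the rule matching and the packet reaching the proxy socket, which the text of the ruleset alone cannot show.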