Date:      Fri, 02 Feb 2001 06:53:55 -0800
From:      Julian Elischer <julian@elischer.org>
To:        Joao Carlos Mendes Luis <jonny@jonny.eng.br>
Cc:        mi@aldan.algebra.com, questions@FreeBSD.ORG, net@FreeBSD.ORG
Subject:   Re: transparent proxying through a separate machine
Message-ID:  <3A7ACA03.BA4D3F31@elischer.org>
References:  <200102012307.f11N7iP51027@misha.privatelabs.com> <3A7AAA2F.70CDFDAA@jonny.eng.br>

Joao Carlos Mendes Luis wrote:

> >         ipfw add allow ip from any to any out

the problem is the line above.

> >         ipfw add fwd localhost,3128 log tcp from any to any 3128 in

the above should be 'out'.. FWD is not symmetrical..
you can only fwd locally on 'in' and fwd remotely on 'out'. It says this in the
man page but it's a bit hard to read. I should fix it..

> 
>   Do not change the port in the first machine.  Maybe even better, do not
> change the port at all, and let squid listen on port 80 also!

you need to have a rule on the squid machine too,
so you might as well set it to 3128 so that people can use it directly as well
not only as a transparent proxy..



> 
> >
> > = otherwise it will reflect the packet back at its original destination
> > = as it still has headers saying it wants to go there. (It's unaltered).
> >
> > The firewall machine logs
> >
> > ipfw: 3000 Forward to squid.ip:3128 TCP client.ip:3977 web.server.ip:80 in via dc0
> >
> > But the client still talks to the web-server directly :( The squid's log
> > is quiet... Anything  I'm missing? Perhaps, I need  a user-space program
> > of some sort to run on the firewall to do the tunneling? Thanks!
> 
>   IIRC, ipfw fwd to another machine does not change tcp port number, that's why
> I suggested the above.

yes the port to use is specified in the rule on the ipfw on the squid machine.
(it needs one too because it needs to capture a packet that is destined for
some completely different place.)

> 
>                                         Jonny
> 
> --
> João Carlos Mendes Luís                 jonny@embratel.net.br
>   Networking Engineer                   jonny@jonny.eng.br
>  Internet via Embratel                  jcml@ieee.org

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/  
            v
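As an added example (not part of this thread), the two ipfw rule sets the exchange above describes, one for the firewall and one for the squid box, plus a small lint that encodes Julian's rule of thumb (local fwd on 'in', remote fwd on 'out'); the addresses, the interface name and the allow rule that keeps squid's own fetches out of the fwd are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholder values below.
SQUID_IP=${SQUID_IP:-10.0.0.2}      # assumed: the separate squid machine
LAN=${LAN:-10.0.0.0/24}             # assumed: clients behind the firewall
LAN_IF=${LAN_IF:-dc0}               # assumed: squid box's LAN interface
SQUID_PORT=3128                     # keep 3128 so clients can also use squid directly

# Rules for the firewall (gateway). Order matters: the fwd must come before
# any blanket "allow ip from any to any out", otherwise the allow terminates
# the search and the fwd rule is never reached (the problem in the thread).
firewall_rules() {
    # assumed addition: squid's own outbound fetches must not be bounced
    # back to squid, or port-80 traffic from the squid box would loop
    echo "ipfw add 2990 allow tcp from $SQUID_IP to any 80 out"
    # remote target, so the direction is 'out'; only the next hop changes,
    # the headers still name the web server, hence the rule on the squid box
    echo "ipfw add 3000 fwd $SQUID_IP,$SQUID_PORT log tcp from $LAN to any 80 out"
    echo "ipfw add 65000 allow ip from any to any"
}

# Rules for the squid machine: the arriving packet is still addressed to the
# web server, so capture it on 'in' and hand it to the local listener.
squid_rules() {
    echo "ipfw add 3000 fwd 127.0.0.1,$SQUID_PORT tcp from $LAN to any 80 in via $LAN_IF"
    echo "ipfw add 65000 allow ip from any to any"
}

# Lint one rule: returns 0 if it obeys "local fwd on in, remote fwd on out",
# 1 otherwise. Non-fwd rules always pass.
check_fwd_direction() {
    target=$(printf '%s\n' "$1" | sed -n 's/.* fwd \([^ ,]*\).*/\1/p')
    [ -n "$target" ] || return 0
    case " $1 " in *" in "*) dir=in ;; *" out "*) dir=out ;; *) dir= ;; esac
    case "$target" in
        localhost|127.*) [ "$dir" = in ] ;;
        *)               [ "$dir" = out ] ;;
    esac
}

# Lint a rule set read from stdin; prints each offending rule, returns 1 if any.
lint_rules() {
    rc=0
    while read -r r; do
        check_fwd_direction "$r" || { echo "direction wrong: $r"; rc=1; }
    done
    return $rc
}
```

Run `firewall_rules | lint_rules` (or pipe your own rc.firewall lines in) before loading the rules with ipfw.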

