From: Julian Elischer <julian@elischer.org>
Date: Fri, 02 Feb 2001 06:53:55 -0800
To: Joao Carlos Mendes Luis
Cc: mi@aldan.algebra.com, questions@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: transparent proxying through a separate machine
Message-ID: <3A7ACA03.BA4D3F31@elischer.org>
References: <200102012307.f11N7iP51027@misha.privatelabs.com> <3A7AAA2F.70CDFDAA@jonny.eng.br>

Joao Carlos Mendes Luis wrote:

> > ipfw add allow ip from any to any out

The problem is the line above.

> > ipfw add fwd localhost,3128 log tcp from any to any 3128 in

The above should be 'out'.. FWD is not symmetrical.. you can only fwd
locally on 'in' and fwd remotely on 'out'. It says this in the man page
but it's a bit hard to read. I should fix it..

> Do not change the port in the first machine. Maybe even better, do not
> change the port at all, and let squid listen on port 80 also!

You need to have a rule on the squid machine too, so you might as well
set it to 3128 so that people can use it directly as well, not only as
a transparent proxy..

> > = otherwise it will reflect the packet back at its original destination
> > = as it still has headers saying it wants to go there. (It's unaltered).
> >
> > The firewall machine logs
> >
> > ipfw: 3000 Forward to squid.ip:3128 TCP client.ip:3977 web.server.ip:80 in via dc0
> >
> > But the client still talks to the web-server directly :( The squid's log
> > is quiet... Anything I'm missing? Perhaps I need a user-space program
> > of some sort to run on the firewall to do the tunneling? Thanks!
>
> IIRC, ipfw fwd to another machine does not change the tcp port number, that's why
> I suggested the above.

Yes, the port to use is specified in the rule on the ipfw on the squid
machine. (It needs one too, because it needs to capture a packet that is
destined for some completely different place.)

> Jonny
>
> --
> João Carlos Mendes Luís         jonny@embratel.net.br
> Networking Engineer             jonny@jonny.eng.br
> Internet via Embratel           jcml@ieee.org

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
         v
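The two-box setup Julian describes (firewall forwards to the squid host on 'out', squid host captures on 'in' and supplies the port) written out as an added example, not code from any of the posters. It prints the rule set for each machine and checks that every fwd rule uses the direction ipfw requires for its target. The addresses, interface names and rule numbers are assumptions chosen for illustration; only the in/out rule and the fact that a remote fwd leaves the destination header unaltered come from the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: rule sets for the two-box
# transparent proxy discussed above, plus a check that each fwd rule uses
# the direction ipfw requires. Every address, interface and rule number
# below is an assumption chosen for illustration.

LAN_NET="192.168.1.0/24"   # assumed client network behind the firewall
SQUID_IP="192.168.1.10"    # assumed squid host, on the firewall's LAN side
FW_EXT_IF="dc0"            # assumed outside interface of the firewall
SQUID_IF="fxp0"            # assumed LAN interface of the squid host
SQUID_PORT="3128"

# Firewall side. A fwd to a non-local address only acts on packets leaving
# the system, so the rule must be 'out'. It changes only the next hop: the
# packet still carries web.server:80 as its destination, so the squid host
# has to sit one hop away and capture it with its own rule. The allow rule
# in front keeps squid's own fetches from being forwarded back to itself.
firewall_rules() {
    cat <<EOF
ipfw add 2900 allow tcp from $SQUID_IP to any 80 out via $FW_EXT_IF
ipfw add 3000 fwd $SQUID_IP log tcp from $LAN_NET to any 80 out via $FW_EXT_IF
EOF
}

# Squid side. A fwd to a local address acts on packets entering the system,
# so the rule must be 'in'; this is the only place the port becomes 3128.
squid_rules() {
    cat <<EOF
ipfw add 100 fwd 127.0.0.1,$SQUID_PORT log tcp from $LAN_NET to any 80 in via $SQUID_IF
ipfw add 65000 allow ip from any to any
EOF
}

# Direction a fwd target needs on the machine whose local addresses are
# listed in $2 (loopback is always local): local -> in, remote -> out.
fwd_direction_for() {
    addr="${1%%,*}"            # drop an optional ,port suffix
    case " 127.0.0.1 localhost $2 " in
        *" $addr "*) echo in ;;
        *) echo out ;;
    esac
}

# Read rules on stdin and report every fwd rule whose in/out keyword does
# not match its target; returns 1 if any rule is wrong. $1 = local addresses
# of the machine the rules are meant for.
check_fwd_rules() {
    bad=0
    while read -r line; do
        case " $line " in *" fwd "*) ;; *) continue ;; esac
        target=$(printf '%s\n' "$line" | sed 's/.* fwd \([^ ]*\) .*/\1/')
        want=$(fwd_direction_for "$target" "$1")
        case " $line " in
            *" $want "*) ;;
            *) echo "need '$want': $line"; bad=1 ;;
        esac
    done
    return $bad
}

# Usage: sh ipfw-transparent.sh print   (check, then show both rule sets)
if [ "${1:-}" = "print" ]; then
    firewall_rules | check_fwd_rules "" && firewall_rules
    squid_rules | check_fwd_rules "$SQUID_IP" && squid_rules
fi
```

Rule 3000 on the firewall corresponds to the log line quoted in the thread, but with 'out' instead of 'in'. Because the forwarded packet is still addressed to the web server, the squid host must also be prepared to accept connections whose destination is not its own address: in Squid 2 of that era this is the httpd_accel_host virtual / httpd_accel_port 80 / httpd_accel_with_proxy on configuration, which the thread does not cover.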