Date:      Fri, 02 Feb 2001 10:38:07 -0200
From:      Joao Carlos Mendes Luis <jonny@jonny.eng.br>
To:        mi@aldan.algebra.com
Cc:        Julian Elischer <julian@elischer.org>, questions@FreeBSD.ORG, net@FreeBSD.ORG
Subject:   Re: transparent proxying through a separate machine
Message-ID:  <3A7AAA2F.70CDFDAA@jonny.eng.br>
References:  <200102012307.f11N7iP51027@misha.privatelabs.com>



mi@aldan.algebra.com wrote:
> 
> On  1 Feb, Julian Elischer wrote:
> = > We have a  single firewall machine and a  _separate_ machine running
> = > squid proxy (both servers are on the same network wire).
> = >
> = > How  do I  catch all  of the  outgoing http  requests and  send them
> = > through squid?
> = >
> = > I tried
> = >
> = >         ipfw add fwd squid,3128 tcp from any to any http
> = >
> = > but it does not  seem to work -- squid never  gets contacted. All of
> = > the  recipes  out there  describe  the  setups  with squid  and  the
> = > firewall  being on  the same  machine. What  else do  I need  to do?
> =
> = I assume squid is the name of  the other machine? you need to have the
> = same rule in the ipfw on that machine too.
> 
> Yes. Ok. This is what I just added to the squid-machine:
> 
>         ipfw add allow ip from any to any out
>         ipfw add fwd localhost,3128 log tcp from any to any 3128 in

  Do not change the port in the first machine.  Maybe even better, do not
change the port at all, and let squid listen on port 80 also!

> 
> = otherwise it will reflect the packet back at its original destination
> = as it still has headers saying it wants to go there. (It's unaltered).
> 
> The firewall machine logs
> 
> ipfw: 3000 Forward to squid.ip:3128 TCP client.ip:3977 web.server.ip:80 in via dc0
> 
> But the client still talks to the web-server directly :( The squid's log
> is quiet... Anything  I'm missing? Perhaps, I need  a user-space program
> of some sort to run on the firewall to do the tunneling? Thanks!

  IIRC, ipfw fwd to another machine does not change the tcp port number; that's why
I suggested the above.

                                        Jonny

-- 
João Carlos Mendes Luís                 jonny@embratel.net.br
  Networking Engineer                   jonny@jonny.eng.br
 Internet via Embratel                  jcml@ieee.org
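The behaviour Jonny describes, as an added model that is not part of the original thread: `ipfw fwd` to another host only changes the next hop, and `fwd localhost,port` hands the packet to a local socket, but neither rewrites the destination address or port in the headers. The host names, ports and the `apply_fwd`/`path_for` helpers below are constructed for illustration; the flow mirrors the log line quoted above.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    next_hop: Optional[str] = None  # routing hint set by fwd; IP/TCP headers untouched

@dataclass(frozen=True)
class FwdRule:
    """Model of 'ipfw add fwd <host>,<port> tcp from any to any <match_dport>'."""
    match_dport: int
    target_host: str
    target_port: int

def apply_fwd(pkt: Packet, rule: FwdRule) -> Tuple[Packet, Optional[int]]:
    """Apply one fwd rule; returns (packet, local_socket_port_or_None).

    fwd never rewrites dst address or dst port: to another host it only
    changes the next hop; to a local address it hands the packet to the
    local socket bound to target_port while the headers still say dst:dport.
    """
    if pkt.dport != rule.match_dport:
        return pkt, None                        # rule does not fire
    if rule.target_host in ("localhost", "127.0.0.1"):
        return pkt, rule.target_port            # local delivery, headers unchanged
    return replace(pkt, next_hop=rule.target_host), None

def path_for(squid_rule: FwdRule) -> Tuple[str, int]:
    """Trace one client HTTP request through the firewall box and then the squid box."""
    pkt = Packet("client.ip", 3977, "web.server.ip", 80)   # constructed sample flow
    firewall_rule = FwdRule(80, "squid", 3128)              # rule on the firewall machine
    pkt, _ = apply_fwd(pkt, firewall_rule)
    assert pkt.next_hop == "squid" and pkt.dport == 80      # headers still say :80
    pkt, local_port = apply_fwd(pkt, squid_rule)            # rule on the squid machine
    if local_port is not None:
        return ("squid", local_port)                        # squid sees the request
    return (pkt.dst, pkt.dport)   # no match: routed on to the real server, squid stays quiet

if __name__ == "__main__":
    # Poster's rule matches port 3128, which the packet never carries -> squid log stays quiet
    print(path_for(FwdRule(3128, "localhost", 3128)))
    # Matching the unchanged port 80 delivers the request to squid's socket on 3128
    print(path_for(FwdRule(80, "localhost", 3128)))
```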

