From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 01:12:55 2008
Delivered-To: freebsd-pf@freebsd.org
From: Max Laier
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 28 Aug 2008 03:12:45 +0200
User-Agent: KMail/1.10.0 (FreeBSD/8.0-CURRENT; KDE/4.1.0; i386; ; )
References: <48B5F155.3000107@hermetek.com> <20080828010332.GA8172@icarus.home.lan>
In-Reply-To: <20080828010332.GA8172@icarus.home.lan>
Message-Id: <200808280312.45587.max@love2party.net>
Subject: Re: Squid/ Danguardian + Transparent Bridge
List-Id: "Technical discussion and general questions about packet filter \(pf\)"

On Thursday 28 August 2008 03:03:32 Jeremy Chadwick wrote:
> On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> > I've been trying to get pf to transparently redirect all incoming
> > traffic on port 80 to port 8080 on a bridge to pass through to
> > Dansguardian. This machine is a replacement for a Linux box which did
> > the same thing with IPtables flawlessly, but I can't seem to get it to work
> > with PF. I've tried using dozens of rulesets, including route-to
> > statements, and have had no success. I was wondering if anybody has a
> > working ruleset that they could share as an example, as I've seen lots
> > of questions in mailing list archives regarding this, but no positive
> > fixes.
>
> You mean something like this?
>
> rdr pass proto tcp from any to port 80 -> 127.0.0.1 port 8080
>
> Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> Response packets will also be remapped appropriately (meaning the remote
> user will see the response packets coming from 4.4.4.4 port 80).
>
> This is under the assumption that Dansguardian is listening on 127.0.0.1
> port 8080. It might just be listening on INADDR_ANY port 8080, in which
> case you should probably configure it to bind to 127.0.0.1 -- or if
> you cannot, set up an appropriate firewall rule in pf to block that
> traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> and talk to Dansguardian directly).

Note that software that wants to do transparent proxying needs to be aware of
the pf redirection. For squid you can enable code to do that by enabling the
port option SQUID_PF (see make config). I have no idea if Dansguardian has
support for pf or if squid or Dansguardian is the first to look at the
traffic. If squid is the first you should be good ... otherwise you must talk
to the Dansguardian people about pf support.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
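An added example, not from the thread or from either poster: a minimal pf.conf that pairs the rdr rule above with the block rule Jeremy recommends, so that the proxy port stays unreachable from the Internet even if Dansguardian binds INADDR_ANY. The interface names em0/em1, the client network 192.168.4.0/24 and a routing (rather than bridging) setup are my assumptions.

```pf
# Added example; assumptions: em0 faces the Internet, clients sit behind em1
# on 192.168.4.0/24 (constructed), Dansguardian listens on 127.0.0.1:8080
# and hands requests to squid built with the SQUID_PF option.
ext_if     = "em0"
int_if     = "em1"
client_net = "192.168.4.0/24"
proxy_port = "8080"

# Redirected connections are delivered locally over lo0; do not filter there.
set skip on lo0

# Transparent proxy: client web traffic entering on the inside interface is
# rewritten to Dansguardian on the loopback address. "rdr pass" also lets
# the translated connection through without a separate filter rule.
rdr pass on $int_if inet proto tcp from $client_net to any port 80 \
    -> 127.0.0.1 port $proxy_port

# Default deny; everything below is an explicit exception.
block all

# Weak variant (what exposes the filter if the proxy binds INADDR_ANY):
#   pass in on $ext_if proto tcp to any port $proxy_port
# Hardened variant: the proxy port is never accepted on the external
# interface, so the only path to Dansguardian is the rdr above.
block in quick on $ext_if proto tcp to any port $proxy_port

# The proxy itself (running on this host) fetches the real pages outbound.
pass out on $ext_if proto tcp to any port 80 keep state

# Non-web client traffic that should still be forwarded.
pass in  on $int_if proto tcp from $client_net to any port 443 keep state
pass out on $ext_if proto tcp to any port 443 keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and confirm from the outside that port 8080 on the box's public address does not answer.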