Date:      Thu, 4 May 2006 07:32:59 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Something is wrong
Message-ID:  <200605040733.06283.max@love2party.net>
In-Reply-To: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
References:  <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>

On Thursday 04 May 2006 05:40, Aguiar Magalhaes wrote:
> I have a lot of Windows Internet Explorer browsers in the
> LAN and they are marked to use the proxy at 3128 port.
>
> The pf and squid are in the same machine. I'm not
> using transparent proxy on pf. I don't have any
> redirections to proxy.

And there is your problem.  If your client is configured to use the proxy it
will just do that.  That means it won't even attempt to make a direct
connection to any server.  IIRC you can configure IE to exclude certain IP
ranges or domains from being proxied.  That would be one way to go.  Another
one is to fix the configuration of your proxy.  The last one is to use
transparent proxying, in which case you can use pf to decide whether or not
the proxy should be used.

> Some applications in intranet pages use ports like
> 19336 or 8081 and they don't support the proxy.
>
> I need to tell pf not to send the packages to the
> proxy if the users are accessing those applications'
> pages, but I'm not having success.
>
> My firewall has only two NICs: $int_if and $ext_if
>
> Could you help me ?  Thanks, Aguiar
>
> The rules are:
>
> - - - - - - - -
> internal_net = "172.16.0.0/12"
> fw_ip_int = "172.16.0.9"
> fw_ip_ext = "200.x.x.x"
> lan_to_int = "{ 25 123 ... etc }"
>
> set optimization aggressive
> scrub in all
> nat on $ext_if from $internal_net to any -> $fw_ip_ext
> rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8081
> pass quick on lo0 all
> antispoof for $ext_if inet
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 8081 keep state
> pass in on $int_if inet proto tcp from $internal_net to { $fw_ip_int $fw_ip_ext } port 3128 keep state
> pass in on $int_if inet proto udp from $internal_net to any port 53 keep state
> pass in on $int_if inet proto tcp from $internal_net to any port $lan_to_int keep state
>
> # Access permitted out of the proxy (not is ok...)
> pass inet proto tcp from { 172.16.1.16 172.16.1.165 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep state
>
> pass out from $fw_ip_ext to any keep state
> - - - - - - - - - - - -

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
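
Added example (not part of the original message, and not code from the poster or the pf project): the first option in the reply, keeping some destinations away from the proxy on the client side, written as a proxy auto-config (PAC) script. Using a PAC file, the proxy address 172.16.0.9:3128 and the choice of exempt ports and network are assumptions taken from the values in the quoted post; pf's pass rules still decide whether a direct connection gets through.

```javascript
// Added example: the browser calls FindProxyForURL(url, host) for every
// request and obeys the answer, so this decision is made before pf sees a packet.
var PROXY = "PROXY 172.16.0.9:3128";                // assumed: fw_ip_int + Squid port
var DIRECT_PORTS = { "19336": true, "8081": true }; // ports named in the post
var DIRECT_NETS = [["172.16.0.0", 12]];             // internal_net from the post

// Dotted quad -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

// True when the numeric address ip lies inside base/bits.
function inNet(ip, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipToInt(base) / size);
}

// Explicit port in the URL's authority part, or "" when none is given.
function urlPort(url) {
  var m = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*?:(\d+)(?:[\/?#]|$)/i.exec(url);
  return m ? m[1] : "";
}

function FindProxyForURL(url, host) {
  // Applications on these ports do not work through the proxy: go direct.
  if (DIRECT_PORTS[urlPort(url)] === true) return "DIRECT";
  // In a browser, names are resolved with the PAC helper dnsResolve();
  // elsewhere (e.g. Node) only IP literals are classified.
  var addr = ipToInt(host);
  if (addr === null && typeof dnsResolve === "function") {
    var r = dnsResolve(host);
    addr = r ? ipToInt(r) : null;
  }
  if (addr !== null) {
    for (var i = 0; i < DIRECT_NETS.length; i++) {
      if (inNet(addr, DIRECT_NETS[i][0], DIRECT_NETS[i][1])) return "DIRECT";
    }
  }
  return PROXY;
}
```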
