Date:      Thu, 28 Aug 2008 03:12:45 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Squid/ Danguardian + Transparent Bridge
Message-ID:  <200808280312.45587.max@love2party.net>
In-Reply-To: <20080828010332.GA8172@icarus.home.lan>
References:  <48B5F155.3000107@hermetek.com> <20080828010332.GA8172@icarus.home.lan>

On Thursday 28 August 2008 03:03:32 Jeremy Chadwick wrote:
> On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> > I've been trying to get pf to transparently redirect all incoming
> > traffic on port 80 to port 8080 on a bridge to pass through to
> > Dansguardian. This machine is a replacement for a Linux box which did
> > the same thing with IPtables flawlessly, but I can't seem to get it to
> > with PF. I've tried using dozens of rulesets, including route-to
> > statements, and have had no success. I was wondering if anybody has a
> > working ruleset that they could share as an example, as I've seen lots
> > of questions in mailing list archives regarding this, but no positive
> > fixes.
>
> You mean something like this?
>
> rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080
>
> Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> Response packets will also be remapped appropriately (meaning the remote
> user will see the response packets coming from 4.4.4.4 port 80).
>
> This is under the assumption that Dansguardian is listening on 127.0.0.1
> port 8080.  It might just be listening on INADDR_ANY port 8080, in which
> case you should probably configure it to bind to 127.0.0.1 -- or if
> you cannot, set up an appropriate firewall rule in pf to block that
> traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> and talk to Dansguardian directly).

Note that software that wants to do transparent proxying needs to be aware of 
the pf redirection.  For squid you can enable code to do that by enabling the 
port option SQUID_PF (see make config).  I have no idea if Dansguardian has 
support for pf or if squid or Dansguardian is the first to look at the 
traffic.  If squid is the first you should be good ... otherwise you must talk 
to the Dansguardian people about pf support.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
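As an added illustration of the redirect-plus-block setup Jeremy describes above (not configuration posted in this thread), here is a pf.conf fragment in the FreeBSD 7-era syntax. It covers only the case his rdr rule covers, traffic addressed to the box's own IP; $ext_if, em0 and the set skip line are assumptions, 4.4.4.4 and port 8080 are taken from the thread.

```conf
# Added example, not from the thread. Assumed: external interface em0,
# proxy bound to 127.0.0.1:8080 as Jeremy recommends.
ext_if = "em0"          # assumed external interface name
proxy_port = "8080"     # port Dansguardian/squid listens on (from the thread)

# Redirected connections arrive at 127.0.0.1 via lo0; don't filter there.
set skip on lo0

# Translation happens before filtering: inbound TCP to <ext_if addr>:80 is
# rewritten to 127.0.0.1:8080. "rdr pass" creates state right away, so no
# separate pass rule is needed for the redirected flow.
rdr pass on $ext_if proto tcp from any to $ext_if port 80 \
    -> 127.0.0.1 port $proxy_port

# Filter rules see the packet after translation. Only an untranslated packet,
# i.e. someone connecting straight to 4.4.4.4:8080, still carries the public
# address as destination, so this rule closes the direct path to the proxy
# that stays open when the daemon listens on INADDR_ANY without a block rule.
block in quick on $ext_if proto tcp from any to $ext_if port $proxy_port

# Weak variant (for comparison, do not use): the rdr line alone, with the
# proxy bound to 0.0.0.0:8080 and no block rule. The redirect merely adds a
# second path to the proxy; the direct one on port 8080 remains reachable.
```

Check the result with `sockstat -4l | grep 8080` on the box and confirm the listener shows 127.0.0.1 rather than * in the address column.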