From: Nathan Vidican
To: questions@freebsd.org
Date: Mon, 13 Sep 2010 11:53:26 -0400
Subject: ipfw fwd for transparent proxy (squid) - but, not on loopback
List: freebsd-questions@freebsd.org

Hey all -

I've been trying to implement a transparent proxy for all outgoing traffic to port 80 to forward to a proxy server. The problem is that the proxy itself resides on a different host than the forward rule does. Has anyone done something similar? Ideally I'd like to implement it with ipfw, but I'm not opposed to other suggestions.

  Internet -> firewall/gateway -> proxy server -> LAN/clients

Where the firewall/gateway is the central router for multiple networks, including the public subnet from which 'proxy server' gets its external IP.
So ideally I would like something along the lines of this (assuming the proxy server is running on 10.1.1.12:3128):

  ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.2.0/24 to any 80 via 10.1.2.254
  ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.3.0/24 to any 80 via 10.1.3.254
  ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.1.0/26 to any 80 via 10.1.1.1

I have tried the identical rules to the above using 127.0.0.1,3128 - of course starting up squid on the gateway machine too... The problem is that that machine simply doesn't have the resources, and I'd prefer to run squid on a different host.

Any suggestions or referrals to RTFM somewhere would be greatly appreciated. Thanks.

-- 
Nathan Vidican
nathan@vidican.com
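An added example, not part of the message above, showing how the interception is normally split across the two hosts. ipfw(8) documents that when the fwd target is not a local address only the next hop is changed and any port given in the rule is ignored, so the packet reaches the proxy host unmodified: still addressed to the origin server, still port 80. It has to be caught there by a second fwd rule whose target is a local address; only then is it handed to the socket, with the socket's local address set to the original destination, which is what squid's intercept mode reads. The script emits both rule sets as a dry run (IPFW defaults to echo). The gateway addresses and client networks are taken from the rules in the message; the proxy host's interface name em0 and a squid listener on 127.0.0.1:3128 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): two-host ipfw fwd interception.
#
# Assumptions not stated in the message: the proxy host 10.1.1.12 is
# directly connected to the gateway and receives the forwarded packets on
# interface em0 (hypothetical name); squid listens on 127.0.0.1:3128 in
# intercept mode; both kernels have ipfw fwd support compiled in.
#
# Dry run by default: rules are printed, not loaded. Set IPFW=/sbin/ipfw
# on the respective host to load them for real.

IPFW="${IPFW:-echo}"
PROXY=10.1.1.12
PROXY_PORT=3128
PROXY_IF=em0
# client network and the gateway's own address on that segment, colon separated
CLIENT_NETS="10.1.2.0/24:10.1.2.254 10.1.3.0/24:10.1.3.254 10.1.1.0/26:10.1.1.1"

# Gateway side. The fwd target is a remote address, so ipfw only rewrites
# the next hop; a ",3128" suffix would be ignored here, which is why it is
# left off. The packet arrives at $PROXY still addressed to the origin
# server on port 80.
gateway_rules() {
    n=600
    for pair in $CLIENT_NETS; do
        net=${pair%:*}
        gw=${pair#*:}
        # "not src-ip $PROXY" keeps squid's own upstream fetches out of the
        # rule: 10.1.1.12 sits inside 10.1.1.0/26 and would otherwise be
        # forwarded straight back to itself, looping forever.
        $IPFW add $n fwd $PROXY tcp from $net to any 80 in via $gw not src-ip $PROXY
        n=$((n + 1))
    done
}

# Proxy host side. The target is a local address, so fwd delivers the packet
# to the socket on 127.0.0.1:$PROXY_PORT while keeping the original
# destination as the socket's local address for squid to read. Match only
# packets arriving from the gateway's side, never this host's own outbound
# connections ("from not me"), or squid would intercept itself.
proxy_rules() {
    $IPFW add 600 fwd 127.0.0.1,$PROXY_PORT tcp from not me to any 80 in via $PROXY_IF
}

gateway_rules
proxy_rules
```

Run gateway_rules on the gateway and proxy_rules on the proxy host; on the FreeBSD releases current at the time of the message the kernel has to be built with options IPFIREWALL_FORWARD for fwd to do anything at all. Squid needs http_port 127.0.0.1:3128 intercept (squid 3.1 and later; the keyword is transparent on 2.6, 2.7 and 3.0). Binding the intercept port to loopback and scoping the proxy host's rule with "in via" together keep the listener from being reachable directly and keep the host's own connections out of the interception path.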