From owner-freebsd-isp Thu Dec 17 12:10:42 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA10328 for freebsd-isp-outgoing; Thu, 17 Dec 1998 12:10:42 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA10323 for ; Thu, 17 Dec 1998 12:10:41 -0800 (PST) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id MAA04188; Thu, 17 Dec 1998 12:01:46 -0800 (PST)
Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpdQh4182; Thu Dec 17 20:01:38 1998
Date: Thu, 17 Dec 1998 12:01:35 -0800 (PST)
From: Julian Elischer
To: Steve Ames
cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Transparent Proxy: FBSD 3.0, Squid and NAT
In-Reply-To: <199812171517.KAA48213@vic.cioe.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

If you are using FreeBSD 3.0 then why not use the kernel's built-in
transproxy support?

What machine is the proxy server running on?
If on the gateway machine, then all you need is the firewall rule:

ipfw add 2 fwd 127.0.0.1,3128 tcp from any to 0.0.0.0/0 80 in recv ed1 out xmit ed0

where ed0 is your internet interface, and ed1 is your internal interface.
3128 is the squid listening port.

Your kernel needs

option IPFIREWALL_FORWARD

On Thu, 17 Dec 1998, Steve Ames wrote:

>
> I'm trying to get transparent proxying to work on my home network
> before trying to deploy it more wide-scale. My gateway machine is
> running FBSD 3.0 (about a week after release). I have natd configured
> and operational and am using an internal network of 192.168.9.0/24.
> The gateway is 192.168.9.1. My real IP address is 204.120.165.254.
>
> OK. So FBSD is connecting to the net fine (using the real IP). The
> rest of the machines on my network are working fine (using natd
> via the gateway). I installed squid 2.0. I changed a copy of netscape
> to use squid as a proxy server and that went pretty well. I changed it
> back to 'no proxy' and went to work on getting things to work
> transparently.
>
> I start with the Squid page on transparent proxy (even has a section
> on FreeBSD 3.0): http://squid.nlanr.net/Squid/FAQ/FAQ-17.html.
>
> This doesn't seem to address working while NAT is enabled but it
> seemed a good starting place. My final configuration looked like
> this:
>
> squid.conf
> ----------
> http_port 80
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> ipfw list
> ---------
> 00049 allow ip from 204.120.165.254 to any
> 00050 fwd 127.0.0.1 tcp from 192.168.9.0/24 to any 80
> 00100 divert 8668 ip from any to any via ed0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> 49 & 50 are the ones I added. It would seem that you'd want to
> do the proxy before natd got it via the divert. This worked...
> kinda. It was really, really slow (much slower than just natd
> alone).
>
> Thoughts? Please? Use the built-in tproxy support?
>
> -Steve
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
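Added example (not part of the thread, and not Julian's or Steve's own script): an rc-style ruleset that combines Julian's fwd rule with the ordering Steve already had, so the redirect to Squid is numbered ahead of the natd divert and only matches port-80 TCP that arrived on the internal interface. Interface names (ed0/ed1), the internal network, the Squid port 3128 and the natd divert port 8668 are taken from the messages above; the rule numbers, the `load`/`dry-run` switch and the `rule_order` helper are assumptions made for this example. Run it with no argument to see the commands without touching the kernel.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Installs the transparent
# proxy redirect ahead of natd's divert rule on a FreeBSD 3.0 gateway.
# Values below come from the thread; everything else is assumed.

EXT_IF=${EXT_IF:-ed0}                 # internet interface (Julian's ed0)
INT_IF=${INT_IF:-ed1}                 # internal interface (Julian's ed1)
INT_NET=${INT_NET:-192.168.9.0/24}    # internal network from Steve's message
SQUID_PORT=${SQUID_PORT:-3128}        # Squid listening port from Julian's rule
NATD_PORT=${NATD_PORT:-8668}          # natd divert port from Steve's ruleset
IPFW=${IPFW:-/sbin/ipfw}              # set IPFW=echo for a dry run

tproxy_rules() {
    $IPFW -f flush

    # Loopback first, as in Steve's list. fwd does not rewrite the packet's
    # destination address, so the 127.0.0.0/8 deny never sees redirected
    # packets; they still carry the remote web server's address.
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 200 deny ip from any to 127.0.0.0/8

    # Transparent proxy: port-80 TCP that was *received* on the internal
    # interface is handed to Squid on the gateway. Squid's own fetches
    # originate on the gateway and leave via $EXT_IF, so they never match
    # "in recv $INT_IF" and cannot loop back into this rule.
    $IPFW add 300 fwd 127.0.0.1,$SQUID_PORT tcp from $INT_NET to any 80 in recv $INT_IF

    # NAT for everything else crossing the external interface, numbered
    # after the fwd rule so packets bound for Squid never reach natd.
    $IPFW add 400 divert $NATD_PORT ip from any to any via $EXT_IF

    $IPFW add 65000 allow ip from any to any
}

# Dry-run helper: prints the rule numbers of the fwd and divert rules so the
# ordering can be checked before anything is loaded. Prints e.g. "300 400".
rule_order() {
    (IPFW=echo; tproxy_rules) | awk '
        / fwd 127\.0\.0\.1/ { fwd = $2 }
        / divert /          { div = $2 }
        END { print fwd, div }'
}

if [ "${1:-}" = load ]; then
    tproxy_rules
else
    (IPFW=echo; tproxy_rules)
fi
```

Two things from the thread still apply: the kernel must be built with `option IPFIREWALL_FORWARD` (Julian), and Squid must listen on the forwarded port with the accelerator settings from Steve's squid.conf, i.e. `http_port 3128` in place of `http_port 80` with the `httpd_accel_*` lines unchanged. Restricting the source to the internal network on top of `in recv ed1` is stricter than Julian's `from any`; drop it if hosts behind ed1 use other address ranges.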