Date: Thu, 17 Dec 1998 12:01:35 -0800 (PST)
From: Julian Elischer <julian@whistle.com>
To: Steve Ames <steve@ns1.cioe.com>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: Transparent Proxy: FBSD 3.0, Squid and NAT
Message-ID: <Pine.BSF.3.95.981217114615.2175B-100000@current1.whistle.com>
In-Reply-To: <199812171517.KAA48213@vic.cioe.com>
If you are using FreeBSD 3.0 then why not use the kernel's built-in
transproxy support?

What machine is the proxy server running on?
If on the gateway machine, then all you need is the firewall rule:

ipfw add 2 fwd 127.0.0.1,3128 tcp from any to 0.0.0.0/0 80 in recv ed1 out xmit ed0

where ed0 is your internet interface, and ed1 is your internal interface.
3128 is the squid listening port.

Your kernel needs option IPFIREWALL_FORWARD.

On Thu, 17 Dec 1998, Steve Ames wrote:

>
> I'm trying to get transparent proxying to work on my home network
> before trying to deploy it more widescale. My gateway machine is
> running FBSD 3.0 (about a week after release). I have natd configured
> and operational and am using an internal network of 192.168.9.0/24.
> The gateway is 192.168.9.1. My real IP address is 204.120.165.254.
>
> OK. So FBSD is connecting to the net fine (using the real IP). The
> rest of the machines on my network are working fine (using natd
> via the gateway). I installed squid 2.0. I changed a copy of netscape
> to use squid as a proxy server and that went pretty well. I changed it
> back to 'no proxy' and went to work on getting things to work
> transparently.
>
> I start with the Squid page on transparent proxy (even has a section
> on FreeBSD 3.0): http://squid.nlanr.net/Squid/FAQ/FAQ-17.html.
>
> This doesn't seem to address working while NAT is enabled but it
> seemed a good starting place. My final configuration looked like
> this:
>
> squid.conf
> ----------
> http_port 80
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> ipfw list
> ---------
> 00049 allow ip from 204.120.165.254 to any
> 00050 fwd 127.0.0.1 tcp from 192.168.9.0/24 to any 80
> 00100 divert 8668 ip from any to any via ed0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 65000 allow ip from any to any
> 65535 deny ip from any to any
>
> 49 & 50 are the ones I added. It would seem that you'd want to
> do the proxy before natd got it via the divert. This worked...
> kinda. It was really, really slow (much slower than just natd
> alone).
>
> Thoughts? Please?

Use the built in tproxy support?

>
> -Steve
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-isp" in the body of the message
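An added check, not from either poster, of the two points the reply turns on: the fwd rule that redirects port 80 to the local proxy must be numbered lower than the natd divert rule (ipfw evaluates rules in ascending order, so a packet matched by the fwd rule is handled before the divert rule sees it), and the kernel must be built with IPFIREWALL_FORWARD. It is a POSIX sh script; the ipfw list output is a constructed sample modelled on the ruleset quoted above, the kernel config fragment is hypothetical, and the rule pattern accepts either the "fwd 127.0.0.1" form in the quoted ruleset or the "fwd 127.0.0.1,3128" form the reply suggests.

```shell
#!/bin/sh
# Added example, not from either poster: sanity-check an ipfw ruleset used
# for transparent proxying alongside natd. ipfw evaluates rules in ascending
# number order, so the fwd rule sending port 80 to the local proxy must be
# numbered lower than the divert rule that hands packets to natd.

# Constructed sample modelled on the `ipfw list` output quoted in the thread.
SAMPLE_RULES='00049 allow ip from 204.120.165.254 to any
00050 fwd 127.0.0.1,3128 tcp from 192.168.9.0/24 to any 80
00100 divert 8668 ip from any to any via ed0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# Hypothetical kernel config fragment (constructed, not from the thread).
SAMPLE_KERNCONF='options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT'

# rule_number RULES PATTERN: print the number of the first rule matching
# PATTERN with leading zeros stripped, or nothing if no rule matches.
rule_number() {
    printf '%s\n' "$1" | grep -E "$2" | head -n 1 | awk '{print $1}' | sed 's/^0*//'
}

# fwd_precedes_divert RULES: succeed only when a rule forwarding TCP port 80
# to 127.0.0.1 (with or without a ,port suffix) is numbered lower than the
# natd divert rule.
fwd_precedes_divert() {
    fwd=$(rule_number "$1" ' fwd 127\.0\.0\.1.* tcp .* 80$')
    div=$(rule_number "$1" ' divert [0-9]+ ')
    [ -n "$fwd" ] && [ -n "$div" ] || return 1
    [ "$fwd" -lt "$div" ]
}

# kernel_has_forward KERNCONF: succeed when the fwd action is compiled in.
kernel_has_forward() {
    printf '%s\n' "$1" | grep -Eq '^options[[:space:]]+IPFIREWALL_FORWARD([[:space:]]|$)'
}

# check_proxy_setup RULES KERNCONF: run both checks and report the result.
check_proxy_setup() {
    kernel_has_forward "$2" || {
        echo "kernel config lacks: options IPFIREWALL_FORWARD"
        return 1
    }
    fwd_precedes_divert "$1" || {
        echo "no fwd-to-127.0.0.1 port 80 rule numbered before the natd divert rule"
        return 1
    }
    echo "ok: port 80 is forwarded to the local proxy before natd sees it"
}

check_proxy_setup "$SAMPLE_RULES" "$SAMPLE_KERNCONF"
```

On a live gateway, feed the script the real output with check_proxy_setup "$(ipfw list)" "$(cat /path/to/KERNCONF)"; the kernel config path is whatever the running kernel was built from.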