Date: Fri, 02 Feb 2001 06:47:57 -0800
From: Julian Elischer <julian@elischer.org>
To: mi@aldan.algebra.com
Cc: questions@freebsd.org, net@freebsd.org
Subject: Re: transparent proxying through a separate machine
Message-ID: <3A7AC89D.771FF88B@elischer.org>
References: <200102012307.f11N7iP51027@misha.privatelabs.com>
mi@aldan.algebra.com wrote:
> 
> On 1 Feb, Julian Elischer wrote:
> = > We have a single firewall machine and a _separate_ machine running
> = > squid proxy (both servers are on the same network wire).
> = >
> = > How do I catch all of the outgoing http requests and send them
> = > through squid?
> = >
> = > I tried
> = >
> = >     ipfw add fwd squid,3128 tcp from any to any http
> = >
> = > but it does not seem to work -- squid never gets contacted. All of
> = > the recipes out there describe the setups with squid and the
> = > firewall being on the same machine. What else do I need to do?
> =
> = I assume squid is the name of the other machine? You need to have the
> = same rule in the ipfw on that machine too.
> 
> Yes. Ok. This is what I just added to the squid-machine:
> 
>     ipfw add allow ip from any to any out
>     ipfw add fwd localhost,3128 log tcp from any to any 3128 in
> 
> = Otherwise it will reflect the packet back at its original destination,
> = as it still has headers saying it wants to go there. (It's unaltered.)
> 
> The firewall machine logs
> 
>     ipfw: 3000 Forward to squid.ip:3128 TCP client.ip:3977 web.server.ip:80 in via dc0

Here are the rules (approx) I just gave someone else:

-----------------BEGIN QUOTED MAIL------
> After adding the command:
> 
>     ipfw add 100 fwd 192.168.10.1 tcp from any to any 80 in via fxp0
> 
> I see no packet arrive at host 192.168.10.1. Do forwarded packets
> re-enter the firewall for a given outgoing interface? In this case
> ed1? Or are they somehow skipped and just routed out the interface after
> a match is made?

The man page says:

     fwd ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad or a host name.  If ipaddr is not a
             directly-reachable address, the route as found in the local
             routing table for that IP is used instead.
             If ipaddr is a local address, then on a packet entering the
             system from a remote host it will be diverted to port on the
             local machine, keeping the local address of the socket set to
             the original IP address the packet was destined for.  This is
             intended for use with transparent proxy servers.  If the IP is
             not a local address then the port number (if specified) is
             ignored and the rule only applies to packets leaving the system.
             This will also map addresses to local ports when packets are
             generated locally.  The search terminates if this rule matches.
             If the port number is not given then the port number in the
             packet is used, so that a packet for an external machine port Y
             would be forwarded to local port Y.  The kernel must have been
             compiled with the IPFIREWALL_FORWARD option.

> After changing the above ipfw command to 'out via xl0' I start seeing
> incoming packets on the 192.168.10.1 host. Do IPFW Forward rules only
> apply to outgoing style rules?

Yes, read the paragraph above:

     If the IP is not a local address then the port number (if specified)
     is ignored and the rule only applies to packets leaving the system.

and

     If ipaddr is a local address, then on a packet entering the system
     from a remote host it will be diverted to port on the local machine,
     keeping the local address of the socket set to the original IP
     address the packet was destined for.

In other words, you want a rule with

    fwd 192.168.10.1 tcp from any to any 80 out recv fxp0 xmit xl0

on the gateway so that it only matches http requests from clients on the
local net but NOT requests from your proxy. Then on the proxy you must have
the rule:

    fwd 127.0.0.1,3128 tcp from 192.168.20.0/24 to any 80 in recv [interface]

so that the packets are 'captured' on that machine instead of being dumped.
-----------------

> But the client still talks to the web-server directly :( The squid's log
> is quiet... Anything I'm missing? Perhaps, I need a user-space program
> of some sort to run on the firewall to do the tunneling? Thanks!
> 
> -mi

-- 
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
        v
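The two rule sets the reply describes, put together as one reviewable script. This is an added example, not part of the original mail and not the poster's configuration: the addresses (192.168.20.0/24 for the LAN, 192.168.20.5 for the squid host), the interface names (fxp0/xl0 on the gateway, rl0 on the proxy host) and the rule numbers are assumptions chosen for illustration. Two details the thread turns on are encoded here: on the gateway the fwd target is not a local address, so the rule must match on the `out` pass, and on the proxy host the packet arrives unaltered with destination port 80 (not 3128), so the capturing rule matches port 80 and a local target. Because the proxy shares the LAN wire, an interface match alone cannot distinguish squid's own fetches from client requests, so the script excludes them by source address before the fwd rule to avoid forwarding squid's traffic back to itself.

```shell
#!/bin/sh
# Added example: ipfw rule sets for a transparent HTTP proxy on a separate
# host. Not from the original mail; all addresses, interface names and rule
# numbers below are assumptions for illustration.
#
#   LAN 192.168.20.0/24 --(fxp0) gateway (xl0)-- Internet
#   squid host 192.168.20.5 is on the same LAN wire, listening on 3128.
#
# Both kernels need the IPFIREWALL_FORWARD option (see the man page text
# quoted in the thread).

LAN_NET=192.168.20.0/24
LAN_IF=fxp0            # gateway's inside interface (assumed)
WAN_IF=xl0             # gateway's outside interface (assumed)
PROXY_IP=192.168.20.5  # squid host (assumed)
PROXY_IF=rl0           # squid host's only interface (assumed)
PROXY_PORT=3128

# Rules for the gateway, one ipfw argument string per line so they can be
# reviewed before being applied.
gateway_rules() {
    # Squid's own fetches must not be forwarded back to squid, or each
    # request loops. The proxy shares the LAN wire, so it cannot be told
    # apart from a client by interface; exclude it by address instead.
    echo "add 90 allow tcp from $PROXY_IP to any 80 out xmit $WAN_IF"
    # Web requests from LAN clients: change the next hop to the proxy host.
    # 'out recv/xmit' is required: with a non-local ipaddr, fwd applies only
    # to packets leaving the system.
    echo "add 100 fwd $PROXY_IP,$PROXY_PORT tcp from $LAN_NET to any 80 out recv $LAN_IF xmit $WAN_IF"
}

# Rules for the proxy host. The packet still carries the original server's
# address and port 80; ipaddr is local here, so the rule matches on the 'in'
# pass and the socket keeps the original destination address.
proxy_rules() {
    echo "add 100 fwd 127.0.0.1,$PROXY_PORT tcp from $LAN_NET to any 80 in recv $PROXY_IF"
    echo "add 200 allow ip from any to any"
}

# apply_rules gateway|proxy : feed the chosen rule set to ipfw(8).
# Needs root on the FreeBSD host in question; returns 2 on a bad role name.
apply_rules() {
    case "$1" in
        gateway|proxy) ;;
        *) echo "usage: $0 gateway|proxy" >&2; return 2 ;;
    esac
    "${1}_rules" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting the rule is intended
        ipfw $rule
    done
}

# Only touch the firewall when a role is given on the command line;
# sourcing or running the script with no arguments just defines functions.
if [ $# -gt 0 ]; then
    apply_rules "$1"
fi
```

Run `sh transparent-proxy.sh gateway` on the gateway and `sh transparent-proxy.sh proxy` on the squid host; `gateway_rules` and `proxy_rules` can be called on their own to print the rules for review. Squid itself still has to be configured to accept intercepted requests, which is outside the scope of this script.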