Date: Fri, 20 Dec 2013 08:55:04 -0800 (PST)
From: Beeblebrox <zaphod@berentweb.com>
To: freebsd-pf@freebsd.org
Subject: Re: NAT & RDR rules for jailed proxy services
Message-ID: <1387558504074-5870346.post@n5.nabble.com>
In-Reply-To: <1387553794487-5870320.post@n5.nabble.com>
References: <1387383838536-5869777.post@n5.nabble.com> <52B4463F.3080900@innolan.dk> <1387553794487-5870320.post@n5.nabble.com>
Good news is I have some progress and it seems to work like this:

# Begin NAT & RDR rules
# For the dns jail
nat on $JaIf proto {tcp,udp} from !($JaIf) to $JaIf port domain tag NAT_DNS -> $jdns port domain
nat on $JaIf proto {tcp,udp} from $jdns to !($JaIf) port domain tag NAT_DNS -> $JaIf port domain
# For the privoxy jail
nat on $JaIf proto tcp from !($JaIf) to $JaIf port 8118 tag NAT_PRVX -> $jprvx port 8118
nat on $JaIf proto tcp from $jprvx to !($JaIf) port 80 tag NAT_PRVX -> $JaIf port 80

Now the bad news:

1. "nat pass in/out quick on <interface>" gives a syntax error - probably my misunderstanding of your message content.
2. Unless the client's /etc/resolv.conf for DNS and the proxy settings in the browser are changed, packets are not "forced" into the jailed proxy structure. I will have to place pass/block filters on ExtIf, and each client will have to make adjustments to their machine. I don't get a "silent redirect" for these packets, UNLESS I tested incorrectly.

Regards.
-----
FreeBSD-11-current_amd64_root-on-zfs_RadeonKMS

--
View this message in context: http://freebsd.1045724.n5.nabble.com/NAT-RDR-rules-for-jailed-proxy-services-tp5869777p5870346.html
Sent from the freebsd-pf mailing list archive at Nabble.com.
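For reference, an added pf.conf fragment (not the poster's configuration, nor anything from the thread) showing the usual way to get the "silent redirect" discussed above: rdr rules on the LAN-facing interface rewrite the destination of client DNS and HTTP traffic to the jail addresses, so clients need no resolv.conf or browser changes, and a nat rule on the external interface handles the jails' own outbound traffic. In the pf grammar FreeBSD uses here, nat and rdr rules accept the pass keyword but not in/out or quick, which is the filter-rule syntax. Interface names, networks and jail addresses below are assumptions for illustration.

```pf
# Added example, not the poster's config. All names/addresses are assumed.
ExtIf  = "em0"               # upstream interface
LanIf  = "em1"               # interface facing the clients
LanNet = "192.168.1.0/24"
jdns   = "10.0.0.2"          # dns jail (bound to a cloned lo1)
jprvx  = "10.0.0.3"          # privoxy jail

set skip on lo0

# Jails reach the outside via the host's external address (source NAT).
nat on $ExtIf from { $jdns, $jprvx } to any -> ($ExtIf)

# Client DNS (tcp and udp) is transparently redirected to the dns jail.
# "rdr pass" also creates the filter state, so no extra pass rule is needed.
rdr pass on $LanIf proto { tcp, udp } from $LanNet to any port domain -> $jdns port domain

# Client HTTP is transparently redirected to privoxy's listening port.
# Privoxy must run with "accept-intercepted-requests 1" for this, since
# redirected requests carry a relative URI. HTTPS cannot be intercepted
# this way; it needs an explicit proxy setting on the client.
rdr pass on $LanIf proto tcp from $LanNet to any port http -> $jprvx port 8118

# Minimal filter policy: default deny inbound, allow LAN clients and
# everything the host (including the jails) originates.
block in log all
pass in on $LanIf from $LanNet to any keep state
pass out all keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the translation rules pf actually installed.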