From owner-freebsd-net  Thu Feb  1 15: 8:21 2001
Delivered-To: freebsd-net@freebsd.org
Received: from privatecube.privatelabs.com (unknown [63.114.185.254])
	by hub.freebsd.org (Postfix) with ESMTP
	id 1805037B699; Thu,  1 Feb 2001 15:08:01 -0800 (PST)
Received: from misha.privatelabs.com (root@misha.plten [10.0.0.106])
	by privatecube.privatelabs.com (8.9.3/8.9.2) with ESMTP id SAA18434;
	Thu, 1 Feb 2001 18:28:02 -0500
Received: from virtual-estates.net (mi@localhost [127.0.0.1])
	by misha.privatelabs.com (8.11.1/8.9.3) with ESMTP id f11N7iP51027;
	Thu, 1 Feb 2001 18:07:46 -0500 (EST)
	(envelope-from mi@virtual-estates.net)
Message-Id: <200102012307.f11N7iP51027@misha.privatelabs.com>
Date: Thu, 1 Feb 2001 18:07:43 -0500 (EST)
From: mi@aldan.algebra.com
Subject: Re: transparent proxying through a separate machine
To: Julian Elischer <julian@elischer.org>
Cc: questions@freebsd.org, net@freebsd.org
In-Reply-To: <3A79D157.A18270EB@elischer.org>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On  1 Feb, Julian Elischer wrote:
= > We have a  single firewall machine and a  _separate_ machine running
= > squid proxy (both servers are on the same network wire).
= >
= > How  do I  catch all  of the  outgoing http  requests and  send them
= > through squid?
= > 
= > I tried
= > 
= >         ipfw add fwd squid,3128 tcp from any to any http
= > 
= > but it does not  seem to work -- squid never  gets contacted. All of
= > the  recipes  out there  describe  the  setups  with squid  and  the
= > firewall  being on  the same  machine. What  else do  I need  to do?
= 
= I assume squid is the name of  the other machine? You need to have the
= same rule in the ipfw on that machine too.

Yes. Ok. This is what I just added to the squid-machine:

	ipfw add allow ip from any to any out
	ipfw add fwd localhost,3128 log tcp from any to any 3128 in

= otherwise it will reflect the packet back at its original destination
= as it still has headers saying it wants to go there. (It's unaltered).

The firewall machine logs

ipfw: 3000 Forward to squid.ip:3128 TCP client.ip:3977 web.server.ip:80 in via dc0

But the client still talks to the web-server directly :( The squid's log
is quiet... Anything  I'm missing? Perhaps, I need  a user-space program
of some sort to run on the firewall to do the tunneling? Thanks!

	-mi
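An added example, not part of this thread: a small Python model of the fwd semantics Julian describes (fwd changes only the next hop, the IP header is left unaltered), run over a constructed client packet. Host names and the rule objects are assumed for illustration; the model only covers rule matching, not squid's own transparent-mode configuration.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    next_hop: Optional[Tuple[str, int]] = None  # set by fwd; headers untouched

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "fwd"
    dport: Optional[int]        # None matches any destination port
    direction: str              # "in" or "out"
    target: Optional[Tuple[str, int]] = None  # (host, port) for fwd

def run_ruleset(rules, pkt, direction):
    """First matching rule wins, as in ipfw; unmatched packets pass."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if r.action == "fwd":
            # fwd changes only the next hop the packet is handed to;
            # dst address and port in the header stay exactly as they were
            return replace(pkt, next_hop=r.target)
        return pkt
    return pkt

def delivered_to_squid(squid_rules):
    """True if a client's web request ends up at the proxy on port 3128."""
    # constructed packet: a browser behind the firewall opening a web server
    p = Packet("client.ip", 3977, "web.server.ip", 80)
    firewall = [Rule("fwd", 80, "in", ("squid.ip", 3128))]  # rule on the firewall
    p = run_ruleset(firewall, p, "in")
    assert p.next_hop == ("squid.ip", 3128) and p.dst == "web.server.ip"
    # the packet now enters the squid host still addressed to web.server.ip:80;
    # without a matching fwd there it is simply routed onward to the web server
    p = run_ruleset(squid_rules, replace(p, next_hop=None), "in")
    return p.next_hop == ("localhost", 3128)

# squid-host rules as posted: fwd matches only packets already sent to port 3128
POSTED_SQUID_RULES = [Rule("allow", None, "out"),
                      Rule("fwd", 3128, "in", ("localhost", 3128))]
# the same rules, matching on the destination port the packet really carries
FIXED_SQUID_RULES = [Rule("allow", None, "out"),
                     Rule("fwd", 80, "in", ("localhost", 3128))]
```

With the posted rule set the model shows the request never reaching port 3128 on the squid host, which matches the quiet squid log above; matching on port 80 instead is what makes the local fwd fire.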