From owner-freebsd-questions@FreeBSD.ORG Fri Jun 20 22:49:10 2003
Date: Sat, 21 Jun 2003 15:49:19 +1000
From: Andrew Thomson
To: Freebsd-Questions
Message-ID: <20030621054919.GB79173@athomson.prv.au.itouchnet.net>
User-Agent: Mutt/1.4.1i
Subject: Re: Transparent Proxy going astray
Paul,

You'd probably have noticed a few posts from me on this very subject. The good news is I did end up getting it all working.. but there were definitely a few hurdles in the way.

I assume your firewall is also running the squid proxy?

For some reason, I got away with just putting rule 60 in! I also added a dst port of 80 so just my http traffic got forwarded.

If this is your firewall, then you'd probably want to change rule 50 to something like:

skipto 70 tcp from 192.168.0.10 to any

192.168.0.10 is your firewall??

From my understanding, an add rule will stop moving through the ruleset, however you still need your requests to go through nat etc etc..

Let me know how you get on. You can be rest assured that it is possible. I have now set up transparent proxies with the proxy running on the firewall and also with the proxy running on another box. I've also used 4.7 and 5.0 in separate instances successfully too!

good luck,

ajt.

On Sat, Jun 21, 2003 at 01:34:17PM +0800, Paul Hamilton wrote:
> Hi all,
>
> I have watched/lurked on this list for some time now, and see a Transparent
> Proxy question every now or then. None of them have answered my problem. I
> give it a bash every now and then to see if I will trip over the answer. It
> hasn't worked, so I will try this list again.
>
> I run FreeBSD 4.8 on the gateway, Squid Cache: Version 2.4.STABLE4
>
> Squid.conf has the required lines:
>
> http_port 8080
> httpd_accel_port 80
> httpd_accel_host virtual
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> and the required ipfw2 firewall rules:
>
> 00050 271 27520 allow tcp from 192.168.0.10 to any
> 00060 3 144 fwd 127.0.0.1,8080 tcp from any to any dst-port 80
>
> Interestingly enough when watching the ip traffic on the gateway, I see this
> on my inside NIC:
>
> 08:27:18.735861 192.168.0.2.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922217 203.10.1.17.53 > 192.168.0.2.3276: 1093 2/4/4 CNAME[|domain]
> 08:27:18.923667 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:18.923722 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 813553087 win 0
> 08:27:19.397657 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.397697 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
> 08:27:19.906095 192.168.0.2.3277 > 216.239.39.99.80: S 813553086:813553086(0) win 16384 (DF)
> 08:27:19.906153 216.239.39.99.80 > 192.168.0.2.3277: R 0:0(0) ack 1 win 0
>
> and this on my outside NIC:
>
> 08:27:18.736970 202.72.147.43.3276 > 203.10.1.17.53: 1093+ A? www.google.com.au. (35)
> 08:27:18.922026 203.10.1.17.53 > 202.72.147.43.3276: 1093 2/4/4 CNAME www.google.com., (215)
>
> The cache_access.log doesn't show any traffic, yet (something) is pretending
> to be the google website, as there is a reply from 216.239.39.99.80. I have
> tried to run tcpdump -ni lo0 but there isn't any traffic.
>
> Should I be able to see traffic on lo0?
>
> Any thoughts on what I am missing?
>
> Cheers,
>
> Paul Hamilton
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
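The ordering problem Andrew describes (a terminating `allow` at rule 50 means the firewall's own traffic never reaches the rules after it, whereas `skipto 70` jumps past the `fwd` and continues) can be seen with a small first-match model of the two rulesets. This is an added example, not code from the thread; it assumes 192.168.0.10 is the firewall/Squid host and that rule 70 is a natd `divert`, which the mail only implies.

```python
"""Toy first-match evaluator for the ipfw rulesets in the thread (added example).

Models only the actions and match fields the mail mentions: allow, fwd, skipto,
divert; TCP source host and destination port. Rule 70 as a natd divert is an
assumption based on the remark that requests "still need to go through nat".
"""
from dataclasses import dataclass
from typing import List, Optional

FIREWALL = "192.168.0.10"   # assumed to be the Squid host, as Andrew asks


@dataclass
class Rule:
    num: int
    action: str                  # "allow", "fwd", "skipto" or "divert"
    arg: Optional[str] = None    # fwd target, skipto rule number, divert port
    src: Optional[str] = None    # source host filter; None matches any host
    dport: Optional[int] = None  # destination port filter; None matches any

    def matches(self, src: str, dport: int) -> bool:
        return (self.src is None or self.src == src) and \
               (self.dport is None or self.dport == dport)


def evaluate(rules: List[Rule], src: str, dport: int) -> List[str]:
    """Return the actions a TCP packet triggers, in evaluation order.

    Rules are walked in ascending number; allow/fwd/divert end the search,
    skipto jumps to the first rule numbered >= its argument, and a packet
    that matches nothing is reported as hitting the default rule."""
    path, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not r.matches(src, dport):
            i += 1
            continue
        if r.action == "skipto":
            path.append(f"{r.num} skipto {r.arg}")
            target = int(r.arg)
            i = next((k for k, x in enumerate(rules) if x.num >= target), len(rules))
            continue
        path.append(f"{r.num} {r.action}" + (f" {r.arg}" if r.arg else ""))
        return path
    path.append("default")
    return path


# Paul's ruleset as posted: rule 50 terminates for the firewall's own traffic.
ORIGINAL = [Rule(50, "allow", src=FIREWALL),
            Rule(60, "fwd", "127.0.0.1,8080", dport=80),
            Rule(70, "divert", "natd")]          # assumed NAT rule after the fwd
# Andrew's suggestion: skip past the fwd rule instead of stopping the search.
FIXED = [Rule(50, "skipto", "70", src=FIREWALL),
         Rule(60, "fwd", "127.0.0.1,8080", dport=80),
         Rule(70, "divert", "natd")]
```

Client traffic to port 80 hits the `fwd` in both rulesets; the difference is that Squid's own outbound requests from the firewall reach the NAT rule only with `skipto`.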