From owner-freebsd-stable@FreeBSD.ORG Wed Apr 18 12:05:15 2007
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 6B91916A400 for ; Wed, 18 Apr 2007 12:05:15 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from frontmail.ipactive.de (frontmail.maindns.de [85.214.95.103]) by mx1.freebsd.org (Postfix) with ESMTP id C426813C458 for ; Wed, 18 Apr 2007 12:05:14 +0000 (UTC) (envelope-from volker@vwsoft.com)
Received: from mail.vtec.ipme.de (Q7dc1.q.ppp-pool.de [89.53.125.193]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by frontmail.ipactive.de (Postfix) with ESMTP id 1B636128829 for ; Wed, 18 Apr 2007 14:05:08 +0200 (CEST)
Received: from [192.168.16.3] (cesar.sz.vwsoft.com [192.168.16.3]) by mail.vtec.ipme.de (Postfix) with ESMTP id 20AB73F9F0; Wed, 18 Apr 2007 14:04:21 +0200 (CEST)
Message-ID: <4626094C.20207@vwsoft.com>
Date: Wed, 18 Apr 2007 14:04:28 +0200
From: Volker
User-Agent: Thunderbird 1.5.0.10 (X11/20070306)
MIME-Version: 1.0
To: zen
References: <46247471.9030503@tk-pttuntex.com> <200704172129.22275.sanya-spb@list.ru> <20070418095903.12432@caamora.com.au> <462575D4.2010801@tk-pttuntex.com>
In-Reply-To: <462575D4.2010801@tk-pttuntex.com>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-VWSoft-MailScanner: Found to be clean
X-MailScanner-From: volker@vwsoft.com
X-ipactive-MailScanner-Information: Please contact the ISP for more information
X-ipactive-MailScanner: Found to be clean
X-ipactive-MailScanner-From: volker@vwsoft.com
Cc: jonathan michaels , freebsd-stable@freebsd.org
Subject: Re: Re: tproxy on freebsd
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Wed, 18 Apr 2007 12:05:15 -0000

On 12/23/-58 20:59, zen wrote:
>> i don't have a problem with this but i am going to be setting up a
>> similar setup and would appreciate the help a working setup would
>> provide.
>>
> any help will be appreciated, i could use a sample configuration file
> regarding this problem.

zen & others,

building a transparent proxy using pf + squid is an easy topic and well
documented on the net. In detail, it goes this way:

pf (assuming nve0 is your local IF):

    rdr on nve0 from any to any port 80 -> 127.0.0.1 port 3128
    pass in on nve0 from any to any port 80 keep state
    pass in on nve0 from any to 127.0.0.1 port 3128 keep state

Now, compile squid with transparent support and use:

    http_port 3128 transparent

in your squid.conf (assuming you're running squid >= 2.6).

I'm running several hosts with a setup like that.

Also you may want to check out www/havp and use it as a transparent
proxy + squid as upstream proxy. That way you also have virus protection
for your internal users while surfing the web (I'm also doing things
like that as I found it a better solution than squidclam or the like -
YMMV).

> FYI i'm already running a transparent proxy with ipf+ipnat:
>
> rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp
>
> but with that configuration, it is still the proxy ip address that is
> visible when my client is using the proxy.

Don't understand that sentence. What address is visible to whom? And
which address do you want to 'hide'?

If you don't want to leak your internal addresses to any outside
webserver, this is a squid issue and there should (?) be configuration
options for squid.

> is it me or just i can't achieve that with FreeBSD?
> because i hate to switch to other OS only because of this.

No need to switch! :)

You may find tons of info using Google or in the pf@ ML archives. Also
pf@ or isp@ would be the appropriate list for questions like that.

HTH,

Volker