From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Date: Thu, 4 May 2006 07:32:59 +0200
Subject: Re: Something is wrong
In-Reply-To: <20060504034002.20589.qmail@web31609.mail.mud.yahoo.com>
Message-Id: <200605040733.06283.max@love2party.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Thursday 04 May 2006 05:40, Aguiar Magalhaes wrote:
> I have a lot of Windows Internet Explorer browsers in the LAN and they are
> marked to use the proxy at 3128 port.
>
> The pf and squid are in the same machine. I'm not using transparent proxy
> on pf. I don't have any redirections to proxy.

and there is your problem. If your client is configured to use the proxy it
will just do that. That means it won't even attempt to make a direct
connection to any server. IIRC you can configure IE to exclude certain IP
ranges or domains from being proxied. That would be one way to go. Another
one is to fix the configuration of your proxy. The last one is to use
transparent proxying, in which case you can use pf to decide whether or not
the proxy should be used.

> Some applications in intranet pages use ports like 19336 or 8081 and they
> don't support the proxy.
>
> I need to tell pf not to send the packets to the proxy if the users are
> accessing those application pages, but I have not had success.
>
> My firewall has only two NICs: $int_if and $ext_if
>
> Could you help me? Thanks, Aguiar
>
> The rules are:
>
> - - - - - - - -
> internal_net = "172.16.0.0/12"
> fw_ip_int = "172.16.0.9"
> fw_ip_ext = "200.x.x.x"
> lan_to_int = "{ 25 123 ... etc }
>
> set optimization aggressive
> scrub in all
> nat on $ext_if from $internal_net to any -> $fw_ip_ext
> rdr on $int_if proto tcp from $internal_net to any port 21 -> 127.0.0.1 port 8081
> pass quick on lo0 all
> antispoof for $ext_if inet
>
> block log all
> pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 8081 keep state
> pass in on $int_if inet proto tcp from $internal_net to { $fw_ip_int $fw_ip_ext } port 3128 keep state
> pass in on $int_if inet proto udp from $internal_net to any port 53 keep state
> pass in on $int_if inet proto tcp from $internal_net to any port $lan_to_int keep state
>
> # Access permitted out of the proxy (not is ok...)
> pass inet proto tcp from { 172.16.1.16 172.16.1.165 172.16.1.203 } to 201.x.x.x port { 80 3128 8081 } keep state
>
> pass out from $fw_ip_ext to any keep state
> - - - - - - - - - - - -

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
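The third option Max describes, letting pf decide which connections reach the proxy, is sketched below as an added example; it is not part of the thread and not a configuration from the original poster or from the pf project. It assumes the transparent-proxy setup from the reply: the manual proxy setting is removed from the clients (a client that is told to use a proxy never makes a direct connection, so pf has nothing to decide), squid on the same box listens on 127.0.0.1:3128 with interception enabled (`http_port 3128 transparent` in squid 2.6; older releases use the `httpd_accel` directives), and the interface name and the intranet application addresses in `<intranet_apps>` are placeholders. The macros and the port numbers 8081 and 19336 mirror the original rules.

```pf
# Added example: transparent proxying with pf, keeping intranet application
# ports away from squid. Not the original poster's or the pf project's config.
int_if       = "fxp0"              # assumed internal interface name
internal_net = "172.16.0.0/12"
fw_ip_int    = "172.16.0.9"

# Intranet application servers that must be reached directly.
# The addresses are constructed placeholders.
table <intranet_apps> { 172.16.5.10, 172.16.5.11 }
app_ports = "{ 8081 19336 }"

scrub in all

# Translation rules are evaluated first-match, so the exclusion must come
# before the redirect. "no rdr" stops translation for these connections.
no rdr on $int_if proto tcp from $internal_net to <intranet_apps> port $app_ports

# Everything else on port 80 is silently diverted to the local squid.
rdr on $int_if proto tcp from $internal_net to any port 80 -> 127.0.0.1 port 3128

block log all
pass quick on lo0 all
antispoof for $int_if inet

# The redirected connections now arrive with destination 127.0.0.1:3128,
# so the filter rule has to match the translated address, not the web site.
pass in on $int_if inet proto tcp from $internal_net to 127.0.0.1 port 3128 keep state

# Direct access to the excluded application ports, untouched by the proxy.
pass in on $int_if inet proto tcp from $internal_net to <intranet_apps> port $app_ports keep state

# squid's own outbound fetches originate on the firewall itself.
pass out inet proto tcp from $fw_ip_int to any port 80 keep state
```

Two checks are worth running after loading this: `pfctl -nf /etc/pf.conf` parses the file without installing it, and `pfctl -s nat` shows the `no rdr` entry listed ahead of the `rdr` entry, which is the ordering the exclusion depends on. With a client browsing one of the application servers, `pfctl -s state` should show a state to that server's address on 8081 or 19336 and no state to 127.0.0.1:3128 for it; if a 127.0.0.1:3128 state appears, the exclusion is not matching, usually because the server address is missing from the table.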