From owner-freebsd-pf@FreeBSD.ORG Thu Aug 28 03:56:18 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id E2F08106564A for ; Thu, 28 Aug 2008 03:56:18 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from QMTA07.westchester.pa.mail.comcast.net (qmta07.westchester.pa.mail.comcast.net [76.96.62.64]) by mx1.freebsd.org (Postfix) with ESMTP id 91FE18FC0A for ; Thu, 28 Aug 2008 03:56:18 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from OMTA08.westchester.pa.mail.comcast.net ([76.96.62.12]) by QMTA07.westchester.pa.mail.comcast.net with comcast id 7dGE1a0020Fqzac57fmG3T; Thu, 28 Aug 2008 03:46:16 +0000
Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA08.westchester.pa.mail.comcast.net with comcast id 7fmF1a0054v8bD73UfmFTB; Thu, 28 Aug 2008 03:46:16 +0000
Received: by icarus.home.lan (Postfix, from userid 1000) id F318517B81A; Wed, 27 Aug 2008 20:46:14 -0700 (PDT)
Date: Wed, 27 Aug 2008 20:46:14 -0700
From: Jeremy Chadwick
To: freebsd-pf@freebsd.org
Message-ID: <20080828034614.GA11207@icarus.home.lan>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: Fwd: Re: Squid/ Danguardian + Transparent Bridge
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 28 Aug 2008 03:56:19 -0000

----- Forwarded message from James Shupe -----

> From: James Shupe
> To: Jeremy Chadwick
> Date: Wed, 27 Aug 2008 20:26:59 -0500
> Subject: Re: Squid/ Danguardian + Transparent Bridge
>
> I've tried this, and it works with NAT but not when the interfaces are
> in a bridge. I'll re-attempt this tomorrow though, just in case I'm wrong.
>
> Thank you,
> James Shupe
>
> Jeremy Chadwick wrote:
> > On Wed, Aug 27, 2008 at 07:29:09PM -0500, James Shupe wrote:
> >> I've been trying to get pf to transparently redirect all incoming
> >> traffic on port 80 to port 8080 on a bridge to pass through to
> >> Dansguardian. This machine is a replacement for a Linux box which did
> >> the same thing with IPtables flawlessly, but I can't seem to get it to work
> >> with PF. I've tried using dozens of rulesets, including route-to
> >> statements, and have had no success. I was wondering if anybody has a
> >> working ruleset that they could share as an example, as I've seen lots
> >> of questions in mailing list archives regarding this, but no positive fixes.
> >
> > You mean something like this?
> >
> > rdr pass proto tcp from any to <ipofyourbox> port 80 -> 127.0.0.1 port 8080
> >
> > Assuming ipofyourbox is 4.4.4.4, this will transparently redirect
> > incoming connections to 4.4.4.4 port 80 to 127.0.0.1 port 8080.
> > Response packets will also be remapped appropriately (meaning the remote
> > user will see the response packets coming from 4.4.4.4 port 80).
> >
> > This is under the assumption that Dansguardian is listening on 127.0.0.1
> > port 8080. It might just be listening on INADDR_ANY port 8080, in which
> > case you should probably configure it to bind to 127.0.0.1 -- or if
> > you cannot, set up an appropriate firewall rule in pf to block that
> > traffic (so people on the Internet cannot connect to 4.4.4.4 port 8080
> > and talk to Dansguardian directly).
> >
> > Hope this helps.
> >
> > Thank you,
>
> --
> James Shupe
> HermeTek Network Solutions
> http://www.hermetek.com
> 1.866.325.6207

----- End forwarded message -----

James forgot to CC the list when replying; I got his permission to
forward this.

His problem seems to be when using rdr while a bridge is in use.

--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
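The ruleset below is an added example, not something either poster sent. It puts Jeremy's rdr rule into a complete pf.conf together with the hardening he recommends for the case where Dansguardian cannot be bound to 127.0.0.1: an explicit block on direct connections to the proxy port. The interface name em0, the address 4.4.4.4 (taken from the reply) and the port 8080 are assumed values; this covers the routed/NAT case that James reports as working, not the bridge case he reports as failing.

```pf
# Added example (not from the thread). Assumed values: the box's
# Internet-facing interface is em0 with address 4.4.4.4, and
# Dansguardian listens on port 8080 (ideally bound to 127.0.0.1).
ext_if     = "em0"
box_ip     = "4.4.4.4"
proxy_port = "8080"

# Translation section.
# Inbound HTTP aimed at the box itself is rewritten to Dansguardian on
# loopback. "rdr pass" creates state, so replies are mapped back and the
# client sees them coming from 4.4.4.4 port 80. Only port 80 is
# rewritten; a direct connection to port 8080 is NOT translated and
# therefore reaches the filter rules below with its original destination.
rdr pass on $ext_if proto tcp from any to $box_ip port 80 -> 127.0.0.1 port $proxy_port

# Filter section.
# If Dansguardian ended up listening on INADDR_ANY, anyone on the
# Internet could talk to it directly on 4.4.4.4:8080 and bypass the
# redirect path. Refuse that explicitly; "quick" stops evaluation here,
# and "log" makes such attempts visible in pflog0 for monitoring.
block in log quick on $ext_if proto tcp from any to $box_ip port $proxy_port

# Everything else the box offers is governed by your normal policy;
# a default-deny inbound with selective passes is the usual shape.
block in on $ext_if
pass out on $ext_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s nat` and `pfctl -s rules` show that the rdr and the port-8080 block are in place, and `tcpdump -n -e -ttt -i pflog0` shows any blocked direct-to-proxy attempts. Binding Dansguardian to 127.0.0.1 remains the stronger fix, since the block rule then becomes defence in depth rather than the only control. For the bridge case James describes, the general FreeBSD caveat (not something the thread states) is that whether pf sees bridged packets at all, and on which interface, depends on the if_bridge(4) sysctls net.link.bridge.pfil_bridge and net.link.bridge.pfil_member, so the `on` interface in the rdr rule has to match where filtering actually happens.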