From: Andrew Pantyukhin
To: Steve Bertrand
Cc: freebsd-questions@freebsd.org
Date: Mon, 19 Nov 2007 17:52:06 +0300
Subject: Re: FreeBSD router and WCCP
Message-ID: <20071119145205.GE57722@amilo.cenkes.org>

On Mon, Nov 19, 2007 at 08:58:34AM -0500, Steve Bertrand wrote:
> Andrew Pantyukhin wrote:
> > On Fri, Nov 16, 2007 at 12:48:52PM -0500, Steve Bertrand wrote:
> >> Does anyone know of a way to configure WCCP redirect support into a
> >> FreeBSD based router without having to install squid?
> >
> > I've only used FreeBSD as a WCCPv1/v2 sink (receiver), but you
> > can try sending out packets out of gre(4). That should probably
> > work.
> >
> > If you're trying to redirect traffic to another machine running
> > squid, consider avoiding WCCP, it's not a very bright protocol.
>
> Thanks for the response.
>
> We are deploying a commercial appliance as a content filter, so I can
> only assume that it is running a customized version of Squid but I don't
> know.
>
> Do you have any recommendation on what I should use if WCCP is not
> recommended?

ipfw forwarding is a very easy way to redirect traffic without
changing it. PF has similar functionality. It all depends on what
the appliance supports.

If wccp is the only way it can eat packets, try playing with
gre(4). But maybe it'll consume just plain packets with "wrong"
IP destinations arriving on its MAC address, just the way squid
on FreeBSD does.

BTW, if the appliance supports ICAP, you'll be much better off
running squid on a FreeBSD box and filtering content through
ICAP.

> The filter will not be inline, and it will be an opt-in type service, so
> only certain traffic will need to be redirected.

You'll be able to use ipfw or pf to tune the policies to a very
fine degree.