From owner-freebsd-questions Fri Jun 28 23:24:30 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1466937B401
	for ; Fri, 28 Jun 2002 23:24:26 -0700 (PDT)
Received: from mail.nsu.ru (mx.nsu.ru [193.124.215.71])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9B44E43E09
	for ; Fri, 28 Jun 2002 23:24:24 -0700 (PDT)
	(envelope-from lucky@land3.nsu.ru)
Received: from drweb by mail.nsu.ru with drweb-scanned (Exim 3.20 #1)
	id 17OBeX-0002Sc-00; Sat, 29 Jun 2002 13:24:13 +0700
Received: from uni.land3.nsu.ru ([193.124.213.230] helo=land3.nsu.ru)
	by mail.nsu.ru with esmtp (Exim 3.20 #1)
	id 17OBeW-0002SQ-00; Sat, 29 Jun 2002 13:24:12 +0700
Received: from land3.nsu.ru (localhost [127.0.0.1])
	by land3.nsu.ru (8.12.3/8.11.6) with ESMTP id g5T6Ahqw092607;
	Sat, 29 Jun 2002 13:10:43 +0700 (NOVST)
	(envelope-from lucky@land3.nsu.ru)
Received: from localhost (lucky@localhost)
	by land3.nsu.ru (8.12.3/8.12.3/Submit) with ESMTP id g5T6AgPV019272;
	Sat, 29 Jun 2002 13:10:43 +0700 (NOVST)
Date: Sat, 29 Jun 2002 13:10:42 +0700 (NOVST)
From: Alexey Privalov
To: Jaime
Cc: freebsd-questions@freebsd.org
Subject: Re: transparent proxying
In-Reply-To: <20020628082314.M9991-100000@malkav.snowmoon.com>
Message-ID: <20020629130657.H66384-100000@land3.nsu.ru>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Envelope-To: jaime@snowmoon.com, freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

hi

use 'ipfw forward' for transparent proxying, like this:

00040 fwd 127.0.0.1,8888 tcp from any to any 80,8100,8101,8102,8103 in recv fxp1

but you must remember that, if the IP is not a local address then the port
number (if specified) is ignored.

best regards,
Alexey.
On Fri, 28 Jun 2002, Jaime wrote:

> Date: Fri, 28 Jun 2002 08:23:39 -0400 (EDT)
> From: Jaime
> To: freebsd-questions@freebsd.org
> Subject: transparent proxying
>
> 	I know how to make a transparent proxy with squid and ipfw.  I've
> done it before.  But now that I have to use dansguardian (damn CIPA
> rules), I'm having some trouble.  My network looks something like:
>
> (ISP) -- (Router) -- (Firewall) -- (Core switch)
>
> The firewall looks something like:
>
> [ipfw] <--> [transproxy] <--> [dansguardian] <--> [squid] <--> [Web]
>
> 	I'm trying to get transproxy out of the mix, because it's making
> all traffic to dansguardian into 127.0.0.1.  This prevents me from
> tracking anything down or exempting certain IPs from the filters.
>
> 	My current attempts are more like this:
>
> [ipfw divert] <-> [natd] <-> [dansguardian] <-> [squid] <-> [Web]
>
> 	I'm not sure how to configure natd, though.  The firewall's inside
> interface is fxp1 and the outside is fxp0.  I've tried each of the
> following ways to start natd, but none have seemed to work.  Sometimes it
> ends up blocking all traffic and other times it lets all traffic through
> but it doesn't filter it.
>
> /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
> /sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
> /sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
>
> These were all with ipfw rules like this:
> /sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80
>
> 	Can anyone offer any insights?  It doesn't even have to be a
> solution.  I just feel like I'm missing a detail somewhere.  Though I
> wouldn't turn down a solution!  :)
>
> Thanks in advance,
> Jaime
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
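The 'ipfw fwd' approach from Alexey's reply, written out as a complete rule set. This is an added example and not code from the thread or from FreeBSD: a small sh script that generates the ipfw(8) commands, keeps the exemption rules for hosts that must bypass the filter (Jaime's concern) ahead of the fwd rule, and applies the caveat from the reply by dropping the port from the fwd target when the address is not one of the firewall's own. The inside interface fxp1 and the port list are taken from the thread; the dansguardian listener 127.0.0.1:8888, the exempt hosts, and the firewall's local address list are assumptions constructed for the example (on a real box take the local addresses from 'ifconfig -a').

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): build the ipfw
# rule set for transparent proxying with 'fwd' instead of transproxy/natd.
# The values below are assumptions for the example, overridable from the
# environment.

INSIDE_IF=${INSIDE_IF:-fxp1}                  # interface the clients arrive on (from the thread)
PROXY_ADDR=${PROXY_ADDR:-127.0.0.1}           # where dansguardian listens (assumed)
PROXY_PORT=${PROXY_PORT:-8888}                # its port (assumed, as in the reply)
INTERCEPT_PORTS=${INTERCEPT_PORTS:-80,8100,8101,8102,8103}   # destination ports to redirect
EXEMPT_HOSTS=${EXEMPT_HOSTS:-10.0.0.5 10.0.0.6}              # clients that bypass the filter (assumed)
# Addresses configured on this firewall (constructed for the example).
LOCAL_ADDRS=${LOCAL_ADDRS:-127.0.0.1 10.0.0.1 192.0.2.1}

# is_local_addr ADDR: succeed if ADDR is one of the firewall's own addresses.
is_local_addr() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# fwd_target ADDR PORT: the argument for 'fwd'. ipfw only honours the port
# when ADDR is local, so for a remote address the port is left out and a
# warning is printed rather than silently generating a misleading rule.
fwd_target() {
    if is_local_addr "$1"; then
        printf '%s,%s\n' "$1" "$2"
    else
        echo "warning: $1 is not a local address; ipfw will ignore port $2" >&2
        printf '%s\n' "$1"
    fi
}

# gen_rules: print ipfw commands (without the leading 'ipfw') suitable for
# 'ipfw -q FILE'. Exemptions get lower rule numbers so they match first;
# 'in recv' on the inside interface keeps the proxy's own outbound
# connections on fxp0 from being caught again.
gen_rules() {
    n=30
    for h in $EXEMPT_HOSTS; do
        printf 'add %05d allow tcp from %s to any %s in recv %s\n' \
            "$n" "$h" "$INTERCEPT_PORTS" "$INSIDE_IF"
        n=$((n + 1))
    done
    printf 'add 00040 fwd %s tcp from any to any %s in recv %s\n' \
        "$(fwd_target "$PROXY_ADDR" "$PROXY_PORT")" "$INTERCEPT_PORTS" "$INSIDE_IF"
}

# Print the rule set. Save it and load it with: ipfw -q /path/to/proxy.rules
gen_rules
```

With fwd the packet's source address is untouched, so dansguardian sees the real client address instead of 127.0.0.1, which is what transproxy was hiding. Two things still have to be in place on the box: the FreeBSD 4.x kernel needs `options IPFIREWALL_FORWARD` for the fwd action to do anything, and the listener on 8888 must be set up to accept intercepted requests (for a squid of that era, the httpd_accel_* transparent-proxy settings).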