From: Steve Bertrand <steve@ibctech.ca>
Date: Mon, 20 Apr 2009 13:05:27 -0400
To: Adrian Chadd
Cc: FreeBSD Net <freebsd-net@freebsd.org>
Subject: Re: Route traffic on a gateway through SSH tunnel
Message-ID: <49ECAB57.8000708@ibctech.ca>
References: <49EA4FBC.4040202@ibctech.ca>

Adrian Chadd wrote:
> G'day;
>
> 2009/4/19 Steve Bertrand :
>
>> I have a Squid proxy/content filter at my office that I would like to
>> route all 80/443 traffic from my home connection through the proxy. The
>> proxy and the termination point of my home connection are located in two
>> different PoPs, within different ASs.
>
> Eww. People still use Squid?

hmmm... I'm trying to figure out what you are implying here. If Squid is
"eww", what do you recommend?

>> Does anyone have any suggestions or comments they can share regarding
>> such a setup?
>
> Well, I'd first look at what you're doing with the "fwd" next-hop
> rewriting. All ipfw fwd does is next-hop rewriting with an optional
> redirect-to-local-socket-termination feature.
>
> You need to redirect to a local squid or some other proxy which can do
> the DNS lookups as required (if required!) and bounce the request
> upstream.
>
> I'd suggest setting up Squid on your local CPE to handle the "ipfw fwd
> any 127.0.0.1:3128" redirection (and use http_port 127.0.0.1:3128
> transparent in squid.conf) and then configure squid with a parent
> proxy (cache_peer, disable never_direct, etc) to talk exclusively to
> your upstream proxy(ies).

Thanks for the great feedback Adrian.

I've done what you recommended, and things work exactly as I originally
desired, from PC through the parent proxy.

The only thing that doesn't work properly is SSL proxying, but that's
something I can fiddle with.

BTW, I am using Squid as a backend to DansGuardian. Both reside on the
same box, at my office. The only user of this configuration is my home
connection.

Steve
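The setup Adrian describes, as an added example that is not part of the thread and not Steve's or Adrian's own configuration: a small POSIX shell script that emits the CPE-side ipfw rule and the squid.conf fragment for a transparent port-80 intercept feeding an office parent proxy, plus a policy check. The interface name `em1`, the home LAN `192.168.1.0/24`, the parent host `proxy.example.invalid` and the ports are assumptions (placeholders). Two points the thread only touches on are built in: the `fwd` rule matches only packets arriving on the LAN interface from the home LAN, so the gateway itself and WAN-side hosts are never bounced into the proxy, and Squid listens on 127.0.0.1 only with `never_direct allow all`, which is the directive that forces every request to the parent. Port 443 is deliberately not intercepted: an intercepted TLS stream cannot be turned into a proxied request without a TLS-terminating proxy, which is why the SSL case behaves differently from port 80 in this design.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and checks the home-gateway
# side of a "local transparent Squid -> office parent proxy" setup.
# All names, addresses and ports below are assumed/placeholder values.

LAN_IF="${LAN_IF:-em1}"                          # assumed inside interface of the CPE
LAN_NET="${LAN_NET:-192.168.1.0/24}"             # constructed home LAN prefix
SQUID_PORT="${SQUID_PORT:-3128}"                 # local Squid, loopback only
PARENT_HOST="${PARENT_HOST:-proxy.example.invalid}"  # placeholder office proxy
PARENT_PORT="${PARENT_PORT:-3128}"

# ipfw rules: redirect LAN-originated port-80 flows to the local Squid socket.
# Only "in via $LAN_IF" from $LAN_NET is matched, so the rule cannot be
# triggered from the WAN side or by the gateway's own traffic.
# (On older FreeBSD the kernel needs "options IPFIREWALL_FORWARD" for fwd.)
ipfw_rules() {
    cat <<EOF
add 1000 fwd 127.0.0.1,${SQUID_PORT} tcp from ${LAN_NET} to any 80 in via ${LAN_IF}
EOF
}

# squid.conf fragment for the CPE-side Squid:
#  - bind the transparent listener to loopback only
#  - define the office proxy as the single parent
#  - never_direct allow all: every request must go via a peer (the parent)
#  - accept requests from the home LAN only
squid_conf() {
    cat <<EOF
http_port 127.0.0.1:${SQUID_PORT} transparent
cache_peer ${PARENT_HOST} parent ${PARENT_PORT} 0 no-query default
never_direct allow all
acl localnet src ${LAN_NET}
http_access allow localnet
http_access deny all
EOF
}

# Policy check: returns 0 when the generated config keeps the intercept
# scoped to the LAN and the local Squid unreachable from outside.
check_policy() {
    # An unscoped source ("from any") would redirect traffic from anywhere.
    ipfw_rules | grep -Fq "from any" && return 1
    ipfw_rules | grep -Fq "from ${LAN_NET} to any 80 in via ${LAN_IF}" || return 1
    # The listener must be on loopback and all requests must go to the parent.
    squid_conf | grep -Fq "http_port 127.0.0.1:${SQUID_PORT} transparent" || return 1
    squid_conf | grep -Fq "never_direct allow all" || return 1
    squid_conf | grep -Fq "http_access deny all" || return 1
    return 0
}

# Usage: sh this_script.sh show   -> prints both fragments after checking them
if [ "${1:-}" = "show" ]; then
    check_policy || { echo "policy check failed" >&2; exit 1; }
    echo "# ipfw"; ipfw_rules
    echo "# squid.conf"; squid_conf
fi
```

Load the ipfw output with `ipfw -q /dev/stdin` style batch loading (or paste the rule into your ruleset) and append the Squid fragment to squid.conf on the CPE; the parent proxy then sees every port-80 request from the home LAN, while nothing on the WAN side can reach the loopback-bound listener. Setting `LAN_NET=any` makes `check_policy` fail, which is the misconfiguration the source restriction is there to catch.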