From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 01:47:12 2012
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id C05F41065672 for ; Tue, 10 Jul 2012 01:47:12 +0000 (UTC) (envelope-from hbcheng@berkeley.edu)
Received: from cm04fe.IST.Berkeley.EDU (cm04fe.IST.Berkeley.EDU [169.229.218.145]) by mx1.freebsd.org (Postfix) with ESMTP id A9D3E8FC12 for ; Tue, 10 Jul 2012 01:47:12 +0000 (UTC)
Received: from cm04ws.ist.berkeley.edu ([169.229.218.166] helo=calmail.berkeley.edu) by cm04fe.ist.berkeley.edu with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.76) (auth plain:hbcheng@berkeley.edu) (envelope-from ) id 1SoPIx-00017M-FD for freebsd-pf@freebsd.org; Mon, 09 Jul 2012 18:31:56 -0700
MIME-Version: 1.0
Received: from wifi-87-20.ResHall.Berkeley.EDU ([169.229.87.20]) by calmail.berkeley.edu with HTTP (HTTP/1.1 POST); Mon, 09 Jul 2012 18:31:55 -0700
Date: Mon, 09 Jul 2012 18:31:55 -0700
From: Hao Bryan Cheng
To:
Message-ID: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
X-Sender: hbcheng@berkeley.edu
User-Agent: RoundCube Webmail/0.3.1.UCB1
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8
Subject: Question regarding packet forwarding and Squid
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 10 Jul 2012 01:47:12 -0000

Hello all,

I am working on converting a captive portal system from ipfw to pf (in order to support port-block allocation in many-to-one NAT) on systems currently running FreeBSD 8.2. Most of the firewall rewrite went without incident. However, I am having trouble replicating the fwd functionality of ipfw in pf.
Our ipfw firewall uses the fwd rule to send packets from the private side of the portal to a squid instance running on 127.0.0.1:3128. From there, squid runs our url_rewrite script. The nice thing about this setup is that the fwd rule does not rewrite either the destination IP or port of the packet, meaning that the url_rewrite script can easily extract this information from the input line that squid provides (myip corresponding to the destination IP address of the original HTTP request). We then add the IP address to a firewall table to grant HTTPS access to the destination host, bypassing squid entirely.

I was able to get traffic into squid via pf using a rdr rule. However, this rule rewrites the destination IP and port of the request, which means that the url_rewrite script is no longer aware of the original destination IP. While there are several options for changing the url_rewrite script to accommodate this change, I would like to avoid unnecessary (and redundant) nameserver lookups.

Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have heard mentions of a divert-to rule, but I was unsuccessful in finding any official documentation on the subject anywhere online.

Any help would be greatly appreciated.

Thanks,
Hao Bryan Cheng
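The failure mode described in the post (the url_rewrite helper reading myip from Squid's input line, which after a pf rdr only carries the rdr target instead of the original destination) can be made concrete with a small parser. The following is an added example, not code from the post or from the poster's captive portal; the input lines are constructed, the Squid line layout ("URL client_ip/fqdn user method key=value ...") and the table name https_ok are assumptions, and the pfctl command is only built as a string, never executed.

```python
import ipaddress
import shlex
from typing import Optional

# Constructed sample input lines in the shape Squid hands to a
# url_rewrite_program: "URL client_ip/fqdn user method key=value ...".
# The myip=/myport= pairs are what the post's helper reads. All values
# below are made up for this example.
SAMPLE_LINES = [
    # Assumed ipfw fwd case: the packet reached Squid with its original
    # destination intact, so myip is the real web server.
    "http://example.com/index.html 10.0.0.5/- - GET myip=203.0.113.10 myport=80",
    # Assumed pf rdr case: rdr rewrote the destination to 127.0.0.1:3128,
    # so myip/myport now describe Squid itself, not the original host.
    "http://example.com/index.html 10.0.0.5/- - GET myip=127.0.0.1 myport=3128",
    # Malformed line with no myip at all; the helper must not crash on it.
    "http://example.com/ 10.0.0.6/- - GET",
]

# Where the local Squid instance listens (from the post).
SQUID_LISTEN = ("127.0.0.1", 3128)


def parse_rewrite_line(line: str) -> dict:
    """Split one url_rewrite input line into its positional fields and kv-pairs."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields in url_rewrite line: {line!r}")
    url, client, user, method = fields[:4]
    extras = {}
    for token in fields[4:]:
        if "=" in token:
            key, value = token.split("=", 1)
            extras[key] = value
    return {
        "url": url,
        "client": client.split("/", 1)[0],
        "user": user,
        "method": method,
        "extras": extras,
    }


def original_destination(parsed: dict) -> Optional[str]:
    """Return the original destination IP if myip/myport still carry it.

    Returns None when the pair is missing, unparsable, or points at the local
    Squid listener (which is what a pf rdr to 127.0.0.1:3128 produces): in
    that case the original destination has been lost and the caller must
    fall back to some other source rather than whitelist 127.0.0.1.
    """
    extras = parsed["extras"]
    ip = extras.get("myip")
    port = extras.get("myport")
    if ip is None or port is None:
        return None
    try:
        addr = ipaddress.ip_address(ip)
        port_num = int(port)
    except ValueError:
        return None
    if (ip, port_num) == SQUID_LISTEN or addr.is_loopback:
        return None
    return ip


def table_add_command(parsed: dict, table: str = "https_ok") -> Optional[str]:
    """Build (but do not run) the pfctl command that would add the client's
    destination host to a pf table granting direct HTTPS access. The table
    name is an assumption for this example."""
    dst = original_destination(parsed)
    if dst is None:
        return None
    return f"pfctl -t {shlex.quote(table)} -T add {dst}"


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        try:
            parsed = parse_rewrite_line(line)
        except ValueError as exc:
            print(f"skip: {exc}")
            continue
        print(parsed["client"], "->", table_add_command(parsed))
```

Run as a script it prints the pfctl command for the first sample and None for the other two, which is the point: under ipfw fwd the helper sees the real destination, under pf rdr it sees only 127.0.0.1:3128 and must refuse to act on it rather than adding the loopback address to the bypass table.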