From owner-freebsd-pf@FreeBSD.ORG Sat Aug 20 02:28:29 2005
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AA8A216A41F; Sat, 20 Aug 2005 02:28:29 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (insomnia.benzedrine.cx [62.65.145.30]) by mx1.FreeBSD.org (Postfix) with ESMTP id D966D43D46; Sat, 20 Aug 2005 02:28:28 +0000 (GMT) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (dhartmei@localhost [127.0.0.1]) by insomnia.benzedrine.cx (8.13.4/8.12.11) with ESMTP id j7K2SPTk004947 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO); Sat, 20 Aug 2005 04:28:25 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.13.4/8.12.10/Submit) id j7K2SOMi003459; Sat, 20 Aug 2005 04:28:24 +0200 (MEST)
Date: Sat, 20 Aug 2005 04:28:24 +0200
From: Daniel Hartmeier
To: sephiroth
Cc: freebsd-pf@freebsd.org
Subject: Re: Bypass transparent proxy
Message-ID: <20050820022824.GC31370@insomnia.benzedrine.cx>
References: <4306DCFB.1070200@gmail.com>
In-Reply-To: <4306DCFB.1070200@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.6i
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Sat, 20 Aug 2005 02:28:29 -0000

On Sat, Aug 20, 2005 at 02:34:19PM +0700, sephiroth wrote:

> I have a question about transparent proxy. I read the manual on
> http://benzedrin.cx about transparent proxy with Squid. I have a network
> with 20 clients connected to the internet and I have implemented that manual on
> my server. I want my clients to only use the proxy on my server.
> My question is: why can the clients still bypass my proxy using another
> anonymous proxy?

If a client tries to reach another (external) proxy through port 80, it won't bypass your proxy. In this case, the HTTP connection will pass through the chain of your proxy (first) and then the external one. This is not considered bypassing :)

A client might use an external proxy on a different port (not 80), in which case the pf rdr rule will simply not apply and won't redirect through your proxy.

If that's what you want to prevent, you'll have to either

a) block all connections to ports other than 80, or

b) redirect connections to ANY port to your proxy, i.e. remove the 'port www' part of the 'rdr' rule.

Either of those will obviously break connections used for other applications and protocols.

Daniel
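As an added illustration, and not part of Daniel's reply or of the benzedrine.cx Squid guide, here is what the original rdr rule and his two alternatives look like in pf.conf syntax of that era (FreeBSD 5.x / OpenBSD 3.x pf, where filter rules see the translated destination). The interface names, the internal network macro, the Squid port 3128 and the DNS pass rule are assumptions chosen for the example.

```pf
# Added example: pf.conf fragments for the situation discussed above.
# Interface names and the Squid port are assumed, not taken from the thread.
ext_if = "fxp0"
int_if = "fxp1"
squid_port = "3128"

# --- Original setup (as in the transparent Squid guide): only port 80 is
# redirected, so a client talking to an external proxy on another port
# is never seen by Squid.
rdr on $int_if inet proto tcp from $int_if:network to any port www \
    -> 127.0.0.1 port $squid_port

# --- Option a) block everything except the redirected HTTP traffic.
# In this pf version the filter rules are evaluated AFTER translation, so
# the pass rule must match the rewritten destination (127.0.0.1:3128),
# not the original "any port 80".
block in log on $int_if inet proto tcp from $int_if:network to any
pass in on $int_if inet proto tcp from $int_if:network \
    to 127.0.0.1 port $squid_port keep state
# Everything else from the LAN (SSH, IMAP, HTTPS, external proxies on
# odd ports) is now dropped and logged to pflog0. Name resolution would
# break as well, so at least DNS needs its own pass rule (assumed here):
pass in on $int_if inet proto udp from $int_if:network to any port domain keep state

# --- Option b) instead of blocking, redirect ALL TCP ports to Squid by
# dropping "port www" from the rdr rule. Squid then receives non-HTTP
# connections too and fails them, which is the breakage Daniel warns about.
# rdr on $int_if inet proto tcp from $int_if:network to any \
#     -> 127.0.0.1 port $squid_port
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -sn` shows the active translation rules and `pfctl -sr` the filter rules, which is the quickest way to confirm whether `port www` is still restricting the redirect. With the `log` keyword on the block rule in option a), `tcpdump -n -e -ttt -i pflog0` shows which client connections to non-80 ports are being stopped, so an administrator can see attempts to use outside proxies rather than wondering why they succeed.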