From: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 16 Jun 2016 14:15:49 +0200
To: atar
CC: Gary Palmer, freebsd-pf@freebsd.org
Subject: Re: Filter connections based on the hostname.
Message-ID: <57629875.1000509@quip.cz>
List: freebsd-pf (Technical discussion and general questions about packet filter (pf))
atar wrote on 06/16/2016 13:38:
>> atar wrote on 06/16/2016 09:15:
>>> Can you give me any hint on how to make PF redirect all the traffic through the squid proxy? I'm pretty new to both of them (PF and squid).
>>
>> You can find basic config here
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>
>> Squid can be installed from ports / packages
>> http://www.freshports.org/www/squid/
>>
>> Miroslav Lachman
>
> Hi and thanks for your willingness to help.
>
> Unfortunately, I didn't succeed in redirecting the network traffic through the squid server.
>
> I've put the following line in my pf.conf:
>
> rdr pass inet proto tcp from any to any -> 127.0.0.1 port 3128
>
> since the squid server is listening on port 3128, but the traffic isn't going through it.
>
> I've also verified that no traffic is redirected to port 3128 by running the command: nc -l 3128.
>
> I've no idea what is wrong here.

Are you trying to block traffic originating on the machine with PF and Squid, or is this machine a firewall for a LAN?

I think you need to add port www (or port {80, 443}) to your rdr rule and also specify on which interface you want to do this translation. If you need to filter traffic from your LAN to the outside world, you need to specify the LAN interface.
Something like this:

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

More resources can be found here:
http://serverfault.com/questions/490926/freebsd-pf-squid-transparent
http://www.benzedrine.ch/transquid.html
https://forums.freebsd.org/threads/10874/

Miroslav Lachman
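The three rules above, expanded into a complete, loadable pf.conf for the gateway case (the machine has a LAN interface and an Internet interface, and Squid runs on it). This is an added example, not the configuration from the mail or from the Squid wiki; the interface names em0/em1, the LAN prefix 192.168.1.0/24, the Squid port 3128 and the sysctl/squid.conf lines quoted in the comments are assumptions for illustration. Two points worth keeping in mind with this layout: rdr only translates packets arriving on the named interface, so a rule on the LAN interface never catches connections the firewall itself originates (and therefore cannot loop Squid's own upstream fetches back into Squid); and an intercept port expects cleartext HTTP, so sending port 443 to it would break TLS sessions rather than proxy them.

```pf
# Added example: transparent Squid interception on a FreeBSD gateway.
# Old (pre-OpenBSD 4.7 style) FreeBSD pf syntax, as used in the thread.
# pfctl requires this section order: macros, options, normalization,
# queueing, translation (nat/rdr), filtering (block/pass).

ext_if    = "em0"              # assumption: interface facing the Internet
int_if    = "em1"              # assumption: interface facing the LAN
lan_net   = "192.168.1.0/24"   # assumption: LAN prefix
squid_port = "3128"            # assumption: Squid listens on 127.0.0.1:3128
                               # with "http_port 127.0.0.1:3128 intercept" in squid.conf
                               # and net.inet.ip.forwarding=1 set on the gateway

# Translation section. Restrict the rdr to traffic *arriving* on the LAN
# interface, from the LAN prefix, to plain HTTP only. Port 443 is left
# alone on purpose: an intercept port cannot proxy TLS without ssl-bump.
nat on $ext_if inet from $lan_net to any -> ($ext_if)
rdr on $int_if inet proto tcp from $lan_net to any port www -> 127.0.0.1 port $squid_port

# Filtering section. Default deny, then allow only what the redirect needs.
block all
pass quick on lo0

# In this syntax filter rules see the *translated* destination, so the
# redirected connection must be admitted as 127.0.0.1:3128, and only on
# $int_if: nothing arriving on $ext_if can reach the intercept port.
pass in on $int_if inet proto tcp from $lan_net to 127.0.0.1 port $squid_port keep state

# Other LAN traffic (DNS, HTTPS, ...) is forwarded through NAT as usual.
pass in on $int_if inet from $lan_net to any keep state

# Squid's upstream fetches originate on the gateway and leave via $ext_if;
# they are never "in on $int_if", so the rdr above does not see them.
pass out on $ext_if inet from any to any keep state

# Verification (run as root, not part of the ruleset):
#   pfctl -nf /etc/pf.conf          # syntax check before loading
#   pfctl -f /etc/pf.conf           # load
#   pfctl -sn                       # translation rules actually loaded
#   pfctl -ss | grep 3128           # states created for redirected sessions
#   tcpdump -ni em1 tcp port 80     # LAN client's SYN arriving on $int_if
```

A quick functional check from a LAN host is `curl -v http://example.com/` while watching `pfctl -ss` on the gateway: a state entry of the form `client:port -> 127.0.0.1:3128` confirms the redirect, and a `Via:` or `X-Cache:` header in the response (if Squid is configured to emit them) confirms the proxy served it.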