From owner-freebsd-pf@FreeBSD.ORG Tue Jul 10 20:49:45 2012
From: Ermal Luçi
Sender: ermal.luci@gmail.com
To: Hao Bryan Cheng
Cc: freebsd-pf@freebsd.org
Date: Tue, 10 Jul 2012 22:49:44 +0200
In-Reply-To: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
References: <7b10a675fc6b44b4b93597d97036de31@berkeley.edu>
Subject: Re: Question regarding packet forwarding and Squid
List-Id: "Technical discussion and general questions about packet filter (pf)"
On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng wrote:
> Hello all,
>
> I am working on converting a captive portal system from ipfw to pf (in
> order to support port-block allocation in many-to-one NAT) on systems
> currently running FreeBSD 8.2.
>
> Most of the firewall rewrite went without incident. However, I am having
> trouble replicating the fwd functionality of ipfw in pf.
>
> Our ipfw firewall uses the fwd rule to send packets from the private side
> of the portal to a squid instance running on 127.0.0.1:3128. From there,
> squid runs our url_rewrite script. The nice thing about this setup is that
> the fwd rule does not rewrite either the destination IP or port of the
> packet, meaning that the url_rewrite script can easily extract this
> information from the input line that squid provides (myip corresponding to
> the destination IP address of the original HTTP request). We then add the
> IP address to a firewall table to grant HTTPS access to the destination
> host bypassing squid entirely.
>
> I was able to get traffic into squid via pf using a rdr rule. However this
> rule rewrites the destination IP and port of the request which means that
> the url_rewrite script is no longer aware of the original destination IP.
> While there are several options for changing the url_rewrite script to
> accommodate this change, I would like to avoid unnecessary (and redundant)
> nameserver lookups.
>
> Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
> heard mentions of a divert-to rule, but I was unsuccessful in finding any
> official documentation on the subject anywhere online.
>
> Any help would be greatly appreciated.
>

You will not find such functionality easily or without tricky requirements.

> Thanks,
>
> Hao Bryan Cheng
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

--
Ermal
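The url_rewrite helper logic the quoted question describes, written out as an added example (this is not code from the thread, from Squid, or from pf). It parses the request line Squid hands the helper, reads the `myip`/`myport` key/value pairs, and shows why the ipfw fwd case yields a usable destination while the pf rdr case does not: after rdr, `myip` is the proxy's own listener address (127.0.0.1:3128 in the question) and carries no information about the original host, so the helper must not add it to the bypass table. The exact url_rewrite line layout, the table name `https_allowed`, and the two sample request lines are assumptions constructed for the example; the pfctl invocation is returned rather than executed so the code runs without pf present.

```python
"""Squid url_rewrite helper logic for the captive-portal setup quoted above.

Added example: not code from this thread, from Squid or from pf.
Assumed input line format (Squid url_rewrite_program, treated here as an
assumption): URL client_ip/fqdn ident method [urlgroup] key=value ...
where the key/value pairs include myip=<addr> and myport=<port>, the local
address Squid accepted the connection on.
"""
import ipaddress
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# From the question: squid listens on 127.0.0.1:3128.
SQUID_LISTEN = ipaddress.ip_address("127.0.0.1")
# Hypothetical pf table name for hosts granted direct HTTPS access.
HTTPS_TABLE = "https_allowed"


@dataclass
class RewriteRequest:
    url: str
    client_ip: str
    myip: Optional[IPAddr]
    myport: Optional[int]
    kv: Dict[str, str] = field(default_factory=dict)


def parse_line(line: str) -> RewriteRequest:
    """Split one url_rewrite request line into its fields."""
    fields = line.strip().split()
    if len(fields) < 4:
        raise ValueError("malformed url_rewrite line: %r" % line)
    url, client, _ident, _method = fields[:4]
    kv: Dict[str, str] = {}
    for token in fields[4:]:  # an optional urlgroup token has no '=' and is skipped
        if "=" in token:
            key, value = token.split("=", 1)
            kv[key] = value
    myip = ipaddress.ip_address(kv["myip"]) if "myip" in kv else None
    myport = int(kv["myport"]) if "myport" in kv else None
    return RewriteRequest(url, client.split("/", 1)[0], myip, myport, kv)


def original_destination(req: RewriteRequest) -> Optional[IPAddr]:
    """Destination address the helper can trust, or None.

    With ipfw fwd the packet keeps its destination, so myip is the real
    server. With pf rdr the destination has been rewritten to the listener,
    so myip is the proxy's own address and says nothing about the original
    host; granting an HTTPS bypass on it would be meaningless.
    """
    if req.myip is None or req.myip == SQUID_LISTEN or req.myip.is_loopback:
        return None
    return req.myip


def table_add_command(ip: IPAddr) -> List[str]:
    """pfctl(8) invocation that adds ip to the HTTPS bypass table.

    Returned rather than executed so the example runs without pf present.
    """
    return ["pfctl", "-t", HTTPS_TABLE, "-T", "add", str(ip)]


def handle(line: str):
    """Decide for one request: (reply for Squid, pfctl command or None)."""
    req = parse_line(line)
    dest = original_destination(req)
    reply = req.url  # echoing the URL unchanged leaves the request as it was
    return reply, (table_add_command(dest) if dest is not None else None)


# Constructed sample lines: the same request seen through ipfw fwd (original
# destination preserved) and through pf rdr (destination rewritten).
FWD_LINE = "http://www.example.com/ 10.0.0.5/- - GET myip=192.0.2.10 myport=80"
RDR_LINE = "http://www.example.com/ 10.0.0.5/- - GET myip=127.0.0.1 myport=3128"


if __name__ == "__main__":
    # Helper loop: one request per line on stdin, one reply per line on stdout.
    for raw in sys.stdin:
        reply, cmd = handle(raw)
        if cmd is not None:
            sys.stderr.write("would run: %s\n" % " ".join(cmd))
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()
```

Keying the bypass table on the packet's own destination address, as the fwd setup does, is what lets the helper avoid the nameserver lookups the question wants to avoid; the loopback check is the guard that keeps a rdr deployment from silently adding the proxy's own address to the table.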