Date:      Mon, 13 Sep 2010 11:57:47 -0400
From:      Nathan Vidican <nathan@vidican.com>
To:        questions@freebsd.org
Subject:   Re: ipfw fwd for transparent proxy (squid) - but, not on loopback
Message-ID:  <AANLkTikDrjc1Ouopzwqd8GOW5TAt9iSc7dSMDH1NB9pY@mail.gmail.com>
In-Reply-To: <AANLkTikuAZTmHvZ8meBPRv_p6EH74aDNwWhE2rmVgA2d@mail.gmail.com>
References:  <AANLkTikuAZTmHvZ8meBPRv_p6EH74aDNwWhE2rmVgA2d@mail.gmail.com>

On Mon, Sep 13, 2010 at 11:53 AM, Nathan Vidican <nathan@vidican.com> wrote:
>
> Hey all - I've been trying to implement a transparent proxy for all outgoing traffic to port 80 to forward to a proxy server. The problem is that the proxy itself resides on a different host than the forward rule does. Has anyone done something similar? Ideally I'd like to implement with ipfw, but not opposed to other suggestions?
>
> Internet -> firewall/gateway -> proxy server -> LAN/clients
>
> Where the firewall/gateway is the central router for multiple networks, including the public subnet which 'proxy server' gets its external IP for. So ideally I would like something along the lines of this (assuming the proxy server is running on 10.1.1.12:3128):
>
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.2.0/24 to any 80 via 10.1.2.254
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.3.0/24 to any 80 via 10.1.3.254
> ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.1.0/26 to any 80 via 10.1.1.1
>
> I have tried the identical rules to above using 127.0.0.1,3128 - of course starting up squid on the gateway machine too... the problem is that machine simply doesn't have the resources and I'd prefer to run squid on a different host.
>
> Any suggestions or referrals to RTFM somewhere would be greatly appreciated. Thanks.
>
> --
> Nathan Vidican
> nathan@vidican.com
>

Go figure, five minutes after posting I found what I needed in squid's
documentation. FYI in case anyone comes across this thread, what I
had been doing wrong was 'http_port 3128 transparent' should have been
'http_port 3128 intercept' instead. See this link for more details:

http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw

--
Nathan Vidican
nathan@vidican.com
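Added example for readers of this thread (not part of Nathan's posts or of the squid wiki page): a script that generates the two rule sets the layout above needs, one for the gateway and one for the proxy host, plus the matching squid.conf line. The addresses and subnets are the ones from the original post; the proxy's inbound interface name (em0), the rule numbers, and the trailing allow rule on the proxy host are assumptions. The point it shows that the thread only hints at: ipfw(8) 'fwd' to a non-local address changes only the next hop, ignores the ",port" suffix and leaves the destination address untouched, so the proxy host receives packets still addressed to the origin server and must run its own 'fwd 127.0.0.1,3128' rule to hand them to squid.

```shell
#!/bin/sh
# Added example, not code from the thread or the squid wiki.
# Two-host ipfw + squid intercept setup:
#   gateway: holds 10.1.2.254, 10.1.3.254 and 10.1.1.1 on its LAN-facing NICs
#   proxy:   10.1.1.12, squid listening on 3128 in intercept mode
# Default is a dry run that prints the rules; run with DRY_RUN=0 on the
# respective host to apply them. Older kernels need 'options IPFIREWALL_FORWARD'
# for the fwd action to exist at all.

PROXY_IP=${PROXY_IP:-10.1.1.12}
PROXY_PORT=${PROXY_PORT:-3128}
PROXY_IF=${PROXY_IF:-em0}      # assumed: NIC on the proxy host that faces the gateway

# Rules for the gateway: steer client HTTP towards the proxy host.
# 'fwd <non-local addr>' only rewrites the next hop; a ",port" suffix would be
# ignored here, so none is given. Destination address and port stay as sent.
gateway_rules() {
    # The proxy's own fetches to origin servers must not be steered back to it,
    # or every request loops (10.1.1.12 lies inside 10.1.1.0/26 matched below).
    echo "ipfw add 590 allow tcp from $PROXY_IP to any 80"
    # 'via <addr>' matches the interface holding that address; 'in' restricts the
    # match to packets arriving from the LAN. Replies from squid leave the proxy
    # with the origin server's address as source, so do not drop them as spoofed.
    echo "ipfw add 600 fwd $PROXY_IP tcp from 10.1.2.0/24 to any 80 in via 10.1.2.254"
    echo "ipfw add 601 fwd $PROXY_IP tcp from 10.1.3.0/24 to any 80 in via 10.1.3.254"
    echo "ipfw add 602 fwd $PROXY_IP tcp from 10.1.1.0/26 to any 80 in via 10.1.1.1"
}

# Rules for the proxy host: the forwarded packets are still addressed to the
# origin server, so capture them and hand them to squid's local socket.
# Forwarding to a LOCAL address is where ",port" takes effect.
proxy_rules() {
    echo "ipfw add 100 fwd 127.0.0.1,$PROXY_PORT tcp from any to any 80 in via $PROXY_IF"
    # assumed placeholder for the host's normal policy
    echo "ipfw add 101 allow ip from any to any"
}

# squid.conf fragment: 'intercept' is the keyword for traffic delivered by
# ipfw fwd / NAT; 'transparent' is the older spelling that the thread started with.
squid_conf() {
    echo "http_port $PROXY_PORT intercept"
}

# apply_rules gateway|proxy : print (DRY_RUN=1, default) or execute the rules.
apply_rules() {
    case $1 in
        gateway|proxy) ;;
        *) echo "usage: apply_rules gateway|proxy" >&2; return 2 ;;
    esac
    "${1}_rules" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Default invocation: show everything for review before applying.
echo "# gateway"
apply_rules gateway
echo "# proxy host"
apply_rules proxy
echo "# squid.conf on the proxy host"
squid_conf
```

Run it once on each box as DRY_RUN=0 ./intercept.sh after checking the printed rules; the gateway half only makes sense on the gateway and the proxy half only on the proxy host, since 'fwd 127.0.0.1,3128' on the gateway would send the traffic to a squid that is not running there.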
