Date:      Fri, 28 Jun 2002 08:23:39 -0400 (EDT)
From:      Jaime <jaime@snowmoon.com>
To:        freebsd-questions@freebsd.org
Subject:   transparent proxying
Message-ID:  <20020628082314.M9991-100000@malkav.snowmoon.com>

	I know how to make a transparent proxy with squid and ipfw.  I've
done it before.  But now that I have to use dansguardian (damn CIPA
rules), I'm having some trouble.  My network looks something like:

(ISP) -- (Router) -- (Firewall) -- (Core switch)

	The firewall looks something like:

[ipfw] <--> [transproxy] <--> [dansguardian] <--> [squid] <--> [Web]

	I'm trying to get transproxy out of the mix, because it's making
all traffic to dansguardian into 127.0.0.1.  This prevents me from
tracking anything down or exempting certain IPs from the filters.

	My current attempts are more like this:

[ipfw divert] <-> [natd] <-> [dansguardian] <-> [squid] <-> [Web]

	I'm not sure how to configure natd, though.  The firewall's inside
interface is fxp1 and the outside is fxp0.  I've tried each of the
following ways to start natd, but none have seemed to work.  Sometimes it
ends up blocking all traffic and other times it lets all traffic through
but it doesn't filter it.

/sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp0
/sbin/natd -reverse -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
/sbin/natd -reverse -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
/sbin/natd -reverse -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1
/sbin/natd -proxy_only -proxy_rule port 80 server 127.0.0.1:8080 -interface fxp1
/sbin/natd -proxy_only -proxy_rule encode_ip_hdr port 80 server 127.0.0.1:8080 -interface fxp1
/sbin/natd -proxy_only -proxy_rule encode_tcp_stream port 80 server 127.0.0.1:8080 -interface fxp1

	These were all with ipfw rules like this:
/sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80

	Can anyone offer any insights?  It doesn't even have to be a
solution.  I just feel like I'm missing a detail somewhere.  Though I
wouldn't turn down a solution!  :)

							Thanks in advance,
							Jaime
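
As an added illustration, not part of Jaime's message or of any reply on the list, the following Python model walks a client's HTTP request and the proxy's reply through the divert-plus-natd path described above. It highlights one detail worth checking in this kind of setup: a divert rule that only matches packets going from 10.0.0.0/8 outward hands natd the client's request but never the proxy's answer, so natd has no chance to restore the original web server's address on the way back and the client sees a reply from 127.0.0.1:8080 that belongs to no connection it knows. The model is a deliberate simplification of ipfw rule matching and of natd's -proxy_rule behaviour (assumed: a state table keyed on client address and port; a second rule "from 127.0.0.1 8080 to 10.0.0.0/8" that is constructed for comparison only, not a tested FreeBSD configuration), and the client 10.0.0.5 and web server 192.0.2.10 are constructed sample addresses.

```python
"""Toy model of ipfw divert + natd -proxy_rule transparent proxying.

Added example, not FreeBSD code: it checks whether both directions of a
client's HTTP flow reach natd under a given set of divert rules.
"""
from dataclasses import dataclass, replace
from typing import Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class DivertRule:
    proto: str
    src_net: str
    src_negate: bool
    sport: Optional[int]
    dst_net: str
    dst_negate: bool
    dport: Optional[int]


def parse_ipfw_divert(rule: str) -> DivertRule:
    """Parse the subset of ipfw syntax used in the post, e.g.
    '/sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80'.
    Only 'from [not] NET [PORT] to [not] NET [PORT]' is understood (assumption)."""
    t = rule.split()
    i = t.index("divert") + 2          # skip the 'natd' divert port name
    proto = t[i]; i += 1
    assert t[i] == "from"; i += 1
    src_neg = t[i] == "not"; i += src_neg
    src = t[i]; i += 1
    sport = None
    if t[i].isdigit():
        sport = int(t[i]); i += 1
    assert t[i] == "to"; i += 1
    dst_neg = t[i] == "not"; i += dst_neg
    dst = t[i]; i += 1
    dport = int(t[i]) if i < len(t) and t[i].isdigit() else None
    return DivertRule(proto, src, src_neg, sport, dst, dst_neg, dport)


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: DivertRule, pkt: Packet) -> bool:
    s = in_net(pkt.src, rule.src_net) != rule.src_negate
    d = in_net(pkt.dst, rule.dst_net) != rule.dst_negate
    sp = rule.sport is None or pkt.sport == rule.sport
    dp = rule.dport is None or pkt.dport == rule.dport
    return s and d and sp and dp


class Natd:
    """Simplified natd in -proxy_only mode with one -proxy_rule (assumption:
    a table keyed on the client's address/port remembers the original target)."""

    def __init__(self, proxy_port: int, server_ip: str, server_port: int):
        self.proxy_port, self.server_ip, self.server_port = proxy_port, server_ip, server_port
        self.table = {}

    def process(self, pkt: Packet) -> Packet:
        if pkt.dport == self.proxy_port:            # client -> web: redirect to the proxy
            self.table[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=self.server_ip, dport=self.server_port)
        key = (pkt.dst, pkt.dport)                  # proxy -> client: restore original source
        if pkt.src == self.server_ip and pkt.sport == self.server_port and key in self.table:
            orig_dst, orig_dport = self.table[key]
            return replace(pkt, src=orig_dst, sport=orig_dport)
        return pkt


def divert(rules, natd: Natd, pkt: Packet):
    """Return (packet after natd, whether any divert rule matched)."""
    for r in rules:
        if matches(r, pkt):
            return natd.process(pkt), True
    return pkt, False


def check_flow(rule_strings, client: str, server: str) -> dict:
    """Simulate request and reply; report whether each direction was handled."""
    rules = [parse_ipfw_divert(r) for r in rule_strings]
    natd = Natd(80, "127.0.0.1", 8080)
    request = Packet(client, 40000, server, 80)
    out, _ = divert(rules, natd, request)
    reply = Packet(out.dst, out.dport, out.src, out.sport)   # proxy answers from 127.0.0.1:8080
    back, _ = divert(rules, natd, reply)
    return {
        "request_redirected": out.dst == "127.0.0.1" and out.dport == 8080,
        "reply_restored": back.src == server and back.sport == 80,
    }


POST_RULE = "/sbin/ipfw add 00050 divert natd tcp from 10.0.0.0/8 to not 10.0.0.0/8 80"
# Constructed comparison rule for the return path; an assumption, not a tested fix.
RETURN_RULE = "/sbin/ipfw add 00051 divert natd tcp from 127.0.0.1 8080 to 10.0.0.0/8"

if __name__ == "__main__":
    print("post's rule only:", check_flow([POST_RULE], "10.0.0.5", "192.0.2.10"))
    print("with return rule:", check_flow([POST_RULE, RETURN_RULE], "10.0.0.5", "192.0.2.10"))
```

The model says nothing about the interface (`-interface fxp0` vs `fxp1`) or about natd's `-reverse` flag; its single point is that natd keeps per-flow state and can only undo its rewrite on packets it is actually handed, so any divert rule set should be checked for covering the reply direction as well as the request.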