Date:      Fri, 13 Oct 2006 08:55:43 -0400 (EDT)
From:      "B. Cook" <bcook@poklib.org>
To:        "Travis H." <solinym@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Transparent proxy with ! and table issues..
Message-ID:  <54636.24.161.8.173.1160744143.squirrel@mail.poklib.org>
In-Reply-To: <d4f1333a0610130213q21fc91d2v4f82ede3ef562f9d@mail.gmail.com>
References:  <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org> <d4f1333a0610130213q21fc91d2v4f82ede3ef562f9d@mail.gmail.com>

On Fri, October 13, 2006 5:13 am, Travis H. wrote:
> I know this has been a while, but I didn't see a proper response in the
> thread.
> I suspect that the gateway is unset or improperly set on the routes
> associated
> with the alias.
>
> I'm not familiar with squidclient, but it looks like all requests are
> going through the squid proxy.  The common pattern seems to be that
> all the queries to .53 fail, and the only one to .52 succeeded.  I'm
> not sure why you think any of these queries should _not_ go through
> the rdr rules, since they are all in <localnets> and none are in
> <noproxy>, so they all match rdr rules.
> --
> "The obvious mathematical breakthrough would be the development of an
> easy way to factor large prime numbers.'' [sic] -- Bill Gates  -><-
> <URL:http://www.lightconsulting.com/~travis/>;
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
>


Thank you for looking at my post.

I did end up solving it with the following config:
staff_if="sis0"
public_if="xl0"
proxy_server="192.168.1.3"
allowed="{ 192.168.1.0/24, 172.16.10.0/24 }"

scrub on { $public_if, $staff_if } no-df min-ttl 32 max-mss 1460 random-id

# translation rules are first-match, so these exceptions must come before the rdr rules
no rdr on $public_if from $public_if:network to $allowed
no rdr on $staff_if from $staff_if:network to $allowed

# redirect the remaining web traffic from each LAN to the squid proxy
rdr on $public_if inet proto tcp from $public_if:network to any port www -> $proxy_server port 8080
rdr on $staff_if inet proto tcp from $staff_if:network to any port www -> $proxy_server port 8080

pass in on $staff_if inet proto tcp from any to $proxy_server port 8080 keep state
pass in on $public_if inet proto tcp from any to $proxy_server port 8080 keep state

pass out on $staff_if inet proto tcp from any to any port www keep state
pass out on $public_if inet proto tcp from any to any port www keep state
pass out on lo0 inet proto tcp from any to any port www modulate state

# EOF

The "no rdr" needed to be before the rdr statements.  It seems that with
the !<localnets> it would only take the first network and not the second.

I was trying to say "Not (this and that)" to negate them both, but it
would come out like "Not this and that", so the 'that' was allowed while
the "not this" worked as intended.
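To see why the rule order in the config above matters, here is a small model of pf's first-match evaluation of translation rules, added as an illustration and not part of the original thread. The pairing of interfaces to networks (xl0 = 172.16.10.0/24, sis0 = 192.168.1.0/24) and the external server address 203.0.113.10 are assumptions.

```python
# Added illustration (not code from the thread): a minimal model of how pf
# selects a translation rule, showing why the "no rdr" exceptions must be
# listed before the rdr rules.  Interface/network pairing is an assumption.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PROXY = ("192.168.1.3", 8080)                     # $proxy_server port 8080
ALLOWED = ["192.168.1.0/24", "172.16.10.0/24"]    # $allowed
ANY = ["0.0.0.0/0"]
# Assumed: xl0 ($public_if) carries 172.16.10.0/24, sis0 ($staff_if) 192.168.1.0/24
NET = {"xl0": "172.16.10.0/24", "sis0": "192.168.1.0/24"}

@dataclass
class Rule:
    action: str                  # "rdr" or "no rdr"
    iface: str
    dst: List[str]               # destination networks
    dport: Optional[int] = None  # None = any port (the "no rdr" lines)

    def matches(self, iface: str, src: str, dst: str, dport: int) -> bool:
        # every rule in the post uses "from $if:network", so the source
        # network is implied by the interface
        return (iface == self.iface
                and ip_address(src) in ip_network(NET[self.iface])
                and (self.dport is None or dport == self.dport)
                and any(ip_address(dst) in ip_network(n) for n in self.dst))

def translate(rules: List[Rule], iface: str, src: str, dst: str,
              dport: int) -> Optional[Tuple[str, int]]:
    """pf walks nat/rdr rules top-down and the FIRST match wins; a matching
    'no rdr' ends evaluation with the packet left untranslated."""
    for r in rules:
        if r.matches(iface, src, dst, dport):
            return PROXY if r.action == "rdr" else None
    return None

NO_RDR = [Rule("no rdr", "xl0", ALLOWED), Rule("no rdr", "sis0", ALLOWED)]
RDR = [Rule("rdr", "xl0", ANY, 80), Rule("rdr", "sis0", ANY, 80)]
WORKING = NO_RDR + RDR   # order from the post: exceptions first
BROKEN = RDR + NO_RDR    # exceptions after the redirect are never reached

if __name__ == "__main__":
    for name, rules in (("working", WORKING), ("broken", BROKEN)):
        # 203.0.113.10 is a constructed external web server (TEST-NET-3)
        print(name, translate(rules, "xl0", "172.16.10.20", "203.0.113.10", 80),
              translate(rules, "xl0", "172.16.10.20", "192.168.1.50", 80))
```

With the exceptions first, web traffic to the internal 192.168.1.0/24 hosts (including the proxy itself) stays untranslated; with the order reversed the rdr rule matches first and the internal web server is redirected to squid as well.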




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54636.24.161.8.173.1160744143.squirrel>