Date: Fri, 13 Oct 2006 08:55:43 -0400 (EDT)
From: "B. Cook" <bcook@poklib.org>
To: "Travis H." <solinym@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Transparent proxy with ! and table issues..
Message-ID: <54636.24.161.8.173.1160744143.squirrel@mail.poklib.org>
In-Reply-To: <d4f1333a0610130213q21fc91d2v4f82ede3ef562f9d@mail.gmail.com>
References: <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org> <d4f1333a0610130213q21fc91d2v4f82ede3ef562f9d@mail.gmail.com>
On Fri, October 13, 2006 5:13 am, Travis H. wrote:
> I know this has been a while, but I didn't see a proper response in the
> thread.
> I suspect that the gateway is unset or improperly set on the routes
> associated with the alias.
>
> I'm not familiar with squidclient, but it looks like all requests are
> going through the squid proxy. The common pattern seems to be that
> all the queries to .53 fail, and the only one to .52 succeeded. I'm
> not sure why you think any of these queries should _not_ go through
> the rdr rules, since they are all in <localnets> and none are in
> <noproxy>, so they all match rdr rules.
> --
> "The obvious mathematical breakthrough would be the development of an
> easy way to factor large prime numbers.'' [sic] -- Bill Gates -><-
> <URL:http://www.lightconsulting.com/~travis/>
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

Thank you for looking at my post.

I did end up solving it with the following config:

staff_if="sis0"
public_if="xl0"
proxy_server="192.168.1.3"
allowed="{ 192.168.1.0/24, 172.16.10.0/24 }"

scrub on { $public_if, $staff_if } no-df min-ttl 32 max-mss 1460 random-id

no rdr on $public_if from $public_if:network to $allowed
no rdr on $staff_if from $staff_if:network to $allowed

rdr on $public_if inet proto tcp from $public_if:network to any port www -> $proxy_server port 8080
rdr on $staff_if inet proto tcp from $staff_if:network to any port www -> $proxy_server port 8080

pass in on $staff_if inet proto tcp from any to $proxy_server port 8080 keep state
pass in on $public_if inet proto tcp from any to $proxy_server port 8080 keep state
pass out on $staff_if inet proto tcp from any to any port www keep state
pass out on $public_if inet proto tcp from any to any port www keep state
pass out on lo0 inet proto tcp from any to any port www modulate state
# EOF

The "no rdr" needed to be before the rdr statements.
It seems that with !<localnets> it would only take the first network and not the second. I was trying to say "Not (this and that)" to negate them both, but it would come out like "Not this and that", so the 'that' was allowed while the "not this" worked as intended.
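The two points in this message (a negated group of networks not exempting all of them, and "no rdr" having to come before "rdr") both follow from how pf processes translation rules: the first matching translation rule decides, and pf.conf(5) documents that a negated list such as "to ! { A, B }" is expanded into one rule per element rather than one rule meaning "not (A or B)". The following Python model is an added illustration, not pf itself and not the poster's ruleset; it models only that documented list expansion and first-match behaviour (it does not reproduce whatever the <localnets> table did on the poster's box), using the thread's two allowed networks and a constructed proxy target.

```python
# Model of two ways to exempt local networks from a transparent-proxy rdr rule.
# Added illustration, not pf code: it models the list expansion described in
# pf.conf(5) ("to ! { A, B }" becomes one rule per element) and first-match
# evaluation of translation rules, so the outcome of each ordering can be seen.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample values; the networks match the thread's $allowed macro.
PROXY = "192.168.1.3:8080"
ALLOWED = [ip_network("192.168.1.0/24"), ip_network("172.16.10.0/24")]


@dataclass
class Rule:
    kind: str                      # "rdr" or "no rdr"
    dst: Optional[IPv4Network]     # None models "to any"
    negate: bool = False           # models "to ! <net>"
    target: Optional[str] = None   # redirect target for "rdr" rules

    def matches(self, dst) -> bool:
        """Does this rule's destination clause match the packet's destination?"""
        if self.dst is None:
            return True
        hit = dst in self.dst
        return (not hit) if self.negate else hit


def negated_list_rules(nets, target) -> List[Rule]:
    """'rdr ... to ! { A, B } -> target' as pf.conf(5) says it expands: one rule per element."""
    return [Rule("rdr", n, negate=True, target=target) for n in nets]


def no_rdr_first_rules(nets, target) -> List[Rule]:
    """The pattern that worked in the thread: 'no rdr' exemptions, then the catch-all rdr."""
    return [Rule("no rdr", n) for n in nets] + [Rule("rdr", None, target=target)]


def translate(rules, dst_ip: str) -> Optional[str]:
    """First matching translation rule decides; a 'no rdr' match means no redirection."""
    dst = ip_address(dst_ip)
    for rule in rules:
        if rule.matches(dst):
            return rule.target if rule.kind == "rdr" else None
    return None


def redirected_destinations(rules, dst_ips) -> List[str]:
    """Return the subset of dst_ips that would be sent to the proxy."""
    return [d for d in dst_ips if translate(rules, d) is not None]


if __name__ == "__main__":
    # Constructed sample destinations: one in each allowed network, one outside.
    samples = ["192.168.1.20", "172.16.10.5", "203.0.113.9"]
    print("negated list     :", redirected_destinations(negated_list_rules(ALLOWED, PROXY), samples))
    print("no rdr first     :", redirected_destinations(no_rdr_first_rules(ALLOWED, PROXY), samples))
    print("rdr before no rdr:", redirected_destinations(
        list(reversed(no_rdr_first_rules(ALLOWED, PROXY))), samples))
```

With the negated list, each element's rule matches any destination outside that one element, so traffic to 172.16.10.0/24 matches the "! 192.168.1.0/24" rule and is redirected anyway; with "no rdr" exemptions listed first, only the outside destination reaches the proxy, and putting the catch-all rdr ahead of them redirects everything because it is the first match. On a real system, "pfctl -nvf /etc/pf.conf" prints the expanded rules without loading them, which is the quickest way to see what a negated list or table clause actually turned into.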
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54636.24.161.8.173.1160744143.squirrel>