[geeks] pf question: doing internal rdr?
Phil Stracchino
alaric at metrocast.net
Wed Jun 2 16:46:58 CDT 2010
Seeking the assistance of those whose pf-fu is stronger than mine.
I am endeavoring to force an HTTP (but not HTTPS) proxy on certain
machines on my local net so that I can use squid to apply access
restrictions. My squid filter configuration appears to be working
correctly, but the pf part of the equation isn't. These are the
applicable pf rules:
if_backbone = "fxp0" # 10.24.32.1
if_wireless = "fxp1" # 10.24.33.1
if_external = "fxp2" # 216.246.132.90
if_internal = "{ fxp0, fxp1 }"
table <ad_internal> persist { 10.24.32.0/23 }
table <proxy_clients> persist { 10.24.32.21, 10.24.32.24, \
10.24.32.28, 10.24.32.51, 10.24.33.51 }
rdr on $if_internal inet proto tcp from <proxy_clients> \
to !<ad_internal> port http -> 10.24.32.14 port 3128
According to this 2006 article, this should work:
http://onlamp.com/pub/a/bsd/2006/02/16/os_fingerprint_filtering.html
According to this thread on the FreeBSD forums, it can't, because pf
can't reflect a packet back out on the same interface it came in on:
http://forums.freebsd.org/archive/index.php/t-4722.html
And indeed, from a client on the same segment as the server, this does
not work. Using tcpdump on pflog0, I can watch the packet go in and be
ostensibly redirected to the squid host and port, but squid appears to
never receive it and the client connection hangs forever.
Can anyone point me at a way to do this that will work with clients on
the same segment as the squid proxy, but does not require a manual proxy
setting on the client (and thus cannot be evaded at the client simply by
clearing the proxy setting)?
--
Phil Stracchino, CDK#2 DoD#299792458 ICBM: 43.5607, -71.355
alaric at caerllewys.net alaric at metrocast.net phil at co.ordinate.org
Renaissance Man, Unix ronin, Perl hacker, Free Stater
It's not the years, it's the mileage.
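The standard cure for the same-segment case, added here as an example and not part of Phil's post, is the "redirection and reflection" pattern from the OpenBSD PF FAQ: a nat rule on the internal interface rewrites the redirected packet's source to the firewall's own address, so squid answers the firewall rather than the client and the reply is forced back through pf. It assumes the interface names, tables and squid address from the post, the pre-OpenBSD-4.7 rdr/nat syntax FreeBSD shipped in 2010, and that squid is already listening transparently on 3128.

```pf
# Added example (not from the original post): PF FAQ-style reflection so
# that clients on the squid host's own segment can be transparently proxied.
if_backbone = "fxp0"           # 10.24.32.1
if_wireless = "fxp1"           # 10.24.33.1
if_external = "fxp2"           # 216.246.132.90
if_internal = "{ fxp0, fxp1 }"
squid_host  = "10.24.32.14"    # assumed from the post's rdr target
squid_port  = "3128"

table <ad_internal>   persist { 10.24.32.0/23 }
table <proxy_clients> persist { 10.24.32.21, 10.24.32.24, \
                                10.24.32.28, 10.24.32.51, 10.24.33.51 }

# 1. Redirect outbound HTTP (not HTTPS) from the listed clients to squid.
rdr on $if_internal inet proto tcp from <proxy_clients> \
    to !<ad_internal> port http -> $squid_host port $squid_port

# 2. Reflection. As the redirected packet leaves fxp0 toward squid, rewrite
#    its source to fxp0's address. Squid then replies to the firewall, the
#    reply traverses pf, and both translations are undone. Without this,
#    squid's reply reaches the client directly from 10.24.32.14:3128, matches
#    no connection the client knows about, and the session hangs.
nat on $if_backbone inet proto tcp from <proxy_clients> \
    to $squid_host port $squid_port -> ($if_backbone)

# 3. Filter rules see the translated addresses, so pass the post-rdr and
#    post-nat forms and keep state so the return path is matched.
pass in  quick on $if_internal inet proto tcp from <proxy_clients> \
    to $squid_host port $squid_port keep state
pass out quick on $if_backbone inet proto tcp from ($if_backbone) \
    to $squid_host port $squid_port keep state
```

The trade-off is that squid now sees every proxied request as coming from 10.24.32.1, so squid ACLs keyed on client IP can no longer tell the listed clients apart; restrictions that must differ per client have to be enforced elsewhere (for instance in the pf table itself). Verify with `pfctl -s state` that both a rdr and a nat entry appear for a test connection.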