Hi,

One needs to set up the following nat/rdr rule in IPF to work with a transparent Squid proxy:

    # Redirect direct web traffic to local web server.
    rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp

    # Redirect everything else to squid on port 8080
    rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp

How can I configure nat/rdr in PF to do that same thing?
I assumed 1.2.3.4/32 is the IP of the Squid server.
But 0.0.0.0/0 looks strange to me if I do that same thing in PF.

Thanks
Sam
On Sat, 12 Feb 2005 19:37:03 +0800, sam <sam.wun@authtec.com> wrote:

> How can I configure nat/rdr in PF to do that same thing?
> I assumed 1.2.3.4/32 is the IP of the Squid server.
> But 0.0.0.0/0 looks strange to me if I do that same thing in PF.

Easy,

Squid is configured to listen on localhost only and has been configured as a transparent cache, this

    ~ # grep -i 3128 /etc/pf.conf
    rdr pass on $Int proto tcp from $LAN to !$<InsideNets> port www ->\
        127.0.0.1 port 3128
    rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 ->\
        127.0.0.1 port 3128

The 1st rdr pass does the http interception.
The 2nd rdr pass allows the proxy to be utilised inline if necessary.

& this

    ~ # grep -i squid /etc/pf.conf
    pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF\
        queue (q_def, q_pri)

takes care of the rest.

--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
Greg Hennessy wrote:

> On Sat, 12 Feb 2005 19:37:03 +0800, sam <sam.wun@authtec.com> wrote:
>
>> How can I configure nat/rdr in PF to do that same thing?
>> I assumed 1.2.3.4/32 is the IP of the Squid server.
>> But 0.0.0.0/0 looks strange to me if I do that same thing in PF.
>
> Easy,
>
> Squid is configured to listen on localhost only and has been configured as
> a transparent cache, this
>
> ~ # grep -i 3128 /etc/pf.conf
> rdr pass on $Int proto tcp from $LAN to !$<InsideNets> port www ->\
>     127.0.0.1 port 3128

Hi, thanks very much for the help.
I'm not quite an expert in PF syntax. What does !$<InsideNets> represent?
<InsideNets> is a table that contains a list of internal subnets, and !$<...> means "does not belong to the Internal Subnets"?

> rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 ->\
>     127.0.0.1 port 3128
>
> The 1st rdr pass does the http interception.
> The 2nd rdr pass allows the proxy to be utilised inline if necessary.
>
> & this
>
> ~ # grep -i squid /etc/pf.conf
> pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF\
>     queue (q_def, q_pri)

Similarly, what does !<...> represent? And how about $KSF?

Thanks
Sam.

> takes care of the rest.
On Sat, 12 Feb 2005 23:31:45 +0800, sam <sam.wun@authtec.com> wrote:

> Greg Hennessy wrote:
>
>> ~ # grep -i 3128 /etc/pf.conf
>> rdr pass on $Int proto tcp from $LAN to !$<InsideNets> port www ->\
>>     127.0.0.1 port 3128
>
> Hi, thanks very much for the help.
> I'm not quite an expert in PF syntax.

That will change :-), the syntax improvements over IPF make for shorter and easier to maintain policies IMHO. When I migrated over from IPF on Solaris, I was able to reduce the number of lines in the policy I was using by around half.

> What does !$<InsideNets> represent?
> <InsideNets> is a table that contains a list of internal subnets, and
> !$<...> means "does not belong to the Internal Subnets"?

Sorry, typo on my part, it should be

    rdr pass on $Int proto tcp from $LAN to !<InsideNets> port www ->\
        127.0.0.1 port 3128

There is no dollar before the table delimiter, it's not a macro expansion.

And you are correct, '!' indicates the set of addresses 'not' contained in the table <InsideNets>.

>> rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 ->\
>>     127.0.0.1 port 3128
>>
>> The 1st rdr pass does the http interception.
>> The 2nd rdr pass allows the proxy to be utilised inline if necessary.
>>
>> & this
>>
>> ~ # grep -i squid /etc/pf.conf
>> pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF\
>>     queue (q_def, q_pri)
>
> Similarly, what does !<...> represent?

Same as above, allow out tcp traffic from the process(es) owned by the UID squid to any destination address which is 'not' in the table <InsideNets>.

> And how about $KSF?

You'll find the pfctl macro expansion capability to be very useful. Here are some of the ones I use:

    UDP="inet proto udp"
    TCP="inet proto tcp"
    KSF="keep state flags S/SA"
    KS="keep state"

greg

--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
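As an added example, not code from any poster in this thread, here is a small Python evaluator for rdr rules written in the style Greg quotes above. It lets you check offline what `$macro` expansion, `<table>` versus `!<table>` membership, `$Int:0` and first-match rdr ordering actually do to a sample packet before loading a policy with pfctl. The interface names (em0/em1), addresses, subnets and the /etc/services lookup are all constructed assumptions; pf's real parser is far richer than the three rule shapes handled here.

```python
"""Added example (not from the thread): evaluate pf.conf-style rdr rules
against sample packets to see how `$macro`, `<table>`, `!<table>`,
`$Int:0` and first-match rdr ordering behave. Names, addresses and
subnets are constructed, not taken from anyone's real policy."""
import ipaddress
import re

# Constructed pf.conf fragment; the corrected rule has no '$' before the table.
PF_CONF = r'''
Int="em1"
Ext="em0"
LAN="192.168.1.0/24"
TCP="inet proto tcp"
KSF="keep state flags S/SA"
table <InsideNets> { 192.168.1.0/24, 10.0.0.0/8 }

# 1st rdr: intercept http from the LAN to anything NOT in <InsideNets>
rdr pass on $Int proto tcp from $LAN to !<InsideNets> port www ->\
    127.0.0.1 port 3128
# 2nd rdr: clients may also use the proxy explicitly via the LAN address
rdr pass on $Int proto tcp from $LAN to $Int:0 port 3128 ->\
    127.0.0.1 port 3128
# squid's own outbound traffic (expanded here, but not evaluated)
pass out quick on $Ext $TCP to !<InsideNets> user squid $KSF\
    queue (q_def, q_pri)
'''

IFACE_ADDRS = {"em1": "192.168.1.1"}   # constructed: what `$Int:0` resolves to
SERVICES = {"www": 80}                 # pf consults /etc/services; one entry suffices

def expand(line, macros):
    """Substitute $name with its macro value, as pfctl does before parsing."""
    return re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)

def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    joined = re.sub(r"\\\n\s*", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def parse_conf(text):
    """Return (macros, tables, rdr_rules); non-rdr rules are skipped."""
    macros, tables, rules = {}, {}, []
    for line in logical_lines(text):
        m = re.match(r'^(\w+)="([^"]*)"$', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^table <(\w+)> \{([^}]*)\}$", line)
        if m:
            tables[m.group(1)] = [ipaddress.ip_network(a.strip())
                                  for a in m.group(2).split(",")]
            continue
        line = expand(line, macros)   # macros are expanded before rule parsing
        m = re.match(r"^rdr pass on (\S+) proto tcp from (\S+) to (\S+) "
                     r"port (\S+) -> (\S+) port (\S+)$", line)
        if m:
            iface, src, dst, port, rdr_ip, rdr_port = m.groups()
            rules.append({"iface": iface, "src": src, "dst": dst,
                          "port": SERVICES.get(port) or int(port),
                          "rdr": (rdr_ip, int(rdr_port))})
    return macros, tables, rules

def addr_matches(spec, ip, tables):
    """One address operand: any, <table>, !<table>, iface:0 or a CIDR/host."""
    ip = ipaddress.ip_address(ip)
    negate = spec.startswith("!")       # '!' = the complement of the set
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("<") and spec.endswith(">"):
        hit = any(ip in net for net in tables[spec[1:-1]])
    elif spec.endswith(":0"):
        hit = ip == ipaddress.ip_address(IFACE_ADDRS[spec[:-2]])
    else:
        hit = ip in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def redirect_for(rules, tables, src, dst, dport, iface="em1"):
    """Translation rules are first-match in pf: return the first rdr target."""
    for r in rules:
        if (r["iface"] == iface and r["port"] == dport
                and addr_matches(r["src"], src, tables)
                and addr_matches(r["dst"], dst, tables)):
            return r["rdr"]
    return None

MACROS, TABLES, RULES = parse_conf(PF_CONF)

if __name__ == "__main__":
    for src, dst, port in [("192.168.1.50", "203.0.113.10", 80),
                           ("192.168.1.50", "10.0.0.5", 80),
                           ("192.168.1.50", "192.168.1.1", 3128)]:
        print(f"{src} -> {dst}:{port}  rdr => {redirect_for(RULES, TABLES, src, dst, port)}")
```

Running it shows the point of the `!<InsideNets>` operand: a LAN client's HTTP request to an outside address is redirected to 127.0.0.1:3128, while the same request to a host inside the table passes through untranslated, so internal web servers are never proxied. The `$Int:0` rule only matches when the client deliberately points at the firewall's own LAN address on 3128.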
sam wrote:

> Hi,
>
> One needs to set up the following nat/rdr rule in IPF to work with a
> transparent Squid proxy:
>
> # Redirect direct web traffic to local web server.
> rdr de0 1.2.3.4/32 port 80 -> 1.2.3.4 port 80 tcp
>
> # Redirect everything else to squid on port 8080
> rdr de0 0.0.0.0/0 port 80 -> 1.2.3.4 port 8080 tcp
>
> How can I configure nat/rdr in PF to do that same thing?
> I assumed 1.2.3.4/32 is the IP of the Squid server.
> But 0.0.0.0/0 looks strange to me if I do that same thing in PF.
>
> Thanks
> Sam

Snippet from my pf.conf; you will also need a pass rule if you are blocking by default. Visit https://solarflux.org/pf to look at some examples and research a bit.

    # WWW - this will allow access to our web server behind firewall
    #rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> \
    #192.168.100.2 port 80

    # Allow WWW connections from the internet, through the firewall to
    # a specific machine on the LAN, as long as only the SYN flag is set on
    # the initial packet.
    #pass in on $ext_if inet proto tcp from any to 192.168.100.2 port 80 \
    #flags S/SAFRUPEW keep state