Damien Fleuriot skrev 2012-11-29 00:28:
On 27 November 2012 22:01, Leslie Jensen <les...@eskk.nu> wrote:Well, that depends on what you want to do. If you want FTP traffic to go to ftp-proxy running on the firewall, then redirect to 8021. If you want it to go to your squid proxy, then send it to port 8080 on $proxy. Let's redo your redirects correctly. I'll expand upon Volodymyr's idea of not confusing normal rules with ones matching a packet that was redirected, through the use of tags. # 1/ redirect web traffic to the proxy $proxy on port $proxyport rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021 rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp # 3/ access rule to allow traffic from the local net to your proxy pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy # 4/ access rule to allow traffic from the local net to your FTP proxy pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR I liked Volodymyr's original intent behind the "rdr pass", the use of tags here allows you to setup actual pass/block rules and still match packets coming from a redirect. This has many advantages, including: - quick keyword - flags matching - use of labels to keep stats, if you'd like to Well basically it only has advantages. Let me know if that helped. _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Thank you Damien. I'll try out your suggestions and report back. Thanks :-) /Leslie _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
