On 2018-08-16, Joerg Streckfuss <streckf...@dfn-cert.de> wrote:
> On 15.08.2018 at 18:26, Stuart Henderson wrote:
>> On 2018-08-15, George <g.lis...@nodeunit.com> wrote:
>>> I believe you may be looking for a redirect not a relay. It all really
>>> depends on your network topology and what you are trying to do but in
>>> general something like this is what you are looking at:
>>
>> For directing traffic from a PF box to a separate Squid box setup
>> as an interception ("transparent") proxy, you want "route-to" rather
>> than "rdr-to" (see squid pkg-readme).
>>
>> I haven't tried this with relayd but it looks like redirection with
>> "route to" is what's needed here.
>>
>> An associated "divert-to" is also needed on the box running Squid
>> (again see the pkg-readme).
>>
>
> I tried to get the relayd part with redirects and the route-to option
> running. The problem here in my opinion is the listen option of redirects.
> You could say something like: listen on ip X port 80 route-to Y. So the
> redirect will listen for the _destination_ ip X with port 80 and will route
> these packets to Y.
> But how could you say: listen for _all_ packets coming from this special ip
> to any port 80 route to Y?
Ah yes of course, in that case relayd doesn't seem suitable for this job as-is.

> My first thought was to divert the relevant packets with pf to localhost and
> then a redirect should do the job. The pf part is not the problem. But I
> didn't find a running redirect configuration. I think grabbing diverted
> packets from localhost is the job of relays not redirects, right?

You definitely don't want a redirect for this, squid itself wants to get the
packets with divert-to so it can look up the original destination address.
Redirecting would remove that address. So in that case it would require
changes to relayd.
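As an added illustration of the pf-only setup the reply points at (not taken from the thread or from the squid pkg-readme), here is a pair of pf.conf fragments: route-to on the PF router to steer the chosen client's port-80 traffic to the Squid box without rewriting the destination, and divert-to on the Squid box so Squid still sees the original destination address. Interface names, addresses, the client list and the Squid port 3129 are assumptions; adjust them to the real topology.

```pf
# Added example, not from the thread or the squid pkg-readme.
# Assumed layout: clients in 10.0.0.0/24 behind the router's em1; the Squid
# box is 192.0.2.10 on the router's em2; Squid runs "http_port 3129 intercept".

# ---- pf.conf on the PF router ----
int_if   = "em1"
squid_if = "em2"
squid    = "192.0.2.10"
# The "special ip" from the question; a table works equally well here.
clients  = "{ 10.0.0.50 }"

# route-to changes only the next hop: the packet keeps its real destination
# address, which is what Squid needs later. rdr-to would overwrite it.
# Releases after this thread take a bare address ("route-to $squid");
# check pf.conf(5) for the syntax of the release in use.
pass in quick on $int_if proto tcp from $clients to any port 80 \
    route-to ($squid_if $squid)

# ---- pf.conf on the Squid box ----
ext_if  = "em0"
clients = "{ 10.0.0.50 }"

# divert-to hands the packet to the local intercept socket while leaving the
# destination address intact, so Squid can read it and connect to the real
# server. Limiting the rule to $clients keeps the box from proxying for
# arbitrary hosts that can reach it, and keeps Squid's own outbound port-80
# fetches (sourced from the box itself) out of the diversion.
pass in quick on $ext_if proto tcp from $clients to any port 80 \
    divert-to 127.0.0.1 port 3129
pass out quick on $ext_if proto tcp to any port 80

# ---- squid.conf on the Squid box, the relevant line only ----
# http_port 3129 intercept
```

The reason the reply rejects a relayd redirect is visible in the second fragment: a redirect (like rdr-to) rewrites the destination to the local address, and Squid's intercept port would then have nothing to look up; divert-to is the only one of the two that preserves it.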