Hi,

I have googled with no success, read all the relevant man pages I could also with no success.

I have an OpenBSD 4.1 box configured as a bridge. It is working 100%. I have a few monitoring programs (pmacct) feeding to some analysis tools (flox, pnrg). It's also running symon, symux, syweb. I'm very pleased with the config so far.

I now would like to throw squid into the mix acting as a transparent proxy. I have the squid-transparent port installed. If I change the box from a bridge to a router doing NAT, the transparent proxy works 100%. I can also hit the box on 3128 and access the Internet (even in bridge mode). However, I want the installation of this system to be non-intrusive. To run as a router, it needs to be the default gateway of all the systems, and that amount of change for a transient analysis tool is not acceptable.

I have tried everything I can think of to get this to work in bridge mode to no avail.

I have net.inet.ip.forwarding=1. I have pf=YES in /etc/rc.conf.local. I have the default route to be the network default gateway and DNS is working on the OpenBSD box.

I have put an IP address on the external (router facing) NIC and told Squid to listen to it. Configuring my browser to use that IP address as a proxy works 100%.

I was thinking that a rule like below should work:

rdr on $int_if inet proto tcp from any to any port www tag SQUID -> 10.5.2.143 port 3128

int_if has no ip address. 10.5.2.143 is the IP address assigned on the external interface. My reasoning was that this would "conceptually" route the packet across the 2 interfaces, coming in on the internal and going out on the external. Doing a tcpdump on the int_if I can see the packet arriving with a destination port 80. Doing a tcpdump on the ext_if, I can see the packet arriving with a destination port of 3128. Squid never sees the packet...or maybe it does, but it does not log anything. I'm completely at a loss, as the squid itself is working properly if I can just get the packets to it!

I have tried most combinations of IP address on inside interface, outside interface, redirecting to inside, outside, localhost, etc. to no avail.

I'm beginning to wonder if rdr is even possible on a bridge interface. I have not been able to find a complete list of commands available to brconfig (e.g.: brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag boss).

I cannot believe that at the bridge level (ethernet) I have access to any ip information (eg: port), so I can't tag at the bridge level for processing in pf. Any attempts I made to specify that type of information with the brconfig command failed.

Can anyone shed any light?

And no, no packets should be getting blocked as I have 2 rules,

pass in all keep state
pass out all keep state

Thanks,
Steve Williams
