Now it works,
thank you very much, Daniel!
Daniel Hartmeier (dan...@benzedrine.cx) [11.04.26 11:58] wrote:
> Remember, only the initial (first) packet of a connection causes
> ruleset evaluation, hence rules can be said to apply to the initial
> packets of connections (everything else is covered by stat
On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:
> here we see outgoing via $if_wan traffic successfully coming through wan_http
> queue, the rule 18
> but no traffic coming through the rule 24 but 10 instead ...
>
> so, what am I missing, please?
>
> why pflog row:
> ... rule
Daniel Hartmeier (dan...@benzedrine.cx) [11.04.15 09:37] wrote:
> First, incoming and outgoing in context of pf.conf rules are
> relative to the firewall (and not your LAN vs. the internet),
> e.g. incoming means 'enters the firewall through an interface
> from a network' and outgoing means 'exits
On Mon, Apr 11, 2011 at 06:22:30PM +0300, Zeus V Panchenko wrote:
> first rule catches traffic from LAN to inet so, the sequence is:
>
> LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
>
> and backward ...
>
> some_web_server -> if_wan -> proxy server -> if_lan -> LAN
>
> i
Daniel Hartmeier (dan...@benzedrine.cx) [11.04.11 11:57] wrote:
> On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
>
> > pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> > to any port { $ports_proxy } keep state queue wan_http
> > pass out log (all) on
On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
> pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> to any port { $ports_proxy } keep state queue wan_http
> pass out log (all) on $if_lan inet proto { tcp, udp } from any port {
> $ports_proxy } \
>
Thank you, Daniel, for the reply,
Daniel Hartmeier (dan...@benzedrine.cx) [11.04.11 09:18] wrote:
> On Mon, Apr 11, 2011 at 08:45:44AM +0300, Zeus V Panchenko wrote:
> It seems you want log(all), but are only using log, see pf.conf(5):
it didn't help ...
pftop output still shows no lan_http counters an
On Mon, Apr 11, 2011 at 08:45:44AM +0300, Zeus V Panchenko wrote:
> what am I missing, please? Why is traffic outgoing to LAN missed on pflog0?
It seems you want log(all), but are only using log, see pf.conf(5):
log Only the packet that establishes the state is logged
log (all)
Hi all,
while trying to shape bandwidth for transparent proxy traffic I faced
behaviour that is weird to me ... may somebody help me understand where I am
making a mistake, please?
I use squid as proxy (installed from ports and configured with
WITH_SQUID_PF=true, WITH_SQUID_IPFILTER=true), it works and my LAN
> Something like: pass in log on $int_if route-to ($int_if 127.0.0.1) from
> 192.168.103.1 synproxy state
Interesting, the client shows:
CONNECTED(0003)
Pflog shows (this time 192.168.103.69 was used in place of 192.168.103.1):
1294126958.718778 rule 0/0(match): pass in on ed0: (tos 0x0,
en "rdr pass" in the first
rule)
3/ Allow outgoing traffic on our external interface to web servers
(which comes in use if you don't have a "pass out" rule for everything)
However regarding squid you need to compile it with the transparent
proxy for PF option, so there
From studying squid rules, I found the following pf rule set. Does this do
something similar to what I'm after? I tried something like this but it
didn't help.
int_if="gem0"
ext_if="kue0"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto
Is there a way to see what the rule is doing? It didn't have any effect.
I've been trying different combinations, sometimes targeting
192.168.103.2. One test locked up the host.
> On 1/2/11 9:04 PM, j...@experts-exchange.com wrote:
>> Here I want :
>>
>> nn:nn:nn.nn IP 127.0.0.1.51791 > 192
On 1/2/11 9:04 PM, j...@experts-exchange.com wrote:
> Here I want :
>
> nn:nn:nn.nn IP 127.0.0.1.51791 > 192.168.103.2.80: Flags [S], ack ...
>
> int_if="lo0"
> ext_if="ed0"
>
> pass in on $int_if route-to ($int_if 127.0.0.1) from 192.168.103.1 keep state
>
> But no good (it's not able to s
n one not bound to
any available network interface in the system. This functionality (in
conjunction with special firewall rules) can be used for implementing a
transparent proxy. The PRIV_NETINET_BINDANY privilege is needed to set
this option.
http://www.freebsd.org/cgi/man.cgi?q
nux version of the kernel level
> DIVERT proxy filters, so my version is not capturing that function. From
> my lack of understanding of PF, I don't know that it can work this way.
>
> Thanks
>
>> I'm not sure what you're trying to achieve here.
>>
>>
ks
> I'm not sure what you're trying to achieve here.
>
> Are you actually using proxy software at all, or only a PF redirect rule ?
>
> Are you trying to set up a FORWARD or a REVERSE proxy ?
>
> What do you use stunnel for, SSL/TLS connectivity ?
>
>
>
.com wrote:
> Folks,
>
> I am trying to use stunnel & pf to devise a transparent proxy, but am
> unable to figure out how to do it. What I have is ext ip -> stunnel ->
> http service, but the http service does not know where to route back the
> packets, and remains in
Folks,
I am trying to use stunnel & pf to devise a transparent proxy, but am
unable to figure out how to do it. What I have is ext ip -> stunnel ->
http service, but the http service does not know where to route back the
packets, and remains in a sync state.
Hello folks,
On a FBSD7.1 box I would like to implement this sort of
"transparent reverse proxy":
inet <---> (vr0)(vr1) <---> host
such box is expected to
1) pass transparently anything from inet to host and vice versa
2) redirect some of such traffic (some well-defined TCP connections)
from "
On 5/17/07, Andrew Thompson <[EMAIL PROTECTED]> wrote:
On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> All,
>
> Wondering if the following scenario is at all rational/feasible:
>
> [fw-a]---
> |
> |
> [switch]---[freebsd]---[router]---[many subnets]
On Thu, May 17, 2007 at 05:25:35PM -0700, Kurt Buff wrote:
> All,
>
> Wondering if the following scenario is at all rational/feasible:
>
> [fw-a]---
> |
> |
> [switch]---[freebsd]---[router]---[many subnets]
> |
> |
> [fw-b]---
>
> F
All,
Wondering if the following scenario is at all rational/feasible:
[fw-a]---
|
|
[switch]---[freebsd]---[router]---[many subnets]
|
|
[fw-b]---
Fw-a fronts our current T1, and that ties our other two offices
together with IPSec,
On 10/13/06, B. Cook <[EMAIL PROTECTED]> wrote:
the "no rdr" needed to be before the rdr statements. It seems that having
the ! it would only take the first network and not the second.
Well, I don't think that's the way it was working.
Negated lists don't work as expected (see the FAQ), but y
On Fri, October 13, 2006 5:13 am, Travis H. wrote:
> I know this has been a while, but I didn't see a proper response in the
> thread.
> I suspect that the gateway is unset or improperly set on the routes
> associated
> with the alias.
>
> I'm not familiar with squidclient, but it looks like all re
I know this has been a while, but I didn't see a proper response in the thread.
I suspect that the gateway is unset or improperly set on the routes associated
with the alias.
I'm not familiar with squidclient, but it looks like all requests are
going through the squid proxy. The common pattern s
Hello,
I'm not sure how to explain this but I will do my best.
I have a FreeBSD 6.1-p7 box running pf.
sis0 10.0.0.87/25
xl0 192.168.1.3/24
gw is 10.0.0.62
pf rules are simple:
public_if ="sis0"
staff_if="xl0"
proxy_server="192.168.1.3"
table const {172.16.10.0/24}
table co
Roman Gorohov. wrote:
Hello list.
I'm planning to configure pf in a bridged environment (using if_bridge on 6.1),
so I have a question: will a transparent proxy work?
Is there any working config, or some known issues?
TIA, Roman Gorohov.
What
Hello list.
I'm planning to configure pf in a bridged environment (using if_bridge on 6.1),
so I have a question: will a transparent proxy work?
Is there any working config, or some known issues?
TIA, Roman Gorohov.
freebsd-pf@freebsd.org mailing
On Sat, Aug 20, 2005 at 02:34:19PM +0700, sephiroth wrote:
> I have a question about transparent proxy. I read the manual at
> http://benzedrin.cx about transparent proxy with squid. I have a network
> with 20 clients connected to the internet and I have implemented that manual on
> my serve
hi,
I have a question about transparent proxy. I read the manual at
http://benzedrin.cx about transparent proxy with squid. I have a network
with 20 clients connected to the internet and I have implemented that manual on
my server. I want my clients to only use the proxy on my server. My question is
why the
Quoting Aguiar Magalhaes <[EMAIL PROTECTED]>:
Can the host 192.168.10.100 bypass the squid using
transparent proxy?
I have a rule in my pf.conf:
rdr on $dmz_if proto tcp from any to any port
$web_ports -> 127.0.0.1 port 3128
You could try something like:
table { 192.168.10.100
Hi list,
Can the host 192.168.10.100 bypass the squid using
transparent proxy?
I have a rule in my pf.conf:
rdr on $dmz_if proto tcp from any to any port
$web_ports -> 127.0.0.1 port 3128
Tha
hi,
we have pf and a couple of IP aliases on $ext_if. pf NATs the connections
out in round-robin fashion; pf lets the clients out through stateful
rules. Recently, we switched to the transparent proxy mode in squid-pf conf
pf.conf>
rdr on $int_if inet proto tcp from any to {!1