DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th March 2010
jhp jhp is offline
Real Name: John
New User
 
Join Date: Mar 2010
Location: Derbyshire, UK
Posts: 5
Default Selective PF RDR

Hi Everyone

Does anyone know if it's possible to selectively redirect clients using pf to my squid proxy?

I tried this and it didn't seem to work, though it does work if I redirect all. I would like the direct servers list to go direct and not go through the transparent squid (due to authentication and other reasons on the client PCs).

Code:
direct_servers="{ !172.26.0.24, !172.26.0.32, !172.26.0.39, !172.26.0.41 }"

rdr on $int_if inet proto tcp from $int_if:network to $direct_servers port www -> 127.0.0.1 port 3128
Thanks for your time!

John
Reply With Quote
  #2   (View Single Post)  
Old 30th March 2010
Carpetsmoker's Avatar
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Tcpdump Spy
 
Join Date: Apr 2008
Location: Netherlands
Posts: 2,243
Default

I have this is my pf.conf, it works:

Code:
# For passing firewall/proxy at work
rdr on $if inet proto tcp from $work to $ip1 port https -> $ip1 port ssh
So that would be a yes.

Is www a valid service name? (I always use http).
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Reply With Quote
  #3   (View Single Post)  
Old 30th March 2010
BSDfan666 BSDfan666 is offline
Real Name: N/A, this is the interweb.
Banned
 
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Default

Quote:
Originally Posted by Carpetsmoker View Post
Is www a valid service name? (I always use http).
The /etc/services file seems to allow aliases, and http happens to be an alias for www.
Reply With Quote
  #4   (View Single Post)  
Old 30th March 2010
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

@jhp: try reversing the statements (move the '!" from the IP addresses to the variable).

Code:
direct_servers="{ 172.26.0.24, 172.26.0.32, 172.26.0.39, 172.26.0.41 }"

rdr on $int_if inet proto tcp from $int_if:network to ! $direct_servers port www -> 127.0.0.1 port 3128
Reply With Quote
  #5   (View Single Post)  
Old 31st March 2010
jhp jhp is offline
Real Name: John
New User
 
Join Date: Mar 2010
Location: Derbyshire, UK
Posts: 5
Default

@Carpetsmoker: Sorry I should have been clearer in my description. It works fine the way you have it, but not if I invert the selection with a '!'. As there are only a few servers I wish to exclude from the filtering (rather than include) it would be easier this way around.

@DutchDaemon: Yeah that was the way I tried it initially but it gives a config error if I put ! before the list name. Putting the ! in the list was the only way I could launch pf successfully.

Any other thoughts?
Reply With Quote
  #6   (View Single Post)  
Old 31st March 2010
DutchDaemon's Avatar
DutchDaemon DutchDaemon is offline
Real Name: Ben
Spam Refugee
 
Join Date: Jul 2008
Location: Rotterdam, The Netherlands
Posts: 336
Default

Got it. This actually bit me in the past.

Use this:
Code:
table <direct_servers> const { 172.26.0.24, 172.26.0.32, 172.26.0.39, 172.26.0.41 }
rdr on $int_if inet proto tcp from $int_if:network to ! <direct_servers> port www -> 127.0.0.1 port 3128
I think something prevents negating 'multi-value variables' (or maybe even single-value ones), whereas tables are not a problem.
Reply With Quote
  #7   (View Single Post)  
Old 31st March 2010
jhp jhp is offline
Real Name: John
New User
 
Join Date: Mar 2010
Location: Derbyshire, UK
Posts: 5
Thumbs up

Spot on!

Thanks for helping out, DutchDaemon! There's surprisingly little on the web regarding this particular problem.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 02:04 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick