DaemonForums  

#1 Skinny, 7th November 2012
How to make polipo proxy transparent?

I'm using polipo for ad filtering. Instead of configuring each client to use a proxy I'd like to redirect all outgoing http traffic through polipo using pf.

I tried something like this (which of course didn't work; polipo returns 404):
Code:
pass in on $lan_if proto tcp from $lan to !$lan port www \
    rdr-to $polipo_proxy port 8123
How can I redirect outgoing http traffic through polipo?

#2 jggimi, 7th November 2012

I believe that the reason this isn't working is that the incoming packets are routed through the firewall but the return traffic is direct between $polipo_proxy and the local device. See the Traffic Redirection and Reflection section of the Redirection Chapter of the PF User's guide. It explains similar configuration issues and offers several different ways to redirect internal traffic.

http://www.openbsd.org/faq/pf/rdr.html#reflect

Last edited by jggimi; 7th November 2012 at 09:21 PM. Reason: clarity

#3 rocket357, 7th November 2012

I had the same issue with privoxy and havp. You have to set the proxy up as an intercepting proxy, which apparently the polipo developers consider to be a fascist pig type of move, so they refuse to implement support for it.

I'd use something else, personally.
__________________
Linux Admin by Profession. OpenBSD user by choice.

Last edited by rocket357; 7th November 2012 at 11:06 PM.
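
Why interception needs support in the proxy itself, as an added example that is not part of the thread: a client configured for a proxy sends an absolute-form request target (`GET http://host/path`), while a client redirected by a packet filter sends origin-form (`GET /path`), so the destination has to be rebuilt from the `Host` header. The function names and sample requests are constructed for illustration.

```python
# Added example: how a proxy must treat redirected (intercepted) requests.
# Function names and sample requests are constructed for illustration.
from urllib.parse import urlsplit


def parse_head(raw: bytes):
    """Split a request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def effective_url(raw: bytes) -> str:
    """Return the URL a proxy should fetch for this request.

    absolute-form: the client knows it talks to a proxy; use the target.
    origin-form:   the client was redirected (e.g. by pf rdr-to); the
                   destination must be rebuilt from the Host header.
    """
    _method, target, headers = parse_head(raw)
    if urlsplit(target).scheme in ("http", "https"):
        return target
    if not target.startswith("/"):
        raise ValueError("unsupported request-target: %r" % target)
    hosts = headers.get("host", [])
    # Host is client-controlled: require exactly one, with no path/userinfo.
    if len(hosts) != 1 or not hosts[0] or any(c in hosts[0] for c in "/@\\ "):
        raise ValueError("missing or malformed Host header")
    return "http://" + hosts[0] + target


# Constructed sample requests.
EXPLICIT = b"GET http://example.org/index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
REDIRECTED = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n\r\n"
NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(effective_url(EXPLICIT))
    print(effective_url(REDIRECTED))
```

Because the `Host` header is chosen by the client, an intercepting proxy should also compare it with the connection's original destination address before using it for caching or access decisions.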

#4 Skinny, 11th November 2012
Thanks!
Too bad polipo doesn't support interception.

Looks like ad filtering is quite doable with relayd.

#5 pcronin, 29th November 2012

I'm using squid, had to use a make option for transparent. After that a rule like yours is used.
If I remember when I get home I'll post my pf.conf, if you'd like.

#6 Skinny, 1st December 2012

I tried to avoid Squid.
But having a working setup listed here is probably good for fellow readers though.

#7 pcronin, 5th December 2012

Here's my pf.conf, terribly uncommented :P
A note: this was a 3 NIC machine with the wireless (a dlink dr-615) being on XL1, but things like iTunes wifi sync and library sharing weren't working despite attempts to forward those ports.

Another note: when you remove a NIC, remember to comment out any lines referencing it in pf.conf, otherwise pf will fail to load and you'll scratch your head as to why your box doesn't pass packets.

Code:
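# cat /etc/pf.conf
## em0 = int lan
## xl0 = to wan
## xl1 = wireless

## redirect web traffic arriving from the LAN to squid on localhost:3128
pass in on em0 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128
#pass in on xl1 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128
## allow connections on the LAN interface addressed to the proxy port on loopback
pass in on em0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
#pass in on xl1 inet proto tcp from any to 127.0.0.1 port 3128 keep state
## let outbound web requests leave on the WAN interface
pass out on xl0 inet proto tcp from any to any port www keep state
## NAT traffic from the LAN network to the WAN interface address
#pass out on xl0 from xl1:network to any nat-to (xl0)
pass out on xl0 from em0:network to any nat-to (xl0)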

I know it's a horrible mess, but it works. I'm going to sit down with the advanced PF FAQs "soon"(tm).

Last edited by pcronin; 5th December 2012 at 03:47 PM. Reason: changed from "quote" to "code"