OpenBSD Packages and Ports: Installation and upgrading of packages and ports on OpenBSD.
How to make polipo proxy transparent?
I'm using polipo for ad filtering. Instead of configuring each client to use a proxy I'd like to redirect all outgoing http traffic through polipo using pf.
I tried something like this (which of course didn't work; polipo returns 404):
Code:
pass in on $lan_if proto tcp from $lan to !$lan port www \
    rdr-to $polipo_proxy port 8123
I believe that the reason this isn't working is that the incoming packets are routed through the firewall but the return traffic is direct between $polipo_proxy and the local device. See the Traffic Redirection and Reflection section of the Redirection chapter of the PF User's Guide. It explains similar configuration issues and offers several different ways to redirect internal traffic.
http://www.openbsd.org/faq/pf/rdr.html#reflect
Last edited by jggimi; 7th November 2012 at 09:21 PM. Reason: clarity
I had the same issue with privoxy and havp. You have to set the proxy up as an intercepting proxy, which apparently the polipo developers consider to be a fascist pig type of move, so they refuse to implement support for it.
I'd use something else, personally.
__________________
Linux/Network-Security Engineer by Profession. OpenBSD user by choice.
Last edited by rocket357; 7th November 2012 at 11:06 PM.
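As an added example (my own code, not from any poster in this thread or from polipo), here is why a proxy that only understands requests from explicitly configured clients answers 404 to traffic that pf rdr-to hands it, and what an intercepting proxy has to do differently; the hostnames and sample requests are constructed.

```python
from urllib.parse import urlsplit

class BadRequest(Exception):
    pass

def _split_head(request: bytes):
    """Return (request line, list of header lines) of a raw HTTP request."""
    lines = request.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line: %r" % lines[0])
    headers = []
    for h in lines[1:]:
        if not h:                     # blank line ends the header block
            break
        headers.append(h)
    return parts, headers

def forward_proxy_target(request: bytes):
    """A proxy the client was configured to use only understands the
    absolute form 'GET http://host/path HTTP/1.1'. Returns (host, path),
    or None for an origin-form request it cannot route (the 404 symptom)."""
    (_, target, _), _ = _split_head(request)
    url = urlsplit(target)
    if url.scheme != "http" or not url.netloc:
        return None
    return url.netloc, url.path or "/"

def intercepting_proxy_target(request: bytes):
    """An intercepting proxy also accepts the origin form 'GET /path' that
    pf rdr-to delivers and recovers the host from the Host header. Host is
    client-controlled, so a real intercepting proxy should check it against
    the original destination pf recorded (DIOCNATLOOK on OpenBSD), which is
    not shown here."""
    routed = forward_proxy_target(request)
    if routed is not None:
        return routed
    (_, target, _), headers = _split_head(request)
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() == "host":
            return value.strip(), target
    raise BadRequest("origin-form request without a Host header")

# Constructed samples: what rdr-to delivers vs. what a proxy-aware client sends.
INTERCEPTED = b"GET /ads/banner.js HTTP/1.1\r\nHost: ads.example.test\r\n\r\n"
CONFIGURED = (b"GET http://ads.example.test/ads/banner.js HTTP/1.1\r\n"
              b"Host: ads.example.test\r\n\r\n")
```

The redirected request reaches the proxy port unchanged, so whether it is served depends entirely on whether the proxy is willing to reconstruct the destination from something other than the request line.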
Thanks!
Too bad polipo doesn't support interception. Looks like ad filtering is quite doable with relayd.
I'm using squid, had to use a make option for transparent. After that a rule like yours is used.
If I remember when I get home I'll post my pf.conf, if you'd like.
I tried to avoid Squid.
But having a working setup listed here is probably good for fellow readers though.
Here's my pf.conf, terribly uncommented :P
A note: this was a 3 NIC machine with the wireless (a dlink dr-615) being on XL1, but things like iTunes wifi sync and library sharing weren't working despite attempts to forward those ports. Another note: when you remove a NIC, remember to comment out any lines referencing it in pf.conf, otherwise pf will fail to load and you'll scratch your head as to why your box doesn't pass packets.
Code:
# cat /etc/pf.conf
## em0 = int lan
## xl0 = to wan
## xl1 = wireless
pass in on em0 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128
#pass in on xl1 proto tcp from any to any port 80 rdr-to 127.0.0.1 port 3128
pass in on em0 inet proto tcp from any to 127.0.0.1 port 3128 keep state
#pass in on xl1 inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on xl0 inet proto tcp from any to any port www keep state
#pass out on xl0 from xl1:network to any nat-to (xl0)
pass out on xl0 from em0:network to any nat-to (xl0)
I know it's a horrible mess, but it works. I'm going to sit down with the advanced PF FAQs "soon"(tm).
Last edited by pcronin; 5th December 2012 at 03:47 PM. Reason: changed from "quote" to "code"