Forwarding to a proxy on a different system with pf


Forwarding to a proxy on a different system with pf

John Tate-8
I have a squid proxy listening in transparent mode on another faster
system, but I can't seem to get packets there with pf. I tried simply
modifying the other divert-to rule to use the IP address of that system. It
doesn't seem to work, packets don't reach that system.

#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 \
        port 3128
pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10 \
        port 3128

How should I be doing this? I couldn't find anything on Google.

--
www.johntate.org


Re: Forwarding to a proxy on a different system with pf

Josh Grosse
John Tate <[hidden email]> wrote:

>I have a squid proxy listening in transparent mode on another faster
>system, but I can't seem to get packets there with pf. I tried simply
>modifying the other divert-to rule to use the IP address of that
>system. It
>doesn't seem to work, packets don't reach that system.
>
>#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 \
>        port 3128
>pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10 \
>        port 3128
>
>How should I be doing this? I couldn't find anything on Google.
>
>--
>www.johntate.org

I believe you want rdr-to.  The divert-* options are for userspace application
connections, not packet redirection.
--
Sent from my phone.  Please excuse any idiotic automated word choices.  It
wasn't me.  Honest.


Re: Forwarding to a proxy on a different system with pf

Ralf Horstmann-2
In reply to this post by John Tate-8
* John Tate <[hidden email]> [2013-05-03 17:23]:

> I have a squid proxy listening in transparent mode on another faster
> system, but I can't seem to get packets there with pf. I tried simply
> modifying the other divert-to rule to use the IP address of that system. It
> doesn't seem to work, packets don't reach that system.
>
> #pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
> pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10
> port 3128
>
> How should I be doing this? I couldn't find anything on Google.

Some time ago I did a similar setup with multiple proxies on separate machines.
The OpenBSD machine had three interfaces:

- em1: client network
- em2: proxies
- em0: outbound

The inbound redirection rules looked something like this:

proxy1="10.0.0.5 fd00::5"
proxy2="10.0.0.6 fd00::6"

table <proxies> { $proxy1 $proxy2 }

pass in quick on em1 proto tcp from any to any port 80 \
        route-to { (em2 <proxies>) } round-robin

This should work for both IPv4 and IPv6.

To make this a bit more interesting, I made the proxy do a non-local bind to the
client IP for the outbound connection. To get return traffic back to the
correct proxy, you can use a bridge on em2 to tag connections by MAC address:

/etc/hostname.bridge0:
up
add em2
rule pass in on em2 src 00:12:34:56:78:01 tag proxy1
rule pass in on em2 src 00:12:34:56:78:02 tag proxy2

With that in place you can route return traffic to the correct proxy although
the proxy's outbound connection uses the source IP of the original client. If I
remember correctly the use of tables here makes it possible to write one rule
per proxy that works for both IPv4 and IPv6:

table <proxy1> { $proxy1 }
table <proxy2> { $proxy2 }
pass in quick on em2 proto tcp from !<proxy1> \
        tagged "proxy1" reply-to (em2 <proxy1>)
pass in quick on em2 proto tcp from !<proxy2> \
        tagged "proxy2" reply-to (em2 <proxy2>)

I hope this still works.

Cheers,
Ralf


Re: Forwarding to a proxy on a different system with pf

Stuart Henderson
In reply to this post by John Tate-8
On 2013-05-03, John Tate <[hidden email]> wrote:

> I have a squid proxy listening in transparent mode on another faster
> system, but I can't seem to get packets there with pf. I tried simply
> modifying the other divert-to rule to use the IP address of that system. It
> doesn't seem to work, packets don't reach that system.
>
> #pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
> pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10
> port 3128
>
> How should I be doing this? I couldn't find anything on Google.
>

If you installed squid from the package, there was a notice pointing you
at the readme file.

Read the file, it has an example for this exact case.


Re: Forwarding to a proxy on a different system with pf

Tor Houghton
In reply to this post by John Tate-8
On Sat, May 04, 2013 at 01:23:06AM +1000, John Tate wrote:

> I have a squid proxy listening in transparent mode on another faster
> system, but I can't seem to get packets there with pf. I tried simply
> modifying the other divert-to rule to use the IP address of that system. It
> doesn't seem to work, packets don't reach that system.
>
> #pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
> port 3128
> pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10
> port 3128
>
> How should I be doing this? I couldn't find anything on Google.
>

Someone may already have answered this by now, but I use

pass in quick on $int_if proto tcp from !$proxyhost to any port 80 \
        rdr-to $proxyhost port 3128
pass out quick on $int_if proto tcp to $proxyhost port 3128 \
        received-on $int_if nat-to $int_if

I also allow my "dmz" users (basically all the handheld devices' traffic
arrives on a different interface) via the proxy:

pass in quick on $dmz_if proto tcp to any port 80 \
        rdr-to $proxyhost port 3128
pass out quick on $int_if proto tcp to $proxyhost port 3128 \
        received-on $dmz_if nat-to $int_if

Seems to work(!).

Tor


Re: Forwarding to a proxy on a different system with pf

Peter Hessler
In reply to this post by John Tate-8
divert-to is *only* for the localhost.  To send this traffic to a
different host, you have to use rdr-to.


On 2013 May 04 (Sat) at 01:23:06 +1000 (+1000), John Tate wrote:
:I have a squid proxy listening in transparent mode on another faster
:system, but I can't seem to get packets there with pf. I tried simply
:modifying the other divert-to rule to use the IP address of that system. It
:doesn't seem to work, packets don't reach that system.
:
:#pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1
:port 3128
:pass in quick on $int_if inet proto tcp to port http divert-to 10.0.0.10
:port 3128
:
:How should I be doing this? I couldn't find anything on Google.
:
:--
:www.johntate.org
:

--
The human mind treats a new idea the way the body treats a strange
protein -- it rejects it.
                -- P. Medawar
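
Added example, not from any post in this thread: a complete pf.conf that puts
the advice from Josh, Peter and Tor side by side. Case A keeps squid on the
firewall itself and uses divert-to, which is the only place divert-to can
deliver, because it hands the unmodified packet to a local socket. Case B is
the remote squid with rdr-to plus Tor's nat-to hairpin, which is needed when
the proxy sits on the same LAN as the clients. The interface names em0/em1,
the 192.168.1.0/24 client network and the proxy address 192.168.1.10 are
assumptions; squid is assumed to listen on 3128 in transparent (intercept)
mode as in John's setup.

```pf
# Added example, not from the thread. Assumed topology:
#   em0 = $ext_if, outbound
#   em1 = $int_if, client LAN 192.168.1.0/24, firewall is 192.168.1.1
#   squid on this box (case A) or on 192.168.1.10 (case B), port 3128,
#   running in transparent/intercept mode.
int_if    = "em1"
ext_if    = "em0"
proxyhost = "192.168.1.10"     # assumed address of the remote squid host
proxyport = "3128"

set skip on lo

# Ordinary outbound NAT for everything leaving via the external interface.
match out on $ext_if inet from !($ext_if:network) nat-to ($ext_if)

block log all

# Case A: squid runs on the firewall. divert-to delivers the packet, with
# its destination still untouched, to the local socket bound to
# 127.0.0.1:3128; squid recovers the original destination from that socket
# via getsockname(2). The address given here must be local to this host.
#pass in quick on $int_if inet proto tcp to any port http \
#        divert-to 127.0.0.1 port $proxyport

# Case B: squid on another host. rdr-to rewrites the destination address
# and port, so the packet is actually forwarded to $proxyhost.
# "from !$proxyhost" keeps the proxy's own port-80 fetches from being
# redirected back into itself, which would loop.
pass in quick on $int_if inet proto tcp from !$proxyhost to any port http \
        rdr-to $proxyhost port $proxyport

# Hairpin: the proxy is on the same LAN as the clients. Without this rule
# the proxy would answer the client directly, the client would see a
# SYN/ACK from $proxyhost instead of the web server it sent the SYN to,
# and reply with RST. nat-to ($int_if) makes the firewall the source, so
# the proxy's replies come back through pf and the rdr-to state is
# reversed on the way to the client. received-on limits this to traffic
# that really arrived from the client LAN.
pass out quick on $int_if inet proto tcp to $proxyhost port $proxyport \
        received-on $int_if nat-to ($int_if)

# The proxy's own connections to the web (made explicit for readability;
# the catch-all below would pass them as well).
pass in quick on $int_if inet proto tcp from $proxyhost to any port { http https }

pass in on $int_if
pass out on $ext_if
```

Check the syntax first with `pfctl -nf /etc/pf.conf`, then load it with
`pfctl -f /etc/pf.conf`. With case B active, `pfctl -ss | grep 3128` should
show two states for each client connection, one created by the rdr-to rule
on the way in and one by the nat-to rule on the way out; if only the first
appears, the proxy's replies are not coming back through the firewall and
clients will see connection resets instead of pages.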