Transparent Tinyproxy and PF

Transparent Tinyproxy and PF

theobaam
Good morning,

I am having problems getting tinyproxy 1.6.3 to run transparently
with pf.

I recompiled/reinstalled tinyproxy with --enable-transparent-proxy
and restarted my system.

I figured the key is to start simple and build from there.

So, I set up the most simplistic pf ruleset:  pass everything and
log all traffic going in and out of the firewall.

   int_if="xl0"
   ext_if="rl0"
   set loginterface $int_if
   nat on $ext_if from !($ext_if) -> ($ext_if:0)
   rdr on $int_if inet proto tcp from $int_net to any \
      port www -> 127.0.0.1 port 3128
   pass in log all keep state
   pass out log all keep state

Here is what happens:

1. As it stands,
   No internal clients can surf the internet.

2. If I comment out the rdr,
   my internal clients can surf the internet.

3. Leave rdr commented out,
   set internal browsers to use firewall addr plus port 3128 as proxy,
   my internal clients can surf the internet.

All this would suggest that tinyproxy is not acting as a
transparent proxy.

But I'm not sure what to do next to figure it all out.

Thanks and take care,

Allen
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 


Re: Transparent Tinyproxy and PF

Stuart Henderson
On 2006/06/12 04:20, Allen Theobald wrote:
> I recompiled/reinstalled tinyproxy with --enable-transparent-proxy
> and restarted my system.

Double-check you're running the new binary...ports/packages might not
put files in the same place as the original distribution, I don't know
if that's relevant to you?

Are you testing from a web browser? If not, make sure you supply
HOST: headers when testing. Tinyproxy doesn't know how to use /dev/pf
to fetch the original destination address.

>    rdr on $int_if inet proto tcp from $int_net to any \
>       port www -> 127.0.0.1 port 3128

Looks ok.
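The point made above, that Tinyproxy cannot ask /dev/pf for the original destination and therefore has to recover it from the request itself, as an added illustration. This is constructed example code, not Tinyproxy's source and not part of the original thread; the request samples are made up, and the three cases it distinguishes (absolute-form request line from an explicitly configured browser, origin-form request line plus Host header as seen after a pf rdr, origin-form without Host) are the general rule of which the thread discusses one instance.

```python
"""Added example: how an HTTP proxy that does no NAT lookup (no /dev/pf
query) must derive the upstream destination from the request alone.
Constructed illustration, not Tinyproxy's code."""
from typing import Dict, Tuple
from urllib.parse import urlsplit


class ProxyError(Exception):
    """Raised when the proxy cannot tell where a request should be sent."""


def parse_request_head(raw: bytes) -> Tuple[str, str, str, Dict[str, str]]:
    """Split the request head into (method, target, version, headers).

    Header names are lower-cased so 'HOST:' and 'Host:' compare equal."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    try:
        method, target, version = lines[0].split(" ", 2)
    except ValueError:
        raise ProxyError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ProxyError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def upstream_destination(raw: bytes, default_port: int = 80) -> Tuple[str, int]:
    """Return the (host, port) the proxy should connect to.

    1. Absolute-form request line, which a browser sends when it is
       explicitly configured to use a proxy: 'GET http://host/ HTTP/1.1'.
    2. Origin-form request line, which a browser sends to the origin server
       and which is what arrives after a pf rdr: 'GET / HTTP/1.1' + Host.
    3. Origin-form with no Host header: without a NAT lookup the original
       destination is unknowable, so the proxy has to refuse."""
    _method, target, _version, headers = parse_request_head(raw)

    if target.startswith("http://"):
        parts = urlsplit(target)
        if not parts.hostname:
            raise ProxyError("absolute-form target without host: %r" % target)
        return parts.hostname, parts.port or default_port

    if not target.startswith("/"):
        raise ProxyError("unsupported request target: %r" % target)

    host = headers.get("host")
    if not host:
        raise ProxyError("origin-form request without Host header; cannot "
                         "determine destination without a NAT lookup")
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():
        return name, int(port)
    return host, default_port


# Constructed sample requests covering the three cases above.
SAMPLES = {
    "explicit_proxy": (b"GET http://www.example.com:8080/index.html HTTP/1.1\r\n"
                       b"Host: www.example.com:8080\r\n\r\n"),
    "redirected_with_host": (b"GET /index.html HTTP/1.1\r\n"
                             b"HOST: www.example.com\r\n\r\n"),
    "redirected_no_host": b"GET /index.html HTTP/1.0\r\n\r\n",
}


def classify(raw: bytes) -> str:
    """Describe what the proxy would do with a request: forward or refuse."""
    try:
        host, port = upstream_destination(raw)
        return "forward to %s:%d" % (host, port)
    except ProxyError as exc:
        return "refuse: %s" % exc


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-22s %s" % (name, classify(raw)))
```

The third sample is the case worth watching for when testing a transparent setup by hand: a client that omits Host (an HTTP/1.0 tool, for instance) leaves the proxy with nothing to connect to, so an error page from the proxy is expected and says nothing about the rdr rule itself.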


Re: Transparent Tinyproxy and PF

theobaam
--- Stuart Henderson <[hidden email]> wrote:

> On 2006/06/12 04:20, Allen Theobald wrote:
> > I recompiled/reinstalled tinyproxy with --enable-transparent-proxy
> > and restarted my system.
>
> Double-check you're running the new binary...ports/packages might
> not put files in the same place as the original distribution, I
> don't know if that's relevant to you?

Thanks for the suggestion.  I double-checked and I am running the
correct binary.
 
> Are you testing from a web browser? If not, make sure you supply
> HOST: headers when testing. Tinyproxy doesn't know how to use
> /dev/pf to fetch the original destination address.

I am testing from a browser only.  The 'rdr' causes the browser to
get 'access denied' messages.

> >    rdr on $int_if inet proto tcp from $int_net to any \
> >       port www -> 127.0.0.1 port 3128
>
> Looks ok.

I will tcpdump -netti pflog0, see what it says and report back.

Take care,

Allen