Subject: IPFilter and transparent proxy redirection confusion
To: None <>
From: Urban Boquist <>
List: tech-net
Date: 07/11/2007 17:33:18
Hi all, I would greatly appreciate some help with my ipfilter rules...

I have been running Squid as a transparent proxy on my NetBSD firewall
machine for a really long time with zero problems. I only needed:

  rdr fxp1 0/0 port 80 -> port 3128 tcp

Now I'm trying to move Squid to a different machine, but I get totally confused:

             | fxp0 = a.b.c.d/32
         ____|____
         |       |
         |  GW   |--- lo0
         |_______|
             | fxp1 =
             |                          ______________
             |--------------------------|            |
             |                ex0 =     | Squid:3128 |
             |                          |____________|

First attempt to just redirect on GW like before:

  rdr fxp1 0/0 port 80 -> port 3128 tcp

seems to work somewhat initially, I see a SYN being redirected at GW
to, and a SYN-ACK sent back to the original client, but
then it responds with a RST. I assume it gets confused because the
reply comes from a different ip?

So do I need to rewrite source address too at the GW?

And then it seems that I need some exception for the Squid machine
itself, to avoid its port 80 requests being redirected to itself?

Any hint would be appreciated; I can find millions of pages with
Google that explain how to do this when Squid is running on, but none that explain when it is not... :-(

Best regards,

        -- Urban
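The rule set the question is working towards, written out as an added example (it is not from the original post or any reply to it): redirect at GW as before, rewrite the source so that Squid's SYN-ACK comes back through GW instead of going straight to the client, and exempt the Squid host itself. All addresses are assumed placeholders: 192.0.2.0/24 for the LAN behind fxp1, 192.0.2.1 for GW's fxp1 address and 192.0.2.10 for the Squid box on ex0. The `no rdr` exclusion and the `from ... to ... port = N` form are IPFilter 4.x ipnat(5) syntax; check them against your own version with a dry run before loading.

```conf
# /etc/ipnat.conf on GW (added example, not from the original post)
#
# Assumed placeholder addressing:
#   LAN behind fxp1 ........ 192.0.2.0/24
#   GW, fxp1 address ....... 192.0.2.1
#   Squid box, ex0 ......... 192.0.2.10
#
# ipnat rules are evaluated first-match, so the exclusion has to come
# before the redirect that would otherwise catch it.

# 1. Never redirect the Squid host's own outbound port-80 traffic. It also
#    arrives on fxp1, and redirecting it would loop Squid's upstream fetches
#    back into its own port 3128.
no rdr fxp1 from 192.0.2.10/32 to any port = 80

# 2. Redirect everybody else's port 80 to the Squid box: the original rule
#    with the destination host changed from the local 127.0.0.1 to 192.0.2.10.
rdr fxp1 0/0 port 80 -> 192.0.2.10 port 3128 tcp

# 3. The redirected SYN leaves GW through fxp1 again (a hairpin). Without this
#    map Squid answers the client directly, from 192.0.2.10:3128; the client
#    expected the reply from the original server on port 80 and sends the RST
#    described in the question. Rewriting the source to GW's own address
#    forces Squid's replies back through GW, where the rdr state translates
#    them back to the original server address before they reach the client.
map fxp1 from 192.0.2.0/24 to 192.0.2.10/32 port = 3128 -> 192.0.2.1/32 portmap tcp 10000:20000
```

Load and verify with `ipnat -n -f /etc/ipnat.conf` (parse only, makes no changes), then `ipnat -CF -f /etc/ipnat.conf` to flush and install, `ipnat -l` to watch the rdr and map entries appear for a test connection, and `tcpdump -ni fxp1 port 3128` to confirm that the SYN reaching Squid now carries 192.0.2.1 as its source. Two caveats follow from the source rewrite: Squid sees GW, not the real client, so any client-address ACLs and the access log lose that information, and because the original destination address is also gone Squid has to reconstruct the target from the Host header (Squid 2.6 era `http_port 3128 transparent`, `intercept` in later versions). The map rule is only needed because Squid shares the fxp1 segment with the clients; if the Squid box is moved onto its own GW interface, its replies are routed through GW anyway and the rdr alone is enough, with the client address preserved.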