Subject: IPFilter and transparent proxy redirection confusion
To: None <tech-net@netbsd.org>
From: Urban Boquist <urban@boquist.net>
List: tech-net
Date: 07/11/2007 17:33:18
Hi all, I would greatly appreciate some help with my ipfilter rules...
I have been running Squid as a transparent proxy on my NetBSD firewall
machine for a really long time with zero problems. I only needed:
rdr fxp1 0/0 port 80 -> 127.0.0.1 port 3128 tcp
Now I'm trying to move Squid to a different machine, but get totally confused:
| fxp0 = a.b.c.d/32
____|_____
| |
| GW |--- lo0
|________|
| fxp1 = 192.168.1.1
| ______________
|--------------------------| |
| ex0 = 192.168.1.5 | Squid:3128 |
| |____________|
|
clients: 192.168.1.0/24
First attempt to just redirect on GW like before:
rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp
seems to work somewhat initially, I see a SYN being redirected at GW
to 192.168.1.5, and a SYN-ACK sent back to the original client, but
then it responds with a RST. I assume it gets confused because the
reply comes from a different ip?
So do I need to rewrite source address too at the GW?
And then it seems that I need some exception for the Squid machine
itself, to avoid its port 80 requests being redirected to itself?
Any hint would be appreciated, I can find millions of pages with
Google that explains how to do this when Squid is running on
127.0.0.1, but none that explains when it is not... :-(
Best regards,
-- Urban