Subject: IPFilter and transparent proxy redirection confusion
To: None <tech-net@netbsd.org>
From: Urban Boquist <urban@boquist.net>
List: tech-net
Date: 07/11/2007 17:33:18
Hi all, I would greatly appreciate some help with my ipfilter rules...

I have been running Squid as a transparent proxy on my NetBSD firewall
machine for a really long time with zero problems. I only needed:

  rdr fxp1 0/0 port 80 -> 127.0.0.1 port 3128 tcp

Now I'm trying to move Squid to a different machine, but get totally confused:

             | fxp0 = a.b.c.d/32
         ____|_____
         |        |
         |  GW    |--- lo0
         |________|
             | fxp1 = 192.168.1.1
             |                          ______________
             |--------------------------|            |
             |      ex0 = 192.168.1.5   | Squid:3128 |
             |                          |____________|
             |
     clients: 192.168.1.0/24

First attempt to just redirect on GW like before:

  rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp

seems to work somewhat initially: I see a SYN being redirected at GW
to 192.168.1.5 and a SYN-ACK sent back to the original client, but
then it responds with an RST. I assume it gets confused because the
reply comes from a different IP?

So do I need to rewrite source address too at the GW?

And then it seems that I need some exception for the Squid machine
itself, to avoid its port 80 requests being redirected to itself?

Any hint would be appreciated. I can find millions of pages with
Google that explain how to do this when Squid is running on
127.0.0.1, but none that explain when it is not... :-(

Best regards,

        -- Urban
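The behaviour described in the post, as an added Python model that is not part of the thread or of IPFilter: it plays out the SYN/SYN-ACK exchange with a redirect-only gateway and with the source rewrite the poster asks about, and shows why the client's SYN_SENT socket answers the mismatched SYN-ACK with an RST. The client and external server addresses are constructed, and the Squid-host exemption is modelled as the poster's hypothesis, not as a tested ipnat rule.

```python
from dataclasses import dataclass

GW_LAN = "192.168.1.1"             # fxp1 on the gateway
SQUID = ("192.168.1.5", 3128)      # ex0 on the Squid box
CLIENT = ("192.168.1.20", 51000)   # constructed sample LAN client
WEBSERVER = ("203.0.113.10", 80)   # constructed sample external web server

@dataclass(frozen=True)
class Pkt:
    src: tuple   # (host, port)
    dst: tuple
    flag: str    # "SYN", "SYN-ACK", "ACK" or "RST"

class Gateway:
    """Toy model of ipnat on fxp1: the rdr rule, optionally with a source rewrite."""
    def __init__(self, rewrite_source: bool):
        self.rewrite_source = rewrite_source
        self.table = {}       # (translated src, translated dst) -> (orig src, orig dst)
        self.next_port = 40000

    def from_lan(self, p: Pkt) -> Pkt:
        # rdr fxp1 0/0 port 80 -> 192.168.1.5 port 3128 tcp, with the Squid
        # host's own port-80 traffic exempted so it is not looped back to itself.
        if p.dst[1] != 80 or p.src[0] == SQUID[0]:
            return p
        src = p.src
        if self.rewrite_source:           # hypothetical fix: make replies come back via GW
            src = (GW_LAN, self.next_port)
            self.next_port += 1
        self.table[(src, SQUID)] = (p.src, p.dst)
        return Pkt(src, SQUID, p.flag)

    def from_squid(self, p: Pkt) -> Pkt:
        # Reverse translation for replies that actually pass through the gateway.
        orig_src, orig_dst = self.table[(p.dst, p.src)]
        return Pkt(orig_dst, orig_src, p.flag)

def handshake(rewrite_source: bool) -> str:
    """Return the client's reaction to Squid's SYN-ACK: 'ACK' or 'RST'."""
    gw = Gateway(rewrite_source)
    at_squid = gw.from_lan(Pkt(CLIENT, WEBSERVER, "SYN"))
    reply = Pkt(at_squid.dst, at_squid.src, "SYN-ACK")   # Squid answers whoever it saw
    # Squid and the client share a LAN, so the reply is delivered directly
    # unless it is addressed to the gateway itself.
    if reply.dst[0] == GW_LAN:
        reply = gw.from_squid(reply)
    # A SYN_SENT socket only accepts a SYN-ACK matching its own 4-tuple.
    expected = (WEBSERVER, CLIENT)
    return "ACK" if (reply.src, reply.dst) == expected else "RST"
```

With the redirect alone the SYN-ACK arrives from 192.168.1.5:3128 instead of the web server and the client resets; with the source rewrite the reply is forced back through the gateway, which untranslates it.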