Hi,

Recently I've installed a new bridge+ipfw at the office. It is configured as:

    outer network -- <router> -- <bridge> -- <main hub> ---> inner network

I installed FreeBSD 4.4-RELEASE and immediately updated to 4-stable. The kernel configuration has:

    options IPFIREWALL                      #firewall
    options IPFIREWALL_VERBOSE              #print information about dropped packets
    options IPFIREWALL_FORWARD              #enable transparent proxy support
    options IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
    options IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
    options IPV6FIREWALL                    #firewall for IPv6
    options IPV6FIREWALL_VERBOSE
    options IPV6FIREWALL_VERBOSE_LIMIT=100
    options IPV6FIREWALL_DEFAULT_TO_ACCEPT
    options IPDIVERT                        #divert sockets
    options DUMMYNET
    options BRIDGE

This machine has fxp0 (outer) and fxp1 (inner) interfaces. Only fxp1 has an IP address. The bridged firewall was successful; it works nicely.

I wish to try one more thing: a transparent proxy via Squid. I've installed the www/squid24 port. squid.conf has:

    http_port 127.0.0.1:3128
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

After running squid, I added this rule at the top of the rules (output of ipfw -a list). 208.2.3.200 (not the real IP) is our firewall.

    00500   0     0 allow tcp from 208.2.3.200 to any via fxp0
    00550 173 11165 fwd 127.0.0.1,3128 tcp from 208.2.3.128/25 to any 80 via fxp1

As shown, rule 550 _filters_ packets, but it seems not to forward packets to port 3128 (squid). All clients can go out with their own IP, and nothing shows up in the squid log.

Am I doing something wrong? I've searched many mailing lists (freebsd and squid) but I can't get good answers.

p.s. I am doing NAT + transparent proxy at home (ADSL). It works nicely.

--
+++ Any opinions in this posting are my own and not those of my employers +++
CHOI Junho [sleeping now] <http://www.kr.FreeBSD.org/~cjh>
[while sleeping] <cjh @ kr.FreeBSD.ORG> <cjh @ FreeBSD.ORG> <cjh @ wdb.co.kr>
Korea FreeBSD Users Group <www.kr.FreeBSD.org> Web Data Bank <www.wdb.co.kr>