On 30 Nov 2012, at 08:30, Leslie Jensen <les...@eskk.nu> wrote:

>
> Damien Fleuriot wrote 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen <les...@eskk.nu> wrote:
>>>
>>
>> Well, that depends on what you want to do.
>>
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on
>> $proxy.
>>
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>>
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
>> port $proxyport tag rdr_proxy
>>
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local
>> machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
>> -> 127.0.0.1 port 8021 tag rdr_ftp
>>
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>>
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>>
>> # 5/ access rule to allow your proxy to do whatever it wants in a very
>> limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
>> 443 } flags S/SAFR
>>
>> I liked Volodymyr's original intent behind the "rdr pass", the use of
>> tags here allows you to setup actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>>
>> Well basically it only has advantages.
>>
>> Let me know if that helped.
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
>>
>
> Thank you Damien.
>
> I'll try out your suggestions and report back.
>
> Thanks :-)
>
> /Leslie
>
The rdr rules should read:

rdr in on $int_if from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the "-> destination" syntax.

Otherwise, should be just fine.
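As an added illustration of that correction (not code from the thread or from pf itself), a small Python checker that parses a classic pf "rdr ... -> host [port]" rule and moves a "tag" clause that was written after the "->" target back into the match half, which is where the old rdr grammar expects it. The regex and function names are my own; `pfctl -nf` stays the authoritative syntax check.

```python
import re

# Constructed checker for the old-style pf "rdr" grammar (FreeBSD pf as used in
# the thread): "tag <name>" belongs to the match part of the rule and must come
# before "-> redirhost [port ...]". Assumes a single redirect host, not a "{ }"
# list. Not part of pf or pfctl.
RDR_RE = re.compile(
    r"^(?P<match>rdr\b.*?)\s*->\s*(?P<redir>\S+)"
    r"(?:\s+port\s+(?P<port>\S+))?(?P<rest>.*)$"
)
TAG_RE = re.compile(r"\s*\btag\s+(\S+)")


def fix_rdr_tag(rule):
    """Return (ok, rule_text, note) for one rdr rule.

    ok is True when the rule already keeps any "tag" clause before "->".
    Otherwise rule_text is the rule with the tag clause moved in front of "->".
    """
    rule = " ".join(rule.split())  # collapse line wrapping from a mail body
    m = RDR_RE.match(rule)
    if not m:
        return False, rule, "not an rdr rule with a '-> destination' part"
    match_part, redir = m.group("match"), m.group("redir")
    port, rest = m.group("port"), m.group("rest")
    misplaced = TAG_RE.search(rest)
    if misplaced is None:
        return True, rule, "ok"
    if TAG_RE.search(match_part):
        return False, rule, "tag given twice; drop the one after '->'"
    tag = misplaced.group(1)
    rest = TAG_RE.sub("", rest).strip()
    fixed = f"{match_part} tag {tag} -> {redir}"
    if port:
        fixed += f" port {port}"
    if rest:
        fixed += f" {rest}"
    return False, fixed, f"moved 'tag {tag}' before '->'"
```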