On 2010-04-21, Michal <mic...@ionic.co.uk> wrote:
> It must allow ALL traffic (SSH, SMTP, IMAP etc) and
> essentially ignore that traffic, simply working as a web cache and
> logger. Web traffic works fine, it goes through it, it logs it and cache
> is working I guess but nothing else goes through it. SMTP, SSH, IMAP all
> refuse to connect and I know it's something stupid but after searching
> around I can't find an answer.

So this system must act as a router for the other traffic
(net.inet.ip.forwarding=1).

> int_if="em0"
> ext_if="em0"

Same interface... so unless you take measures to avoid it, packet flow
will look like this:

         .->out>--o proxy o----------.
        /                             \
       /                               \
      /                                 \
host o-------------<return<--------------o gateway

i.e. proxy sees outbound but not return traffic.

So you will either have to arrange that the real gateway sends traffic
for these machines via the proxy (e.g. using route table entries),
or will have to arrange some way that PF can handle the asymmetric
routing (see the pf.conf manual).

> rdr on $int_if inet proto tcp from any port www to any port www -> 127.0.0.1 port 3128
> pass out on $ext_if inet proto tcp from any port www to any port www keep state

www connection requests won't have SOURCE port 80.
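One way to write those rules with both points addressed, as an added example that is not from the thread. It assumes the pre-4.7 `rdr` syntax the quoted rules use, a client network of 192.168.1.0/24, and that the clients use this host as their default gateway:

```pf
# Added example, not from the original post.  Interface name, client
# network and proxy port are assumptions; adjust to the real setup.
int_if  = "em0"
lan_net = "192.168.1.0/24"      # assumed client network
proxy   = "127.0.0.1 port 3128" # local Squid

# This host forwards for the clients, so net.inet.ip.forwarding=1 must be
# set in /etc/sysctl.conf; PF alone does not route.

# Redirect only HTTP by DESTINATION port.  The client's source port is
# ephemeral, so "from any port www" in the original rule never matches.
rdr on $int_if inet proto tcp from $lan_net to any port www -> $proxy

# The redirected sessions terminate on this host, so both directions are
# seen here and normal stateful filtering is fine.
pass in quick on $int_if inet proto tcp from $lan_net to $proxy keep state

# Everything else (SSH, SMTP, IMAP, ...) is forwarded to the real gateway,
# whose replies go straight back to the client and never pass this box.
# A stateful rule would never see the return half of the connection, so
# filter these packets statelessly and let them through untouched.
pass in  quick on $int_if inet from $lan_net to any no state
pass out quick on $int_if inet from $lan_net to any no state
```

If the real gateway is later configured to route the clients' return traffic back via the proxy, the two `no state` rules can be changed back to `keep state`.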
