Dominik Zalewski <[EMAIL PROTECTED]> wrote:

> On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
> > Dominik Zalewski <[EMAIL PROTECTED]> writes:
> > > I have an OpenBSD 4.0 firewall and I would like to redirect all outgoing
> > > http requests to my squid web proxy.
> >
> > Daniel Hartmeier wrote about this a while back, his article can be
> > found at http://www.benzedrine.cx/transquid.html
>
> In this article squid is running on the same machine as the OpenBSD
> firewall. In my case I have squid running on a different machine connected
> to the LAN interface. My question is: can I redirect traffic on $int_if to
> another machine connected to the same interface? Is this rule
> correct?
>
> rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080
>
> pfctl doesn't complain about anything, but it simply doesn't work.
I believe Squid's intercepting mode relies on PF's DIOCNATLOOK ioctl to get an idea what the real destination was. I don't know if this information can be pfsync'ed between different machines, but from the man page I would assume that it's currently not possible (I only checked on FreeBSD 6.2-PRERELEASE, my pfsync version might be a few steps behind the one on OpenBSD 4.0).

If it's not possible you probably have to move Squid to the box where PF is running, or use a proxy that extracts the destination from the Host header. Unlike with DIOCNATLOOK, this doesn't work for HTTP/1.0 requests without Host headers, but with recent clients this shouldn't be an issue.

Privoxy 3.0.7 (unreleased, only available through CVS) does this and you could still use Squid as caching proxy, but Privoxy's intercepting mode is rather new and you would probably be the second tester ...

Fabian
-- 
http://www.fabiankeil.de/
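The two ways an intercepting proxy can learn the original destination, as an added example (not code from Squid, Privoxy or the thread): the PF-side answer that DIOCNATLOOK would give is modelled as a plain argument rather than a real ioctl, and the fallback reads the Host header, which an HTTP/1.0 client may omit. The requests below are constructed, not captured traffic.

```python
"""Origin resolution for an intercepting HTTP proxy (added example).

On the host running PF, DIOCNATLOOK returns the pre-rdr destination of a
redirected connection. A proxy on another box only has the HTTP request,
so it must fall back to the Host header, which HTTP/1.0 clients may omit.
"""
from typing import Dict, Optional, Tuple

Origin = Tuple[str, int]

# Constructed sample requests, not captured traffic.
REQ_HTTP11 = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_HTTP10 = b"GET / HTTP/1.0\r\n\r\n"  # no Host header at all


def parse_request_head(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP request head into (method, version, headers); header names lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, _target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, version, headers


def resolve_origin(raw: bytes, nat_lookup: Optional[Origin] = None) -> Optional[Origin]:
    """Return the (host, port) the client originally connected to, or None.

    nat_lookup stands in for what DIOCNATLOOK would return on the PF host
    (a constructed value here, not a real ioctl). Without it, the only
    remaining source of the destination is the Host header.
    """
    if nat_lookup is not None:
        return nat_lookup
    _method, _version, headers = parse_request_head(raw)
    host = headers.get("host")
    if not host:
        return None  # HTTP/1.0 request without Host: destination unknown
    if host.startswith("["):  # IPv6 literal, e.g. [::1]:8080
        name, _, rest = host[1:].partition("]")
        return name, int(rest[1:]) if rest.startswith(":") else 80
    name, _, port = host.partition(":")
    return name, int(port) if port else 80
```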

