[pfSense-discussion] how do I "not rdr" with pfsense

2005-10-31 Thread Etienne Ledoux
I'm using pfsense to redirect all outgoing http traffic to a
transparent proxy.  But I need to not redirect a specific range when
browsing to that specific range. pf supports "not rdr" as well as other
options to achieve this. But I can't figure out how can do this via
pfsense ? Perhaps the "No nat" feature somehow ?

Any ideas or is it a missing feature ?

thanks,

e.


Re: [pfSense-discussion] how do I "not rdr" with pfsense

2005-11-01 Thread Etienne Ledoux
perhaps I should give more info about this:

I have an internal LAN, DMZ and a WAN. My proxy is in the DMZ. I
redirect all http traffic from the LAN to the proxy in the DMZ. The
rule looks like this:

rdr on vr0 inet proto tcp from any to any port = http -> 10.6.0.10 port 8080

I would like to eventually have a rule that reads something like:

no rdr on vr0 inet proto tcp from any to 10.2.0.0/16 port = http

above it.
The "no nat" feature available on outbound nat currently doesn't even
allow me to select my internal interface. So I'm not sure if this rule
will work because it's probably going to be caught by the rdr rule
above anyway.

Unless I'm not supposed to be using rdr for this in the first place,
which doesn't make sense to me, how should I then be doing this ?

thanks,

e.

On 10/31/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 10/31/05, Etienne Ledoux <[EMAIL PROTECTED]> wrote:
> > I'm using pfsense to redirect all outgoing http traffic to a transparent
> > proxy.  But I need to not redirect a specific range when browsing to that
> > specific range. pf supports "not rdr" as well as other options to achieve
> > this. But I can't figure out how can do this via pfsense ? Perhaps the "No
> > nat" feature somehow ?
>
> Yup, no nat.  I assume you are redirecting to another server and not
> using the squid on box.  If so, 'no nat' should work for you, just
> make sure the 'no nat' rule is before the fall through redirect that
> redirects everything else.
>
> --Bill
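The ordering Bill describes, written out as a pf.conf fragment. This is an added example, not the ruleset from the thread or anything pfSense generates; the interface vr0, the proxy 10.6.0.10:8080 and the exempt range 10.2.0.0/16 come from the post above, while the macro names and the pass rules are assumptions for illustration.

```pf
# Constructed example. pf applies the FIRST matching translation rule
# (translation rules are first-match; filter rules are last-match), so
# the exemption has to sit above the catch-all redirect or it never fires.
lan_if       = "vr0"
proxy        = "10.6.0.10"
no_proxy_net = "10.2.0.0/16"

# Web traffic to the exempt range is left untranslated.
no rdr on $lan_if inet proto tcp from any to $no_proxy_net port = http

# Everything else bound for port 80 is sent to the transparent proxy.
rdr on $lan_if inet proto tcp from any to any port = http -> $proxy port 8080

# Filter rules see the post-translation destination, so both paths need a pass.
pass in on $lan_if inet proto tcp from $lan_if:network to $proxy port 8080
pass in on $lan_if inet proto tcp from $lan_if:network to $no_proxy_net port = http
```

Check the syntax without loading it using `pfctl -nf /path/to/pf.conf`, then confirm the order with `pfctl -sn`, which prints the translation rules in evaluation order.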


Re: [pfSense-discussion] how do I "not rdr" with pfsense

2005-11-01 Thread Etienne Ledoux
ok, I guess this means there is no solution for this problem yet ?
I'll have to wait a bit ?


e.

On 11/1/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On 11/1/05, alan walters <[EMAIL PROTECTED]> wrote:
> > [alan walters]
> > I have been thinking about this a lot recently. I was wondering if rules
> > for squid ftp proxy ipsec extra. Could be added to the xml file. At
> > least this way the user has some control over what to do with them.
> >
> > I thought the best way to display these would be under their relative
> > interface setting and grouped by the anchor points defined in pf.
> >
> > At least this would allow for a bit more transparency as to what rules
> > are going on and maybe a bit more control over what services are used
> > where.
> >
> > Look forward to hearing what other users have to say in respect to this
> > issue on hidden rules in the /tmp/rules.debug file.
>
> I agree (who cares about the users when the devs - well at least one -
> agree? ;-P), the system generated rules do need to be exposed.  It's
> one of the items on my "Enterprise readiness TODO" list.  Currently
> those rules are tied pretty heavily into the rules.debug generation,
> but I've got some ideas on the "best" way to move them out.
>
> I'm actually finding this somewhat refreshing, with the user levels,
> multi-user, and hidden rules discussions, it sounds like we're nearly
> at a point where SOHO is usable and we've piqued enough interest to
> consider it in an enterprise.
>
> --Bill


[pfSense-discussion] 1:1 nat on multiple interfaces....

2005-11-18 Thread Etienne Ledoux
Why are you not allowed to have 1:1 nat mappings on multiple interfaces ?

error: "Another 1:1 rule overlaps with the specified external subnet."

The difference between the two rules I tried to apply was the interface
I'm trying to apply it on. There shouldn't be anything wrong in doing
this ? I have multiple DMZs, hence this requirement.

thanks,

e.


[pfSense-discussion] qemu, pfsense and "FreeSBIE2 now integrated"....

2005-11-22 Thread Etienne Ledoux
Not having access to vmware or a spare pc, I use qemu as a system
emulator to install and test stuff on. Qemu has served me well, but I
have never been able to use it to install pfsense. It always complained
about some dump error. Since the integration into FreeSBIE2 I'm able to
install pfsense in qemu. So obviously something was fixed. This is good
news because now I can install, upgrade break and go wild in a test
environment. Anybody else interested in testing, tweaking and breaking
pfsense could also use this now without breaking their live firewall.
Just thought I would share this with everyone.

e.