Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-05 Thread Darrin Chandler
On Fri, May 04, 2007 at 10:57:51PM -0600, Steve Williams wrote:
> Mark Pecaut wrote:
> >http://marc.info/?l=openbsd-misc&m=108089194621750&w=2
> >
> >so try
> >
> >rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
> >...
> >pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
> Which interface do you have the IP address on?  Is it on the interface 
> closest to the default gateway?
> 
> Thanks VERY much for your pointers.  I will try this ASAP.

I've used this as well, for spamd in a transparent bridge. In my case
the rdr and pass/route-to were on the $ext_if, which is where I had my
IP address being that it needed to talk to the outside world rather than
internal hosts.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Mark Pecaut wrote:

> On 5/4/07, Steve Williams <[EMAIL PROTECTED]> wrote:
>
> > I now would like to throw squid into the mix acting as a transparent
> > proxy.  I have the squid-transparent port installed.  If I change the
> >
> > ...
> >
> > I have tried everything I can think of to get this to work in bridge
> > mode to no avail.
> >
> > I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.
>
> http://marc.info/?l=openbsd-misc&m=108089194621750&w=2
>
> so try
>
> rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
> ...
> pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
>
> I have it working here like this.  Also, you aren't doing IP
> forwarding, so turn that off.  The bridge does not need it.
>
> -Mark

Which interface do you have the IP address on?  Is it on the interface
closest to the default gateway?


Thanks VERY much for your pointers.  I will try this ASAP.

Cheers,
Steve Williams



Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Mark Pecaut

On 5/4/07, Steve Williams <[EMAIL PROTECTED]> wrote:

> I now would like to throw squid into the mix acting as a transparent
> proxy.  I have the squid-transparent port installed.  If I change the
>
> ...
>
> I have tried everything I can think of to get this to work in bridge
> mode to no avail.
>
> I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.


http://marc.info/?l=openbsd-misc&m=108089194621750&w=2

so try

rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
...
pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

I have it working here like this.  Also, you aren't doing IP
forwarding, so turn that off.  The bridge does not need it.

-Mark
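A complete pf.conf fragment for the bridge setup Mark's two rules describe, added here as an example and not taken from the thread; the interface names fxp0/fxp1 and the squid listening address are assumptions, and Steve's original rule is kept only as a commented-out contrast.

```pf
# pf.conf fragment: transparent squid on an OpenBSD 4.1 bridge.
# Added example, not from the thread. Assumed layout: fxp0 faces the
# default gateway and carries the box's only IP address, fxp1 faces the
# LAN and has no address; both are members of bridge0.
int_if = "fxp1"
squid_port = "3128"

# Steve's attempt, kept commented out: per his tcpdump the rewritten
# packet shows up on the external NIC with destination port 3128, but
# squid never logs it.
# rdr on $int_if inet proto tcp from any to any port www -> 10.5.2.143 port $squid_port

# Working form (Mark's rules): redirect to the loopback address, then
# force the rewritten packet into the local IP stack with route-to lo0
# instead of letting the bridge forward it out the other member port.
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port $squid_port
pass in on $int_if route-to lo0 inet proto tcp from any to 127.0.0.1 port $squid_port keep state

# Everything else bridges through unchanged, as in Steve's original
# pass-all ruleset.
pass in all keep state
pass out all keep state

# Companion settings outside pf (assumed, not from the thread):
# net.inet.ip.forwarding=0 in /etc/sysctl.conf, since the bridge does
# not route, and squid listening on 127.0.0.1 port 3128 in transparent
# mode so the redirected connections reach it.
```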



rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Hi,

I have googled with no success, read all the relevant man pages I could 
also with no success.


I have an OpenBSD 4.1 box configured as a bridge.  It is working 100%.  
I have a few monitoring programs (pmacct)  feeding to some analysis 
tools ( flox, pnrg ).  It's also running symon, symux, syweb.  I'm very 
pleased with the config so far.


I now would like to throw squid into the mix acting as a transparent 
proxy.  I have the squid-transparent port installed.  If I change the 
box from a bridge to a router doing NAT, the transparent proxy works 
100%.  I can also hit the box on 3128 and access the Internet (even in 
bridge mode).  However, I want the installation of this system to be 
non-intrusive.  To run as a router, it needs to be the default gateway 
of all the systems, and that amount of change for a transient analysis 
tool is not acceptable.


I have tried everything I can think of to get this to work in bridge 
mode to no avail.


I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.  
I have the default route to be the network default gateway and DNS is 
working on the OpenBSD box.


I have put an IP address on the external (router facing) NIC and told 
Squid to listen to it.  Configuring my browser to use that IP address as 
a proxy works 100%.


I was thinking that a rule like below should work:

rdr on $int_if inet proto tcp from any to any port www tag SQUID -> 10.5.2.143 port 3128


int_if has no ip address.  10.5.2.143 is the IP address assigned on the 
external interface.  My reasoning was that this would "conceptually" 
route the packet across the 2 interfaces, coming in on the internal and 
going out on the external.  Doing a tcpdump on the int_if I can see the 
packet arriving with a destination port 80.  Doing a tcpdump on the 
ext_if, I can see the packet arriving with a destination port of 3128.  
Squid never sees the packet...or maybe it does, but it does not log 
anything.  I'm completely at a loss, as the squid itself is working 
properly if I can just get the packets to it!


I have tried most combinations of IP address on inside interface, 
outside interface, redirecting to inside, outside, localhost, etc. to no 
avail.


I'm beginning to wonder if rdr is even possible on a bridge interface.  I 
have not been able to find a complete list of commands available to the 
brconfig (eg: brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag 
boss)


I cannot believe that at the bridge level (ethernet) I have access to 
any ip information (eg: port), so I can't tag at the bridge level for 
processing in pf.  Any attempts I made to specify that type of 
information with the brconfig command failed.


Can anyone shed any light?

And no, no packets should be getting blocked as I have 2 rules,

pass in all keep state
pass out all keep state

Thanks,
Steve Williams