Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Gary Buckmaster
It can be done, although not if the proxy machine is inside your LAN.  
It would need to live on a separate network segment (i.e. DMZ).  In this 
case, yes, it's possible to redirect outbound traffic for TCP 80 to the 
proxy machine, do your content filtering and pass it on.  You cannot 
transparently proxy SSL traffic in this manner, however, due to the fact 
that the streams are encrypted. 


-Gary

Vaughn L. Reid III wrote:

Hello, I have a policy routing and re-direct question.

Is it possible in PFSense to do something like the following:

A request comes to PFSense on the internal LAN interface on port 80 or 
port 443.  Instead of passing this out WAN to the Internet, can the 
traffic, instead, be re-directed to a different port number of another 
internal machine (e.g. a proxy server or content filter)?


Ascii art example:
LAN Network Workstation port 80 or 443 request --> PFSense LAN 
interface --> internal PFSense rules, etc --> re-direct back out 
interface to 2nd Internal network machine which would then either 
serve the content or fetch it from the Internet


I'm asking this to see if it is feasible to set up a traditional proxy 
server/content filter in a way to avoid having to configure proxy 
settings on each client machine.  I'm also wanting to keep the 
proxying and content filtering off of the gateway routers.  If it 
would make things easier, the 2nd machine could live on a different 
PFSense interface.


Thanks for your help.

Vaughn Reid III

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Commercial support available - https://portal.pfsense.org

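To make the redirect Gary describes concrete, here is an added pf.conf fragment (not from the thread or from pfSense itself) equivalent to a pfSense "Port Forward" rule on the LAN interface. The interface name, subnets, proxy address and proxy port are assumed placeholder values.

```pf
# Added illustration, not from the thread. Interface names, subnets and the
# proxy address/port below are assumed placeholders.
lan_if     = "em1"
lan_net    = "192.168.1.0/24"   # assumed LAN subnet
proxy      = "192.168.2.10"     # assumed proxy host on a separate DMZ interface
proxy_port = "3128"             # assumed port the transparent proxy listens on

# Rewrite the destination of LAN-originated HTTP (TCP 80) requests to the proxy.
# Traffic to the firewall's own addresses is excluded so the web GUI stays reachable.
rdr on $lan_if inet proto tcp from $lan_net to ! ($lan_if) port 80 \
    -> $proxy port $proxy_port

# Filter rules see the translated destination, so allow the rewritten flow.
pass in quick on $lan_if inet proto tcp from $lan_net to $proxy port $proxy_port \
    keep state

# TCP 443 is deliberately left alone: the stream is encrypted, so a transparent
# proxy cannot read the request, and it continues through the normal outbound rules.
```

The reason the proxy must sit on a different segment, as Gary says, is the return path: the client sends a SYN to the real web server's address, pf rewrites the destination to the proxy, and pf can only reverse that translation on the reply if the reply passes back through the firewall. A proxy on the same LAN would answer the client directly with its own address as the source, which matches no connection the client opened, so the client drops it. On the proxy side, Squid 2.x enables interception with the `transparent` keyword on its `http_port` line (later Squid versions call this `intercept`), which is what the pfSense squid package that RB mentions below configures.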
Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread RB
On Wed, Dec 3, 2008 at 09:09, Vaughn L. Reid III
<[EMAIL PROTECTED]> wrote:
> I'm asking this to see if it is feasible to set up a traditional proxy
> server/content filter in a way to avoid having to configure proxy settings

Ditto Gary's statement.  Even though you want to keep proxying off of
the router, it's worth noting that the squid package offers a
transparent proxy configuration.  I've been using that with an
ultra-minimal setup (no caching) pointed at an upstream content filter
for just over a year with zero issues.  The upstream proxy solely
serves that network and averages 40GB/day, but has seen as much as 3x
that with no ill effect.  pfSense: Dell PE2650, 2xP-IV @ 1.8GHz


RB


Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Bill Marquette
On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster
<[EMAIL PROTECTED]> wrote:
> It can be done, although not if the proxy machine is inside your LAN.  It
> would need to live on a separate network segment (i.e. DMZ).  In this case,
> yes, it's possible to redirect outbound traffic for TCP 80 to the proxy
> machine, do your content filtering and pass it on.  You cannot transparently
> proxy SSL traffic in this manner, however, due to the fact that the streams
> are encrypted.

Well, there are ways to do it, all of them evil :)  Consider it a
trusted MITM attack.  Wh...outside of commercial proxies however,
I know of no open source way to automate this (without lots of work on
the administrator end to set it up).

--Bill


Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Ermal Luçi
On Wed, Dec 3, 2008 at 5:40 PM, Bill Marquette <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster
> <[EMAIL PROTECTED]> wrote:
>> It can be done, although not if the proxy machine is inside your LAN.  It
>> would need to live on a separate network segment (i.e. DMZ).  In this case,
>> yes, it's possible to redirect outbound traffic for TCP 80 to the proxy
>> machine, do your content filtering and pass it on.  You cannot transparently
>> proxy SSL traffic in this manner, however, due to the fact that the streams
>> are encrypted.
>
> Well, there are ways to do it, all of them evil :)  Consider it a
> trusted MITM attack.  Wh...outside of commercial proxies however,
> I know of no open source way to automate this (without lots of work on
> the administrator end to set it up).
>

Actually relayd can do this!

> --Bill
>

-- 
Ermal


Re: [pfSense Support] Policy Routing and Re-Direct Question

2008-12-03 Thread Bill Marquette
On Wed, Dec 3, 2008 at 5:12 PM, Ermal Luçi <[EMAIL PROTECTED]> wrote:
> On Wed, Dec 3, 2008 at 5:40 PM, Bill Marquette <[EMAIL PROTECTED]> wrote:
>> On Wed, Dec 3, 2008 at 10:12 AM, Gary Buckmaster
>> <[EMAIL PROTECTED]> wrote:
>>> It can be done, although not if the proxy machine is inside your LAN.  It
>>> would need to live on a separate network segment (i.e. DMZ).  In this case,
>>> yes, it's possible to redirect outbound traffic for TCP 80 to the proxy
>>> machine, do your content filtering and pass it on.  You cannot transparently
>>> proxy SSL traffic in this manner, however, due to the fact that the streams
>>> are encrypted.
>>
>> Well, there are ways to do it, all of them evil :)  Consider it a
>> trusted MITM attack.  Wh...outside of commercial proxies however,
>> I know of no open source way to automate this (without lots of work on
>> the administrator end to set it up).
>>
>
> Actually relayd can do this!

I assume you are talking about the transparent mode of relayd which
isn't in the FreeBSD port (and I believe requires kernel work to be
usable?).  While it can terminate an HTTPS connection and send it to a
proxy, the proxy will have no idea that the destination should be
HTTPS (let alone on port 443).  You'd be better off using something
like HAProxy if you went that route.  My point was solely that "it
can't be done" isn't technically correct - only in the context of the
current state of technology in open source and pfSense in general (it
wouldn't take much for someone motivated to actually implement this
correctly though - decrypt SSL, figure out destination, turn it into a
CONNECT call through a proxy and reencrypt - or proxy it yourself).

--Bill
