PF redirect to remote proxy

dear all,

I've got a server with one network interface (le0), one public IP address (A.B.C.D), and there is a remote proxy (W.X.Y.Z) on port 3128. How do I redirect www traffic to use the remote proxy using pf? I use this pf rule, but it still does not work.

Code:
rdr on le0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128


thanks
 
Is the proxy on W.X.Y.Z:3128 transparent or not?

Do you want to redirect http traffic from the machine A.B.C.D itself or from another?
 
Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.

See pf.conf(5).
 
@pbd: transparent proxy, and I want to redirect http from the machine itself.

@SirDice: is there another way so I can redirect http traffic from my server to use the remote proxy?

thanks
 
Never tried this, but you could redirect le0 -> lo0, and then lo0 -> le0 to force the packet out again.

Code:
rdr pass on le0 proto tcp from $my_if to any port www -> lo0
rdr pass on lo0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128

I have absolutely no idea if that works ;) Might as well buy a second NIC for 10 bucks and do it properly ..
 
What shows tcpdump?

Code:
tcpdump -ni le0

Do you see packets coming from A.B.C.D to W.X.Y.Z and/or back (when you try to open some web page)?
 
You mean the http traffic is originating from the machine itself?

You could try
Code:
rdr pass on le0 proto tcp from { le0 lo0 } to any port www -> W.X.Y.Z port 3128
I suppose, or use HTTP_PROXY/FTP_PROXY environment variables if the applications support it.
 
DutchDaemon said:
Never tried this, but you could redirect le0 -> lo0, and then lo0 -> le0 to force the packet out again.

Code:
rdr pass on le0 proto tcp from $my_if to any port www -> lo0
rdr pass on lo0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128

I have absolutely no idea if that works ;) Might as well buy a second NIC for 10 bucks and do it properly ..

(I've tried this /on FreeBSD 7.2/, but it doesn't seem to work. Packets arrive at the interface, but never come out.)
 
billythekidz said:
@SirDice: is there another way so I can redirect http traffic from my server to use the remote proxy?
Configure the application to use that proxy. As far as I'm able to see there's no way to 'automagically' do this with pf.
 
No, you can't; you need to configure both pf (for transparent mode) and the upstream proxy, which needs to be done in Squid itself. For example, we use an upstream proxy provided by our ISP for Squid using something called ICP. Here is a sample config:
Code:
cache_peer squid02.ent.example.com parent 3128 3130
prefer_direct off
squid02.ent.example.com is the ISP's upstream remote proxy. Your local pf will redirect traffic to the local Squid, and the local Squid will use the upstream as and when required. See the official Squid wiki or documentation about ICP config. http://www.squid-cache.org/Doc/config/cache_peer/
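The setup the post above describes, written out as a minimal pf.conf and squid.conf pair (an added example, not the poster's own files). The interface name, client subnet and Squid version are assumptions; note that, as explained earlier in the thread, rdr only matches packets arriving on an interface, so this intercepts clients behind the box, not the box's own HTTP traffic.

```conf
# --- /etc/pf.conf (fragment) ---
# Assumed: int_if is the LAN-facing interface, int_net the client subnet.
# rdr acts on packets *entering* int_if; locally generated HTTP from the
# firewall itself is not redirected (see the earlier replies).
int_if  = "em1"
int_net = "192.168.1.0/24"

# Send clients' port-80 connections to the local Squid on loopback.
rdr pass on $int_if inet proto tcp from $int_net to any port www -> 127.0.0.1 port 3128

# --- /usr/local/etc/squid/squid.conf (fragment) ---
# "intercept" is the Squid 3.1+ keyword; Squid 2.x/3.0 spelled it "transparent".
# Squid must be built with pf support and be able to read /dev/pf to recover
# the original destination of a redirected connection.
http_port 3128 intercept

# Only the assumed client subnet may use the proxy.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all

# Upstream (ISP) proxy from the post above: HTTP on 3128, ICP on 3130.
cache_peer squid02.ent.example.com parent 3128 3130
# Always go through the parent rather than fetching origin servers directly.
prefer_direct off
never_direct allow all
```

Check the pf part with `pfctl -nf /etc/pf.conf` before loading it, and confirm with `tcpdump -ni lo0 port 3128` that redirected client connections actually reach Squid.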
 