PF Redirect traffic from localhost using pf

I want to redirect http traffic from localhost to a squid proxy running on localhost as well. I know normally one sets the http_proxy variable, but I have some clients running that do not support setting the proxy. I tried adding

rdr pass proto tcp from any to any port http -> 127.0.0.1 port 8080

but I do not see any incoming connections on port 8080. How can I realize this?
 
Do you have this in your PF rules?
Code:
set skip on lo0
This is telling PF to ignore all rules for the localhost interface.
 
I want to redirect http traffic from localhost to a squid proxy running on localhost as well.
Nothing passes in or out of an interface in this case. So translations are not applied.

Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since
     such packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.

I have some clients running that do not support setting the proxy
What kind of clients? What do they do?
 
Do you have this in your PF rules?
Code:
set skip on lo0
This is telling PF to ignore all rules for the localhost interface.
This shouldn't be the issue, unless he's trying to redirect traffic to a webserver on localhost via the proxy.
 
Do you have this in your PF rules?
Code:
set skip on lo0
This is telling PF to ignore all rules for the localhost interface.
That was my first thought but I already deactivated it. And it does change the situation.

According to SirDice, I need to move the services to a VM/JAIL/.. and route the traffic over the virtual interface. So, understanding the above right, traffic having its origin on localhost cannot be redirected / modified using pf.

The http clients are custom-built programs by some colleagues, accessing various Web APIs to pick data for later analysis. These cause a lot of traffic, and I think caching can reduce the footprint on the network and accelerate the stuff. Unfortunately, they don't use curl or similar stuff but wrote the http client code themselves.
 