All:
I've scoured the forums & Googled extensively before posting, perhaps I've missed something, but please take me at my word I did a thorough search for answers before posting this question, and I'm hoping DutchDaemon responds since he seems to be quite in the know about this.
I have a FreeBSD AMD64 7.2 installation, with squid 2.7STABLE6 from the ports tree (this version is in use since it's the production FreeBSD release @ my provider), and I'm attempting to create a transparent squid proxy, with this configuration:
- Management interface, bge0, IP address x.x.x.x
- em0, part of bridge0, no IP address.
- em1 part of bridge0, no IP address.
- bridge0, no IP address.
- transparent bridge squid configuration on lo0
- pf
- Nice, "unsafe" 666 permissions on /dev/pf. =)
I have my Internet traffic passing through the bridge sitting between a commercial firewall and the Internet uplink, and I've been happily able to snoop on traffic with tcpdump, etc. as well as filter traffic using PF on one of the member bridge links (the sysctl settings for filtering on the bridge as well as member interfaces are all set to 1). PF HFSC queueing works like a charm as well on the em0 interface pre-queuing outbound traffic to the 'Net.
What I'm wanting to do is create a transparent proxy, where I can re-route HTTP traffic (just like you specified, DutchDaemon, the PF rdr and route-to) to loopback, and then have it passed along out the bridge like it would have gone, out to the Internet router.
I'm a router / switch geek as well as a sysadmin, so thinking this through, I considered that - does squid need a "next hop" address to route its connection to the destination website? If so, this configuration needs tweaking or won't work, but I'm hoping I've just missed something essential to make it go.
Thanks in advance for any / all responses.
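The rdr-to-loopback and route-to arrangement the post describes, written out as an added example (this is not configuration from the post, nor from DutchDaemon's recipe; it is the shape of a pf.conf and squid.conf for squid 2.7 on FreeBSD 7.2, with names and addresses chosen for illustration). Assumptions: em1 is the bridge member facing the commercial firewall, em0 the member facing the uplink, the client network is 192.168.1.0/24 (constructed), squid was built from the port with the PF transparent option so it can read the original destination from /dev/pf, and the proxy host has some address and default route of its own, because squid terminates the client's TCP connection and opens a fresh one to the origin server, and that second connection is ordinary locally-originated traffic that follows the host's routing table rather than the bridge path the client's packet would have taken.

```conf
# /etc/pf.conf  (added example; interface roles and client network are assumptions)
ext_if   = "em0"              # bridge member toward the Internet uplink
int_if   = "em1"              # bridge member toward the commercial firewall / clients
lan_net  = "192.168.1.0/24"   # constructed client network behind the firewall
proxy    = "127.0.0.1"
pport    = "3128"

# Redirect client HTTP arriving on the inside bridge member to squid on loopback.
# squid later asks /dev/pf for the pre-rdr destination, hence the permissions on /dev/pf.
rdr on $int_if inet proto tcp from $lan_net to any port 80 -> $proxy port $pport

# Hand the redirected packets to lo0 so they reach the listening socket.
pass in quick on $int_if route-to lo0 inet proto tcp from $lan_net to $proxy port $pport keep state

# Squid's own connections to origin servers are host-originated traffic; they leave on
# whatever interface the routing table picks, so allow them out there (assumed: $ext_if).
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state


# /usr/local/etc/squid/squid.conf  (added example; only the lines relevant to interception)
# squid 2.x spells interception "transparent"; 3.1 and later use "intercept".
http_port 3128 transparent

# Constructed ACL matching the redirected client network above.
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
```

Two checks before trusting this: `pfctl -nf /etc/pf.conf` parses the rule set without loading it, and `pfctl -s nat` / `pfctl -s state` after a test fetch show the rdr entry and a state pair (client to origin, and squid to origin). If the second state never appears, squid could not originate its outbound connection, which is the "next hop" question the post raises: the rdr and route-to only deliver the client's packets to the proxy; they do nothing for the connection squid opens afterwards.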