
tproxy on freebsd


zen

Apr 17, 2007, 3:18:13 AM
hi,
i know it seems off topic, but
i recently built a proxy server to serve our small ISP,
and i'm facing a big problem. as far as i know FreeBSD doesn't support
TPROXY like linux does.
but i need to build this proxy transparently so that only my clients' ips are
visible when browsing.
i use ipnat and ipf with the latest stable Squid release.
does anyone have experience building a true transparent proxy with FreeBSD?
please share your knowledge regarding this problem.

TIA

Zen

_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stabl...@freebsd.org"

Max Laier

Apr 17, 2007, 7:14:14 AM

On Tuesday 17 April 2007 09:17, zen wrote:
> i know it seem out of topic,
> i recently build a proxy server to serve our small ISP,
> but i'm facing a big problem. as far as i know FreeBSD didn't support
> TPROXY like linux had.
> but i need to build this proxy transparently so only my client ips that
> visible when browsing.
> i use ipnat and ipf with Squid latest stable release.
> does anyone has experience building a true transparent proxy with
> FreeBSD? please share the knowledge and the regarding this problems.

http://www.benzedrine.cx/transquid.html is a tutorial for OpenBSD + pf +
squid, but almost the same steps are required for FreeBSD. If you build
squid from the portstree you should enable:

[X] SQUID_PF Enable transparent proxying with PF

or

[ ] SQUID_IPFILTER Enable transp. proxying with IPFilter

if you want to stay with ipf + ipnat.

--
/"\ Best regards, | mla...@freebsd.org
\ / Max Laier | ICQ #67774661
X http://pf4freebsd.love2party.net/ | mlaier@EFnet
/ \ ASCII Ribbon Campaign | Against HTML Mail and News


Peter Jeremy

Apr 17, 2007, 7:32:22 AM


On 2007-Apr-17 14:17:05 +0700, zen <z...@tk-pttuntex.com> wrote:
>does anyone has experience building a true transparent proxy with FreeBSD?
>please share the knowledge and the regarding this problems.

Max beat me to answering but I use squid+IPfilter as a transparent proxy
on my home firewall. The only problems I've run into are bugs in the
IPfilter window handling code.

--
Peter Jeremy


Alexander Kuprijanov

Apr 17, 2007, 3:15:40 PM
In the message of Tuesday 17 April 2007 11:17:05 zen wrote:
> hi,

> i know it seem out of topic,
> i recently build a proxy server to serve our small ISP,
> but i'm facing a big problem. as far as i know FreeBSD didn't support
> TPROXY like linux had.
> but i need to build this proxy transparently so only my client ips that
> visible when browsing.
> i use ipnat and ipf with Squid latest stable release.
> does anyone has experience building a true transparent proxy with FreeBSD?
> please share the knowledge and the regarding this problems.


Dear Zen

I use a transparent proxy on my home wi-fi network, and at work (ethernet lan)
with pf+proxy on FreeBSD gateways without any problems... earlier I used
ipfilter+proxy (for transparent proxying) also without problems.

I can share my config (pf+proxy) if you need

jonathan michaels

Apr 17, 2007, 8:20:09 PM
alexander,

list, sorry for posting to list, i tried to post to advertised mail
address and my post bounced as "user unknown". so i try here.

On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:
> In the message of Tuesday 17 April 2007 11:17:05 zen wrote:

> I use transparent proxy on my home wi-fi network, and on work (ethernet lan)
> with pf+proxy on FreeBSD gateways without any problems... earlier I used
> ipfilter+proxy (for transparent proxing) also without problems.
>
> I can share my config (pf+proxy) if you need

i don't have a problem with this but i am going to be setting up a
similar setup and would appreciate the help a working setup would
provide.

sorry for my poor english and typing .. i am disabled.

kind regards

jonathan

--
================================================================
powered by ..
QNX, OS9 and freeBSD -- http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====

zen

Apr 17, 2007, 9:36:22 PM
jonathan michaels wrote:

> alexander,
>
> list, sorry for posting to list, i tried to post to advertised mail
> address and my post bounced as "user unknown". so i try here.
>
> On Tue, Apr 17, 2007 at 09:29:21PM +0400, Alexander Kuprijanov wrote:
>> In the message of Tuesday 17 April 2007 11:17:05 zen wrote:
>
>> I use transparent proxy on my home wi-fi network, and on work (ethernet lan)
>> with pf+proxy on FreeBSD gateways without any problems... earlier I used
>> ipfilter+proxy (for transparent proxing) also without problems.
>>
>> I can share my config (pf+proxy) if you need
>
> i don't have a problem with this but i am going to be setting up a
> similar setup and would appreciate the help a working setup would
> provide.
>
> sorry for my poor english and typing .. i am disabled.
>
> kind regards
>
> jonathan

any help will be appreciated, i could use a sample configuration file
regarding this problem.
FYI i'm already running a transparent proxy with ipf+ipnat:

rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp

but with that configuration, it's still the proxy ip address that is visible
when my clients use the proxy.
is it me, or can i just not achieve that with FreeBSD?
because i'd hate to switch to another OS only because of this.

anyway this what i found in the net, but only work on linux

http://www.sanog.org/resources/sanog4-devdas-transproxy.pdf

TIA

Zen

jonathan michaels

Apr 17, 2007, 10:02:23 PM

sorry, my internet access (web browser machine/webbrowser is offline) is
broken at the moment .. i use lynx on a 486dx50, it's 20 years old.

will this work on centos v4 and/or debian v3.4 ??? i am setting up a
compaq proliant 5500r as the network backbone, multi boot (freebsd v6,
debian v3.4 and ms windows 2003 server/professional). this is my fall
back strategy.

much thanks and most kind regards

jonathan


zen

Apr 17, 2007, 10:05:46 PM
jonathan michaels wrote:

i think so, it works on most linux machines depending on your linux kernel.
here is the patch for the kernel :
http://www.balabit.com/downloads/tproxy/
but if i can choose linux or FreeBSD i prefer FreeBSD ( i'm a
FreeBSD die hard user).
that's why i ask the people here, maybe they have solutions regarding
this problem.

TIA

Zen

Volker

Apr 18, 2007, 8:10:47 AM
On 12/23/-58 20:59, zen wrote:
>> i don't have a problem with this but i am going to be setting up a
>> similar setup and would appreciate the help a working setup would
>> provide.
>>
> any help will be appreciated, i could use a sample configuration file
> regarding this problem.

zen & others,

building a transparent proxy using pf + squid is an easy topic and
well documented on the net.

In detail, it's going that way:

pf (assuming nve0 is your local IF):
rdr on nve0 from any to any port 80 -> 127.0.0.1 port 3128
pass in on nve0 from any to any port 80 keep state
pass in on nve0 from any to 127.0.0.1 port 3128 keep state

Now, compile squid with transparent support and use:
'http_port 3128 transparent' in your squid.conf (assuming you're
running squid >= 2.6).

I'm running several hosts with a setup like that.

Also you may want to check out www/havp and use it as a transparent
proxy + squid as upstream proxy. That way you also have virus
protection for your internal users while surfing the web (I'm also
doing things like that as I found it a better solution than
squidclam or the like - YMMV).

> FYI i already running transparent proxy with ipf+ipnat,:
>
> rdr nve0 0.0.0.0/0 port 80 -> 122.x.x.x port 3128 tcp
>
> but with that configuration, still the proxy ip address that visible
> when my client using the proxy.

Don't understand that sentence. What address is visible to whom? And
which address do you want to 'hide'? If you don't want to leak your
internal addresses to any outside webserver, this is a squid issue
and there should (?) be configuration options for squid.

> is it me or just i cant achieve that with FreeBSD?
> because i hate to switch to other OS only because of this.

No need to switch! :)

You may find tons of info using google or in the ML archives of pf@.
Also pf@ or isp@ would be the appropriate list for questions like that.

HTH,

Volker

Adrian Chadd

Apr 18, 2007, 8:21:44 AM
On 18/04/07, Volker <vol...@vwsoft.com> wrote:

> > but with that configuration, still the proxy ip address that visible
> > when my client using the proxy.
>
> Don't understand that sentence. What address is visible to whom? And
> which address do you want to 'hide'? If you don't want to leak your
> internal addresses to any outside webserver, this is a squid issue
> and there should (?) be configuration options for squid.
>

He means fully transparent - ie, client thinks it's talking to the
server; server thinks it's talking to the client; proxy server IP isn't
visible to either.

Adrian

--
Adrian Chadd - adr...@freebsd.org
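The distinction Adrian draws, and the "what address is visible to whom" question Volker asked, is settled on the origin side by looking at two things: the TCP source address of the connection and any proxy headers in the request. The following is an added example, not code from the thread; host addresses and the two sample requests are constructed, and a tester is assumed to know the client address the request was sent from.

```python
import ipaddress

# Header names an intercepting proxy (Squid in its default configuration
# among them) may add; their presence discloses the proxy to the origin.
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header name -> list of values; request line skipped."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def classify(peer_ip: str, client_ip: str, raw_request: bytes) -> dict:
    """Describe what an origin server learned about a proxied client.

    peer_ip   : source address of the TCP connection as the origin saw it
    client_ip : address of the test client you know the request came from
    """
    hdrs = parse_headers(raw_request)
    disclosed = [h for h in PROXY_HEADERS if h in hdrs]
    leaked = []  # (address, is_private) for every X-Forwarded-For entry
    for value in hdrs.get("x-forwarded-for", []):
        for addr in value.split(","):
            addr = addr.strip()
            try:
                leaked.append((addr, ipaddress.ip_address(addr).is_private))
            except ValueError:
                pass  # 'unknown' or a hostname: not an address
    # The source address decides the mode: rdr-style interception replaces it
    # with the proxy's own address; a fully transparent proxy preserves it.
    mode = "source-preserved" if peer_ip == client_ip else "intercepting-proxy"
    return {"mode": mode, "visible_source": peer_ip,
            "proxy_headers": disclosed, "leaked_addresses": leaked}

# Constructed samples (documentation/private ranges, not real hosts).
INTERCEPTED = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Via: 1.0 gw (squid)\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n")
FULLY_TRANSPARENT = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    # Client 10.0.0.5 behind a squid whose outside address is 203.0.113.1
    print(classify("203.0.113.1", "10.0.0.5", INTERCEPTED))
    # Client 198.51.100.7 via a proxy that keeps its source and adds no headers
    print(classify("198.51.100.7", "198.51.100.7", FULLY_TRANSPARENT))
```

With pf rdr plus Squid's `http_port ... transparent`, the origin's TCP peer is the proxy's outside address, so the result is `intercepting-proxy` whatever the headers say; Squid's `via` and `forwarded_for` directives only control the header side, which is where a private client address would otherwise leak.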

Volker

Apr 18, 2007, 8:29:54 AM
On 04/18/07 14:14, Adrian Chadd wrote:
> On 18/04/07, Volker <vol...@vwsoft.com> wrote:
>
>>> but with that configuration, still the proxy ip address that visible
>>> when my client using the proxy.
>>
>> Don't understand that sentence. What address is visible to whom? And
>> which address do you want to 'hide'? If you don't want to leak your
>> internal addresses to any outside webserver, this is a squid issue
>> and there should (?) be configuration options for squid.
>
> He means fully transparent - ie, client thinks its talking to the
> server; server thinks its talking to the client; proxy server IP isn't
> visible to either.
>
> Adrian

Adrian,

thanks, I got it.

Talking about real transparent proxy not just a transparent one... ;)

Unfortunately I don't have a solution for that as I'm using mostly
NATed environments and it doesn't make sense to hand out private
address space to a web server.

Volker

jonathan michaels

Apr 18, 2007, 9:32:28 AM
On Wed, Apr 18, 2007 at 02:25:32PM +0200, Volker wrote:
> On 04/18/07 14:14, Adrian Chadd wrote:
>> On 18/04/07, Volker <vol...@vwsoft.com> wrote:
>>
>>>> but with that configuration, still the proxy ip address that visible
>>>> when my client using the proxy.
>>>
>>> Don't understand that sentence. What address is visible to whom? And
>>> which address do you want to 'hide'? If you don't want to leak your
>>> internal addresses to any outside webserver, this is a squid issue
>>> and there should (?) be configuration options for squid.
>>
>> He means fully transparent - ie, client thinks its talking to the
>> server; server thinks its talking to the client; proxy server IP isn't
>> visible to either.
>>
>> Adrian
>
> Adrian,
>
> thanks, I got it.
>
> Talking about real transparent proxy not just a transparent one... ;)

not sure i understand this one, a "real transparent" "not just a tra.."



> Unfortunately I don't have a solution for that as I'm using mostly
> NATed environments and it doesn't make sense to hand out private
> address space to a web server.

i was assigned a class c some 15 years ago and it's getting used for all
sorts of admin stuff/disabled user client stuff and other stuff that i
cannot sort out 'netting/natting for'


most kind regards and appreciations

jonathan

thanks all ... adrian volker and zen if i forgot somebody sorry.

