Re: more transparent proxy and squid questions.

From: Bill Moran (wmoran_at_potentialtech.com)
Date: 06/16/03

    Date: Sun, 15 Jun 2003 19:48:03 -0400
    To: Andrew Thomson <ajthomson@optushome.com.au>
    
    

    Andrew Thomson wrote:
    > On Fri, Jun 13, 2003 at 09:47:09AM -0400, Bill Moran wrote:
    >
    >>Yes. You've got the right idea.
    >
    >
    > Hmm... I have encountered some difficulties ;) so now I'm seeking some
    > more advice.
    >
    > I have the following rules on my firewall:
    >
    > 10561 skipto 11000 ip from 192.168.1.2 to any
    > 10562 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80
    >
    > Keeping in line with my example, 1=fwall, 2=squid, 3=user.
    >
    > The skipto is in there so we go through NAT and get a proper IP.
    >
    > I never see any packets get to the squid box, though.
    >
    > ipfw show indicates matching packets:
    > ipfw show 10561 10562
    > 10561 5342 331306 skipto 11000 ip from 192.168.1.2 to any
    > 10562 2520 120960 fwd 192.168.1.2,3128 tcp from 192.168.1.3 to any 80
    >
    > A tcpdump on the squid box looking out for port 3128 shows nothing, although
    > the ipfw shows matches.
    >
    > I'll keep digging around, but any more tips would be appreciated on this
    > setup.

    Someone else may have keener eyes, but for my part I can't guess what the problem
    could be from your description.

    Can you send your entire ipfw ruleset? (i.e. the complete output of 'ipfw show')
    Perhaps then I'll be able to get a better idea of what you're doing. If 10562 is
    catching packets, then it's likely that the problem lies somewhere else.

    -- 
    Bill Moran
    Potential Technologies
    http://www.potentialtech.com
    _______________________________________________
    freebsd-questions@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-questions
    To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
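    The following is an added example and is not part of the thread above. It writes
    out Andrew's two firewall rules together with the rule the squid box itself needs,
    using the addresses from his message (192.168.1.1 firewall, 192.168.1.2 squid,
    192.168.1.3 user). The interface name fxp0, the rule number 100 and the DRY_RUN
    switch are assumptions; the kernel on both boxes must be built with
    "options IPFIREWALL_FORWARD" for fwd to work at all. The point it demonstrates is
    documented in ipfw(8): fwd to a non-local address only changes the next hop and
    leaves the packet untouched, so the ",3128" is ignored and the packet arrives at
    the squid box still addressed to the web server on port 80. A second fwd, to a
    local address, is what delivers it to squid, and a tcpdump filter on port 3128
    will never show the packets on the wire.

```sh
#!/bin/sh
# Added example, not code from the thread.  Addresses follow Andrew's layout:
# 192.168.1.1 firewall, 192.168.1.2 squid, 192.168.1.3 user.  The interface
# name, rule number 100 and the DRY_RUN switch are assumptions.
# With DRY_RUN=1 (the default) the ipfw commands are printed rather than
# executed, so the script can be read or checked on any host; run it with
# DRY_RUN=0 as root on the FreeBSD box in question to apply the rules.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-fxp0}        # assumed LAN interface on the squid box
SQUID=192.168.1.2
USER_HOST=192.168.1.3
SQUID_PORT=3128

run_ipfw() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipfw $*"
    else
        /sbin/ipfw "$@"
    fi
}

# Firewall (192.168.1.1): Andrew's two rules.  Squid's own traffic skips
# ahead to the NAT rules; the user's port-80 traffic is handed to the squid
# box.  fwd to a NON-local address only changes the next hop: the packet
# leaves the firewall with the web server's IP and port 80 still in it, and
# the ",3128" is ignored.
firewall_rules() {
    run_ipfw add 10561 skipto 11000 ip from "$SQUID" to any
    run_ipfw add 10562 fwd "$SQUID,$SQUID_PORT" tcp from "$USER_HOST" to any 80
}

# Squid box (192.168.1.2): the packet arrives addressed to the remote web
# server, so without a rule of its own the box just routes it onward (or
# drops it).  A fwd to a LOCAL address is what delivers it to squid.
squid_rules() {
    run_ipfw add 100 fwd "127.0.0.1,$SQUID_PORT" tcp from "$USER_HOST" to any 80 in via "$LAN_IF"
}

# tcpdump filter for the squid box.  "port 3128" matches nothing even when
# the setup works, because the packets on the wire are still addressed to
# port 80; this filter shows what the firewall is actually sending.
squid_capture_filter() {
    echo "tcp and src host $USER_HOST and dst port 80"
}

firewall_rules
squid_rules
echo "tcpdump -ni $LAN_IF '$(squid_capture_filter)'"
```

    Run it once on the firewall with only firewall_rules and once on the squid
    box with only squid_rules; the `in via` keyword keeps the local fwd from
    catching squid's own outbound connections to the real web servers.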
    
