RE: Squid 2.6 transparent proxy with pf

2006-12-21 Thread Clinton Sigmon
I seem to remember someone saying that you could NOT redirect out the same 
interface, but I'm not 100% sure.

cs


-Original Message-
From:   [EMAIL PROTECTED] on behalf of Dominik Zalewski
Sent:   Thu 12/21/2006 8:29 AM
To: Peter N. M. Hansteen
Cc: misc@openbsd.org; pf@benzedrine.cx
Subject:Re: Squid 2.6 transparent proxy with pf

On Thursday 21 December 2006 15:04, Peter N. M. Hansteen wrote:
 Dominik Zalewski [EMAIL PROTECTED] writes:
  I have OpenBSD 4.0 firewall and I would like to redirect all outgoing
  http requests to my squid web proxy.

 Daniel Hartmeier wrote about this a while back, his article can be found at
 http://www.benzedrine.cx/transquid.html

In this article squid is running on the same machine as the OpenBSD firewall. In 
my case I have squid running on a different machine connected to the LAN interface. 
My question is: can I redirect traffic on $int_if to another machine connected 
to the same interface? Is this rule correct?

rdr pass on $int_if proto tcp from any to any port 80 -> $squid port 8080

pfctl doesn't complain about anything, but it simply doesn't work.

Here is a cut from my squid.conf:

### Main ###
http_port 8080 transparent

.

acl lan src 10.0.0.0/255.255.255.0

.

http_access allow lan


When I set up the proxy manually in my browser, it works.





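The question above is the textbook "redirection and reflection" case: the clients and the Squid box sit on the same segment, so after the rdr Squid answers the client directly from its own address, and the client, which sent its packet to the original web server, drops the reply. The pf FAQ's fix is a second translation rule so the redirected traffic is also source-NATed to the firewall's LAN address and the replies come back through pf. The following pf.conf fragment is an added example, not a rule set from the thread or from Daniel Hartmeier's article; the interface name, the Squid address and the 10.0.0.0/24 LAN are assumptions.

```pf
# Added example (not from the thread). Macro values are assumptions.
int_if = "fxp1"
squid  = "10.0.0.2"

# Redirect LAN clients' port 80 traffic to Squid. Exclude Squid itself:
# its own fetches to web servers also pass $int_if and would otherwise be
# redirected straight back to it in a loop.
rdr pass on $int_if proto tcp from ! $squid to any port 80 \
    -> $squid port 8080

# rdr is applied first, so this nat rule matches the already-redirected
# packet (destination $squid port 8080). Rewriting the source to the
# firewall's own LAN address forces Squid's replies back through pf, where
# the state entry undoes the redirection before the client sees them.
nat on $int_if proto tcp from $int_if:network to $squid port 8080 \
    -> ($int_if)
```

Two things to check after loading this with pfctl: the Squid host must be excluded from the rdr (or given a direct route for port 80) or it will loop, and because of the nat rule Squid now sees every request coming from the firewall's LAN address, so the `acl lan src 10.0.0.0/255.255.255.0` line in squid.conf must cover that address, and Squid's access log will no longer show individual client IPs.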
Re: FTP clients behind PF can connect to ftp serves but cannot list files why?

2004-09-29 Thread Clinton Sigmon
how FTP works
http://slacksite.com/other/ftp.html
http://pintday.org/whitepapers/ftp-review.shtml
how to apply the rules in PF using FTP-Proxy
http://www.aei.ca/~pmatulis/pub/obsd_ftp.html

Siju George wrote:
hi all,
I configured OpenBSD 3.5 PF as said in the FAQ.
For the clients behind my PF firewall to access ftp servers I put this
line in the pf.conf file
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1:8021
I also have the following line uncommented from /etc/inetd.conf
127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
Now the FTP clients behind the PF firewall can't connect to the ftp
servers on the internet: the username is authenticated successfully, but
listing of files is not possible.
It is not a problem with user permissions, because if I FTP from the
OpenBSD firewall itself as the same user to the same FTP server I am
able to list the files.
I'll paste the output of ftp commands issued from both OpenBSD and a
client behind OpenBSD below. Domain names and user names are replaced
with a  for the sake of security.
Could someone please point out the trouble?
Thank you so much
Siju
---FTP command output when the remote FTP server is accessed from the
OpenBSD firewall
rain# ftp .aaa
Connected to .aaa.
220-=(*)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(*)=-
220-You are user number 5 of 50 allowed.
220-Local time is now 01:41 and the load is 0.30. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
Name (.aaa:root): aa
331 User aa OK. Password required
Password:
230-User aa has group access to:  aa
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Unknown command
227 Entering Passive Mode (64,235,230,209,152,108)
150 Accepted data connection
drwxr-x---    3 32651    12           4096 Sep 25 02:25 etc
drwxrwx---   19 32651    12           4096 Sep 28 16:11 mail
drwxr-x---    3 32651    aa           4096 Sep 23 09:56 public_ftp
drwxr-xr-x   13 32651    99           4096 Sep 23 23:43 public_html
drwx------    6 32651    aa           4096 Sep 23 10:10 tmp
lrwxrwxrwx    1 32651    aa             11 Sep 23 09:56 www -> public_html
226-Options: -l
226 6 matches total
ftp>

Now,
---FTP command output when the remote FTP server is accessed from an
ftp client behind the OpenBSD firewall
ftp .aaa
Connected to .aaa
220-=(*)=-.:. (( Welcome to PureFTPd 1.0.12 )) .:.-=(*)=-
220-You are user number 2 of 50 allowed.
220-Local time is now 01:10 and the load is 0.47. Server port: 21.
220 You will be disconnected after 15 minutes of inactivity.
User (.aaa:(none)): aaa
331 User aaa OK. Password required
Password:
230-User aaa has group access to:  aaa
230 OK. Current restricted directory is /
ftp> ls
200 PORT command successful
425 Could not open data connection to port 57234: Connection timed out
 

Thanks a lot
Siju
--
clint
Cryptek, Inc.
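The two transcripts quoted above differ in exactly the way the linked FTP write-ups describe: from the firewall the client negotiates passive mode (the server's "227 Entering Passive Mode" reply and the client connects out), while the LAN client uses active mode (a PORT command, "200 PORT command successful", and then the server's connect-back to port 57234 times out because the address the client advertised is a private one behind NAT). The script below is an added example, not code from the thread: it parses control-channel lines, decodes the six-number host/port encoding, and flags an active-mode transfer that advertises an RFC 1918 address. The sample sessions are constructed from the thread's transcripts; the `PORT 10,0,0,5,223,146` line is an assumption (a client only shows it in debug output), chosen so that it decodes to the port 57234 seen in the 425 reply.

```python
"""Classify how an FTP session sets up its data connection from the
control-channel lines a client prints (added example, not from the thread)."""
import ipaddress
import re

# Server reply in passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# Client command in active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def decode_hostport(groups):
    """Turn the six comma-separated FTP numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def analyse_session(lines):
    """Scan control-channel lines; report mode, data endpoint and outcome."""
    info = {"mode": None, "data_addr": None, "data_port": None,
            "private_addr": False, "data_failed": False}
    for raw in lines:
        line = raw.strip()
        if m := PASV_REPLY.match(line):
            info["data_addr"], info["data_port"] = decode_hostport(m.groups())
            info["mode"] = "passive"
        elif m := PORT_CMD.match(line):
            info["data_addr"], info["data_port"] = decode_hostport(m.groups())
            info["mode"] = "active"
            # An RFC 1918 address in PORT cannot be reached from the server
            info["private_addr"] = ipaddress.ip_address(info["data_addr"]).is_private
        elif line.startswith("425 "):
            info["data_failed"] = True
    return info


def diagnose(info):
    """One-line verdict a firewall admin can act on."""
    if info["mode"] == "active" and info["private_addr"]:
        return ("active mode: client asked the server to connect back to "
                f"private address {info['data_addr']}:{info['data_port']}, "
                "which is unreachable through NAT; use passive mode or an "
                "ftp proxy that rewrites PORT")
    if info["mode"] == "active":
        return "active mode with a routable address; check inbound rules"
    if info["mode"] == "passive":
        return (f"passive mode: client connects out to "
                f"{info['data_addr']}:{info['data_port']}; NAT handles this")
    return "no data connection negotiated"


# Constructed sample sessions modelled on the two transcripts in the thread.
FROM_FIREWALL = [
    "230 OK. Current restricted directory is /",
    "227 Entering Passive Mode (64,235,230,209,152,108)",
    "150 Accepted data connection",
    "226 6 matches total",
]
FROM_LAN_CLIENT = [
    "230 OK. Current restricted directory is /",
    "PORT 10,0,0,5,223,146",  # constructed: private LAN address, port 57234
    "200 PORT command successful",
    "425 Could not open data connection to port 57234: Connection timed out",
]

if __name__ == "__main__":
    for name, session in (("firewall", FROM_FIREWALL),
                          ("lan client", FROM_LAN_CLIENT)):
        print(f"{name}: {diagnose(analyse_session(session))}")
```

Run against a real session, feed it the output of `ftp -d` (or any client's verbose mode) so the PORT/PASV lines are present; from the plain transcript in the thread only the 227 reply and the 425 failure are visible.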


Re: pf error in OpenBSD help!

2004-09-25 Thread Clinton Sigmon
Adding on to Cedric's answer: you may also want to add ( ) around the interface if this outside interface 
gets its address via DHCP.

nat on $ext_if from $int_if:network to any -> ($ext_if)
--
clint
Cryptek, Inc.

Cedric Berger wrote:
Siju George wrote:
  Hi all,
 
  When my OpenBSD 3.5 System tries to load the PF ruleset it shows the
  following error.
 
  /etc/pf.conf:22: could not parse host specification no IP address
  found for dc0:172.16.0.0/12
 
  the 22nd line of my pf.conf is this.
 
  nat on $ext_if from $int_if:172.16.0.0/12 to any -> $ext_if
either (literally):
nat on $ext_if from $int_if:network to any -> $ext_if
or:
nat on $ext_if from 172.16.0.0/12 to any -> $ext_if
will work
Cedric