> perhaps I should give more info about this:
>
> I have an internal LAN, DMZ and a WAN. My proxy is in the DMZ. I redirect
> all http traffic from the LAN to the proxy in the DMZ. The rule looks like
> this:
>
> rdr on vr0 inet proto tcp from any to any port = http -> 10.6.0.10 port 8080
>
> I would like to eventually have a rule that reads something like:
>
> no rdr on vr0 inet proto tcp from any to 10.2.0.0/16 port = http
>
> above it.
> The "no nat" feature available on outbound nat currently doesn't even
> allow me to select my internal interface. So I'm not sure if this rule
> will work because it's probably going to be caught by the rdr rule
> above anyways.
>


[alan walters] 
I have been thinking about this a lot recently. I was wondering if rules
for squid, ftp proxy, ipsec, etc. could be added to the xml file. At
least this way the user has some control over what to do with them.

I thought the best way to display these would be under their relative
interface setting and grouped by the anchor points defined in pf.

At least this would allow for a bit more transparency as to what rules
are going on and maybe a bit more control over what services are used
where.

Look forward to hearing what other users have to say in respect to this
issue on hidden rules in the /tmp/rules.debug file.


> Unless I'm not supposed to be using rdr for this in the first place, which
> doesn't make sense to me, how should I then be doing this?
>
> thanks,
>
> e.
>
>
> On 10/31/05, Bill Marquette <[EMAIL PROTECTED]> wrote:
>
>       On 10/31/05, Etienne Ledoux <[EMAIL PROTECTED]> wrote:
>       > I'm using pfsense to redirect all outgoing http traffic to a transparent
>       > proxy. But I need to not redirect a specific range when browsing to that
>       > specific range. pf supports "not rdr" as well as other options to achieve
>       > this. But I can't figure out how I can do this via pfsense? Perhaps
>       > the "No nat" feature somehow?
>
>       Yup, no nat. I assume you are redirecting to another server and not
>       using the squid on box. If so, 'no nat' should work for you, just
>       make sure the 'no nat' rule is before the fall through redirect that
>       redirects everything else.
>
>       --Bill
>
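The ordering point Bill makes above (the exemption must come before the fall-through redirect) follows from pf evaluating nat/rdr rules first-match, unlike filter rules where the last match wins. As an added illustration, not code from the thread or from pfSense, this small Python model replays the two rules quoted in the thread (interface vr0, exempt range 10.2.0.0/16, proxy 10.6.0.10:8080) against sample destinations in both orders; the client addresses and the rule dictionaries are constructed for the example.

```python
import ipaddress

# Constructed model of the two translation rules from the thread.  pf
# evaluates nat/rdr rules first-match (filter rules are last-match), so
# the "no rdr" exemption only takes effect when it sits above the
# catch-all rdr.  Addresses and ports are the ones quoted in the thread.
PROXY = ("10.6.0.10", 8080)

def build_rules(exemption_first=True):
    """Return the rule list in the order pf would read it from pf.conf."""
    no_rdr = {"action": "no rdr", "iface": "vr0", "proto": "tcp",
              "dst": ipaddress.ip_network("10.2.0.0/16"), "dport": 80}
    rdr = {"action": "rdr", "iface": "vr0", "proto": "tcp",
           "dst": ipaddress.ip_network("0.0.0.0/0"), "dport": 80,
           "target": PROXY}
    return [no_rdr, rdr] if exemption_first else [rdr, no_rdr]

def rule_matches(rule, iface, proto, dst_ip, dport):
    return (rule["iface"] == iface and rule["proto"] == proto
            and ipaddress.ip_address(dst_ip) in rule["dst"]
            and rule["dport"] == dport)

def translate(rules, iface, proto, dst_ip, dport):
    """First-match rdr semantics: return the (ip, port) the connection is
    actually delivered to.  A matching 'no rdr' ends evaluation without
    translating; no match at all also leaves the destination untouched."""
    for rule in rules:
        if rule_matches(rule, iface, proto, dst_ip, dport):
            if rule["action"] == "no rdr":
                return (dst_ip, dport)
            return rule["target"]
    return (dst_ip, dport)

if __name__ == "__main__":
    good, bad = build_rules(True), build_rules(False)
    for dst in ("10.2.4.20", "10.6.0.99"):   # constructed sample destinations
        print(dst, "exemption first ->", translate(good, "vr0", "tcp", dst, 80),
              "| exemption last ->", translate(bad, "vr0", "tcp", dst, 80))
```

With the exemption first, traffic to 10.2.0.0/16 reaches its real destination and everything else goes to the proxy; with the order reversed the catch-all rdr matches first and the exemption is never consulted.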