. On the gateway, place the fwd rule before the divert rule.
. Run tcpdump and 'ipfw -a list' on __proxy__ and see whether the packets really reach the proxy/squid or not.
. A network diagram would be helpful in case the problem still persists.
David Martens wrote:
I've taken H.Fazaeli's suggestion and moved the proxy to the same
class C as the gateway with no change.
So now my rule set on the gateway is:
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00890 allow ip from any to 192.168.0.2
00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
And on the proxy:
00080 allow tcp from any to any out
00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
For testing purposes I've set the forward to only a single ip
address. Eventually this will be set to the entire /22 subnet.
A tcpdump on the LAN interface on the gateway indicates traffic from
192.168.1.60 and the fwd rule increments, but the packets don't make it
to the proxy. They are not dropped, the requested web pages load fine
in the browser, just no proxy.
On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
This is what is happening:
1. Client's packet matches the fwd rule on the gateway.
2. Gateway tries to fwd the packet to 192.168.3.2. For this, it should
replace the destination MAC address with that of the proxy (192.168.3.22).
3. Gateway fails to obtain the proxy's MAC address, since it is not on the
same subnet as the proxy (cannot use ARP).
4. fwd rule drops the packet.
FIX: assign a 192.168.3.XXX address to the gateway's interface
from which the proxy is supposed to be reachable.
David Martens wrote:
I'm trying to set up a transparent proxy using two machines, the
gateway and the proxy. The proxy is 192.168.3.22 and is listening
on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
so everything is on the same subnet.
I set the following rules on the gateway:
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
When I get a packet count (ipfw -a list) rule 990 increments when I
try to access a web page.
On the proxy box I have the following rules:
00100 allow tcp from 192.168.3.22 to any
00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
Rule 110 never receives any forwarded packets. Any ideas what I've
done wrong here? The HTTP requests do go out, but are not forwarded
through the proxy.
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
--
Best regards.
Hooman Fazaeli <[EMAIL PROTECTED]>
Sepehr S. T. Co. Ltd.
Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352
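As an added example (not code from anyone in this thread), the two checks Hooman suggests can be scripted: parse `ipfw -a list` output, and for every `fwd` rule report whether its next-hop lies inside a directly connected subnet (the ARP point in his reply), whether the rule is numbered after a `divert` rule (his "place fwd before divert" point), and whether its packet counter has moved. The `ipfw -a list` text and the interface table below are constructed; the /24 mask on en0 is a hypothetical choice so that one fwd target is on-link and one is off-link.

```python
import ipaddress
import re

# Constructed sample of `ipfw -a list` output: rule number, packet count,
# byte count, rule body. The counters are made up; the bodies mirror the
# gateway rule sets posted in the thread.
SAMPLE_IPFW_LIST = """\
00100   812  61240 allow ip from any to any via lo0
00110     0      0 deny ip from any to 127.0.0.0/8 via en0
00800  9123 874310 divert 8668 ip from any to any via en0
00850     0      0 deny ip from any to any in frag
00890    44   3520 allow ip from any to 192.168.0.2
00990    17   1360 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
01000     5    400 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
65535     0      0 deny ip from any to any
"""

# Constructed interface table (what `ifconfig` would report): name -> addr/netmask.
# Hypothetical /24 on the LAN interface, so 192.168.3.22 is not on-link.
SAMPLE_IFACES = {"en0": "192.168.0.1/255.255.255.0"}

# rule number, packets, bytes, then the rule text
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*?)\s*$")
FWD_RE = re.compile(r"^(?:fwd|forward)\s+([0-9.]+)(?:,(\d+))?\b")


def parse_ipfw_list(text):
    """Return (number, packets, bytes, body) tuples from `ipfw -a list` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)))
    return rules


def fwd_target(body):
    """Next-hop address of a fwd/forward action, or None for other actions."""
    m = FWD_RE.match(body)
    return m.group(1) if m else None


def on_link_interface(target, ifaces):
    """Name of the interface whose subnet contains `target`, or None.

    fwd rewrites the destination MAC to the next-hop's, which the kernel
    learns via ARP; that only works when the next-hop is on a local subnet.
    """
    addr = ipaddress.ip_address(target)
    for name, cidr in ifaces.items():
        if addr in ipaddress.ip_interface(cidr).network:
            return name
    return None


def check_fwd_rules(text, ifaces):
    """Apply the thread's checks to every fwd rule and return a list of findings."""
    rules = parse_ipfw_list(text)
    first_divert = min((n for n, _, _, b in rules if b.startswith("divert ")), default=None)
    findings = []
    for num, pkts, _, body in rules:
        target = fwd_target(body)
        if target is None:
            continue
        iface = on_link_interface(target, ifaces)
        problems = []
        if iface is None:
            problems.append(
                "next-hop %s is not on any local subnet, so ARP cannot resolve it; "
                "give the gateway an address on that subnet" % target)
        if first_divert is not None and num > first_divert:
            problems.append(
                "rule %05d sits after divert rule %05d; move the fwd rule first"
                % (num, first_divert))
        if pkts == 0:
            problems.append("no packets have matched this rule yet")
        findings.append({"rule": num, "target": target, "iface": iface,
                         "packets": pkts, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in check_fwd_rules(SAMPLE_IPFW_LIST, SAMPLE_IFACES):
        status = "ok" if not f["problems"] else "; ".join(f["problems"])
        print("rule %05d fwd %s (%d pkts, iface=%s): %s"
              % (f["rule"], f["target"], f["packets"], f["iface"], status))
```

Run it against the real output of `ipfw -a list` and the address/netmask pairs from `ifconfig` on the gateway; the same script applied on the proxy, with lo0 included in the interface table, verifies the `fwd 127.0.0.1,8082` rule the same way.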