On Tue, Jul 10, 2012 at 3:31 AM, Hao Bryan Cheng <[email protected]> wrote:
> Hello all,
>
> I am working on converting a captive portal system from ipfw to pf (in
> order to support port-block allocation in many-to-one NAT) on systems
> currently running FreeBSD 8.2.
>
> Most of the firewall rewrite went without incident. However, I am having
> trouble replicating the fwd functionality of ipfw in pf.
>
> Our ipfw firewall uses the fwd rule to send packets from the private side
> of the portal to a squid instance running on 127.0.0.1:3128. From there,
> squid runs our url_rewrite script. The nice thing about this setup is that
> the fwd rule does not rewrite either the destination IP or port of the
> packet, meaning that the url_rewrite script can easily extract this
> information from the input line that squid provides (myip corresponding to
> the destination IP address of the original HTTP request). We then add the
> IP address to a firewall table to grant HTTPS access to the destination
> host bypassing squid entirely.
>
> I was able to get traffic into squid via pf using a rdr rule. However this
> rule rewrites the destination IP and port of the request which means that
> the url_rewrite script is no longer aware of the original destination IP.
> While there are several options for changing the url_rewrite script to
> accommodate this change, I would like to avoid unnecessary (and redundant)
> nameserver lookups.
>
> Is there a rule in pf that behaves similarly to ipfw's fwd rule? I have
> heard mentions of a divert-to rule, but I was unsuccessful in finding any
> official documentation on the subject anywhere online.
>
> Any help would be greatly appreciated.

You will not find such functionality easily or without tricky requirements.

> Thanks,
>
> Hao Bryan Cheng
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "[email protected]"

--
Ermal
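As an added illustration (not code from the thread or from either poster), here is a sketch of the url_rewrite helper side that the question describes: it pulls myip out of the squid input line and builds the pfctl table-add command, and it refuses to whitelist the proxy's own address, which is exactly what myip becomes once a pf rdr has rewritten the destination. The helper input format (squid 2.7/3.1 style), the table name https_allowed and the field names are assumptions.

```python
import ipaddress
import subprocess

PORTAL_TABLE = "https_allowed"  # hypothetical pf table name, not from the thread
PROXY_IP = "127.0.0.1"          # squid's listen address as given in the thread

def parse_rewrite_line(line):
    # Assumed squid 2.7/3.1 helper input: URL client_ip/fqdn user method [urlgroup] key=value ...
    fields = line.strip().split()
    if len(fields) < 4:
        raise ValueError("malformed url_rewrite input: %r" % line)
    rec = {"url": fields[0], "client": fields[1].split("/", 1)[0],
           "user": fields[2], "method": fields[3]}
    for tok in fields[4:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
    return rec

def destination_for_table(rec):
    # Under ipfw fwd, myip is the real destination host. After a pf rdr it is
    # the proxy's own address, which must never be granted an HTTPS bypass.
    myip = rec.get("myip")
    if not myip:
        return None
    try:
        addr = ipaddress.ip_address(myip)
    except ValueError:
        return None
    if addr.is_loopback or myip == PROXY_IP:
        return None
    return str(addr)

def pfctl_add_command(ip, table=PORTAL_TABLE):
    # Adds the host to the table referenced by the pass rule for port 443.
    return ["pfctl", "-t", table, "-T", "add", ip]

def handle(line, run=False):
    # Returns the pfctl command for this request, or None when nothing is added.
    ip = destination_for_table(parse_rewrite_line(line))
    if ip is None:
        return None
    cmd = pfctl_add_command(ip)
    if run:
        subprocess.run(cmd, check=True)
    return cmd
```

Wired in as url_rewrite_program, the helper would call handle(line, run=True) for each stdin line and answer squid with an empty line, meaning "no rewrite"; the constructed sample addresses below come from documentation ranges.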
