                 [Internet]
                     |
                     |
                  re1|
            +----=----+re2 (10.0.8.0/30)
            |   FW    |=-----------+
            +----=----+            |fxp0
              re0|            +---=---+
                 |            | proxy |
                 |            +---=---+
                 |                |xl0
               |||----------------+
                /|\ (10.0.7.0/24)
               [LAN]
Is it possible to configure the indicated setup above for
transparent/intercepting proxy using OpenBSD 5.6 router/firewall and
OpenBSD 5.4 proxy with Squid 3.3.8?
LAN clients have the FW as the default gateway. I planned on
intercepting WWW traffic at the firewall and redirecting to the proxy
out re2 (over the 10.0.8.0/30 net). The proxy has an intercept
listener on fxp0:
http_port 10.0.8.2:3129 intercept
I see from Squid documentation [1] that this should be done with
divert-to and divert-reply in PF.
Is this configuration only possible if Squid runs on the same host as
the PF firewall because of a divert socket having to point locally?
With the following rule active in PF, no traffic is seen on re2 at FW.
@51 pass in log quick inet proto tcp from 10.0.7.32 to any port = 80
flags S/SA divert-to 10.0.8.2 port 3129
The following log is seen when attempting connection from client
10.0.1.32 to WWW:
Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103:
10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win
65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 796985221 0,[|tcp]>
(DF)
Is there any way to successfully configure this or similar sort of
design with interception in Squid so that the proxy can reside on a
different host than the firewall?
[1] http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
--
Darren Spruell
[email protected]
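As an added example that is not part of the post or the Squid wiki page it cites, the two PF rule forms the question turns on, written for the diagram above: pf.conf(5) defines divert-to as delivery to a local socket, so the rule at @51 can only feed a Squid listener on the firewall itself, while handing the flow to 10.0.8.2 is a rdr-to (destination NAT) operation. Interface names follow the diagram; the listener on the proxy host and the 127.0.0.1 address are assumptions.

```pf
# Firewall (OpenBSD 5.6), /etc/pf.conf fragment. Constructed example.

# Case A: Squid listener on the firewall itself. divert-to hands the
# matched packet to a local socket; a non-local address such as
# 10.0.8.2 has no socket here, so no packet ever leaves re2.
# pass in log quick on re0 inet proto tcp from 10.0.7.0/24 to any port 80 \
#     divert-to 127.0.0.1 port 3129

# Case B: Squid listener on the proxy host 10.0.8.2. Rewrite the
# destination instead. The state created on the inbound pass reverses
# the translation on the proxy's reply coming back in on re2, so the
# client still sees the original server address and port 80.
match in log on re0 inet proto tcp from 10.0.7.0/24 to any port 80 \
    rdr-to 10.0.8.2 port 3129
pass in quick on re0 inet proto tcp from 10.0.7.0/24 to 10.0.8.2 port 3129
pass out quick on re2 inet proto tcp from 10.0.7.0/24 to 10.0.8.2 port 3129

# Proxy host (OpenBSD 5.4), /etc/pf.conf fragment. Its default route
# must point at the firewall's re2 address so replies to 10.0.7.0/24
# and its own fetches to port 80 both pass back through the firewall
# (arriving on re2, not re0, so they are not redirected again).
pass in quick on fxp0 inet proto tcp from 10.0.7.0/24 to 10.0.8.2 port 3129

# Caveat: with rdr-to on a different host, the proxy's own PF holds no
# NAT state for the flow, so Squid's intercept listener cannot recover
# the original destination through /dev/pf and relies on the HTTP Host
# header instead.
```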