Shamefully realized I missed the documentation from /usr/local/share/doc/pkg-readmes/ that covers this.
Bad luser. Will RTFM.

On Tue, Jul 14, 2015 at 4:46 PM, Darren Spruell <[email protected]> wrote:
> [Internet]
>     |
>     |
>  re1|
> +----=----+re2 (10.0.8.0/30)
> |   FW    |=-----------+
> +----=----+            |fxp0
>  re0|              +---=---+
>     |              | proxy |
>     |              +---=---+
>     |                  |xl0
>     |||----------------+
>    /|\  (10.0.7.0/24)
>  [LAN]
>
>
> Is it possible to configure the indicated setup above for
> transparent/intercepting proxy using OpenBSD 5.6 router/firewall and
> OpenBSD 5.4 proxy with Squid 3.3.8?
>
> LAN clients have the FW as the default gateway. I planned on
> intercepting WWW traffic at the firewall and redirecting to the proxy
> out re2 (over the 10.0.8/0/30 net). The proxy has an intercept
> listener on fxp0:
>
> http_port 10.0.8.2:3129 intercept
>
> I see from Squid documentation [1] that this should be done with
> divert-to and divert-reply in PF.
>
> Is this configuration only possible if Squid runs on the same host as
> the PF firewall because of a divert socket having to point locally?
> With the following rule active in PF, no traffic is seen on re2 at FW.
>
> @51 pass in log quick inet proto tcp from 10.0.7.32 to any port = 80
> flags S/SA divert-to 10.0.8.2 port 3129
>
> The following log is seen when attempting connection from client
> 10.0.1.32 to WWW:
>
> Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103:
> 10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win
> 65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 796985221 0,[|tcp]>
> (DF)
>
> Is there any way to successfully configure this or similar sort of
> design with interception in Squid so that the proxy can reside on a
> different host than the firewall?
>
> [1] http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>
> --
> Darren Spruell
> [email protected]

--
Darren Spruell
[email protected]
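As an added example (not part of the thread, and not code from the Squid or OpenBSD projects), the following Python script does the two checks a practitioner would run against the material quoted above: it parses tcpdump-rendered pflog lines like the one in the post to confirm which rule a flow matched, and it inspects a pfctl-style rule line for a `divert-to` target that is not one of the firewall's own addresses. That second check rests on pf.conf(5), which defines `divert-to` as delivery to a local socket on the PF host, so a match on rule 51 proves only that the rule fired, not that anything was forwarded out re2. The log lines, the rule text and the firewall address list are constructed sample input (the first log line is the post's entry joined onto one line); the function names are this example's own.

```python
"""Sanity checks for a PF + Squid interception setup (added example).

  1. parse_pflog_line / matched_rule_flows: which rule did a flow hit?
  2. check_divert_target: is the divert-to address one this host owns?
     pf.conf(5) defines divert-to as delivery to a *local* socket, so a
     remote address there never causes a packet to leave an interface.

Sample log lines, rule text and addresses below are constructed.
"""
import ipaddress
import re

# tcpdump(8) rendering of a pflog entry, on a single line.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block|match) (?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<flags>[SFRPAUEW.]+)"
)

# 'pfctl -vvsr' style rule line: '@<n> <rule body>'
RULE_NUM_RE = re.compile(r"^@(?P<num>\d+)\s+(?P<body>.+)$")
DIVERT_RE = re.compile(r"\bdivert-to\s+(?P<ip>[\d.]+)\s+port\s+(?P<port>\d+)")


def parse_pflog_line(line):
    """Return rule number, verdict, interface and the TCP 4-tuple, or None."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_pf_rule(rule_text):
    """Return the rule number and, if present, its divert-to (ip, port)."""
    m = RULE_NUM_RE.match(rule_text.strip())
    if not m:
        return None
    body = " ".join(m.group("body").split())  # collapse wrapped whitespace
    dv = DIVERT_RE.search(body)
    return {
        "num": int(m.group("num")),
        "body": body,
        "divert_to": (dv.group("ip"), int(dv.group("port"))) if dv else None,
    }


def check_divert_target(rule, local_addrs):
    """Flag a divert-to whose address the firewall itself does not hold.

    Returns (ok, explanation)."""
    if rule is None or rule["divert_to"] is None:
        return True, "no divert-to in rule"
    ip, port = rule["divert_to"]
    target = ipaddress.ip_address(ip)
    local = {ipaddress.ip_address(a) for a in local_addrs}
    if target in local:
        return True, f"divert-to {ip}:{port} is a local address"
    return False, (f"divert-to {ip}:{port} is not an address of this host; "
                   "divert-to only delivers to a local socket, so matching "
                   "flows are not forwarded to a remote proxy")


def matched_rule_flows(log_lines, rule_num):
    """4-tuples of flows in the log that matched the given rule number."""
    flows = []
    for line in log_lines:
        rec = parse_pflog_line(line)
        if rec and rec["rule"] == rule_num:
            flows.append((rec["src"], rec["sport"], rec["dst"], rec["dport"]))
    return flows


if __name__ == "__main__":
    # Constructed: the post's log entry joined onto one line, plus an
    # unrelated block entry to show filtering by rule number.
    sample_log = [
        "Jul 14 16:35:18.081709 rule 51/(match) pass in on vlan103: "
        "10.0.7.32.63958 > 209.68.27.16.80: S 1842850855:1842850855(0) win "
        "65535 <mss 1460,nop,wscale 5,nop,nop,timestamp 796985221 0,[|tcp]> (DF)",
        "Jul 14 16:35:19.000000 rule 3/(match) block in on vlan103: "
        "10.0.7.40.40001 > 198.51.100.7.23: S 1:1(0) win 65535",
    ]
    sample_rule = ("@51 pass in log quick inet proto tcp from 10.0.7.32 to any "
                   "port = 80 flags S/SA divert-to 10.0.8.2 port 3129")
    fw_addrs = ["10.0.7.1", "10.0.8.1"]  # constructed: FW's own re0/re2 addresses

    for flow in matched_rule_flows(sample_log, 51):
        print("rule 51 matched:", flow)
    ok, why = check_divert_target(parse_pf_rule(sample_rule), fw_addrs)
    print("OK" if ok else "PROBLEM", "-", why)
```

Run it as-is to see the rule-51 match from the post reported alongside the warning that 10.0.8.2 is not a firewall address; feeding it `tcpdump -n -e -ttt -i pflog0` output and `pfctl -vvsr` lines from a real host works the same way, one entry per line.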

