Selective PF RDR

jhp · #1 **(View Single Post)** 30th March 2010

Hi Everyone

Does anyone know if it's possible to selectively redirect clients using pf to my squid proxy?

I tried this and it didn't seem to work, though it does work if I redirect all. I would like the direct servers list to go direct and not go through the transparent squid (due to authentication and other reasons on the client PCs).

Code:

direct_servers="{ !172.26.0.24, !172.26.0.32, !172.26.0.39, !172.26.0.41 }"

rdr on $int_if inet proto tcp from $int_if:network to $direct_servers port www -> 127.0.0.1 port 3128

Thanks for your time!

John

Carpetsmoker · #2 **(View Single Post)** 30th March 2010

I have this is my pf.conf, it works:

Code:

# For passing firewall/proxy at work
rdr on $if inet proto tcp from $work to $ip1 port https -> $ip1 port ssh

So that would be a yes.

Is www a valid service name? (I always use http).

BSDfan666 · #3 **(View Single Post)** 30th March 2010

Quote:

Originally Posted by Carpetsmoker

Is www a valid service name? (I always use http).

The /etc/services file seems to allow aliases, and http happens to be an alias for www.

DutchDaemon · #4 **(View Single Post)** 30th March 2010

@jhp: try reversing the statements (move the '!" from the IP addresses to the variable).

Code:

direct_servers="{ 172.26.0.24, 172.26.0.32, 172.26.0.39, 172.26.0.41 }"

rdr on $int_if inet proto tcp from $int_if:network to ! $direct_servers port www -> 127.0.0.1 port 3128

jhp · #5 **(View Single Post)** 31st March 2010

@Carpetsmoker: Sorry I should have been clearer in my description. It works fine the way you have it, but not if I invert the selection with a '!'. As there are only a few servers I wish to exclude from the filtering (rather than include) it would be easier this way around.

@DutchDaemon: Yeah that was the way I tried it initially but it gives a config error if I put ! before the list name. Putting the ! in the list was the only way I could launch pf successfully.

Any other thoughts?

DutchDaemon · #6 **(View Single Post)** 31st March 2010

Got it. This actually bit me in the past.

Use this:

Code:

table <direct_servers> const { 172.26.0.24, 172.26.0.32, 172.26.0.39, 172.26.0.41 }
rdr on $int_if inet proto tcp from $int_if:network to ! <direct_servers> port www -> 127.0.0.1 port 3128

I think something prevents negating 'multi-value variables' (or maybe even single-value ones), whereas tables are not a problem.

jhp · #7 **(View Single Post)** 31st March 2010

Spot on!

Thanks for helping out, DutchDaemon! There's surprisingly little on the web regarding this particular problem.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode