
List:       openbsd-misc
Subject:    Re: Transparent Firewall + external proxy
From:       "Peter Verhagen" <pverhagen () sapl ! ab ! ca>
Date:       2003-01-30 19:07:12

My response was assuming the proxy was there for a reason (eg squid
time based acls to squelch those after hours p0rn snurfing security
guards/janitors, proxy a specific site or use it as www filter,
squid www caching in attempt to use less internet bandwidth, etc).

The other important piece (I felt) was that the IPs listed were
publicly addressable (132.248) IPs. NAT might not be a possibility
for political reasons (I've seen organizations always have public
IPs, and it stays that way. No ifs, buts, blah blah blah <insert
higher-up political garbage here> about it).

I really did find the good piece of info on using RDR internally
though. Thank you.

With the utmost respect,
Peter Verhagen

> Javier Martinez wrote:
>>> Hi everybody,
>>>
>>> I have installed a transparent firewall with OpenBSD 3.2, I'm
>>> trying to install a web proxy external to the firewall, and I
>>> want to redirect all the traffic from my internal network to the
>>> proxy, I tried with rdr but I'm not sure if it is the correct
>>> tool or if it is possible.
>>>
> 	It is the correct tool, but you're not using it correctly.
> Also, if "transparent" == "bridging", there's other issues here.
> I'm assuming that's what you mean.
> If so, you might want to look at:
> http://marc.theaimsgroup.com/?l=openbsd-misc&m=101814255119388&w=2
> If you can get that working, see below:
>
> However, if you really need this, convert to a routed setup, it'll
> make your life much easier.
>
> <Original ASCII snipped>
>>
> 	The problem here is that you cannot redirect backward on an
> interface, which is what I think your problem probably is, given the
> ASCII layout you provided.
> If traffic comes IN on an interface, it has to leave on another
> interface. That's a big principle with rdr.
>
> Given that you've given no pf.conf rules, it's hard to say.
>
> At 09:40 AM 01/30/2003 -0700, Peter Verhagen wrote:
>
>>ummm... you could try to make Comp1/2 think that your web proxy
>> is the default gateway, and have the web proxy default gateway
>> pointing to the internet (I really don't know if that will
>> work.... but it shouldn't require a rdr)
>>
> 	Ouch, no, no, no.  That means you'd be adding extra layers
> unnecessarily. That, and you'd have to either proxy EVERYTHING
> through it, or redirect internally on the proxy itself.
> If all you want to proxy is the WWW traffic, that's a lot of extra
> crap to go through.
>
> However, this does bring up the possibility that in a small enough
> environment, you could use just one box as a combination web-proxy
> and firewall, doing the redirect in the same way that you'd set up
> the ftp-proxy module on OpenBSD (man page for details).  But I'm
> assuming here that for good reasons (of which there can be many),
> these are two separate boxes.  Again, I'd suggest routing over
> bridging.
>
>>OR get a second NIC for your web proxy, and place it behind the
>>transparent firewall like this:
>>
> <More ASCII snipped>
>>
> 	Again, kinda has the same problems with extra layers and what
> not.  Would work better than before, but again, total proxy, or NAT,
> or some such.
>
> Really, with this, I'd suggest that you do add a third ethernet
> port to the firewall, on a subnet/NATted subnet, as a DMZ, and put
> the proxy there.
>
> Then have the rdr put through to that interface.  This way, the
> rdr works, and it's still behind the firewall.
>
>
> Signing off,
>
> Joseph C. Bender
> benderjc (at) benderhome.net   ;   jcbender (at) benderhome.net
> This account is used primarily for reading and responding to
> mailing list traffic and is not my main mailing address.
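
The layout Joseph suggests at the end of his message (proxy on a third, NATted DMZ port, with rdr pointing at it) written out as a pf.conf, added here as an example; it is not code from the thread or from either poster. Interface names, address ranges and the proxy port are assumptions, and the classic pre-4.7 rdr/nat syntax is used to match the OpenBSD 3.2 of the thread (on 4.7 and later the translation rules become `match ... rdr-to` / `nat-to`).

```pf
# Added example (not from the thread): web traffic from the inside LAN
# redirected to a proxy on a separate DMZ interface.  Classic pf syntax
# (OpenBSD 3.x through 4.6).  Every name and address below is assumed.

ext_if     = "fxp0"            # upstream link
int_if     = "fxp1"            # inside LAN, keeps its public addresses as in the thread
dmz_if     = "fxp2"            # the extra port that holds the proxy
int_net    = "192.0.2.0/24"    # constructed stand-in for the public inside range
dmz_net    = "10.10.10.0/24"   # private DMZ, NATted on the way out
proxy      = "10.10.10.5"      # the web proxy host (assumed)
proxy_port = "3128"            # its listening port (assumed)

# --- translation rules (evaluated before the filter rules) ---
# Port-80 traffic arriving on $int_if gets its destination rewritten to the
# proxy in the DMZ.  Because the proxy is behind a different interface the
# rewritten packet leaves through $dmz_if and the reply returns the same way,
# which is the "cannot redirect backward on an interface" point made above.
rdr on $int_if proto tcp from $int_net to any port 80 -> $proxy port $proxy_port
# Only the DMZ network is translated; the inside network keeps its public IPs.
nat on $ext_if from $dmz_net to any -> ($ext_if)

# --- filter rules (they see the already-translated destination) ---
block all
pass quick on lo0 all

# Redirected web sessions, inside -> proxy.  The pass rule must match the
# translated destination ($proxy); a rule written for the original web
# server address would never match a redirected packet.
pass in  on $int_if proto tcp from $int_net to $proxy port $proxy_port keep state
pass out on $dmz_if proto tcp from $int_net to $proxy port $proxy_port keep state

# The proxy fetching on behalf of its clients, web ports only.
pass in  on $dmz_if proto tcp from $proxy to any port { 80, 443 } keep state
pass out on $ext_if proto tcp from $proxy to any port { 80, 443 } keep state

# The DMZ host may not open connections into the inside LAN.  pf uses
# last-match-wins, so this later block overrides the pass above for that
# destination; add a narrower pass after it if the proxy must reach an
# inside web server.
block in on $dmz_if from $dmz_net to $int_net

# Everything else from the inside still goes out directly, unproxied.
pass in  on $int_if proto tcp from $int_net to any port != 80 keep state
pass out on $ext_if proto tcp from $int_net to any keep state
pass in  on $int_if proto { udp, icmp } from $int_net to any keep state
pass out on $ext_if proto { udp, icmp } from $int_net to any keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rule is in place with `pfctl -s nat`; `pfctl -s state` will then show one state per redirected client session with the proxy as destination. The proxy itself has to run in transparent (intercept) mode, since the clients never asked for a proxy and will send plain HTTP requests to it.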
