200mmx 64ram ipfw and transparent proxy

Post by Veaceslav Revutch » Wed, 01 Jul 1998 04:00:00



Hi, I have a machine (200mmx plus 64ram and scsi drives running freebsd2.2.6)
acting as a firewall between the external 256k link and the internal
net. The ipfw has about 200 rules, actually doing accounting rather
than filtering. Do you think that a transparent www proxy (you know,
diverting all packets with destination port 80 to a Squid on this machine)
will not put too much load on this machine?

Any suggestion is appreciated.
Veaceslav

 
 
 

Post by Kenneth Furg » Wed, 01 Jul 1998 04:00:00


Your machine should have plenty of horsepower to support your ipfw rules
and a squid proxy.

- K.C.


> Hi, I have a machine (200mmx plus 64ram and scsi drives running freebsd2.2.6)
> acting as a firewall between the external 256k link and the internal
> net. The ipfw has about 200 rules, actually doing accounting rather
> than filtering. Do you think that a transparent www proxy (you know,
> diverting all packets with destination port 80 to a Squid on this machine)
> will not put too much load on this machine?

> Any suggestion is appreciated.
> Veaceslav



 
 
 

Post by Tony Griffith » Thu, 02 Jul 1998 04:00:00



> Your machine should have plenty of horsepower to support your ipfw rules
> and a squid proxy.

I would agree...  We have a 200MMX (128MB) and a 2Mbps (E1) link running
Squid with transparent proxying and the machine is generally 75%+ idle.

Note that you need to run squid in "accelerate" mode for this to work.

We are also running an alpha/beta version of natd 2.0 with the "proxy_rule
..." stuff in it.  Not sure if this is really necessary and the code I pulled
off the 'net had a serious bug which screwed the TCP/IP header of the
diverted packets.  If you want to use this version, then contact me for the
patch!

Tony

 
 
 

1. ipfw -- Transparent proxy problem (2.0.30 & 2.1.57)

Howdy,

  I'm having some trouble with the Transparent Proxy
stuff. Specifically, it won't redirect to a local port
other than the port the connection was attempted on.

I used:

ipfwadm -I -i accept -P tcp  -S0.0.0.0/0 -D 0.0.0.0/0 2000 -r 81

to establish a forwarding rule which should have
forwarded all connections on port 2000 to port 81 (a
local web proxy server).

Under 2.0.30, any attempt to connect to or through
the machine on port 2000 was forwarded to local port 2000
instead of local port 81.

Under 2.1.57, the connections were forwarded to port 81
but not interpreted correctly on the way back. I.e.
tcpdump showed:

12:11:22.419068 206.246.124.50.1969 > 199.33.225.1.2000: S 669359392:669359392(0) win 31744 <mss 1460>
12:11:22.419352 199.33.225.1.81 > 206.246.124.50.1969: S 426511492:426511492(0) ack 669359393 win 3968 <mss 496> (DF)
12:11:22.489063 206.246.124.50.1969 > 199.33.225.1.81: R 669359393:669359393(0) win 0

An attempt to connect through the Linux box (rather than
to it) on port 2000 simply died (the SYN packet came in
but nothing went back out).

I checked on the net, but all I could find was a vague
reference saying that transparent proxying in 2.0.30
through 2.1.something was broken.

Any thoughts on how to get this working?

Thanks,
Bill Herrin
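
The failure visible in the tcpdump output above, as an added example that is not part of the original post: the SYN-ACK leaves from port 81 although the client dialed port 2000, so the client has no connection matching that reply and resets it. The function name and the finding fields are hypothetical; the sample is the post's own three packets, one per line.

```python
import re

# The three packets from the tcpdump output in the post, one per line.
SAMPLE = """\
12:11:22.419068 206.246.124.50.1969 > 199.33.225.1.2000: S 669359392:669359392(0) win 31744 <mss 1460>
12:11:22.419352 199.33.225.1.81 > 206.246.124.50.1969: S 426511492:426511492(0) ack 669359393 win 3968 <mss 496> (DF)
12:11:22.489063 206.246.124.50.1969 > 199.33.225.1.81: R 669359393:669359393(0) win 0
"""

# Classic tcpdump TCP line: time, src.port > dst.port: flags seq:seq(len) [ack N]
LINE = re.compile(
    r"^\S+ (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPR.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def find_unrewritten_replies(text):
    """Flag SYN-ACKs that answer a SYN from a different port than was dialed."""
    pending = {}    # (client_ip, client_port, server_ip) -> (dialed_port, client_isn)
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        is_syn, ack = "S" in m["flags"], m["ack"]
        if is_syn and ack is None:
            # Client SYN: remember which port it dialed and its initial sequence number.
            pending[(src, sport, dst)] = (dport, int(m["seq"]))
        elif is_syn and (dst, dport, src) in pending:
            dialed, isn = pending[(dst, dport, src)]
            # ack == ISN+1 proves this SYN-ACK answers that SYN despite the port change.
            if int(ack) == (isn + 1) % 2**32 and sport != dialed:
                findings.append({"client": (dst, dport), "server": src,
                                 "dialed_port": dialed, "reply_port": sport,
                                 "reset_by_client": False})
        elif "R" in m["flags"]:
            # A client RST aimed at the unexpected reply port confirms the mismatch.
            for f in findings:
                if (f["client"], f["server"], f["reply_port"]) == ((src, sport), dst, dport):
                    f["reset_by_client"] = True
    return findings

if __name__ == "__main__":
    for finding in find_unrewritten_replies(SAMPLE):
        print(finding)
```

A trace from a working redirect, where the reply's source port is rewritten back to the dialed port, produces no findings.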
