Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Using PF to rdr all http/https traffic to a web-scanning proxy

Posted on 2006-07-17
8
Medium Priority
?
472 Views
Last Modified: 2013-12-23
I want to redirect all the outgoing traffic on port 80 to force it to go through the proxy held at messagelabs.  At the moment the rdr rule looks like

rdr on $int_if proto tcp from any to any port http -> 216.82.251.227 port 3128

This doesn't work.  I actually am a bit confused by what that does - if the proxy is not in the browser configuration then all pages fail.  If the proxy is in the configuration then it works.

Can anyone suggest how this ought to work with pf on openbsd?
0
Comment
Question by:chemwatch
  • 3
  • 2
6 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17131387
sorry I'm not used to pf, but is it a full statefull inspection firewall which handles the way back automatically?
If not you probably need a rule for the packets back from the proxy to your clients.
0
 

Author Comment

by:chemwatch
ID: 17135803
The beauty of a redirect is that there should actually be no need to treat the return path specially.  Redirect will rewrite the destination of each outbound packet to be the web-proxy, but the source of the packet will still be the IP of the nat host that is sending it.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17136212
do you see the requests at your proxy? If so, does it send the response back to the client?
I'd use tcpdump on the proxy host.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:chemwatch
ID: 17136251
We don't house the proxy - it is run by an outsourced company in singapore, to which we have no access.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 17136554
ok, then use tcpdump on your firewall, if you see the outgoing packets but no corresponding incomming, then the problem is at the proxy site
0
 
LVL 1

Accepted Solution

by:
robbak earned 750 total points
ID: 17229787
Transparent Proxying - which is what you want to do - should be allowed to talk to the firewall to work out where the request came from. At the very least, it needs to know that it is supposed to be a transparent proxy. In squid, this is a compile-time option.

It seems that the remote proxy is not set up to act as a transparent proxy.

The best option I can see is to run a proxy on the local system. You don't need to give it a large cache - Indeed, none at all will work - and then have it use the other proxy as a parent. If you wish to go this way, then post back and we'll help you.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
This article will show you step-by-step instructions to build your own NTP CentOS server.  The network diagram shows the best practice to setup the NTP server farm for redundancy.  This article also serves as your NTP server documentation.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question