# Local transparent proxy for my own traffic ?



## patraulea (Aug 28, 2010)

I am trying to filter web traffic from browsers running on my local machine through a local proxy, mainly for anti-phishing.

Although I am using the ipfw fwd rule to redirect outgoing traffic on port 80 to localhost:3128, this also redirects the local proxy's outgoing connections to itself. So far I am considering two ways to solve this. One is to run the proxy as user "proxy" and use ipfw to let traffic from that user pass through. Another would be to force the proxy to use ports below 1024 for outbound connections, and tell ipfw to let those ports pass through.

Both solutions are imperfect (the first because of the extra setup needed, the second for potentially allowing extra traffic). Is there a Right way to do something like this ? 

Thank you,
Patraulea


----------



## DutchDaemon (Aug 28, 2010)

Why not simply use a non-transparent proxy, i.e. instruct your web browsers to use the local proxy in their settings, and run the proxy on localhost:3128?


----------



## patraulea (Aug 29, 2010)

Thanks for your answer. Manually configuring a proxy is of course a straightforward solution and for "home use" would be the correct one. 

But I intend to distribute this filter as part of a set of tools (firewall, AV) that already exists for non-BSD systems. I'm also targeting web-based IM protocols, non-browser web clients etc. These are reasons why manual configuration for each app would be a pain. 

What I'm hoping for is an "allow this PID" (or "this executable" or "this connection") functionality in ipfw.


----------



## DutchDaemon (Aug 30, 2010)

Just put a second NIC in the proxy server and use it as a router or bridge. Redirect HTTP traffic on the LAN side to localhost:3128, and leave outgoing HTTP traffic (caused by Squid) on the WAN side alone. All other solutions are messy.


----------



## patraulea (Aug 30, 2010)

DutchDaemon said:
			
		

> Just put a second NIC [...]. All other solutions are messy.



I was afraid of that last sentence. But your "second NIC" approach might be the answer. A physical device is out of the question since this is intended for desktop machines. 

But if I can assign a second IP to the machine, make Squid bind to that IP and then have a rule like "SNAT to real machine's IP and allow it" then I'm going somewhere. 

Thank you again.
Patraulea


----------

