# ipfw force feeding a local proxy



## Haravikk (Oct 7, 2010)

Kind of an annoying case, and since I'm fairly inexperienced when it comes to networking I'm not doing too well!

The situation is fairly simple; I have a network in which all outgoing traffic is routed through a single machine. This machine contains a Squid cache/proxy, and uses the following ipfw rule to force specific HTTP traffic to go via that cache:


```
fwd 127.0.0.1:3128 from 192.168.2.0/24 to any dst-port 12046
```
Now, this works great. However the problem is that the gateway machine is also actively used (it's only a small network, but the gateway machine is plenty powerful enough to handle use + proxying), and I want to find a rule that will allow me to force local traffic through Squid as well. The issue with this however is that every rule I've tried produces a loop whereby a local, outgoing request is forwarded to squid, and if squid needs to forward the outgoing request (so that it can cache the result) then it is redirected back to itself over and over until it realises that looping is occurring.

I realise this is a bit of an odd use-case, however I can't for the life of me figure out how to redirect only traffic from a source _other_ than the proxy (in this case the Squid cache), is such a thing even possible, perhaps using some kind of devious trickery? I haven't really got the resources for a separate machine, however the gains of using the proxy are significant, but I need every machine to be able to use it as the gateway machine is one of the primary users due to being the most powerful on the network


----------



## Haravikk (Oct 9, 2010)

Just wanted to add that the specific rule I'm having trouble with is this:

```
fwd 127.0.0.1,3128 from any to any dst-port 12046
```
Clearly this won't work as it has no way of distinguishing the source of the traffic, and merrily causes a loop whenever squid attempts to connect to the requested resource, however I've tried all kinds of things for the source address filter to no avail.

I'm wondering if the tag command could be used for this, however I haven't found any good examples of how to use or figured out the correct syntax, ipfw just complains of an unrecognised argument. I was thinking it would be nice and easy to just tag with a value then check for it another rule that lets it pass, since Squid only makes changes to packets that you specifically ask it to the tag should survive.


----------



## aragon (Oct 10, 2010)

Perhaps you could add a pass rule above that which matches against the uid that squid runs as? eg.


```
pass tcp from me to any dst-port 12046 uid squid
```


----------



## Haravikk (Oct 16, 2010)

Thanks aragon, that seems to be what I need! Didn't realise IPFW could make exceptions for process ID!

However I now have a more worrying problem, when the application whose traffic is being redirected actually starts up, the entire system freezes (processes start becoming unresponsive one by one).

I don't have a complicated ipfw set-up, my rules are as follows:


```
400 allow tcp from me to not-me dst-port 12046 uid squid
500 fwd 127.0.0.1,3178 from me to not-me dst-port 12046
65535 allow ip from any to any
```

I'm trying to eliminate Squid as the cause, but sending test traffic through it doesn't seem to trigger anything unusual, which seems to leave the ipfw rules as culprits, though I can't fathom how, as the worst case would seem to be a loop, but Squid protects itself against that.

Anyone heard of anything like this or has any ideas?
Thanks!


----------



## aragon (Oct 17, 2010)

You're forwarding to port 3178?

tcpdump(1) can probably shed some light on what's wrong.


----------

