# transparent proxy in jail with pf in host



## reivaj (Sep 24, 2013)

Hello,

I hope some of you can please help me with the following problem. I have a FreeBSD 9.1 server with several jails installed, one of which is a web proxy. For that I have a redirection rule configured in pf so that all the traffic from my internal net goes to the proxy jail.


```
rdr pass inet proto tcp from $int_net to any port www -> $pxy_ip port 3128 
pass in log (all, to pflog0) on $int_if inet proto tcp from $int_net to $pxy_ip port 3128
pass out on $int_if inet from $int_net to $int_net
pass out log (all, to pflog0) on $ext_if inet from $ext_ip to any   # I do NAT to the internal network
```

In the jail I have Squid version 3.3.8 compiled with support for pf transparent proxy and configured with the following directive to allow the transparent proxy:


```
http_port 127.0.0.1:3128 transparent   # I tried with intercept here too
```

To verify the redirection, I shut down Squid, listened with nc instead, and made two tests from Firefox:

With the proxy configured manually:

```
# nc -l 3128
GET http://www.hostgator.com/ HTTP/1.1
Host: www.hostgator.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
```

With no proxy (direct), it seems that the full URL does not arrive in the GET, only "/":


```
# nc -l 3128
GET / HTTP/1.1
Host: www.hostgator.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0
```

Later, when I started Squid, I saw several errors about pf in /var/log/squid/cache.log:


```
2013/09/23 17:05:23 kid1| PF open failed: (2) No such file or directory
```

I know that Squid must have permission to access the device used by pf, but pf is not in the jail; it is on the host server.

Even so, when I think of putting this in /etc/devfs.conf:


```
own     pf      root:squid
perm    pf      0640
```

I don't know where this must go, because the host server has neither the squid user nor the squid group, and in the jail there is no pf.

What can I do?

Thank you very much.

Javier


----------



## SirDice (Sep 24, 2013)

I don't think this is ever going to work. You can't change the settings of PF from within a jail. So Squid can't do what it needs to do.


----------



## wonslung (Nov 20, 2013)

This works on my system, where *I* have pf as the firewall/NAT and a jail with Squid configured to run transparently. You will need a redirect rule in your /etc/pf.conf. Here is an example:


```
rdr on $Int_if inet proto tcp from $Int_if:network to any port http  -> 10.0.0.1 port 3128
```

This assumes your jail is running at 10.0.0.1; you will want to change this to suit your needs. The key to getting this to work is to use /etc/devfs.rules. You will want to add/edit a listing for your jails. Here is mine:


```
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path pf unhide mode 0640 group 100
```

This works even though you don't explicitly have a squid user in your base system, because the rule uses the GID.

On FreeBSD 10 you must also add

```
devfs_load_rulesets="YES"
```

to /etc/rc.conf.


----------
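As an added example that is not part of the thread: a small sh script that checks the three pieces wonslung's post puts together (the devfs ruleset for the jail, the rc.conf knob, and the rdr rule into the jail) from the host's side. The devfs.rules fragment embedded in it is constructed to mirror the one posted above; the ruleset number (4), the jail name passed as an argument, port 3128 and GID 100 (the squid group the FreeBSD port creates) are assumptions. The text checks run on any POSIX sh; the live commands at the end are only meaningful on the FreeBSD host.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks for a jailed
# transparent Squid that does its NAT lookups through the host's pf.
# The text helpers run on any POSIX sh; the live checks at the end only
# make sense on the FreeBSD host and run with "--live JAILNAME".

# Constructed devfs.rules fragment, shaped like the one posted above.
SAMPLE_RULESET='[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path pf unhide mode 0640 group 100
'

# devfs_pf_rule RULESET_TEXT RULESET_NAME
# Print the "add path pf ..." line(s) of the named ruleset; fail if none.
devfs_pf_rule() {
    printf '%s\n' "$1" | awk -v want="[$2]" '
        /^\[/ { inset = ($0 == want) }
        inset && $1 == "add" && $2 == "path" && $3 == "pf" { print; found = 1 }
        END { exit found ? 0 : 1 }'
}

# rule_field RULE_LINE KEYWORD: the value following KEYWORD ("mode" or "group").
rule_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# pf_mode_ok MODE
# Squid only needs to read /dev/pf (on FreeBSD, DIOCNATLOOK is one of the
# ioctls pf permits on a read-only descriptor), so the jail must not get
# write access: refuse any mode whose group or other digit has the write bit.
pf_mode_ok() {
    case "$1" in
        0[0-7][0145][0145]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ruleset RULESET_TEXT RULESET_NAME EXPECTED_GID
# pf must be unhidden, read-only for the jail, and readable by the GID Squid
# runs as (100 is the squid group the FreeBSD port assigns; an assumption here).
check_ruleset() {
    line=$(devfs_pf_rule "$1" "$2") || { echo "no 'add path pf' in [$2]"; return 1; }
    mode=$(rule_field "$line" mode)
    gid=$(rule_field "$line" group)
    pf_mode_ok "$mode" || { echo "mode '$mode' grants write on /dev/pf"; return 1; }
    [ "$gid" = "$3" ] || { echo "group '$gid' is not gid $3"; return 1; }
    echo "ok: $line"
}

check_ruleset "$SAMPLE_RULESET" devfsrules_jail=4 100

# Live checks (FreeBSD host only): is ruleset 4 actually loaded, does /dev/pf
# show up inside the jail, is the rdr rule in the running pf config, and is
# Squid listening on the port the rdr rule points at?
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    jail="$2"
    grep -q '^devfs_load_rulesets="YES"' /etc/rc.conf \
        || echo "warning: devfs_load_rulesets not set in /etc/rc.conf"
    devfs rule -s 4 show                                   # ruleset as devfs(8) loaded it
    jexec "$jail" ls -l /dev/pf                            # expect crw-r----- root:100
    pfctl -sn | grep 'port 3128'                           # the rdr rule into the jail
    sockstat -4 -l -j "$(jls -j "$jail" jid)" | grep ':3128'   # Squid bound in the jail
fi
```

The point of the mode check is least privilege: 0640 gives the jailed Squid exactly the read access its NAT lookup needs, whereas a writable /dev/pf would let a compromised proxy process rewrite the host's firewall rules. The sockstat line expects Squid to be bound on the jail address the rdr rule targets; if it is listening somewhere else, the redirected connections have nowhere to go.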

