# pf and squid but not for all



## meciarz (Jul 16, 2010)

hello everyone,
i'm new in freebsd, before i was using debian linux.
What i want to do is a router based on freebsd 8.0.
So i had install and configure freebsd. I'm using PF as a firewall
All i want to have is:
- ftp proxy for all in LAN (i cheked and it works)
- http proxy (squid transparent) for almost all (2 addresses must have direct access to www - not by proxy)
Here is my pf.conf:

```
##--- makra ---##
ext_if = "em0"
int_if = "em1"
lan = $int_if:network
gw = "127.0.0.1"
przep = "{ 172.26.8.201, 172.26.8.250 }"

##--- akceptowane uslugi  ---##
tcp_services = "{ 22, 113 }"
udp_services = "{ 53 }"
icmp_types = "{ echoreq, unreach }"

##--- domyslne odpowiedzi na zablokowane pakiety dla reguly block  ---##
set block-policy return
##--- logowanie roznego rodz statystyk dla int zew ---##
set loginterface $ext_if

##--- wylaczenie filtrowania dla loopback ---##
set skip on lo

##--- normalizacja datagramow ?? ---##
#match in all scrub (no-df)

##--- NAT ---##
nat on $ext_if from !($ext_if) to any -> ($ext_if)

##--- zakotwiczenie NAT dla ftp ---##
nat-anchor "ftp-proxy/*"

##--- przekierowanie dla ftp ---##
rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> $gw port 8021

##--- przekierowanie ruchu www na squida ---##
rdr on $int_if proto tcp from $lan to any port www -> $gw port 3128

##--- przekierowanie do sieci wew np port 80 na 172.26.8.1 ---##
#rdr on $ext_if proto tcp from any to any port 80 -> 172.26.8.1

##--- domyslnie blokowanie wejscia ---##
block in

##--- puszczenie wyjscia wraz z ich wejsciami ---##
pass out keep state

##--- zakotwiczenie dla ftp ---##
anchor "ftp-proxy/*"

##--- blokowanie sfalszowanych adresow ---##
antispoof quick for { lo $int_if }

##--- przepuszczenie ruchu na wybranych portach TCP z zew ---##
#pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

##--- wpuszczenie ruchu na wybranych portach UDP z zew ---##
#pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services 

##--- wpuszczenie ruchu dla rdr port 80 na 172.26.8.1 ---##
##--- synproxy - dodatkowe zabezpieczenie przed atakami z zew ---##
#pass in on $ext_if inet proto tcp from any to 172.26.8.1 port 80 flags S/SA synproxy state

##--- wpuszczenie pakietow ICMP ---##
pass in inet proto icmp all icmp-type $icmp_types keep state

##--- wpuszczenie WSZYSTKIEGO!! na int wew ---##
pass in quick on $int_if
```
My problem are those 2 addresses (przep = "{ 172.26.8.201, 172.26.8.250 }") which i don't want to go by proxy but i can't config them.

Can you help me what should i add in my pf.conf?


----------



## DutchDaemon (Jul 16, 2010)

Either


```
no rdr on $int_if proto tcp from $przep to any port www
rdr on $int_if proto tcp from $lan to any port www -> $gw port 3128
```

or


```
rdr on $int_if proto tcp from ! $przep to any port www -> $gw port 3128
```

should work. The second one assumes that $przep is a subset of $lan, and that there are no other networks. So it's basically 'any, but not $przep'.


----------



## meciarz (Jul 17, 2010)

Well, the second rule cause syntax error but but first with no rdr work great.
That is what i want.
Thx for help


----------



## DutchDaemon (Jul 17, 2010)

The negating ('!') is always a bit tricky. It may only work with a <table>, not with a multi-value $macro.


----------

