# PF redirect to remote proxy



## billythekidz (Jun 12, 2009)

dear all,

I've got a server with one network interface (le0), one public IP address (A.B.C.D), and there is a remote proxy (W.X.Y.Z) on port 3128. How do I redirect www traffic to use the remote proxy using pf? I use this pf rule but it still does not work.

```
rdr on le0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128
```


thanks


----------



## pbd (Jun 12, 2009)

Is the proxy on W.X.Y.Z:3128 transparent or not?

Do you want to redirect http traffic from the machine A.B.C.D itself or from another?


----------



## SirDice (Jun 12, 2009)

> Redirections cannot reflect packets back through the interface they arrive on, they can only be redirected to hosts connected to different interfaces or to the firewall itself.



See pf.conf(5).


----------



## billythekidz (Jun 12, 2009)

@pbd: transparent proxy, and I want to redirect http from the machine itself.

@SirDice: is there another way so I can redirect http traffic from my server to use the remote proxy?

thanks


----------



## DutchDaemon (Jun 12, 2009)

Never tried this, but you could redirect le0 -> lo0, and then lo0 -> le0 to force the packet out again.


```
rdr pass on le0 proto tcp from $my_if to any port www -> lo0
rdr pass on lo0 proto tcp from $my_if to any port www -> W.X.Y.Z port 3128
```

I have absolutely no idea if that works. Might as well buy a second NIC for 10 bucks and do it properly ..


----------



## pbd (Jun 12, 2009)

What does tcpdump show?


```
tcpdump -ni le0
```

Do you see packets coming from A.B.C.D to W.X.Y.Z and/or back (when you try to open some web page)?


----------



## DutchDaemon (Jun 12, 2009)

You mean the http traffic is originating from the machine itself?

You could try

```
rdr pass on le0 proto tcp from { le0 lo0 } to any port www -> W.X.Y.Z port 3128
```
I suppose, or use HTTP_PROXY/FTP_PROXY environment variables if the applications support it.


----------



## pbd (Jun 12, 2009)

DutchDaemon said:

> Never tried this, but you could redirect le0 -> lo0, and then lo0 -> le0 to force the packet out again.
>
> ```
> ...
> ```

(I've tried this *on FreeBSD 7.2*, but it doesn't seem to work. Packets arrive at the interface, but never come out.)


----------



## SirDice (Jun 12, 2009)

billythekidz said:

> @SirDice: is there another way so I can redirect http traffic from my server to use the remote proxy?


Configure the application to use that proxy. As far as I'm able to see there's no way to 'automagically' do this with pf.


----------



## vivek (Jun 12, 2009)

No, you can't; you need to configure both pf (for transparent mode) and the upstream proxy configuration, which needs to be done in squid itself. For example, we use an upstream proxy provided by our ISP for Squid using something called ICP. Here is a sample config:

```
cache_peer squid02.ent.example.com parent 3128 3130
prefer_direct off
```
squid02.ent.example.com is the ISP's upstream remote proxy. Your local pf will redirect traffic to the local squid, and the local squid will use the upstream as and when required. See the official squid wiki or documentation about ICP config. http://www.squid-cache.org/Doc/config/cache_peer/
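As an added example (not configuration posted in this thread), here is what the layout vivek describes looks like when pf.conf and squid.conf are put side by side: pf redirects web traffic that arrives on le0 from other hosts to a squid listening on the firewall itself, and squid hands every request to the upstream parent. The interface name, the loopback address, the squid port and the parent hostname are assumptions taken from the thread. This does not redirect the server's own outgoing connections: rdr only translates packets arriving on an interface, which is exactly the limitation quoted from pf.conf(5) above.

```conf
# /etc/pf.conf fragment (added example; le0 and 127.0.0.1:3128 are assumptions)
ext_if = "le0"

# Web traffic arriving on le0 from other hosts, and not addressed to this
# machine itself, is redirected to the local squid on the firewall.
# "rdr pass" also lets the redirected connection in, so no separate
# "pass in" rule is needed for it.
rdr pass on $ext_if proto tcp from any to ! ($ext_if) port www -> 127.0.0.1 port 3128

# Squid (and everything else on this host) may talk out through le0,
# including to the upstream parent proxy.
pass out on $ext_if proto tcp from ($ext_if) to any keep state

# /usr/local/etc/squid/squid.conf fragment
# "transparent" is the squid 2.x keyword; squid 3.1 and later call it "intercept".
http_port 127.0.0.1:3128 transparent

# Upstream parent proxy (HTTP on 3128, ICP on 3130), as in the sample above.
cache_peer squid02.ent.example.com parent 3128 3130

# Prefer the parent, and never fetch directly, so every request goes upstream.
prefer_direct off
never_direct allow all
```

Check the rule set with `pfctl -nf /etc/pf.conf` before loading it, and keep in mind that the `never_direct allow all` line makes the parent a single point of failure: if squid02 is unreachable, client requests fail instead of falling back to a direct fetch.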


----------

