Changes between Version 49 and Version 50 of doc/TransparentProxy


Timestamp:
Jun 7, 2011, 7:07:25 PM
Author:
martian67
Comment:

Updated OpenBSD 4.9 pf rules; no need for a second loopback interface, as rdr support on outgoing packets has been added.

  • doc/TransparentProxy

    v49 v50  
    294294}}}
    295295
    296 As root, create a second loopback interface.
     296As root, create a second loopback interface. Note this is only necessary in OpenBSD versions prior 4.9 and FreeBSD.
    297297
    298298{{{
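Review bot: "prior 4.9" in the added sentence should read "prior to 4.9", and "and FreeBSD" is ambiguous about whether it means every FreeBSD release or only some; since this sentence is what tells the reader whether to create lo1 and which of the two rulesets in this section to use, spell it out, e.g. "Note this is only necessary on OpenBSD releases before 4.9 and on FreeBSD, whose pf does not support rdr-to on outgoing packets." The identical sentence is added again in the middlebox section later in this changeset and needs the same wording fix.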
     
    366366}}}
    367367
     368
     369Use the PF ruleset below as an example for OpenBSD 4.9 and later.
     370
     371{{{
     372# destinations you don't want routed through Tor
     373non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"
     374
     375# Tor's TransPort
     376trans_port = "9040"
     377
     378match in all scrub (no-df random-id reassemble tcp)
     379antispoof for egress inet
     380block return log on egress all
     381
     382# uncomment the following line if you want to use hidden services
     383#pass out quick on lo0 inet proto tcp to 127.192.0.0/10 route-to lo1
     384
     385pass quick on { lo0 }
     386
     387# uncomment the following line if you need to be able to connect to this system
     388# from elsewhere on your $non_tor subnet
     389#pass in proto tcp from $non_tor to $non_tor port { 22 25 80 110 }
     390
     391pass out quick inet to $non_tor
     392pass out quick inet proto tcp user _tor flags S/SA modulate state
     393pass out quick inet proto udp to port domain rdr-to 127.0.0.1 port domain
     394pass out inet proto tcp all flags S/SA modulate state rdr-to 127.0.0.1 port $trans_port
     395}}}
     396
    368397----
    369398
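Review bot: the commented hidden-service rule still ends in `route-to lo1`, but this ruleset exists precisely because OpenBSD 4.9 no longer needs lo1, so anyone who uncomments it gets a reference to an interface the new text tells them not to create. For 4.9 the virtual-address range should be redirected the same way the generic TCP rule is, e.g. `#pass out quick on lo0 inet proto tcp to 127.192.0.0/10 rdr-to 127.0.0.1 port $trans_port`, and the comment should say that 127.192.0.0/10 must match VirtualAddrNetwork in torrc. While touching that, state the other torrc prerequisites this ruleset silently assumes: TransPort 9040 on 127.0.0.1 and a DNSPort on 127.0.0.1 port 53, since the UDP rule redirects to `127.0.0.1 port domain`. One ordering caveat worth a comment: `pass out quick inet to $non_tor` comes before the UDP domain redirect, so a resolver inside $non_tor (the usual LAN gateway in resolv.conf) is queried directly and never through Tor; if that is not intended, move the DNS rdr-to rule above the $non_tor rule or exclude port domain from it.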
     
    433462}}}
    434463
    435 As root, create a second loopback interface.
     464As root, create a second loopback interface. Note this is only necessary in OpenBSD versions prior 4.9 and FreeBSD.
    436465
    437466{{{
     
    491520pass out quick inet proto udp to port domain keep state rdr-to lo1
    492521pass out inet proto tcp all flags S/SA modulate state rdr-to lo1
     522}}}
     523
     524Use the PF ruleset below as an example for OpenBSD 4.9 and later.
     525
     526{{{
     527# your internal interface
     528int_if = "fxp0"
     529
     530# destinations you don't want routed through Tor
     531non_tor = "{ 192.168.1.0/24 192.168.0.0/24 }"
     532
     533# Tor's TransPort
     534trans_port = "9040"
     535
     536match in all scrub (no-df random-id)
     537
     538pass in on $int_if inet proto tcp to !($int_if) rdr-to 127.0.0.1 port $trans_port
     539pass in on $int_if inet proto udp to port domain rdr-to 127.0.0.1 port domain
     540
     541block return out
     542
     543pass quick on { lo0 lo1 } keep state
     544
     545
     546pass out quick inet to $non_tor
     547pass out quick inet proto tcp user _tor flags S/SA modulate state
     548pass out quick inet proto udp to port domain rdr-to 127.0.0.1 port domain
     549pass out inet proto tcp all flags S/SA modulate state rdr-to 127.0.0.1 port $trans_port
    493550}}}
    494551
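Review bot: `pass quick on { lo0 lo1 } keep state` still names lo1 in a ruleset whose stated purpose is to work without a second loopback interface; on a host that followed the new text and did not create lo1 this is dead configuration, and on one that still has lo1 it quietly keeps the old path open. Drop it: `pass quick on lo0 keep state`. Two smaller points: the scrub line here is `match in all scrub (no-df random-id)` while the local-redirection ruleset added in the same changeset uses `(no-df random-id reassemble tcp)`; pick one form for both or say why they differ. And the ruleset has `block return out` but no `block in`, so client traffic on $int_if that neither the TCP rdr-to nor the UDP domain rdr-to rule matches is accepted by pf's implicit default pass and only stopped, unlogged, on the way out; a `block return log in on $int_if` ahead of the two `pass in` rules (plus an explicit `pass in on $int_if inet to $non_tor` if clients are meant to reach those networks) makes the client-side policy visible and logs anything unexpected.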