jamie: bleh, definitely affecting me, cvs.openbsd.org is unreachable from arpnetworks due to the outage
of course
er whatever shaw's problem is
"the outage"?
is cvs.openbsd.org not at a datacentre?
i can mtr to it but ssh says no route to host
oh oops wasn't arp anyway
maybe diff port, i've only used anoncvs1.ca.openbsd.org
anoncvs1 has openssh beta apparently
cvs.openbsd.org is indeed inaccessible from ARP
AS22512 is behind Rogers and Shaw
anyone here have knowledge of pf and iptables?
I know how to stop it. I assume you need more in-depth help though.
yah
iptables -A INPUT -i venet0 -d 172.0.0.1 -p tcp -m tcp --dport 8128 -j ACCEPT
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.0.0.1:8128
im trying to figure out what that translates to in pf
im honestly confused as hell right now.
just went through configuring bind9, and squid.
got both of those running but my brain is just refusing to wrap itself around this
pass in on venet0 proto tcp from any to 172.0.0.1 port 8128
looks like the first one
then the nat stuff, who knows man
it. i have
im confused
What are you trying to do?
transparent proxy or something?
oh, I see what that's doing.
yah
ok, the venet0 is referring to something specific with this guy's provider
It's referring to the internal interface on the NAT most likely.
He's forwarding any connection outgoing to the web on port 80 to 172.0.0.1:8128, which is probably the proxy server.
He's also allowing connections through the firewall for this in the first rule.
ok
Look up any transparent proxy pf configuration and you'll see almost exactly the same thing.
well I have squid running on 8128
i'm going to need to create an interface on 172.0.0.1 right?
127.0.0.1 is probably what he meant and he made a typo?
I'd have squid listen on localhost and forward connections to it.
i think the idea might be that only traffic from the 172 interface is going through squid so that normal traffic isn't
how do I find my vps local internal IP?
rdr inet proto tcp from any to port 80 -> 127.0.0.1 port 8128 is the freebsd old style syntax
well actually i had a src range rather than interface range
but it'd differ in freebsd/openbsd cos openbsd has newer pf
man pf.conf on either should help you out though
i think I might be on to something now. thanks.
cool
are you doing openbsd or freebsd?
mercutio: freebsd
ahh ok
did that rdr work?
2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
:/
squid sucks
use apache traffic server
actually i dunno
are you actually trying to do full redirection?
https://github.com/corporate-gadfly/Tunlr-Clone is what I'm trying to do
err transparent both ways
i have no idea
yeh you only need single level transparent
is it working?
fwiw if you're not being transparent proxied you can make it work without your own proxy
no, squid is reporting permission denied opening pf
does it start anyway
is that warning or error?
do you have http_port 3128 transparent? in squid.conf
8128 is transparent
squid is starting
err 8128 even
2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
that is from cache_log
what happens when you do telnet localhost 8128
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
and you're using transparent rather than intercept?
http_port 0.0.0.0:8128 transparent
hmm
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
i know it's openbsd but it says about compiling squid with disable-pf-intercept
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#PfInterception:_PF_open_failed:_.2813.29_Permission_denied
mercutio: i tried with squid built without pf transparent already, it gives a transparent proxying not supported error
2013/03/09 18:15:33.818 kid1| WARNING: transparent proxying not supported
so I went and compiled with pf support
oh what weird
just use apache traffic server :)
ok I think I fixed that problem
i had to let squid have access to the pf devfs
but now something weird is happening
it's just forwarding to my apache instead of being a transparent proxy
it'll do a dns lookup
you want it to parent? to another cache?
i don't know what that means
ok so here's how I want it to work.
i go to netflix.com from my network in canada
im using this freebsd machine as my dns server
the dns server overwrites netflix.com with its own IP
so when I go to netflix.com from my home, it's actually connecting to this VPS
the squid on the VPS is then supposed to transparently give me access to the real netflix.com
then the vps does look up on netflix
ok so your home has an arp ip address in hosts file?
for netflix
oh do you have apache listening on port 80 on arp too?
yup
do you have two ip addresses?
no
i didn't think I needed a second IP
well it'll go to normal port 80 won't it?
should I shutdown my apache and see what happens?
yeh
ok
but don't you need split view for dns?
i'll quickly scan that page
ahaha looks like apache was intercepting my requests
yeh they're not using a web server
do you have an intelligent router at home?
yes
can you redirect some lan ip address on port 80 to 8128 on the arp vps?
not from your same subnet
like if you're on 192.168.1.0/24
like 192.168.90.0/24 for the one being used for redirection
that shouldn't be needed though should it?
anyway, you don't actually need all that stuff, you just need to parent to a US dns server for those domains.
my VPS is now a us dns server
it at least works with hulu.com doing that
yeah try without munging the names and see if it "just works"
oh I have
it doesn't
i haven't tried netflix cos i don't have subscription
ahh
does your isp transparently proxy?
because it uses geoip to see where you're sending your requests from
no
ahh ok
so this is making netflix think that my VPS is actually doing the requests
ahh yip
and since the streaming isn't done through netflix.com, it's akamaihd or some such
none of the streaming will have to go through my vps
yeh
so I'm not sure I have pf setup the way I want it
#squid transparent
rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 8128
#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
i've got everything else going properly I think
it's that last bloody thing the guy tells you how to do with iptables
Iptables
172.x.x.x is the venet0:1 internal IP address.
For the filter table (which is the default):
iptables -A INPUT -i venet0 -d 172.x.x.x -p tcp -m tcp --dport 8128 -j ACCEPT
For the nat table:
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.x.x.x:8128
i think you can just do rdr pass on $ext_if
but i'd do from
but the whole wanting to view your web site too complicates matters
i'd be happy to not view my web for now
oh then just do it from your ip
ok, I'll work on that later, gotta eat and have company now. thanks for the help.