[ previous ] [ next ] [ threads ]
 From:  =?ISO-8859-1?Q?Thomas_Kolst=F8?= <thomas at kolsto dot no>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Transparent proxi and NAT server IP addresses
 Date:  Thu, 16 Dec 2004 19:11:35 +0100
Chris Buechler wrote:

>On Mon, 6 Dec 2004 15:26:53 +0200, Marian Adelin STOICESCU
><marian at wsc dot ro> wrote:
>>2. It's posibile to use ipfw fwd.. on exec.php to put a proxy server pc to
>>work transparently.. or the problem of transparent proxy it's on work and i
>>must wait for a m0n0wall betas
>I know that'll work with ipfw, not sure if it will in m0n0wall's
>specific setup.  It's worth a shot, I'd be interested in knowing if it
>works or not.  Worst that could happen is what you put in exec.php
>could take down the firewall, but then a reboot will remove all that
>stuff.  If you get it working, see the FAQ on hidden config.xml
>options on how to put them in <shellcmd> to get them to load at every
Not the scenario you describe, but maybe a solution for you is to use 
the NAT Inbound rules on a OPT interface to do the redirect.
It does not use ipfw but rather the ipnat rdr statement creating a rule 
like; "ipnat rdr ti0 port 80 -> N.N.N.N port 3128 tcp" 
(N.N.N.N being my squid proxy located in the DMZ network.)

This will work with a NAT Inbound rule on a OPT  interface redirecting 
all traffic to port 80 to a box in DMZ, but it implies some restrictions;
- It cannot be enabled for the LAN interface, probably a failsafe 
mechanism preventing user from locking himself out of the webgui - see 
- The webgui is not accessible from the firewalls OPT ip anymore since 
it is redirected, you need to access it trough the DMZ leg.
- You can only enable it for the whole network, no fine grained control 
as to what ip should be transparently proxied(but I guess this should be 
trivial to add since   ipnat supports it)

Hope this helps..

Thomas Kolstø <thomas at kolsto dot no>