Re: can pf be used as a generic tcp proxy?

On Wed, 23 Feb 2005 22:38:28 +0100, -f <f_(_at_)_obiit_(_dot_)_org> wrote:
> i am trying to accomplish the following:
> a friend of mine has a ban for a certain site (w.x.y.z)
> but can access any other site w/o problems.  what i would
> like to do is set up a generic proxy on my firewall to let
> him go to w.x.y.z thru my firewall (he is not on my lan):
> my friend's browser -> openbsd-firewall:some port -> w.x.y.z:80
> and back.
> is this possible using only pf?

While it might be possible using only PF, and doing so would be
an interesting exercise, you'd almost certainly find it easier to
add something like 'netcat' to the mix.  See "man -s 1 nc".
Also, Hobbit's original netcat documentation includes an
example of exactly what you propose.

>  if not, what tools should i use?
> i don't need caching, so squid is maybe an overkill?

Yes, squid would be overkill.  The 'proxy' module for apache
might be a better choice, but still overkill for just one destination.

If your friend needs to hide the fact that he is accessing the
forbidden site from his local admins, you could use 'stunnel'
to make the connection, and wrap the traffic between the client
and your 'bounce' server inside SSL.  Bear in mind that sometimes
being sneaky about censorship evasion results in more severe
consequences than just defying policy out in the open.

Any way you implement this, there are risks, both for you
and for your friend.  Tread carefully.

Kevin Kadow