author | Martin Fuchs <mfuchs@pfsense.org> | 2007-10-29 13:14:38 +0000 |
committer | Martin Fuchs <mfuchs@pfsense.org> | 2007-10-29 13:14:38 +0000 |
commit | 0c8b2f57b85d46ead302f83019f8f852897f72cb (patch) | |
tree | ff41276474debc005f979f63bed79c36cea5eba1 | |
parent | 93d90b03b0aaec3ef8e21dbcbc9675d63ca75f25 (diff) | |
squid: add option to NOT redirect private subnets to the transparent proxy-server
-rw-r--r-- | packages/squid/squid.inc | 17 | ||||
-rw-r--r-- | packages/squid/squid.xml | 6 |
2 files changed, 20 insertions, 3 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index 89fd6b44..6835be33 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -292,10 +292,14 @@ function squid_validate_general($post, $input_errors) {
 $webgui_port = 443;
 }
-
 if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
 $input_errors[] = "You can not run squid on the same port as the webgui";
 }
+
+ if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy'] == 'on')) {
+ $input_errors[] = "You can not disable forwarding traffic to private subnets to the proxy server without using the transparent proxy.";
+ }
+
 }
 function squid_validate_upstream($post, $input_errors) {
@@ -1039,11 +1043,18 @@ function squid_generate_rules($type) {
 switch($type) {
 case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy'] == 'on') {
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from any to 10.0.0.0/8 port 80\n";
+ $rules .= "no rdr on $iface proto tcp from any to 172.16.0.0/12 port 80\n";
+ $rules .= "no rdr on $iface proto tcp from any to 192.168.0.0/16 port 80\n";
+ }
+ }
 foreach ($ifaces as $iface){
- $rules .= "# Setup Squid proxy redirect\n";
 $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
- $rules .= "\n";
 };
+ $rules .= "\n";
 break;
 case 'filter':
 foreach ($ifaces as $iface){
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index b373cebc..698055ca 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
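Review bot: The new condition reads `$post['private_subnet_proxy']` directly, but an unchecked checkbox is absent from the POST array, so the common case of the option being off raises an undefined-index notice on every save; `!empty($post['private_subnet_proxy'])` avoids that and still means "checked". The surrounding `$post['transparent_proxy'] != 'on'` test has the same shape, so a consistent line is `if (empty($post['transparent_proxy']) && !empty($post['private_subnet_proxy'])) {`. Rejecting the combination with a hard error is also stricter than it needs to be: if, as seems likely, the `nat` rules are only generated with the transparent proxy on, the flag is simply inert without it, and a sentence in the field description would serve users better than a validation failure — a design choice rather than a defect. squid_validate_general begins before the hunk, so how `$post` and `$input_errors` reach it (and whether `$input_errors` is passed by reference) cannot be confirmed from here.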
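Review bot: The three `no rdr` lines added ahead of the `rdr` loop depend on pf's first-match semantics for translation rules, and that ordering constraint is stated nowhere in the code; a comment such as `// pf applies the first matching rdr/no rdr rule, so these exemptions must precede the redirect below` on the `if ($squid_conf['private_subnet_proxy'] == 'on')` line would keep a later edit from moving them after the loop. The exemption is also a security trade-off worth recording in the same place: HTTP to 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 now skips Squid entirely, so none of its ACLs, caching or access logging apply to that traffic, and whether link-local 169.254.0.0/16 should be treated the same way is a decision this hunk leaves open. Stylistically the per-prefix lines could be a single pf rule with an address list, `no rdr on $iface proto tcp from any to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } port 80`, which keeps the exempted prefixes together. Where `$squid_conf` and `$ifaces` are populated lies outside the hunk, so it cannot be confirmed here that `$squid_conf` is loaded by the time `$type` is 'nat'.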
@@ -169,6 +169,12 @@
 <required/>
 </field>
 <field>
+ <fieldname>private_subnet_proxy</fieldname>
+ <fielddescr>Do NOT proxy private subnets</fielddescr>
+ <description>Do not forward traffic to private subnets to the proxy server.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
 <fielddescr>Enabled logging</fielddescr>
 <fieldname>log_enabled</fieldname>
 <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> |
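Review bot: The `<description>` for private_subnet_proxy understates what the option does: per the squid.inc change in this commit it removes HTTP bound for 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 from the transparent redirect entirely, so Squid's ACLs, cache and access log never see that traffic, and the field should say so, e.g. `Do not redirect HTTP traffic destined for private (RFC 1918) subnets to the proxy. Such traffic bypasses Squid entirely, including its ACLs and access log. Only effective with the transparent proxy enabled.` The validation added in squid.inc also rejects this box when the transparent proxy is off, which users will only discover on save unless the description mentions the dependency.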