authorMartin Fuchs <mfuchs@pfsense.org>2007-10-29 13:14:38 +0000
committerMartin Fuchs <mfuchs@pfsense.org>2007-10-29 13:14:38 +0000
commit0c8b2f57b85d46ead302f83019f8f852897f72cb (patch)
treeff41276474debc005f979f63bed79c36cea5eba1
parent93d90b03b0aaec3ef8e21dbcbc9675d63ca75f25 (diff)
squid: add option to NOT redirect private subnets to the transparent proxy server
-rw-r--r--packages/squid/squid.inc17
-rw-r--r--packages/squid/squid.xml6
2 files changed, 20 insertions, 3 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index 89fd6b44..6835be33 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -292,10 +292,14 @@ function squid_validate_general($post, $input_errors) {
$webgui_port = 443;
}
-
if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
$input_errors[] = "You can not run squid on the same port as the webgui";
}
+
+ if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy'] == 'on')) {
+ $input_errors[] = "You can not disable forwarding traffic to private subnets to the proxy server without using the transparent proxy.";
+ }
+
}
function squid_validate_upstream($post, $input_errors) {
@@ -1039,11 +1043,18 @@ function squid_generate_rules($type) {
switch($type) {
case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy'] == 'on') {
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from any to 10.0.0.0/8 port 80\n";
+ $rules .= "no rdr on $iface proto tcp from any to 172.16.0.0/12 port 80\n";
+ $rules .= "no rdr on $iface proto tcp from any to 192.168.0.0/16 port 80\n";
+ }
+ }
foreach ($ifaces as $iface){
- $rules .= "# Setup Squid proxy redirect\n";
$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
- $rules .= "\n";
};
+ $rules .= "\n";
break;
case 'filter':
foreach ($ifaces as $iface){
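Review bot: The `no rdr` block added at the top of the `nat` case carries no comment saying why it has to sit before the `rdr` loop, and that ordering is load-bearing: pf applies the first matching translation rule, so the three exemptions only take effect because they are written out first. A comment in the generated ruleset would protect this against a later reordering, e.g. `$rules .= "# 'no rdr' must precede the rdr rules below: pf uses the first matching translation rule\n";` as the first line inside the `if`. The block also emits the exemptions without looking at `$squid_conf['transparent_proxy']`; the check added to squid_validate_general rejects that combination at save time, so this presumably relies on the `nat` case only being requested in transparent mode — worth confirming against the caller. squid_generate_rules begins and ends outside the hunk.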
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index b373cebc..698055ca 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
@@ -169,6 +169,12 @@
<required/>
</field>
<field>
+ <fieldname>private_subnet_proxy</fieldname>
+ <fielddescr>Do NOT proxy private subnets</fielddescr>
+ <description>Do not forward traffic to private subnets to the proxy server.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
<fielddescr>Enabled logging</fielddescr>
<fieldname>log_enabled</fieldname>
<description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
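Review bot: The new field's `<description>` does not tell the user that the option only works together with the transparent proxy, even though squid.inc now rejects the form with an input error when `private_subnet_proxy` is on and `transparent_proxy` is off. Stating the dependency and the affected ranges here avoids a save-then-error round trip: `<description>Do not forward traffic to private subnets (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to the proxy server. Requires the transparent proxy to be enabled.</description>`. As a point of style, the new field lists `<fieldname>` before `<fielddescr>`, while the neighbouring `log_enabled` field uses the opposite order.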