authorMartin Fuchs <mfuchs@pfsense.org>2008-09-18 21:55:47 +0000
committerMartin Fuchs <mfuchs@pfsense.org>2008-09-18 21:55:47 +0000
commit6b553ad36fbfafe9b4f1ea3b42f3798ccc406187 (patch)
tree151b33210e3090dd07ee39374be538def5f7f591 /packages
parentc1eb00a0c8aa3cb457bf982ded5aebffb47976c9 (diff)
downloadpfsense-packages-6b553ad36fbfafe9b4f1ea3b42f3798ccc406187.tar.gz
pfsense-packages-6b553ad36fbfafe9b4f1ea3b42f3798ccc406187.tar.bz2
pfsense-packages-6b553ad36fbfafe9b4f1ea3b42f3798ccc406187.zip
squid: add possibility to exempt IPs from transparent squid
Diffstat (limited to 'packages')
-rw-r--r--packages/squid/squid.inc28
-rw-r--r--packages/squid/squid.xml7
-rw-r--r--packages/squid3/squid.inc28
-rw-r--r--packages/squid3/squid.xml7
4 files changed, 70 insertions, 0 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index b641dbd5..3a4369ba 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -316,6 +316,18 @@ function squid_validate_general($post, $input_errors) {
if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) {
$input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy.";
}
+
+ if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) {
+ $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address";
+ }
+ }
if(!empty($post['dns_nameservers'])) {
$altdns = explode(";", ($post['dns_nameservers']));
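Review bot: The inner loop reads `$post[$hosts]` unconditionally, so a request that omits `defined_ip_proxy_off` (an older form, or a non-transparent setup that never shows the field) triggers an undefined-index notice before `explode()` runs on a null; the result happens to be harmless, but the read should be guarded, e.g. `if (empty($post[$hosts])) continue;` as the first statement of the outer loop. The `is_ipaddr()` check on each trimmed entry is the only thing constraining a string that `squid_generate_rules()` later interpolates into the pf ruleset, so it should stay strict: it appears to accept single host addresses only, not CIDR networks, which is consistent with the UI wording but worth a one-line comment such as `// host addresses only; the value is emitted verbatim into pf 'no rdr' rules`. The same code is added to packages/squid3/squid.inc in the hunk at -317,6. `squid_validate_general()` begins and ends outside this hunk.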
@@ -1213,6 +1225,22 @@ function squid_generate_rules($type) {
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
}
}
+
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $config['installedpackages']['squid']['config'][0]['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
+ }
+ }
+
foreach ($ifaces as $iface){
$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
};
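Review bot: Entries are tested with `!empty()` before they are trimmed, so an entry that is only whitespace (a stray `; ;` in the field) passes the check, becomes `""` after `trim()`, and ends up as a dangling `, ` inside the braces of the `no rdr` rule, which pf would likely reject and thereby break loading of the whole generated ruleset; swapping the two lines fixes it: `$ip_proxy_off = trim($ip_proxy_off);` then `if (!empty($ip_proxy_off) && is_ipaddr($ip_proxy_off)) {`. Re-checking `is_ipaddr()` here also matters because this path reads the stored config directly and is not covered by the form validation in `squid_validate_general()` (a config restored from backup or edited by hand never passes through it), and the string is interpolated verbatim into the rule. With the stricter filter the list can end up empty, so the `foreach ($ifaces ...)` that emits the rule should be wrapped in `if ($exempt_ip !== '')` to avoid an empty `{ }` table. The guard tests `$squid_conf['defined_ip_proxy_off']` but the value is then re-read from `$config['installedpackages']['squid']['config'][0]`; presumably these are the same array, in which case the existing `$squid_conf` should be used for both. The identical hunk at -1214,6 in packages/squid3/squid.inc has the same issues; `squid_generate_rules()` continues outside this hunk.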
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index fe57bebb..4c8bc4ab 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
@@ -175,6 +175,13 @@
<type>checkbox</type>
</field>
<field>
+ <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off</fieldname>
+ <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>80</size>
+ </field>
+ <field>
<fielddescr>Enabled logging</fielddescr>
<fieldname>log_enabled</fieldname>
<description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
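Review bot: The field description does not tell the user that only individual IP addresses are accepted, while the validator added in squid.inc rejects anything `is_ipaddr()` does not recognise, so entering a network such as a CIDR block will produce an error the description does not prepare them for; suggest extending the text to `Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server. Enter single IP addresses only (no subnets), separated by semi-colons (;).`. The field is also shown regardless of whether the transparent proxy is enabled, although the validator refuses a non-empty value in that case; a short hint that it only applies with the transparent proxy would avoid a confusing save error. The same field is added to packages/squid3/squid.xml in the hunk at -175,6.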
diff --git a/packages/squid3/squid.inc b/packages/squid3/squid.inc
index 3c42f92e..1f3b5f7e 100644
--- a/packages/squid3/squid.inc
+++ b/packages/squid3/squid.inc
@@ -317,6 +317,18 @@ function squid_validate_general($post, $input_errors) {
if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) {
$input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy.";
}
+
+ if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) {
+ $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address";
+ }
+ }
if(!empty($post['dns_nameservers'])) {
$altdns = explode(";", ($post['dns_nameservers']));
@@ -1214,6 +1226,22 @@ function squid_generate_rules($type) {
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
}
}
+
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $config['installedpackages']['squid']['config'][0]['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
+ }
+ }
+
foreach ($ifaces as $iface){
$rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
};
diff --git a/packages/squid3/squid.xml b/packages/squid3/squid.xml
index 5e0acf9b..8529526e 100644
--- a/packages/squid3/squid.xml
+++ b/packages/squid3/squid.xml
@@ -175,6 +175,13 @@
<type>checkbox</type>
</field>
<field>
+ <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off</fieldname>
+ <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs through the proxy server. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>80</size>
+ </field>
+ <field>
<fielddescr>Enabled logging</fielddescr>
<fieldname>log_enabled</fieldname>
<description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>