Bypassing transparent http proxy (havp?)

danswartz

I have installed havp as transparent proxy and it works fine.  Until I found my tivo could no longer fetch program updates from the internet.  I remember this happening when I had a linux gateway with squid/dansguardian, and I was able to work around it by adding an iptables rule to allow the tivo IP address to bypass the proxy.  Is that possible with pfsense?  The problem is apparently the tivo sends non-standard http requests, so I see things in the havp log like this: "Invalid request from browser (no Host-header?)".  Whitelisting the tivo urls doesn't help - apparently the above check is done elsewhere than the whitelist code.

danswartz

I did find the following in /usr/local/pkg/havp.inc:

if ($type === 'nat') {
                $rules[] = "# havp proxy ifaces redirect";
            foreach($ifaces as $iface) {
            switch($proxymode) {
                    case 'transparent':
                    # rdr any http => localhost:port
                    $rules[] = "rdr on $iface proto tcp from any to !($iface) port 80 -> $proxybindiface port $proxyport";

I'm guessing I could change the above to say something like '! 10.0.0.222' (or whatever the right pf syntax is) instead of 'any', but I'd rather not have to touch packages.

danswartz

Alternatively, if there was a place I could insert custom rules (specifically, something [don't know what yet] that would bypass any squid/havp transparent proxy, that would be fine.  On my old linux gateway, I could do this:

/sbin/iptables -t nat -I PREROUTING -s 10.0.0.222 -p tcp --dport 80 -j ACCEPT

This would cause anything aimed at port 80 from the specified host (my tivo) to bypass the redirect rule (if any) that squid would add.  Is there a pf way of doing this?  And if so, does pfsense have a place I can hook that in without messing with packages?  My clarkconnect server (formerly gateway) had /etc/rc.d/rc.firewall.local where I could plug in custom rules like the above.

danswartz

I was thinking maybe I was making this overcomplicated.  My concern was to have the rdr rule generated by havp not get in the way, so I thought maybe I could use the internal mode instead of the transparent mode, and add my own rule, but I don't see how to do that in the GUI.  e.g. I can say something like '! 10.0.0.222' on the rules page, but not on the NAT page (which is what generates the rdr rule, no?)  So, at the moment I am stuck :(

dvserg

Try setup not transparent proxy mode and configure Manual nat rules to 127.0.0.1:proxyport

danswartz

thanks, that is what i was thinking, but i'm not familiar enough with pf to be sure what to do.  i want havp to take the requests but not for the one specific IP.  i assumed i should do port forwarding on the LAN for this, but the gui seems not to have a way to say "! IP" for port forwarding, but only for pass/block type rules.  i do not mind putting the rule in somewhere in the CLI, but i am not sure where to do that in pfsense?

danswartz

Am I really asking something that off the wall?  e.g. how I can put in rdr rules that do not apply to certain hosts?  I can see how to do this from the CLI, but not the GUI.  if the former, as i said, i am fine with putting the rules in somewhere in a config file, but I don't see where to do that (there is no /etc/pf.conf like in vanilla freebsd), so what now?

dvserg

Test this:

1. [V] Not NAT - IFACE - from You IP - to any : port 80
2. –--------IFACE - from any    - to any : port 80

danswartz

I will try that when I get home, thanks.  I am not sure how that will work though, since the tivo needs to get to the outside world and does have a private IP, so won't "no nat" keep that from working?