Date: Mon, 11 Apr 2011 08:45:44 +0300
From: Zeus V Panchenko <zeus@ibs.dn.ua>
To: freebsd-pf@freebsd.org
Subject: transparent proxy traffic queue ...
Message-ID: <20110411054544.GC22812@relay.ibs.dn.ua>
In-Reply-To: <20110210155622.GA60117@icarus.home.lan>
References: <20110210155622.GA60117@icarus.home.lan>
Hi all,

while trying to shape bandwidth for transparent proxy traffic I faced behaviour that is weird to me ... may somebody help me understand where I am mistaken, please?

I use squid as proxy (installed from ports and configured with WITH_SQUID_PF=true, WITH_SQUID_IPFILTER=true); it works and my LAN can browse the inet transparently (without setting a proxy in the browser options).

squid is configured with delay pools, but I want to send it through a pf queue too.

The network topology is simple:

(LAN) <-> ale0 [FreeBSD-8.2-STABLE i386] xl0(tun0) <-> [ADSL bridge] <-> (INTERNET)

The problem is that traffic outgoing to the internet from the proxy is going through the queue on $if_wan and I can see it while tcpdumping pflog0, but I can not see on pflog0 the traffic incoming from the internet to the LAN; there is no outgoing traffic through the $if_lan interface while tcpdumping pflog0 ...

While trying:

> tcpdump -n -i pflog0 -ttte -s0 port 80

I can see only outgoing traffic from LAN to inet:

...
00:00:00.000000 rule 12/0(match): pass out on tun0: my.wan.ip.here.56987 > 206.127.23.230.80: Flags [S], seq 3641245239, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114160025 ecr 0], length 0
00:00:00.023229 rule 12/0(match): pass out on tun0: my.wan.ip.here.53120 > 64.147.113.42.80: Flags [S], seq 3951546220, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114164836 ecr 0], length 0
00:00:00.479411 rule 12/0(match): pass out on tun0: my.wan.ip.here.40511 > 199.7.50.72.80: Flags [S], seq 3596234346, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114462122 ecr 0], length 0
...

But if I

> tcpdump -n -i ale0 -ttte -s0 port 80

then I can see all traffic of course ...

What am I missing, please? Why is traffic outgoing to the LAN missed on pflog0?

And yet, the same picture is with smb traffic ... I can see only traffic from LAN to WAN.

My tailored pf.conf is:

# interfaces
if_wan = "tun0"
if_lan = "ale0"

# port lists
ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"
ports_nat = "ntp, xmpp-client, 5223, xmpp-server"
ports_smb = "135:139, 445"

# tables
table <ADMINS> persist file "/etc/pf.tbl.admins"
table <PASS_WAN> persist file "/etc/pf.tbl.pass_wan"

# options
set skip on lo0
set optimization conservative
set ruleset-optimization basic

# queues
altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
queue wan_http bandwidth 150Kb priority 2
queue wan_rest bandwidth 850Kb cbq(default)

altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http }
queue lan_http bandwidth 2Mb priority 2
queue lan_rest bandwidth 98Mb cbq(default)

# NOTE: the queues lan_smb and vpn_smb and the macro $if_vpn used by the
# last two rules are not defined in this (tailored) excerpt

# translation
rdr on $if_lan proto { tcp, udp } from ! <ADMINS> \
    to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128

nat on $if_wan from <ADMINS> to any -> ($if_wan)
nat on $if_wan from ! <ADMINS> to port { $ports_nat } -> ($if_wan)

antispoof for { $if_wan, $if_lan }

# filtering
block in log

pass in log inet proto icmp all icmp-type echoreq
pass in log on $if_wan inet proto { tcp, udp } from { <PASS_WAN> } \
    to ($if_wan) port ssh
pass in log on $if_lan

pass out log on $if_wan
pass out log on $if_lan

block drop out log on $if_wan from any \
    to { 127/8, 10/8, 172.16/12, 192.168/16 }

pass out log on $if_wan inet proto { tcp, udp } from $if_lan:0 \
    to any port { $ports_proxy } keep state queue wan_http

pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
    to $if_lan:0 queue lan_http

pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_smb } \
    to $if_lan:network queue lan_smb

pass out log on $if_vpn inet proto { tcp, udp } from $if_lan:network \
    to any port { $ports_smb } queue vpn_smb

--
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
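The pflog lines quoted in the message follow one fixed shape. As an added example that is not part of the original post, here is a small Python parser for that `tcpdump -n -i pflog0 -ttte` output that tallies entries by interface, direction, rule and destination port, which is the first thing to check when pflog appears to be missing one direction. The third sample line is constructed (its rule number and the 172.16.1.x addresses are assumptions) to show what the rdr'd client-to-proxy packet looks like: rdr is applied before filtering, so that entry carries destination port 3128, not 80, and a `port 80` capture filter will not select it.

```python
import re
from collections import Counter

# Shape of one `tcpdump -n -i pflog0 -ttte` line as quoted in the post:
#   <delta> rule <n>/<sub>(<reason>): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: Flags [<f>], ...
PFLOG_RE = re.compile(
    r"^(?P<delta>\S+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?:Flags \[(?P<flags>[^\]]*)\])?"
)


def parse_pflog_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sub", "sport", "dport"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"] or ""
    return rec


def summarize(lines):
    """Tally entries by (interface, direction, action, rule) and by destination port,
    and count bare SYNs. With stateful rules pflog records the rule match on the
    state-creating packet only; replies and later packets of the same connection
    are matched by the state and are not logged unless the rule says `log (all)`."""
    recs = [r for r in map(parse_pflog_line, lines) if r]
    by_rule = Counter((r["ifname"], r["dir"], r["action"], r["rule"]) for r in recs)
    by_dport = Counter(r["dport"] for r in recs)
    syn_only = sum(1 for r in recs if r["flags"] == "S")
    return {"parsed": len(recs), "by_rule": dict(by_rule),
            "by_dport": dict(by_dport), "syn_only": syn_only}


# Two lines quoted from the post, plus one CONSTRUCTED line (assumed rule number
# and addresses) showing the rdr'd client->proxy packet with its translated port.
SAMPLE = [
    "00:00:00.000000 rule 12/0(match): pass out on tun0: my.wan.ip.here.56987 > 206.127.23.230.80: Flags [S], seq 3641245239, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114160025 ecr 0], length 0",
    "00:00:00.023229 rule 12/0(match): pass out on tun0: my.wan.ip.here.53120 > 64.147.113.42.80: Flags [S], seq 3951546220, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114164836 ecr 0], length 0",
    "00:00:00.001000 rule 7/0(match): pass in on ale0: 172.16.1.10.51234 > 172.16.1.1.3128: Flags [S], seq 1, win 65535, length 0",  # constructed
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

To use it on a live box, feed the lines of an unfiltered `tcpdump -n -i pflog0 -ttte -s0` capture to `summarize()` and compare the per-port and per-interface counts against what the ruleset is expected to log.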
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110411054544.GC22812>