From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 05:56:16 2011
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CC5CF106564A for ; Mon, 11 Apr 2011 05:56:16 +0000 (UTC) (envelope-from zeus@relay.ibs.dn.ua)
Received: from relay.ibs.dn.ua (relay.ibs.dn.ua [91.216.196.25]) by mx1.freebsd.org (Postfix) with ESMTP id 106398FC08 for ; Mon, 11 Apr 2011 05:56:15 +0000 (UTC)
Received: from relay.ibs.dn.ua (localhost [127.0.0.1]) by relay.ibs.dn.ua with ESMTP id p3B5jjMT065412 for ; Mon, 11 Apr 2011 08:45:45 +0300 (EEST)
Received: (from zeus@localhost) by relay.ibs.dn.ua (8.14.4/8.14.4/Submit) id p3B5jiuO065408 for freebsd-pf@freebsd.org; Mon, 11 Apr 2011 08:45:44 +0300 (EEST)
Date: Mon, 11 Apr 2011 08:45:44 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110411054544.GC22812@relay.ibs.dn.ua>
Mail-Followup-To: freebsd-pf@freebsd.org
References: <20110210155622.GA60117@icarus.home.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20110210155622.GA60117@icarus.home.lan>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 8.1-RELEASE
X-Editor: GNU Emacs 23.2.1
Subject: transparent proxy traffic queue ...
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: zeus@ibs.dn.ua
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Mon, 11 Apr 2011 05:56:17 -0000

Hi all,

While trying to shape bandwidth for transparent proxy traffic I faced behaviour that is weird to me ... may somebody help me to understand where I am mistaken, please?

I use squid as proxy (installed from ports and configured with WITH_SQUID_PF=true, WITH_SQUID_IPFILTER=true). It works and my LAN can browse the internet transparently (without setting a proxy in the browser options). Squid is configured with delay pools, but I want to send it through a pf queue too.

The network topology is simple:

  (LAN) <-> ale0 [FreeBSD-8.2-STABLE i386] xl0(tun0) <-> [ADSL bridge] <-> (INTERNET)

The problem is that the traffic outgoing from the proxy to the internet is going through the queue on $if_wan, and I can see it while tcpdumping pflog0, but I can not see on pflog0 the traffic incoming from the internet to the LAN: there is no outgoing traffic through the $if_lan interface while running tcpdump on pflog0 ...

While trying to:

  > tcpdump -n -i pflog0 -ttte -s0 port 80

I can see only outgoing traffic from LAN to inet:

  ...
  00:00:00.000000 rule 12/0(match): pass out on tun0: my.wan.ip.here.56987 > 206.127.23.230.80: Flags [S], seq 3641245239, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114160025 ecr 0], length 0
  00:00:00.023229 rule 12/0(match): pass out on tun0: my.wan.ip.here.53120 > 64.147.113.42.80: Flags [S], seq 3951546220, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114164836 ecr 0], length 0
  00:00:00.479411 rule 12/0(match): pass out on tun0: my.wan.ip.here.40511 > 199.7.50.72.80: Flags [S], seq 3596234346, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114462122 ecr 0], length 0
  ...

but if I

  > tcpdump -n -i ale0 -ttte -s0 port 80

then I can see all traffic, of course ...

What am I missing, please? Why is the traffic outgoing to the LAN missed on pflog0?

And yet, the same picture is with smb traffic ... I can see only traffic from LAN to WAN.

My tailored pf.conf is:

  if_wan = "tun0"
  if_lan = "ale0"
  ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"
  ports_nat = "ntp, xmpp-client, 5223, xmpp-server"
  ports_smb = "135:139, 445"

  table persist file "/etc/pf.tbl.admins"
  table persist file "/etc/pf.tbl.pass_wan"

  set skip on lo0
  set optimization conservative
  set ruleset-optimization basic

  altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
  queue wan_http bandwidth 150Kb priority 2
  queue wan_rest bandwidth 850Kb cbq(default)

  altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http }
  queue lan_http bandwidth 2Mb priority 2
  queue lan_rest bandwidth 98Mb cbq(default)

  rdr on $if_lan proto { tcp, udp } from ! \
      to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128
  nat on $if_wan from to any -> ($if_wan)
  nat on $if_wan from ! to port { $ports_nat } -> ($if_wan)

  antispoof for { $if_wan, $if_lan }

  block in log
  pass in log inet proto icmp all icmp-type echoreq
  pass in log on $if_wan inet proto { tcp, udp } from { } \
      to ($if_wan) port ssh
  pass in log on $if_lan
  pass out log on $if_wan
  pass out log on $if_lan

  block drop out log on $if_wan from any \
      to { 127/8, 10/8, 172.16/12, 192.168/16 }

  pass out log on $if_wan inet proto { tcp, udp } from $if_lan:0 \
      to any port { $ports_proxy } keep state queue wan_http
  pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
      to $if_lan:0 queue lan_http
  pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_smb } \
      to $if_lan:network queue lan_smb
  pass out log on $if_vpn inet proto { tcp, udp } from $if_lan:network \
      to any port { $ports_smb } queue vpn_smb

-- 
Zeus V.
Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 06:17:33 2011
Date: Mon, 11 Apr 2011 08:17:30 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110411061730.GA26940@insomnia.benzedrine.cx>
In-Reply-To: <20110411054544.GC22812@relay.ibs.dn.ua>
Subject: Re: transparent proxy traffic queue ...

On Mon, Apr 11, 2011 at 08:45:44AM +0300, Zeus V Panchenko wrote:

> What am I missing, please? Why is the traffic outgoing to the LAN missed on pflog0?
It seems you want log(all), but are only using log, see pf.conf(5):

      log        Only the packet that establishes the state is logged.
      log (all)  Used to force logging of all packets for a connection.

Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 08:07:04 2011
Date: Mon, 11 Apr 2011 11:06:48 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110411080648.GD22812@relay.ibs.dn.ua>
Mail-Followup-To: freebsd-pf@freebsd.org, Daniel Hartmeier
In-Reply-To: <20110411061730.GA26940@insomnia.benzedrine.cx>
Subject: Re: transparent proxy traffic queue ...
Thank you Daniel for the reply,

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.11 09:18] wrote:
> On Mon, Apr 11, 2011 at 08:45:44AM +0300, Zeus V Panchenko wrote:
> It seems you want log(all), but are only using log, see pf.conf(5):

It didn't help ... pftop output still shows no lan_http counters, and when I download anything from inet it eats all the bandwidth ...

In pf.conf:

  pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
      to any port { $ports_proxy } keep state queue wan_http
  pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
      to $if_lan:network queue lan_http

Squid is bound to $if_lan:0 and in the logs I see the activity (the LAN browses inet successfully). If I tcpdump $if_lan I can see that, but it looks like it is passing by the queue ... why?

In pftop output:

  pfTop: Up Queue 1-6/6, View: queue, Cache: 10000                        10:59:55

  QUEUE          BW  SCH PRIO  PKTS   BYTES    DROP_P DROP_B QLEN BORROW SUSPEN P/S  B/S
  root_tun0   1000K  cbq    0  12270  1429980       0      0    0      0      0  23   1867
  wan_http     150K  cbq    2   4180   512946       0      0    0      0     29   0      0
  wan_rest     850K  cbq       8090   917034       0      0    0      0      0  23   1867
  root_ale0    100M  cbq    0  11789  9982786       0      0    0      0      0  16  21739
  lan_http    2000K  cbq    2      0        0       0      0    0      0      0   0      0
  lan_rest      98M  cbq      13469 11810110       0      0    0      0   1073  38  43015

-- 
Zeus V.
Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 08:57:33 2011
Date: Mon, 11 Apr 2011 10:57:30 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110411085730.GB26940@insomnia.benzedrine.cx>
In-Reply-To: <20110411080648.GD22812@relay.ibs.dn.ua>
Subject: Re: transparent proxy traffic queue ...

On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:

> pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
>     to any port { $ports_proxy } keep state queue wan_http
> pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
>     to $if_lan:network queue lan_http

The second rule looks wrong. Those connections are incoming (not
outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
$ports_proxy'.

I assume you have some rdr rule, too, so the log (all) option must
be on the rule matching THAT, i.e.

  rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
      -> $if_lan:0 port 3128
  pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
      to $if_lan:0 port 3128

Run pfctl -vvss and see what states you have, and what rules they
are based on (compare with numbers in pfctl -gsr output), probably
not the right ones (with proper log and queue options).

Also, add a default block rule, then it becomes clear when a
connection doesn't match the expected rule, it gets blocked instead
of passing with wrong options...
Daniel

From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 11:07:07 2011
Date: Mon, 11 Apr 2011 11:07:06 GMT
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Message-Id: <201104111107.p3BB76Zu025949@freefall.freebsd.org>
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/155736  pf         [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf         [pf] Bug with PF firewall
o kern/148290  pf         [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf         [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf         [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf         [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf         [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf         [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf         [pf] No way to adjust pidfile in pflogd
o conf/142817  pf         [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf         [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf         [pf] pf behaviour changes - must be documented
o kern/137982  pf         [pf] when pf can hit state limits, random IP failures
o kern/136781  pf         [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf         [pf] [gre] pf not natting gre protocol
o kern/135162  pf         [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf         [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf         [pf] max-src-conn issue
o kern/132769  pf         [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf         [pf] pf stalls connection when using route-to [regress
o conf/130381  pf         [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf         [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf         [pf] ipv6 and synproxy don't play well together
o conf/127814  pf         [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf         [pf] deadlock in pf
f kern/127345  pf         [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf         [pf] [patch] pf incorrect log priority
o kern/127042  pf         [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf         [pf] pf keep state bug while handling sessions between
s kern/124933  pf         [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf         [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf         [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf         [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf         [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf         [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf         [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf         [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf         [carp] carp+pf delay with high state limit
s conf/110838  pf         [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf         pfsync fails to successfully transfer some sessions
o kern/103281  pf         pfsync reports bulk update failures
o kern/93825   pf         [pf] pf reply-to doesn't work
o sparc/93530  pf         [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf         [pf] PF + ALTQ problems with latency
o bin/86635    pf         [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf         [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 15:22:34 2011
Date: Mon, 11 Apr 2011 18:22:30 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110411152230.GA88862@relay.ibs.dn.ua>
In-Reply-To: <20110411085730.GB26940@insomnia.benzedrine.cx>
Subject: Re: transparent proxy traffic queue ...

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.11 11:57] wrote:
> On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
>
> > pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> >     to any port { $ports_proxy } keep state queue wan_http
> > pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
> >     to $if_lan:network queue lan_http
>
> The second rule looks wrong. Those connections are incoming (not
> outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
> $ports_proxy'.

The proxy is bound to if_lan:0. The first rule catches traffic from LAN to inet, so the sequence is:

  LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server

and backward ...

  some_web_server -> if_wan -> proxy server -> if_lan -> LAN

Is it because the proxy LAN address is bound to if_lan:0 that the traffic on if_lan is incoming rather than outgoing?

> I assume you have some rdr rule, too, so the log (all) option must
> be on the rule matching THAT, i.e.
>
> rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
>     -> $if_lan:0 port 3128
> pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
>     to $if_lan:0 port 3128

Yes, I have the rdr rule:

  rdr on $if_lan proto { tcp, udp } from ! to ! 172.16/12 \
      port { $ports_proxy } -> $if_lan:0 port 3128

and after addition of the rule

  pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
      to $if_lan:0 port 3128

at last I can see traffic outgoing to the LAN:

  00:00:00.016574 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 3758, win 8326, options [nop,nop,TS val 3521710434 ecr 560947], length 0
  00:00:00.000200 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 376
  00:00:00.000017 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 180
  00:00:00.098247 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 4307, win 8326, options [nop,nop,TS val 3521710989 ecr 561085], length 0
  00:00:00.000207 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 4307, win 8326, options [nop,nop,TS val 3521711168 ecr 561085], length 514

but when I'm trying to catch it and direct it to the queue, it fails:

  pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
      to $if_lan:network queue lan_http
  pass in log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
      to $if_lan:network queue lan_http

> Run pfctl -vvss and see what states you have, and what rules they
> are based on (compare with numbers in pfctl -gsr output), probably
> not the right ones (with proper log and queue options).

In the pfctl output I still can see only states outgoing to the internet ... no incoming ones.

> Also, add a default block rule, then it becomes clear when a
> connection doesn't match the expected rule, it gets blocked instead
> of passing with wrong options...

I have the rule (I was posting pf.conf in the first message).

-- 
Zeus V.
Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)

From owner-freebsd-pf@FreeBSD.ORG Fri Apr 15 06:36:37 2011
Date: Fri, 15 Apr 2011 08:36:32 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110415063632.GA14296@insomnia.benzedrine.cx>
In-Reply-To: <20110411152230.GA88862@relay.ibs.dn.ua>
Subject: Re: transparent proxy traffic queue ...
On Mon, Apr 11, 2011 at 06:22:30PM +0300, Zeus V Panchenko wrote:

> The first rule catches traffic from LAN to inet, so the sequence is:
>
> LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
>
> and backward ...
>
> some_web_server -> if_wan -> proxy server -> if_lan -> LAN
>
> Is it because the proxy LAN address is bound to if_lan:0 that the traffic on
> if_lan is incoming rather than outgoing?

First, incoming and outgoing in context of pf.conf rules are relative
to the firewall (and not your LAN vs. the internet), e.g. incoming
means 'enters the firewall through an interface from a network' and
outgoing means 'exits the firewall through an interface to a network'.

Second, with a squid proxy, there are actually two distinct connections:
one connection from the client to the proxy, and another connection
from the proxy to the server. There are two different (random) source
ports, and two different destination ports (3128 and 80):

  1) client:random1 -> proxy:3128  (incoming on if_lan)
  2) proxy:random2  -> server:80   (outgoing on if_wan)

Both are filtered by pf, and both must be passed explicitly. Only the
first is affected by rdr (destination port translation), and the pass
rule must match the connection AFTER translation, i.e.

  rdr on $if_lan ... to any port 80 -> $if_lan:0 port 3128
  pass in on $if_lan ... to $if_lan:0 port 3128

The fact that the proxy's listening socket is bound to if_lan:0 doesn't
change any of this, you could just as well bind it to 127.0.0.1 or
ext_if.

> > Run pfctl -vvss and see what states you have, and what rules they
> > are based on (compare with numbers in pfctl -gsr output), probably
> > not the right ones (with proper log and queue options).
>
> In the pfctl output I still can see only states outgoing to the internet ... no incoming ones.

You can add 'set state-policy if-bound', so states get bound to
interfaces, and pfctl -ss shows both, which can help.

The arrows (-> or <-) in the pfctl -ss output indicate the direction
of a state (-> for outgoing, <- for incoming). You should see pairs of
states, like described above. As long as you only see one state, there
is something wrong.

HTH,
Daniel
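The two-connection picture Daniel describes, written out as a minimal pf.conf. This is an added example, not a ruleset posted in the thread: the interface names, the 172.16/12 LAN prefix and the squid port 3128 follow the original poster's setup, while the queue bandwidths and the lan_net/proxy_port macro names are assumed.

```pf
# Added example (not from the thread): minimal ruleset for a transparent
# squid running on the firewall itself.  One browse is two connections
# (client -> proxy, proxy -> server); each needs its own pass rule, and
# each is queued on the interface it leaves the firewall through.
if_wan = "tun0"
if_lan = "ale0"
lan_net = "172.16.0.0/12"        # assumed: the poster's LAN prefix
proxy_port = "3128"              # squid's http_port

set state-policy if-bound        # bind states to interfaces so that
                                 # pfctl -ss shows both halves (-> and <-)

# Queues: a small HTTP queue on each side (bandwidths assumed).
altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
queue wan_http bandwidth 150Kb priority 2
queue wan_rest bandwidth 850Kb cbq(default)

altq on $if_lan cbq bandwidth 100Mb queue { lan_rest, lan_http }
queue lan_http bandwidth 2Mb priority 2
queue lan_rest bandwidth 98Mb cbq(default)

# Connection 1 before translation: client:random1 -> server:80.
# rdr rewrites the destination to the proxy's LAN address and port;
# traffic from LAN hosts to other LAN hosts is left alone.
rdr on $if_lan inet proto tcp from $lan_net to ! $lan_net port http \
    -> $if_lan:0 port $proxy_port

# Default deny, logged: a connection that matches no explicit pass rule
# shows up as a block in pflog instead of silently passing with the
# wrong log/queue options.
block log all

# Connection 1 AFTER translation: incoming on $if_lan, the destination
# is now the proxy socket.  The queue set on this stateful "pass in"
# rule is applied to the connection's packets when they leave $if_lan,
# i.e. the proxy -> client download the poster wanted to shape.
pass in log (all) quick on $if_lan inet proto tcp from $lan_net \
    to $if_lan:0 port $proxy_port keep state queue lan_http

# Connection 2: proxy:random2 -> server:80, outgoing on $if_wan.  The
# proxy runs on the firewall, so the source is the WAN address itself
# and no nat rule is involved.
pass out log (all) quick on $if_wan inet proto tcp from ($if_wan) \
    to any port http keep state queue wan_http

# Replies for connection 2 arrive on $if_wan and match the state above.
# Anything else the box needs (DNS for squid, management access) gets
# its own pass rule under the default block.
```

With this loaded, pfctl -ss should show one `<-` state on ale0 (client to proxy:3128) and one `->` state on tun0 (proxy to server:80) per browse, and pftop should show the lan_http counters moving during a download.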