From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 05:56:16 2011
Date: Mon, 11 Apr 2011 08:45:44 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110411054544.GC22812@relay.ibs.dn.ua>
In-Reply-To: <20110210155622.GA60117@icarus.home.lan>
Subject: transparent proxy traffic queue ...
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi all,

while trying to shape bandwidth for transparent proxy traffic I faced behaviour that is weird to me ... may somebody help me to understand where I am mistaken, please?
I use squid as proxy (installed from ports and configured with WITH_SQUID_PF=true, WITH_SQUID_IPFILTER=true); it works and my LAN can browse the inet transparently (without setting a proxy in the browser options). Squid is configured with delay pools, but I want to send its traffic through a pf queue too.

The network topology is simple:

  (LAN) <-> ale0 [FreeBSD-8.2-STABLE i386] xl0(tun0) <-> [ADSL bridge] <-> (INTERNET)

The problem is that the traffic outgoing from the proxy to the internet is going through the queue on $if_wan, and I can see it while tcpdumping pflog0, but I can not see on pflog0 the traffic incoming from the internet to the LAN: no outgoing traffic through the $if_lan interface shows up while tcpdumping pflog0 ...

While trying:

  > tcpdump -n -i pflog0 -ttte -s0 port 80

I can see only the outgoing traffic from the LAN to the inet:

  ...
  00:00:00.000000 rule 12/0(match): pass out on tun0: my.wan.ip.here.56987 > 206.127.23.230.80: Flags [S], seq 3641245239, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114160025 ecr 0], length 0
  00:00:00.023229 rule 12/0(match): pass out on tun0: my.wan.ip.here.53120 > 64.147.113.42.80: Flags [S], seq 3951546220, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114164836 ecr 0], length 0
  00:00:00.479411 rule 12/0(match): pass out on tun0: my.wan.ip.here.40511 > 199.7.50.72.80: Flags [S], seq 3596234346, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114462122 ecr 0], length 0
  ...

but if I run

  > tcpdump -n -i ale0 -ttte -s0 port 80

then I can see all the traffic, of course ...

What am I missing, please? Why is the traffic outgoing to the LAN missed on pflog0?

And yet, the same picture is with smb traffic ...
I can see only traffic from LAN to WAN.

My tailored pf.conf is:

  if_wan = "tun0"
  if_lan = "ale0"

  ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"
  ports_nat = "ntp, xmpp-client, 5223, xmpp-server"
  ports_smb = "135:139, 445"

  table persist file "/etc/pf.tbl.admins"
  table persist file "/etc/pf.tbl.pass_wan"

  set skip on lo0
  set optimization conservative
  set ruleset-optimization basic

  altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
  queue wan_http bandwidth 150Kb priority 2
  queue wan_rest bandwidth 850Kb cbq(default)

  altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http }
  queue lan_http bandwidth 2Mb priority 2
  queue lan_rest bandwidth 98Mb cbq(default)

  rdr on $if_lan proto { tcp, udp } from ! \
      to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128

  nat on $if_wan from to any -> ($if_wan)
  nat on $if_wan from ! to port { $ports_nat } -> ($if_wan)

  antispoof for { $if_wan, $if_lan }

  block in log

  pass in log inet proto icmp all icmp-type echoreq
  pass in log on $if_wan inet proto { tcp, udp } from { } \
      to ($if_wan) port ssh
  pass in log on $if_lan

  pass out log on $if_wan
  pass out log on $if_lan

  block drop out log on $if_wan from any \
      to { 127/8, 10/8, 172.16/12, 192.168/16 }

  pass out log on $if_wan inet proto { tcp, udp } from $if_lan:0 \
      to any port { $ports_proxy } keep state queue wan_http
  pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
      to $if_lan:0 queue lan_http
  pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_smb } \
      to $if_lan:network queue lan_smb
  pass out log on $if_vpn inet proto { tcp, udp } from $if_lan:network \
      to any port { $ports_smb } queue vpn_smb

--
Zeus V. Panchenko
IT Dpt., IBS ltd                                     GMT+2 (EET)
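As an added example (not part of the mail above), a small parser for the `tcpdump -n -i pflog0 -ttte` line format quoted in the mail, which tallies logged packets by rule number, action, direction and interface so you can see at a glance which rules are the ones creating (and therefore logging) state on each interface. The sample lines are constructed here and modelled on the output above; the addresses are placeholders.

```python
import re
from collections import Counter

# Shape of one line from `tcpdump -n -i pflog0 -ttte -s0`, as quoted in the mail:
#   <delta> rule <num>/<sub>(<reason>): <pass|block> <in|out> on <if>: <src>.<sport> > <dst>.<dport>: ...
PFLOG_RE = re.compile(
    r"^(?P<delta>\d\d:\d\d:\d\d\.\d+)\s+"
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+(?P<dst>\S+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the fields of one pflog line as a dict, or None if the line does not match."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def tally(lines):
    """Count logged packets per (rule, action, direction, interface); unparsable lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is not None:
            counts[(rec["rule"], rec["action"], rec["dir"], rec["ifname"])] += 1
    return counts


# Constructed sample (placeholder addresses), modelled on the output quoted in the mail.
SAMPLE = """\
00:00:00.000000 rule 12/0(match): pass out on tun0: 192.0.2.10.56987 > 203.0.113.5.80: Flags [S], seq 3641245239, win 65535, length 0
00:00:00.023229 rule 12/0(match): pass out on tun0: 192.0.2.10.53120 > 203.0.113.6.80: Flags [S], seq 3951546220, win 65535, length 0
00:00:00.100000 rule 7/0(match): pass in on ale0: 172.16.1.20.40000 > 203.0.113.6.80: Flags [S], seq 1, win 65535, length 0
this line is not pflog output and is ignored
00:00:00.479411 rule 12/0(match): pass out on tun0: 192.0.2.10.40511 > 203.0.113.7.80: Flags [S], seq 3596234346, win 65535, length 0
"""

if __name__ == "__main__":
    for (rule, action, direction, ifname), n in sorted(tally(SAMPLE.splitlines()).items()):
        print(f"rule {rule:>3} {action} {direction:<3} on {ifname:<5} {n}")
```

Feed it real output with `tcpdump -n -i pflog0 -ttte -s0 port 80 | python3 script.py` after replacing SAMPLE with `sys.stdin`; a rule that shows only one direction on an interface is the one whose state the reverse packets are matching silently.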