From owner-freebsd-questions@FreeBSD.ORG Wed Feb 20 16:06:26 2008
Delivered-To: freebsd-questions@freebsd.org
Date: Wed, 20 Feb 2008 18:06:23 +0200
From: "Deian Popov" <deianp@gmail.com>
To: freebsd-questions@freebsd.org
Subject: PF connection pool + squid 3 oddity
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 20 Feb 2008 16:06:26 -0000

Hello,

I have a very odd problem with a pf connection pool (2 ISPs) and squid 3. Just to mention, I support 3 other networks without a connection pool. All of them work using squid and pf but do not use a connection pool.

If I set up my browser to use the proxy (e.g. gateway port 3128), all traffic passes through squid. If I use the rdr rule (as I should), I am unable to browse the web.

My question is: what is the difference between the request from a browser instructed to use the proxy, and the rdr rule of pf? Why are my requests dying?

I will not attach squid.conf since I have only changed the allowed network and added "transparent". Here is my sample pf.conf:

lan_net = "192.168.0.0/24"
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"
ext_gw1 = "X1"
ext_gw2 = "X2"
local_host = "127.0.0.1"

# define ports
ports_in = "{9000}"
ports_out = "{21, 25, 53, 80, 110, 443, 1863, 1194, 5190, 5222, 9000}"

# define allowed hosts
# (the table name was stripped by the list archive; <allowed> is assumed
# here because the table is loaded from /etc/allowed)
table <allowed> persist file "/etc/allowed"

# skip lo0
set skip on lo0

# default block policy
set block-policy drop

# normalize packets
scrub in all fragment reassemble

# squid it
#rdr on $int_if inet proto tcp to port 80 -> $local_host port 3128

# nat outgoing connections on each internet interface
# nat on $ext_if1 from $lan_net to any -> ($ext_if1)
# nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if1 from <allowed> to any -> ($ext_if1)
nat on $ext_if2 from <allowed> to any -> ($ext_if2)

# spoof protection
antispoof quick for {$int_if, $ext_if1, $ext_if2}

# default deny
block in log from any to any
block out log from any to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
pass out quick on $int_if from $int_if to $lan_net

# load balance outgoing tcp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general "pass in" rules for external interfaces
pass in on $ext_if1 proto tcp from any to $ext_if1 port $ports_in
pass in on $ext_if2 proto tcp from any to $ext_if2 port $ports_in

# general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if1 proto udp from any to any port $ports_out keep state
pass out on $ext_if1 proto icmp from any to any keep state
pass out on $ext_if2 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if2 proto udp from any to any port $ports_out keep state
pass out on $ext_if2 proto icmp from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Thanks in advance.
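Added example, not part of the original message and not something the thread confirms: a pf.conf fragment that uses the poster's macros to illustrate the difference the question asks about. It rests on pf's documented processing order, which is stated here as the editor's reading rather than a diagnosis from the list: rdr rewrites the destination address before the filter rules are evaluated, so a packet redirected to 127.0.0.1:3128 no longer matches "to $int_if" in the quick rule and falls through to the route-to rule, which forces it out an ISP interface instead of delivering it to squid. A browser configured to use the proxy connects to $int_if:3128 directly and is passed by the quick rule before any route-to rule is consulted. The fragment assumes squid listens on port 3128 on the internal interface address (or on 127.0.0.1, covered by the second quick rule); the proxy_port macro is introduced for this example only.

```pf
# Added example (not the poster's file): keep transparently redirected
# web traffic away from the route-to load-balancing rules.
# Assumes the poster's macros; squid listens on port 3128.
lan_net = "192.168.0.0/24"
int_if = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"
ext_gw1 = "X1"
ext_gw2 = "X2"
proxy_port = "3128"        # assumed for this example

# Translation is applied before filtering. Redirecting to the internal
# interface address (instead of 127.0.0.1) means the translated packet
# still matches "to $int_if" in the quick rules below.
rdr on $int_if inet proto tcp from $lan_net to any port 80 -> $int_if port $proxy_port

# Anything destined for the gateway itself, including redirected proxy
# traffic, must be passed with "quick" BEFORE the route-to rules;
# otherwise the route-to rule matches and the packet leaves via an ISP
# interface instead of reaching squid.
pass in quick on $int_if proto tcp from $lan_net to $int_if port $proxy_port flags S/SA keep state
# Same protection if squid is bound only to 127.0.0.1 and the rdr
# target is left as 127.0.0.1 port 3128.
pass in quick on $int_if proto tcp from $lan_net to 127.0.0.1 port $proxy_port flags S/SA keep state
pass in quick on $int_if from $lan_net to $int_if

# Only traffic that did not match above reaches the load balancer.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# squid's own upstream connections originate on the gateway, so they
# leave through the ordinary pass out rules and the system routing
# table, which is why the explicit-proxy setup worked unchanged.
pass out on $ext_if1 proto tcp from any to any port 80 flags S/SA modulate state
pass out on $ext_if2 proto tcp from any to any port 80 flags S/SA modulate state
```

To confirm which rule a redirected connection is actually hitting, load the ruleset with pfctl -f and compare "pfctl -vsr" rule counters (or the pflog output for the block rules) before and after browsing from a LAN host: a counter incrementing on the route-to rule rather than on the quick proxy rule reproduces the failure described above.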