Date:      Mon, 11 Apr 2011 10:57:30 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        freebsd-pf@freebsd.org
Subject:   Re: transparent proxy traffic queue ...
Message-ID:  <20110411085730.GB26940@insomnia.benzedrine.cx>
In-Reply-To: <20110411080648.GD22812@relay.ibs.dn.ua>
References:  <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua>

On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:

> pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
>      to any port { $ports_proxy } keep state queue wan_http
> pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
>      to $if_lan:network queue lan_http

The second rule looks wrong. Those connections are incoming (not
outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
$ports_proxy'.

I assume you have some rdr rule, too, so the log (all) option must
be on the rule matching THAT, i.e.

  rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
    -> $if_lan:0 port 3128
  pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port 3128

Run pfctl -vvss and see what states you have, and what rules they
are based on (compare with numbers in pfctl -gsr output), probably
not the right ones (with proper log and queue options).

Also, add a default block rule; then it becomes clear when a
connection doesn't match the expected rule, since it gets blocked instead
of passing with wrong options...

Daniel
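
The ruleset below is an added example, not part of the original thread or of Zeus's configuration: it puts Daniel's three corrections (rdr plus a matching 'pass in' on $if_lan carrying the log and queue options, the proxy's upstream traffic as 'pass out' on $if_wan, and a default block) into one minimal pf.conf for FreeBSD's pf 4.x syntax. The interface names, the port 3128 (Squid's default), the upstream ports, and the ALTQ queue names and bandwidths are assumptions for illustration; adjust them to the real setup.

```pf
# Added example (not from the original message). Interfaces, proxy port,
# upstream ports and queue bandwidths are assumed values.
if_lan     = "em0"
if_wan     = "em1"
proxy_port = "3128"

# ALTQ: every queue named in a filter rule must exist on the interface the
# shaped packets leave on. lan_http shapes proxy->client replies on $if_lan,
# wan_http shapes proxy->upstream traffic on $if_wan.
altq on $if_lan cbq bandwidth 100Mb queue { lan_default, lan_http }
queue lan_default bandwidth 70% cbq(default)
queue lan_http    bandwidth 30%
altq on $if_wan cbq bandwidth 10Mb queue { wan_default, wan_http }
queue wan_default bandwidth 70% cbq(default)
queue wan_http    bandwidth 30%

# Translation section (in pf 4.x rdr rules come before the filter rules):
# redirect LAN clients' outbound port-80 TCP to the proxy on this box.
rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
    -> $if_lan:0 port $proxy_port

# Default deny. Anything that does not hit an explicit pass rule is blocked
# and logged, so a connection matching the wrong rule (missing log/queue
# options) is immediately visible instead of silently passing.
block log all

# The redirected connections arrive *inbound* on $if_lan, and the filter
# sees them after translation, i.e. addressed to the proxy port. This is
# the rule the state is created on, so log (all) and the queue go here.
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port $proxy_port keep state queue lan_http

# The proxy's own connections to origin servers leave outbound on $if_wan.
pass out log (all) on $if_wan inet proto tcp from $if_wan:0 \
    to any port { 80, 443 } keep state queue wan_http
```

Load it with 'pfctl -nf /etc/pf.conf' first to catch syntax errors, then follow Daniel's check: after a client fetches a page, 'pfctl -vvss' should show the LAN-side state with the rule number of the 'pass in ... port 3128' rule above and the WAN-side state with the rule number of the 'pass out' rule; any state attributed to a different rule, or a blocked connection in the pflog interface, means the traffic is not taking the expected path.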
