From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 08:57:33 2011
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 03626106566B for ; Mon, 11 Apr 2011 08:57:33 +0000 (UTC) (envelope-from dhartmei@insomnia.benzedrine.cx)
Received: from insomnia.benzedrine.cx (106-30.3-213.fix.bluewin.ch [213.3.30.106]) by mx1.freebsd.org (Postfix) with ESMTP id 428348FC1E for ; Mon, 11 Apr 2011 08:57:31 +0000 (UTC)
Received: from insomnia.benzedrine.cx (localhost.benzedrine.cx [127.0.0.1]) by insomnia.benzedrine.cx (8.14.1/8.13.4) with ESMTP id p3B8vVr6009891 (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256 verify=NO) for ; Mon, 11 Apr 2011 10:57:31 +0200 (MEST)
Received: (from dhartmei@localhost) by insomnia.benzedrine.cx (8.14.1/8.12.10/Submit) id p3B8vUnc003280 for freebsd-pf@freebsd.org; Mon, 11 Apr 2011 10:57:30 +0200 (MEST)
Date: Mon, 11 Apr 2011 10:57:30 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110411085730.GB26940@insomnia.benzedrine.cx>
References: <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20110411080648.GD22812@relay.ibs.dn.ua>
User-Agent: Mutt/1.5.12-2006-07-14
Subject: Re: transparent proxy traffic queue ...
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:

> pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
>     to any port { $ports_proxy } keep state queue wan_http
> pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
>     to $if_lan:network queue lan_http

The second rule looks wrong. Those connections are incoming (not outgoing)
on $if_lan, so it should be 'pass in log (all) ... to port $ports_proxy'.

I assume you have some rdr rule, too, so the log (all) option must be on
the rule matching THAT, i.e.

  rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
      -> $if_lan:0 port 3128
  pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
      to $if_lan:0 port 3128

Run pfctl -vvss and see what states you have, and what rules they are
based on (compare with numbers in pfctl -gsr output), probably not the
right ones (with proper log and queue options).

Also, add a default block rule, then it becomes clear when a connection
doesn't match the expected rule, it gets blocked instead of passing with
wrong options...

Daniel
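The corrections above, put together as one complete pf.conf for a transparent
proxy. This is an added example written for this archive page, not a ruleset
posted by Daniel or by Zeus: the interface names em0/em1, the ALTQ bandwidth
figures, the proxy port macro and the "{ 80 }" port list are assumptions, and
only the queue names wan_http/lan_http, the $if_wan/$if_lan/$ports_proxy
macros and the rdr to port 3128 come from the thread. The rule syntax is the
pre-4.6 style pf that FreeBSD shipped at the time (rdr as a separate
translation rule, altq/cbq queues).

```pf
# pf.conf, transparent HTTP proxy on the LAN-facing box.
# Added example, not from the mailing list thread.
if_wan      = "em0"          # assumed interface name
if_lan      = "em1"          # assumed interface name
ports_proxy = "{ 80 }"       # assumed: only plain HTTP is intercepted
proxy_port  = "3128"         # squid-style port, as in the thread

# ALTQ queues. The names are the thread's; the bandwidths are made up.
altq on $if_wan cbq bandwidth 10Mb queue { wan_std, wan_http }
queue wan_std  bandwidth 60% cbq(default)
queue wan_http bandwidth 40%
altq on $if_lan cbq bandwidth 100Mb queue { lan_std, lan_http }
queue lan_std  bandwidth 60% cbq(default)
queue lan_http bandwidth 40%

# Translation: rewrite LAN clients' port-80 connections to the local proxy.
# rdr happens before filtering, so the pass rule below has to match the
# rewritten destination ($if_lan:0 port 3128), not "any port 80".
rdr on $if_lan inet proto tcp from $if_lan:network to any port $ports_proxy \
    -> $if_lan:0 port $proxy_port

# Default deny, logged. With this in place a connection that fails to hit
# the intended pass rule shows up in pflog as a block instead of silently
# passing through some other rule with the wrong log/queue options.
# (pf uses last-match semantics, so the block comes first; real rulesets
# also need pass rules for DNS, SSH, etc., omitted here.)
block log all

# Client -> proxy. This traffic is INCOMING on $if_lan. keep state means the
# proxy's replies to the client, which leave on $if_lan, are the packets that
# actually get queued into lan_http.
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port $proxy_port keep state queue lan_http

# Proxy -> origin server. Outgoing on $if_wan from the proxy's own address;
# this is the rule from the original post that was already right.
pass out log (all) on $if_wan inet proto tcp from $if_wan:0 \
    to any port $ports_proxy keep state queue wan_http
```

To check it the way the reply suggests: `pfctl -nf /etc/pf.conf` parses
without loading, `pfctl -f /etc/pf.conf` loads it, and then from a LAN client
fetch a web page and look at `pfctl -vvss`, where each state line ends in the
number of the rule that created it. Compare that number with the `@N` prefixes
in `pfctl -vvsr` (or the `pfctl -gsr` listing Daniel mentions); the
client-side state should point at the `pass in ... port 3128` rule and the
proxy-side state at the `pass out on $if_wan` rule. `tcpdump -n -e -ttt -i
pflog0` shows the same rule numbers on logged packets, so a client that lands
on the `block log all` rule is immediately visible rather than quietly using
the default queue.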