Date: Tue, 26 Apr 2011 10:57:47 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: freebsd-pf@freebsd.org
Subject: Re: former "transparent proxy traffic queue ..."
Message-ID: <20110426085747.GA1204@insomnia.benzedrine.cx>
In-Reply-To: <20110426074924.GH87913@relay.ibs.dn.ua>
References: <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua> <20110411085730.GB26940@insomnia.benzedrine.cx> <20110411152230.GA88862@relay.ibs.dn.ua> <20110415063632.GA14296@insomnia.benzedrine.cx> <20110426074924.GH87913@relay.ibs.dn.ua>
On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:

> here we see outgoing via $if_wan traffic successfully coming through wan_http queue, the rule 18
> but no traffic coming through the rule 24 but 10 instead ...
>
> so, what am I missing, please?
>
> why pflog row:
> ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...
> does not match my pf.conf rule @24:
> pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
> ?

Ah, I see. Your rule @24 restricts the _source_ port:

  pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
      to 172.12.10.12 queue lan_http

Remember, only the initial (first) packet of a connection causes ruleset evaluation, hence rules can be said to apply to the initial packets of connections (everything else is covered by states). You don't need to think about the packets flowing in reverse at all.

So, take the initial packet of that connection (the HTTP connection from client to proxy, incoming on the LAN interface), what are its source and destination ports? The source port is random, the destination port is 3128.

So, change the above rule to

  pass in log (all) on $if_lan inet proto tcp from any \
      to 172.12.10.12 port 3128 queue lan_http

HTH,
Daniel
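As an added illustration of the point made in the reply above (this is not code from the thread or from pf itself): a small Python model of pf's stateful evaluation. It keeps the two behaviours that matter here, namely that only the SYN of a TCP connection is run through the ruleset and that the last matching rule wins, and then runs the client's SYN to the proxy through the rule @24 as posted (source-port match) and through the corrected rule (destination port 3128). The interface names `re0`/`ale0`, the external addresses, and rule 10 being modelled as a bare `pass all` are assumptions; rule numbers, the proxy address 172.12.10.12, the client port 40650 and the queue names come from the thread.

```python
"""Toy model of pf rule evaluation: state table, SYN-only ruleset lookups,
last-matching-rule-wins. Constructed for illustration; it is not pf code."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # True only for the first packet of a TCP connection


@dataclass
class Rule:
    number: int
    direction: Optional[str] = None   # None = both directions ("pass all")
    iface: Optional[str] = None       # None = any interface
    sports: Optional[Set[int]] = None  # restricts the *source* port
    dports: Optional[Set[int]] = None  # restricts the *destination* port
    dst: Optional[str] = None
    queue: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.sports is None or pkt.sport in self.sports)
                and (self.dports is None or pkt.dport in self.dports))


class Pf:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}        # flow key -> (rule number, queue)
        self.evaluations = 0    # how many packets hit the ruleset

    @staticmethod
    def key(pkt: Packet):
        # Both directions of one connection share a single state entry,
        # which is why the reverse packets never need a rule of their own.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def evaluate(self, pkt: Packet) -> Optional[Tuple[int, Optional[str]]]:
        """Return (rule number, queue) applied to this packet, or None if dropped."""
        k = self.key(pkt)
        if k in self.states:
            return self.states[k]          # state hit: no ruleset evaluation
        if not pkt.syn:
            return None                    # flags S/SA: only a SYN creates state
        self.evaluations += 1
        winner = None
        for r in self.rules:               # last matching rule wins (no `quick`)
            if r.matches(pkt):
                winner = r
        if winner is None:
            return None
        self.states[k] = (winner.number, winner.queue)
        return self.states[k]


IF_LAN, IF_WAN = "re0", "ale0"              # assumed interface names
PROXY, CLIENT = "172.12.10.12", "172.16.10.12"

# rule @24 as posted: matches on the source port, which is random on the client's SYN
BROKEN_24 = Rule(24, "in", IF_LAN, sports={3128, 80}, dst=PROXY, queue="lan_http")
# rule @24 as corrected in the reply: matches on the destination port 3128
FIXED_24 = Rule(24, "in", IF_LAN, dports={3128}, dst=PROXY, queue="lan_http")


def ruleset(rule24: Rule):
    return [
        Rule(10),                                                  # assumed: pass all
        Rule(18, "out", IF_WAN, dports={80}, queue="wan_http"),    # proxy -> web server
        rule24,                                                    # client -> proxy
    ]


def classify_client_connection(rule24: Rule):
    """Run a client->proxy HTTP connection (SYN, then the proxy's reply)
    through the ruleset and report which rule/queue each packet got and
    how many times the ruleset was consulted."""
    pf = Pf(ruleset(rule24))
    syn = Packet("in", IF_LAN, CLIENT, 40650, PROXY, 3128, syn=True)
    reply = Packet("out", IF_LAN, PROXY, 3128, CLIENT, 40650)
    return pf.evaluate(syn), pf.evaluate(reply), pf.evaluations


if __name__ == "__main__":
    print("posted rule @24:   ", classify_client_connection(BROKEN_24))
    print("corrected rule @24:", classify_client_connection(FIXED_24))
```

With the rule as posted the SYN (source port 40650, destination port 3128) fails the source-port check and falls back to rule 10 with no queue, and the reply simply inherits that state; with the corrected rule the same SYN lands in `lan_http` and the reply follows it there. In both cases the ruleset is consulted exactly once per connection.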
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110426085747.GA1204>