From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Date: Tue, 26 Apr 2011 10:57:47 +0200
Subject: Re: former "transparent proxy traffic queue ..."
Message-ID: <20110426085747.GA1204@insomnia.benzedrine.cx>
In-Reply-To: <20110426074924.GH87913@relay.ibs.dn.ua>
References: <20110210155622.GA60117@icarus.home.lan>
 <20110411054544.GC22812@relay.ibs.dn.ua>
 <20110411061730.GA26940@insomnia.benzedrine.cx>
 <20110411080648.GD22812@relay.ibs.dn.ua>
 <20110411085730.GB26940@insomnia.benzedrine.cx>
 <20110411152230.GA88862@relay.ibs.dn.ua>
 <20110415063632.GA14296@insomnia.benzedrine.cx>
 <20110426074924.GH87913@relay.ibs.dn.ua>
On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:

> here we see outgoing via $if_wan traffic successfully coming through wan_http queue, the rule 18
> but no traffic coming through rule 24 but 10 instead ...
>
> so, what am I missing, please?
>
> why pflog row:
> ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...
> does not match my pf.conf rule @24:
> pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
> ?

Ah, I see. Your rule @24 restricts the _source_ port:

  pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
      to 172.12.10.12 queue lan_http

Remember, only the initial (first) packet of a connection causes ruleset
evaluation, hence rules can be said to apply to the initial packets of
connections (everything else is covered by states). You don't need to
think about the packets flowing in reverse at all.

So, take the initial packet of that connection (the HTTP connection from
client to proxy, incoming on the LAN interface), what are its source and
destination ports? The source port is random, the destination port is
3128.

So, change the above rule to

  pass in log (all) on $if_lan inet proto tcp from any \
      to 172.12.10.12 port 3128 queue lan_http

HTH,
Daniel
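The following pf.conf fragment is added here as an illustration and is not from Daniel's or Zeus's messages; it places the corrected LAN-side rule next to the original rule @24 so the first-packet reasoning above can be read against a complete, loadable ruleset. The WAN interface name, the altq queue layout and bandwidths, and the use of the proxy address as a macro are assumptions; only ale0, 172.12.10.12, port 3128 and the queue names come from the thread.

```pf
# Added example, not the original poster's configuration. Interface
# names other than ale0, queue bandwidths and the WAN interface are
# assumptions made for illustration.
if_lan      = "ale0"
if_wan      = "em0"            # assumed WAN interface name
proxy       = "172.12.10.12"   # proxy address as written in the thread
ports_proxy = "3128"

# Assumed altq layout: one shaped queue per side, plus a default queue.
altq on $if_lan cbq bandwidth 100Mb queue { lan_default, lan_http }
queue lan_default bandwidth 80% cbq(default)
queue lan_http    bandwidth 20%

altq on $if_wan cbq bandwidth 10Mb queue { wan_default, wan_http }
queue wan_default bandwidth 80% cbq(default)
queue wan_http    bandwidth 20%

# Corrected rule. It is evaluated against the initial SYN from a LAN
# client to the proxy: random source port, destination port 3128, so the
# match is on the destination port. The proxy's replies (source port 3128
# back to the client) are matched by the state this rule creates and
# never cause ruleset evaluation again.
pass in log (all) on $if_lan inet proto tcp from any \
    to $proxy port $ports_proxy queue lan_http

# Proxy fetching from the origin server: the initial SYN leaves on the
# WAN interface with destination port 80, so matching on the destination
# port is already the natural form here.
pass out log (all) on $if_wan inet proto tcp from any \
    to any port http queue wan_http

# Original rule @24, kept commented out for comparison. It restricts the
# SOURCE port to the proxy port, which the initial packet of the
# client-to-proxy connection never carries, so it is never matched and
# the connection falls through to whatever rule does match.
# pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
#     to $proxy queue lan_http
```

Loading with `pfctl -nf pf.conf` checks the syntax without activating it; `pfctl -vsr` afterwards shows per-rule evaluation counters, which is where the zero count on the old rule @24 would have been visible.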