From: "Kristof Provost" <kp@FreeBSD.org>
To: "C. L. Martinez"
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with pf rules for intercept squid proxy
Date: Tue, 28 Jun 2016 19:37:37 +0200
Message-ID: <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org>
In-Reply-To: <20160628130759.GA13226@beagle.bcn.sia.es>
References: <20160628130759.GA13226@beagle.bcn.sia.es>

On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
> I have some problems with my pf rules on a FreeBSD 10.3 host that
> acts as a squid intercept proxy.
>
> My actual pf rules are:
>
> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
> rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>
> At first stage it seems that these rules work, but they don't. Traffic is
> redirected to squid, but squid denies all connections:
>
> 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>
> Using the same squid.conf file under an OpenBSD test machine, squid
> works without problems. For this reason, I don't think there is some
> problem with my squid's config. The only difference between this
> OpenBSD host and FreeBSD is the pf rules.
>

You may have a different squid version, or they may be patched differently.

Your redirect rules are working, as demonstrated by the fact that squid gets a request, and replies to it.

Note that pf does not change your HTTP payload, it only affects TCP. In other words: if Squid sees the connection (and it does) it's a Squid problem.

Also note that you're redirecting on FreeBSD, but using divert-to on OpenBSD. This may be triggering different behaviour from Squid.

The man page says that with divert-to:

  The packets will not be modified, so getsockname(2) on the socket will
  return the original destination address of the packet.

That might be affecting an ACL in Squid.

Regards,
Kristof
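The getsockname(2) difference Kristof points to is the crux of intercept proxying, so here is an added example (not code from the thread, from Squid or from FreeBSD's pf) that shows what an accepting proxy actually sees. Under the "rdr ... -> lo0 port 5144" rule the packet's destination has been rewritten before it reaches the proxy, so getsockname(2) on the accepted socket returns the proxy's own listening address and port, not the host the client asked for; under OpenBSD's divert-to the packet is unmodified and getsockname(2) returns the original destination. A proxy behind rdr therefore has to recover the original destination from pf's state table. The helper names (listen_loopback, local_port, accepted_local_port, pf_original_destination) are this example's own; the DIOCNATLOOK lookup on /dev/pf is FreeBSD-only, compiled only under __FreeBSD__, and is an assumption of the example rather than something exercised here.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <net/if.h>
#include <net/pfvar.h>   /* struct pfioc_natlook, DIOCNATLOOK (FreeBSD only) */
#endif

/* Listen on 127.0.0.1:port (port 0 lets the kernel pick). Stands in for the
 * proxy listener that "rdr ... -> lo0 port 5144" hands connections to.
 * Returns the listening fd, or -1 on error. */
int listen_loopback(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Local port of a socket as reported by getsockname(2), host order; 0 on error. */
uint16_t local_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) return 0;
    return ntohs(sin.sin_port);
}

/* Connect a client to the listener, accept it, and report what getsockname(2)
 * says the accepted connection's local port is. This is the post-rdr view:
 * the proxy sees its own listening port, whatever port the client wanted.
 * Returns the port seen, or 0 on error. */
uint16_t accepted_local_port(int lfd)
{
    uint16_t port = local_port(lfd);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0) return 0;
    struct sockaddr_in dst;
    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(port);
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(cfd, (struct sockaddr *)&dst, sizeof dst) < 0) { close(cfd); return 0; }
    int afd = accept(lfd, NULL, NULL);
    uint16_t seen = afd < 0 ? 0 : local_port(afd);
    if (afd >= 0) close(afd);
    close(cfd);
    return seen;
}

/* Recover the pre-rdr destination of an accepted IPv4 connection by asking
 * pf's state table (DIOCNATLOOK on /dev/pf). FreeBSD-only and, as an
 * assumption of this example, not exercised here; elsewhere it reports
 * "unavailable". Returns 1 and fills *orig on success, 0 otherwise. */
int pf_original_destination(int fd, struct sockaddr_in *orig)
{
#ifdef __FreeBSD__
    struct sockaddr_in peer, local;
    socklen_t plen = sizeof peer, llen = sizeof local;
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0 ||
        getsockname(fd, (struct sockaddr *)&local, &llen) < 0)
        return 0;
    struct pfioc_natlook nl;
    memset(&nl, 0, sizeof nl);
    nl.saddr.v4 = peer.sin_addr;  nl.sport = peer.sin_port;   /* client side */
    nl.daddr.v4 = local.sin_addr; nl.dport = local.sin_port;  /* rewritten side */
    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;
    int pffd = open("/dev/pf", O_RDONLY);
    if (pffd < 0) return 0;
    int rc = ioctl(pffd, DIOCNATLOOK, &nl);
    close(pffd);
    if (rc < 0) return 0;
    memset(orig, 0, sizeof *orig);
    orig->sin_family = AF_INET;
    orig->sin_addr = nl.rdaddr.v4;   /* destination the client actually asked for */
    orig->sin_port = nl.rdport;
    return 1;
#else
    (void)fd; (void)orig;
    return 0;
#endif
}
```

Calling listen_loopback(0) and then accepted_local_port() on the result shows the accepted socket reporting the listener's own port, which is exactly what Squid sees behind the rdr rule in this thread; whether Squid then treats that as an intercepted request or rejects it with TCP_DENIED depends on its own configuration and version, which is why the same squid.conf can behave differently on a host where divert-to leaves the original destination visible. On FreeBSD the proxy side needs read access to /dev/pf for the lookup to succeed, so that permission is worth checking when an intercept setup denies everything.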