From owner-freebsd-pf@FreeBSD.ORG Tue Apr 26 11:46:18 2011
Date: Tue, 26 Apr 2011 14:46:05 +0300
From: Zeus V Panchenko
To: freebsd-pf@freebsd.org
Message-ID: <20110426114605.GC8525@relay.ibs.dn.ua>
In-Reply-To: <20110426085747.GA1204@insomnia.benzedrine.cx>
X-Operating-System: FreeBSD 8.1-RELEASE
Subject: Re: former "transparent proxy traffic queue ..."
now it works, thank you Daniel much!

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.26 11:58] wrote:

> Remember, only the initial (first) packet of a connection causes
> ruleset evaluation, hence rules can be said to apply to the initial
> packets of connections (everything else is covered by states).

could you point me to where it is described, since i didn't find it in the
pf related man pages pf(4) and pf.conf(5)

> You don't need to think about the packets flowing in reverse at all.

but i was, since my previous firewall was ipfw+dummynet; i'm still a bit
missing the logic :(

as for the wan interface, i can configure the outgoing-from-wan-interface
queue, as i understand it

  pass out on $if_wan inet proto tcp from any to any port http queue wan_http

and it is correct

but as for the reverse packets, it was logical to my mind to catch them
outgoing from the lan interface to the lan ... but the queued traffic is
defined by the request coming from the lan ... still a bit weird for me ...

> So, take the initial packet of that connection (the HTTP connection from
> client to proxy, incoming on the LAN interface)

it is the key i was lacking

thnx again

--
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
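The setup the thread converges on, written out as an added example that is not from the original mail or from the pf documentation: the proxy runs on the firewall, the client-to-proxy leg is queued by the "pass in on LAN" rule that sees the initial packet, and the proxy-to-server leg by the "pass out on WAN" rule. Interface names, the LAN subnet and firewall address, proxy port, queue names and bandwidths are all assumptions.

```pf
# Added example (not from the mail thread). All names, addresses and
# bandwidths below are assumed; adjust to the real deployment.
if_wan     = "em0"
if_lan     = "em1"
lan_net    = "192.168.1.0/24"
fw_lan_ip  = "192.168.1.1"     # firewall address on the LAN side
proxy_port = "3128"            # transparent proxy listening on the firewall

# ALTQ queues are attached to the interface a packet leaves on, so each
# direction gets its own queue set.
altq on $if_wan cbq bandwidth 10Mb queue { wan_http, wan_default }
queue wan_http    bandwidth 60% cbq(borrow)
queue wan_default bandwidth 40% cbq(default)

altq on $if_lan cbq bandwidth 100Mb queue { lan_http, lan_default }
queue lan_http    bandwidth 60% cbq(borrow)
queue lan_default bandwidth 40% cbq(default)

# Redirect client HTTP to the local proxy. Translation happens before the
# filter rules are evaluated, so the pass rule matches the translated target.
rdr on $if_lan inet proto tcp from $lan_net to any port http -> $fw_lan_ip port $proxy_port

# Leg 1: client -> proxy, initial packet incoming on the LAN interface.
# Only this packet is evaluated against the ruleset; the state it creates
# carries queue lan_http, so the proxy's replies, leaving on $if_lan, are
# queued there. No separate "pass out on $if_lan" rule is needed.
pass in on $if_lan inet proto tcp from $lan_net to $fw_lan_ip port $proxy_port queue lan_http

# Leg 2: proxy -> origin server, initial packet outgoing on the WAN interface.
# The state carries queue wan_http; the server's replies match the same state.
pass out on $if_wan inet proto tcp from any to any port http queue wan_http
```

Check the assignment with `pfctl -vvs queue` and `pfctl -vs state`: bytes should accumulate on lan_http while clients fetch through the proxy, and the client-to-proxy states should be the ones that exist on the LAN side.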