Date: Tue, 29 Mar 2011 16:07:54 +0200
From: Daniel Hartmeier <daniel@benzedrine.cx>
To: Leslie Jensen <leslie@eskk.nu>
Cc: freebsd-pf@freebsd.org
Subject: Re: Lost in rules!
Message-ID: <20110329140754.GA3026@insomnia.benzedrine.cx>
In-Reply-To: <4D91BF90.2080608@eskk.nu>
References: <4D8E11CB.2070501@eskk.nu> <4D90075A.3030300@gmail.com> <4D91BF90.2080608@eskk.nu>
On Tue, Mar 29, 2011 at 01:16:32PM +0200, Leslie Jensen wrote:

> I'm also running
> tcpdump -s 256 -n -e -tttt -i pflog0
>
> But I cannot see any of the outgoing packets getting detected by pf and
> sent to the proxy.

You have logging enabled on the rule explicitly passing the redirected
connections:

  pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state

but subsequently have another matching rule without logging:

  pass in quick on $int_if

Either add 'quick' to the former rule, or add 'log' to the latter rule,
then you should see establishments of forwarded connections on pflog0.

Also, you can run

  # pfctl -vvss

immediately after a connection attempt of a client. You should see a
forwarded connection in the list.

Other things to check:

Make sure IP forwarding is enabled

  # sysctl net.inet.ip.forwarding
  net.inet.ip.forwarding: 1

and the interface names are (still) what you expect them to be

  # ifconfig

and pf is enabled

  # pfctl -si | head -1
  Status: Enabled for 19 days 06:45:57          Debug: Misc

and the rules are loaded correctly

  # pfctl -f /etc/pf.conf
  #

Is squid really listening on port 8080 (default is 3128)?

  # netstat -an | grep LISTEN
  tcp4       0      0 *.8080                 *.*                    LISTEN

If this doesn't lead to any clues, I'd tcpdump tcp port 80 on the internal
interface, try to establish one connection, see if the TCP handshake
completes, if a HTTP request is sent, etc.

HTH,
Daniel
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20110329140754.GA3026>
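The rule-ordering problem Daniel describes, written out as a pf.conf fragment. This is an added example, not configuration from the thread or from Leslie's ruleset: only the two pass rules and the macro names $int_if, $internal_net and $proxy come from the reply; the macro values and the rdr rule that sends client HTTP to the proxy are assumptions. pf evaluates filter rules last-match-wins unless a rule carries quick, so a redirected connection that matches both the logging rule and the later quick catch-all gets its state from the catch-all and never appears on pflog0.

```pf
# Added example (not from the thread). Macro values are constructed;
# only the macro names and the two pass rules appear in the reply.
int_if       = "em1"
internal_net = "192.168.1.0/24"
proxy        = "192.168.1.1"     # assumed: squid on the gateway's inside address

# Assumed translation rule: client HTTP is rewritten to the proxy on 8080,
# so the filter rules below see traffic "to $proxy port 8080", not port 80.
rdr on $int_if inet proto tcp from $internal_net to any port 80 -> $proxy port 8080

# Original ordering (commented out). Both rules match a redirected connection;
# the second is evaluated later and has quick, so it is the final match, the
# state is created without log, and nothing is written to pflog0.
# pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
# pass in quick on $int_if

# Fixed ordering: quick on the logging rule makes it the final decision for
# redirected connections; everything else on $int_if still hits the catch-all.
# (pf.conf grammar puts 'log' before 'quick'.)
pass in log quick on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass in quick on $int_if
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; after a client opens an HTTP connection, `pfctl -vvss` should list a state whose rule number is the logging rule, and `tcpdump -n -e -ttt -i pflog0` should show the state creation.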