From owner-freebsd-pf@FreeBSD.ORG Tue Mar 29 14:08:01 2011
From: Daniel Hartmeier
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Date: Tue, 29 Mar 2011 16:07:54 +0200
Subject: Re: Lost in rules!
Message-ID: <20110329140754.GA3026@insomnia.benzedrine.cx>
In-Reply-To: <4D91BF90.2080608@eskk.nu>
References: <4D8E11CB.2070501@eskk.nu> <4D90075A.3030300@gmail.com> <4D91BF90.2080608@eskk.nu>

On Tue, Mar 29, 2011 at 01:16:32PM +0200, Leslie Jensen wrote:

> I'm also running
>
>   tcpdump -s 256 -n -e -tttt -i pflog0
>
> But I cannot see any of the outgoing packets getting detected by pf and
> sent to the proxy.
You have logging enabled on the rule explicitly passing the redirected
connections:

  pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state

but subsequently have another matching rule without logging:

  pass in quick on $int_if

Either add 'quick' to the former rule, or add 'log' to the latter rule,
then you should see establishments of forwarded connections on pflog0.

Also, you can run

  # pfctl -vvss

immediately after a connection attempt of a client. You should see a
forwarded connection in the list.

Other things to check:

Make sure IP forwarding is enabled

  # sysctl net.inet.ip.forwarding
  net.inet.ip.forwarding: 1

and the interface names are (still) what you expect them to be

  # ifconfig

and pf is enabled

  # pfctl -si | head -1
  Status: Enabled for 19 days 06:45:57           Debug: Misc

and the rules are loaded correctly

  # pfctl -f /etc/pf.conf
  #

Is squid really listening on port 8080 (default is 3128)?

  # netstat -an | grep LISTEN
  tcp4       0      0 *.8080                 *.*                    LISTEN

If this doesn't lead to any clues, I'd tcpdump tcp port 80 on the
internal interface, try to establish one connection, see if the TCP
handshake completes, if a HTTP request is sent, etc.

HTH,
Daniel
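The ordering problem Daniel describes, as an added pf.conf fragment that is not part of the thread: the macro names come from the quoted rules, but the interface, network and proxy address values, and the rdr rule doing the redirect, are assumptions.

```pf
# Added example, not from the thread. Macro values are assumed;
# the thread only names $int_if, $internal_net and $proxy.
int_if = "em1"
internal_net = "192.168.1.0/24"
proxy = "127.0.0.1"

# Redirect internal web traffic to squid on 8080. Translation happens
# before filtering, so the filter rules below see the rewritten
# destination ($proxy port 8080), not the original port 80.
rdr on $int_if inet proto tcp from $internal_net to any port 80 -> $proxy port 8080

# Broken ordering: pf takes the LAST matching rule unless a rule has
# 'quick'. The catch-all also matches the redirected packets and wins,
# so the logging rule is never the effective one and pflog0 stays empty.
#pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
#pass in quick on $int_if

# Fix: 'quick' ends evaluation at the logging rule for redirected
# connections; the catch-all still handles everything else.
pass in log quick on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass in quick on $int_if
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm with `pfctl -vvss` that a client connection shows up as a state to $proxy port 8080.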