From owner-freebsd-pf@FreeBSD.ORG Mon Apr 11 15:22:34 2011
Date: Mon, 11 Apr 2011 18:22:30 +0300
From: Zeus V Panchenko
Reply-To: zeus@ibs.dn.ua
To: freebsd-pf@freebsd.org
Subject: Re: transparent proxy traffic queue ...
Message-ID: <20110411152230.GA88862@relay.ibs.dn.ua>
In-Reply-To: <20110411085730.GB26940@insomnia.benzedrine.cx>
References: <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua> <20110411085730.GB26940@insomnia.benzedrine.cx>
User-Agent: Mutt/1.4.2.3i
X-Operating-System: FreeBSD 8.1-RELEASE
Daniel Hartmeier (daniel@benzedrine.cx) [11.04.11 11:57] wrote:
> On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
>
> > pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> >     to any port { $ports_proxy } keep state queue wan_http
> > pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
> >     to $if_lan:network queue lan_http
>
> The second rule looks wrong. Those connections are incoming (not
> outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
> $ports_proxy'.

proxy is bound to if_lan:0
first rule catches traffic from LAN to inet

so, the sequence is:

LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server

and backward ...

some_web_server -> if_wan -> proxy server -> if_lan -> LAN

is it because the proxy LAN address is bound to if_lan:0 that the traffic
on if_lan is incoming rather than outgoing?

> I assume you have some rdr rule, too, so the log (all) option must
> be on the rule matching THAT, i.e.
>
> rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
>     -> $if_lan:0 port 3128
> pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
>     to $if_lan:0 port 3128

yes, i have the rdr rule

rdr on $if_lan proto { tcp, udp } from ! to ! 172.16/12 \
    port { $ports_proxy } -> $if_lan:0 port 3128

and after addition of the rule

pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port 3128

at last i can see traffic outgoing to LAN

00:00:00.016574 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 3758, win 8326, options [nop,nop,TS val 3521710434 ecr 560947], length 0
00:00:00.000200 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 376
00:00:00.000017 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 180
00:00:00.098247 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 4307, win 8326, options [nop,nop,TS val 3521710989 ecr 561085], length 0
00:00:00.000207 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 4307, win 8326, options [nop,nop,TS val 3521711168 ecr 561085], length 514

but when i'm trying to catch it and direct it to a queue it fails

pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
    to $if_lan:network queue lan_http
pass in log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
    to $if_lan:network queue lan_http

> Run pfctl -vvss and see what states you have, and what rules they
> are based on (compare with numbers in pfctl -gsr output), probably
> not the right ones (with proper log and queue options).

in pfctl output i still can see only outgoing-to-internet states ...
no incoming

> Also, add a default block rule, then it becomes clear when a
> connection doesn't match the expected rule, it gets blocked instead
> of passing with wrong options...

i have the rule (i was posting pf.conf in the first message)

-- 
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
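An added example, not part of the thread or of the pf project, showing the rule layout Daniel describes as a pf.conf fragment for this transparent-proxy setup: the queue sits on the inbound LAN rule, so the state it creates carries the queue name for the proxy's replies back to the client, and a default block makes a connection that misses the intended rule visible in the log. The interface names, bandwidths and queue definitions are assumptions (ale0 is taken from the log above as the LAN side).

```pf
# Assumed names: ale0 is the LAN side (the interface in the log above),
# em0 the WAN side; bandwidth figures are placeholders.
if_lan = "ale0"
if_wan = "em0"
ports_proxy = "{ 80, 443 }"

# ALTQ queues are attached to the interface the packets leave on.
altq on $if_lan cbq bandwidth 100Mb queue { lan_def, lan_http }
queue lan_def  bandwidth 70% cbq(default)
queue lan_http bandwidth 30%
altq on $if_wan cbq bandwidth 10Mb queue { wan_def, wan_http }
queue wan_def  bandwidth 70% cbq(default)
queue wan_http bandwidth 30%

# Redirect LAN web traffic to the proxy listening on the LAN address.
rdr on $if_lan inet proto tcp from $if_lan:network to any port $ports_proxy \
    -> $if_lan:0 port 3128

# Default deny: a connection that misses the rule you expect is blocked
# and logged instead of passing with the wrong log/queue options.
block log all

# Client -> proxy: these packets ARRIVE on $if_lan, so this is a pass in rule.
# The queue is stored in the state; the proxy's replies to the client, which
# leave on $if_lan and match that state, are scheduled on lan_http.
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port 3128 keep state queue lan_http

# Proxy -> origin server: these packets LEAVE on $if_wan, so pass out is right.
pass out log (all) on $if_wan inet proto tcp from $if_wan:0 \
    to any port $ports_proxy keep state queue wan_http
```

Check the syntax with pfctl -nf before loading; afterwards pfctl -vvss should show the LAN-side states referencing the pass in rule, with the lan_http queue name on them.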