From owner-freebsd-questions@freebsd.org Wed Jun 29 13:32:11 2016
From: krad
Date: Wed, 29 Jun 2016 14:32:08 +0100
Subject: Re: Problems with pf rules for intercept squid proxy
To: "C. L. Martinez"
Cc: FreeBSD Questions
In-Reply-To: <20160629131951.GA12552@beagle.bcn.sia.es>
References: <20160628130759.GA13226@beagle.bcn.sia.es> <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org> <20160629113324.GA10436@beagle.bcn.sia.es> <20160629131951.GA12552@beagle.bcn.sia.es>

You need to, as squid needs read/write access to /dev/pf to work in intercept mode. As long as you don't have any other users in the squid group you are good. Did you restart devfs or reboot?

On 29 June 2016 at 14:20, C. L. Martinez wrote:
> Yep, is it not too dangerous to assign 0770 to /dev/pf??
>
> Anyway, I have tried, but with the same error: traffic is denied by squid ...
>
> On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote:
>> Have you got these lines in your /etc/devfs.conf file?
>>
>> own pf root:squid
>> perm pf 0770
>>
>> You also need lines like this in squid.conf:
>>
>> http_port 192.168.1.1:3128 intercept
>>
>> On 29 June 2016 at 12:33, C. L. Martinez wrote:
>>> On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote:
>>>> On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>>>>> I have some problems with my pf rules on a FreeBSD 10.3 host that acts
>>>>> as a squid intercept proxy. My actual pf rules are:
>>>>>
>>>>> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
>>>>> rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>>>>>
>>>>> At first it seems that these rules work, but they don't. Traffic is
>>>>> redirected to squid, but squid denies all connections:
>>>>>
>>>>> 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>>>>>
>>>>> Using the same squid.conf file under an OpenBSD test machine, squid works
>>>>> without problems. For this reason, I don't think there is some problem
>>>>> with my squid config. The only difference between this OpenBSD host
>>>>> and FreeBSD are the pf rules.
>>>>>
>>>> You may have a different squid version, or they may be patched differently.
>>>> Your redirect rules are working, as demonstrated by the fact that squid gets
>>>> a request, and replies to it.
>>>>
>>>> Note that pf does not change your HTTP payload, it only affects TCP. In
>>>> other words: if Squid sees the connection (and it does) it’s a Squid
>>>> problem.
>>>>
>>>> Also note that you’re redirecting on FreeBSD, but using divert-to on OpenBSD.
>>>> This may be triggering different behaviour from Squid. The man page says
>>>> that with divert-to:
>>>>
>>>>     The packets will not be modified, so getsockname(2) on the socket will
>>>>     return the original destination address of the packet.
>>>>
>>>> That might be affecting an ACL in Squid.
>>>>
>>>> Regards,
>>>> Kristof
>>>
>>> Thanks Kristof. I am using squid installed from pkg under a FreeBSD 10.3,
>>> fully updated:
>>>
>>> Squid Cache: Version 3.5.19
>>> Service Name: squid
>>> configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin'
>>> '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
>>> '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
>>> '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
>>> '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
>>> '--without-gnutls' '--enable-auth' '--enable-build-info'
>>> '--enable-loadable-modules' '--enable-removal-policies=lru heap'
>>> '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy'
>>> '--disable-translation' '--disable-arch-native' '--enable-eui'
>>> '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
>>> '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
>>> '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
>>> '--enable-ipv6' '--enable-kqueue' '--with-large-files'
>>> '--enable-http-violations' '--without-nettle' '--enable-snmp'
>>> '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include'
>>> 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
>>> '--disable-stacktraces' '--enable-ipf-transparent'
>>> '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
>>> '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
>>> '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe
>>> -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread
>>> -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 '
>>> 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM
>>> MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
>>> '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip
>>> time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper'
>>> '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs'
>>> '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
>>> '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake'
>>> '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local'
>>> '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>>> '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1'
>>> 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector
>>> -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
>>>
>>> According to these options, intercept is enabled ... Then, I don't
>>> understand why it doesn't work ...
>>>
>>> --
>>> Greetings,
>>> C. L. Martinez
>>> _______________________________________________
>>> freebsd-questions@freebsd.org mailing list
>>> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
> --
> Greetings,
> C. L. Martinez
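The thread turns on three things that are easy to get half right: the ownership and mode of /dev/pf (the configure line quoted above includes --with-nat-devpf, the build option under which Squid resolves the original destination through /dev/pf rather than getsockname(2)), whether /etc/devfs.conf actually carries the two lines krad lists, and krad's caveat that nobody but the daemon may sit in the squid group, since write access to /dev/pf is enough to change the ruleset with pfctl. The script below is an added example, not code from the thread or from Squid or FreeBSD; it assumes Squid runs as user "squid" with primary group "squid" and that /dev/pf is meant to be root:squid 0770 as suggested. The pure-text checks take their input as arguments or files so they can be exercised anywhere; the live part runs only on a FreeBSD host with /dev/pf present.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a pf rdr + Squid
# intercept setup. Assumptions (hypothetical): Squid runs as user "squid",
# primary group "squid"; /dev/pf is intended to be root:squid mode 0770.
# Anyone who can write /dev/pf can reload or disable the firewall with pfctl,
# so the group must contain nothing but the daemon account.

# check_devpf_perms MODE OWNER GROUP
#   MODE is the symbolic mode as printed by `ls -l` or `stat -f %Sp` on FreeBSD,
#   e.g. "crw-rw----". Succeeds only for a character device owned by root:squid
#   with group read/write (0660 or 0770) and no world permission bits.
check_devpf_perms() {
    mode=$1 owner=$2 group=$3
    [ "$owner" = root ]  || { echo "/dev/pf owner is $owner, expected root"; return 1; }
    [ "$group" = squid ] || { echo "/dev/pf group is $group, expected squid"; return 1; }
    case "$mode" in
        c???rw?---) return 0 ;;
        *) echo "/dev/pf mode $mode: expected crw-rw---- or crw-rwx---"; return 1 ;;
    esac
}

# check_devfs_conf FILE
#   Succeeds if FILE (devfs.conf(5) syntax) contains both lines from the
#   thread: "own pf root:squid" and "perm pf 0770". Comment lines are skipped.
check_devfs_conf() {
    awk '$1 ~ /^#/ { next }
         $1 == "own"  && $2 == "pf" && $3 == "root:squid" { own = 1 }
         $1 == "perm" && $2 == "pf" && $3 == "0770"       { perm = 1 }
         END { exit !(own && perm) }' "$1"
}

# group_members GROUPFILE PASSWDFILE GROUP
#   Prints every account that ends up in GROUP: supplementary members listed in
#   GROUPFILE plus accounts whose primary gid in PASSWDFILE is GROUP's gid.
group_members() {
    gfile=$1 pfile=$2 grp=$3
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3 }' "$gfile")
    [ -n "$gid" ] || { echo "group $grp not found in $gfile" >&2; return 1; }
    {
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$gfile"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$pfile"
    } | sort -u
}

# check_group_exclusive GROUPFILE PASSWDFILE GROUP DAEMON
#   Succeeds if DAEMON is the only account in GROUP; otherwise lists the extra
#   accounts, each of which would inherit write access to /dev/pf.
check_group_exclusive() {
    if ! awk -F: -v g="$3" '$1 == g { found = 1 } END { exit !found }' "$1"; then
        echo "group $3 not found in $1"; return 1
    fi
    extra=$(group_members "$1" "$2" "$3" | grep -vxF "$4" || true)
    if [ -n "$extra" ]; then
        echo "group $3 has members besides $4 (they can write /dev/pf):"
        echo "$extra" | sed 's/^/  /'
        return 1
    fi
    return 0
}

# live_check: run the three checks against the running host and print the NAT
# rules pf has actually loaded (the rdr lines from the thread should be there).
# Uses BSD stat(1) format flags, so it is only run on FreeBSD with /dev/pf present.
live_check() {
    set -- $(stat -f '%Sp %Su %Sg' /dev/pf)
    check_devpf_perms "$1" "$2" "$3"
    check_devfs_conf /etc/devfs.conf || echo "/etc/devfs.conf lacks own/perm lines for pf"
    check_group_exclusive /etc/group /etc/passwd squid squid
    pfctl -s nat
}

if [ "$(uname -s)" = FreeBSD ] && [ -c /dev/pf ]; then
    live_check
fi
```

After editing /etc/devfs.conf the settings are only applied by `service devfs restart` or a reboot, which is the question krad asks; run the script afterwards and compare the reported mode with `ls -l /dev/pf`. If `pfctl -s nat` shows no rdr rules on the expected interface, the problem is the ruleset rather than the device permissions.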