Date: Fri, 15 Apr 2011 08:36:32 +0200 From: Daniel Hartmeier <daniel@benzedrine.cx> To: freebsd-pf@freebsd.org Subject: Re: transparent proxy traffic queue ... Message-ID: <20110415063632.GA14296@insomnia.benzedrine.cx> In-Reply-To: <20110411152230.GA88862@relay.ibs.dn.ua> References: <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua> <20110411085730.GB26940@insomnia.benzedrine.cx> <20110411152230.GA88862@relay.ibs.dn.ua>
On Mon, Apr 11, 2011 at 06:22:30PM +0300, Zeus V Panchenko wrote:

> first rule catches traffic from LAN to inet so, the sequence is:
>
> LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
>
> and backward ...
>
> some_web_server -> if_wan -> proxy server -> if_lan -> LAN
>
> is it because proxy LAN address is bent to if_lan:0 the traffic on
> if_lan is incoming rather than outgoing?

First, incoming and outgoing in context of pf.conf rules are relative to the firewall (and not your LAN vs. the internet), e.g. incoming means 'enters the firewall through an interface from a network' and outgoing means 'exits the firewall through an interface to a network'.

Second, with a squid proxy, there are actually two distinct connections: one connection from the client to the proxy, and another connection from the proxy to the server. There are two different (random) source ports, and two different destination ports (3128 and 80):

  1) client:random1 -> proxy:3128   (incoming on if_lan)
  2) proxy:random2  -> server:80    (outgoing on if_wan)

Both are filtered by pf, and both must be passed explicitly. Only the first is affected by rdr (destination port translation), and the pass rule must match the connection AFTER translation, i.e.

  rdr on $if_lan ... to any port 80 -> $if_lan:0 port 3128
  pass in on $if_lan ... to $if_lan:0 port 3128

The fact that the proxy's listening socket is bound to if_lan:0 doesn't change any of this, you could just as well bind it to 127.0.0.1 or ext_if.

> > Run pfctl -vvss and see what states you have, and what rules they
> > are based on (compare with numbers in pfctl -gsr output), probably
> > not the right ones (with proper log and queue options).
>
> in pfctl output i still can see only outgoing to internet states ... no incoming

You can add 'set state-policy if-bound', so states get bound to interfaces, and pfctl -ss shows both, which can help.

The arrows (-> or <-) in the pfctl -ss output indicate the direction of a state (-> for outgoing, <- for incoming). You should see pairs of states, like described above. As long as you only see one state, there is something wrong.

HTH,
Daniel
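The two-connection rule set described above, written out as a complete pf.conf fragment. This is an added example, not configuration from the thread or from the pf project; the interface names (em0/em1), the LAN subnet, the ALTQ bandwidth figures and the queue names are assumptions chosen for illustration.

```pf
# Added example (not from the thread): pf.conf for a transparent squid
# proxy running on the firewall itself. Both halves of every proxied
# request are passed explicitly, and the proxy's upstream half is queued.
# Interface names, the LAN subnet and the ALTQ figures are assumptions.

if_lan  = "em0"
if_wan  = "em1"
lan_net = "192.168.1.0/24"

# Bind states to the interface they were created on, so 'pfctl -ss'
# shows the if_lan state (<-) and the if_wan state (->) of each request.
set state-policy if-bound

# Assumed ALTQ setup on the WAN side: proxy traffic gets its own queue.
altq on $if_wan cbq bandwidth 10Mb queue { q_default, q_proxy }
queue q_default bandwidth 60% cbq(default)
queue q_proxy   bandwidth 40% cbq(borrow)

# Connection 1: client:random1 -> proxy:3128, incoming on if_lan.
# rdr rewrites the destination; the pass rule must match the packet as
# it looks AFTER translation, i.e. to $if_lan:0 port 3128, not port 80.
rdr on $if_lan inet proto tcp from $lan_net to any port 80 -> $if_lan:0 port 3128
pass in log on $if_lan inet proto tcp from $lan_net to $if_lan:0 port 3128 keep state

# Connection 2: proxy:random2 -> server:80, outgoing on if_wan. squid
# opens this itself with a fresh source port; it is the one to queue.
pass out log on $if_wan inet proto tcp from ($if_wan) to any port 80 keep state queue q_proxy
```

After loading this, a single client request should show up in `pfctl -vvss` as two states, one `<-` on em0 to port 3128 and one `->` on em1 to port 80, each reporting the rule number it was created by; `pfctl -vsq` then shows whether q_proxy is actually accumulating packets. If only the `->` state appears, the `pass in` rule is not matching the translated packet.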