From owner-freebsd-pf@FreeBSD.ORG Fri Apr 15 06:36:37 2011
Date: Fri, 15 Apr 2011 08:36:32 +0200
From: Daniel Hartmeier
To: freebsd-pf@freebsd.org
Message-ID: <20110415063632.GA14296@insomnia.benzedrine.cx>
References: <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua> <20110411085730.GB26940@insomnia.benzedrine.cx> <20110411152230.GA88862@relay.ibs.dn.ua>
In-Reply-To: <20110411152230.GA88862@relay.ibs.dn.ua>
Subject: Re: transparent proxy traffic queue ...
On Mon, Apr 11, 2011 at 06:22:30PM +0300, Zeus V Panchenko wrote:

> first rule catches traffic from LAN to inet so, the sequence is:
>
> LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
>
> and backward ...
>
> some_web_server -> if_wan -> proxy server -> if_lan -> LAN
>
> is it because proxy LAN address is bent to if_lan:0 the traffic on
> if_lan is incoming rather than outgoing?

First, incoming and outgoing in the context of pf.conf rules are relative
to the firewall (and not your LAN vs. the internet), e.g. incoming means
'enters the firewall through an interface from a network' and outgoing
means 'exits the firewall through an interface to a network'.

Second, with a squid proxy, there are actually two distinct connections:
one connection from the client to the proxy, and another connection from
the proxy to the server. There are two different (random) source ports,
and two different destination ports (3128 and 80):

  1) client:random1 -> proxy:3128 (incoming on if_lan)
  2) proxy:random2  -> server:80  (outgoing on if_wan)

Both are filtered by pf, and both must be passed explicitly. Only the
first is affected by rdr (destination port translation), and the pass
rule must match the connection AFTER translation, i.e.

  rdr on $if_lan ... to any port 80 -> $if_lan:0 port 3128
  pass in on $if_lan ... to $if_lan:0 port 3128

The fact that the proxy's listening socket is bound to if_lan:0 doesn't
change any of this; you could just as well bind it to 127.0.0.1 or ext_if.

> > Run pfctl -vvss and see what states you have, and what rules they
> > are based on (compare with numbers in pfctl -gsr output), probably
> > not the right ones (with proper log and queue options).
> in pfctl output I still can see only outgoing to internet states ... no incoming

You can add 'set state-policy if-bound', so states get bound to
interfaces, and pfctl -ss shows both, which can help.

The arrows (-> or <-) in the pfctl -ss output indicate the direction of a
state (-> for outgoing, <- for incoming). You should see pairs of states,
like described above. As long as you only see one state, there is
something wrong.

HTH,
Daniel
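An added pf.conf fragment (not from Daniel's reply or the pf project's own examples) that puts the points above together: both connections of the transparently proxied request get their own pass rule and queue, and states are interface-bound so pfctl -ss shows both halves. The interface names, LAN prefix, queue names and bandwidths are assumptions; the rdr/pass structure follows the rules quoted in the mail.

```pf
# Added example, not from the original mail. Assumed: em1 faces the LAN,
# em0 faces the internet, squid listens on if_lan:0 port 3128.
if_lan  = "em1"
if_wan  = "em0"
lan_net = "192.168.1.0/24"

# Bind states to the interface they were created on, so that pfctl -ss
# shows both the incoming (if_lan) and the outgoing (if_wan) state.
set state-policy if-bound

# ALTQ only shapes packets leaving an interface, so queues are needed on
# both sides: replies to LAN clients leave via $if_lan, proxy fetches
# leave via $if_wan.
altq on $if_lan cbq bandwidth 100Mb queue { lan_def, lan_proxy }
queue lan_def   bandwidth 70% cbq(default)
queue lan_proxy bandwidth 30%
altq on $if_wan cbq bandwidth 10Mb queue { wan_def, wan_proxy }
queue wan_def   bandwidth 70% cbq(default)
queue wan_proxy bandwidth 30%

# Connection 1: client:random1 -> proxy:3128. rdr rewrites the destination
# port, so the pass rule must match the destination AFTER translation.
rdr on $if_lan proto tcp from $lan_net to any port 80 -> $if_lan:0 port 3128
pass in on $if_lan proto tcp from $lan_net to $if_lan:0 port 3128 keep state queue lan_proxy

# Connection 2: proxy:random2 -> server:80. Squid opens this connection
# itself, so it is a new outgoing connection on the WAN side and needs
# its own pass rule (and queue) there.
pass out on $if_wan proto tcp from ($if_wan) to any port 80 keep state queue wan_proxy
```

Squid itself still has to be configured for interception on port 3128; that part is outside pf.conf. If a queue name is referenced by a rule but not defined on the interface the packet leaves through, the packet falls into that interface's default queue.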