From: krad
Date: Wed, 29 Jun 2016 14:33:53 +0100
Subject: Re: Problems with pf rules for intercept squid proxy
To: "C. L. Martinez"
Cc: FreeBSD Questions

Oh, also: if you are redirecting HTTPS you will need to set up squid to do SSL bump and install certs on all your clients. As you haven't supplied your squid.conf it's difficult to know if that's correct.

On 29 June 2016 at 14:32, krad wrote:
> You need to, as squid needs read/write access to /dev/pf to work in
> intercept mode. As long as you don't have any other users in the squid group
> you are good. Did you restart devfs or reboot?
>
>
> On 29 June 2016 at 14:20, C. L. Martinez wrote:
>
>> Yep, but is it not too dangerous to assign 0770 to /dev/pf?
>>
>> Anyway, I have tried, but with the same error: traffic is denied by squid ...
>>
>>
>> On Wed 29.Jun'16 at 13:39:46 +0100, krad wrote:
>> > Have you got these lines in your /etc/devfs.conf file?
>> >
>> > own pf root:squid
>> > perm pf 0770
>> >
>> > You also need lines like this in the squid.conf:
>> >
>> > http_port 192.168.1.1:3128 intercept
>> >
>> >
>> > On 29 June 2016 at 12:33, C. L. Martinez wrote:
>> >
>> > > On Tue 28.Jun'16 at 19:37:37 +0200, Kristof Provost wrote:
>> > > >
>> > > > On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>> > > > > I have some problems with my pf rules on a FreeBSD 10.3 host that acts
>> > > > > as a squid intercept proxy. My actual pf rules are:
>> > > > >
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
>> > > > > rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>> > > > >
>> > > > > At first it seems that these rules work, but they don't. Traffic is
>> > > > > redirected to squid, but squid denies all connections:
>> > > > >
>> > > > > 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>> > > > >
>> > > > > Using the same squid.conf file under an OpenBSD test machine, squid works
>> > > > > without problems. For this reason, I don't think there is some problem
>> > > > > with my squid config. The only difference between this OpenBSD host
>> > > > > and FreeBSD is the pf rules.
>> > > > >
>> > > > You may have a different squid version, or they may be patched differently.
>> > > > Your redirect rules are working, as demonstrated by the fact that squid gets
>> > > > a request, and replies to it.
>> > > >
>> > > > Note that pf does not change your HTTP payload, it only affects TCP. In
>> > > > other words: if Squid sees the connection (and it does) it's a Squid
>> > > > problem.
>> > > >
>> > > > Also note that you're redirecting on FreeBSD, but using divert-to on
>> > > > OpenBSD. This may be triggering different behaviour from Squid. The man page
>> > > > says that with divert-to:
>> > > >
>> > > >     The packets will not be modified, so getsockname(2) on the socket will
>> > > >     return the original destination address of the packet.
>> > > >
>> > > > That might be affecting an ACL in Squid.
>> > > >
>> > > > Regards,
>> > > > Kristof
>> > >
>> > > Thanks Kristof. I am using squid installed from pkg under a FreeBSD 10.3,
>> > > fully updated:
>> > >
>> > > Squid Cache: Version 3.5.19
>> > > Service Name: squid
>> > > configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin'
>> > > '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
>> > > '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
>> > > '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
>> > > '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache'
>> > > '--without-gnutls' '--enable-auth' '--enable-build-info'
>> > > '--enable-loadable-modules' '--enable-removal-policies=lru heap'
>> > > '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy'
>> > > '--disable-translation' '--disable-arch-native' '--enable-eui'
>> > > '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
>> > > '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
>> > > '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
>> > > '--enable-ipv6' '--enable-kqueue' '--with-large-files'
>> > > '--enable-http-violations' '--without-nettle' '--enable-snmp'
>> > > '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include'
>> > > 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
>> > > '--disable-stacktraces' '--enable-ipf-transparent'
>> > > '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf'
>> > > '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
>> > > '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe
>> > > -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread
>> > > -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 '
>> > > 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM
>> > > MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
>> > > '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip
>> > > time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper'
>> > > '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs'
>> > > '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
>> > > '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake'
>> > > '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local'
>> > > '--mandir=/usr/local/man' '--infodir=/usr/local/info/'
>> > > '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1'
>> > > 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector
>> > > -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
>> > >
>> > > According to these options, intercept is enabled ... Then, I don't
>> > > understand why it doesn't work ...
>> > >
>> > > --
>> > > Greetings,
>> > > C. L. Martinez
>> > > _______________________________________________
>> > > freebsd-questions@freebsd.org mailing list
>> > > https://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> > > To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>> > >
>> >
>> --
>> Greetings,
>> C. L. Martinez
>>
>
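The thread turns on three files agreeing with each other: pf's rdr targets, squid's http_port/https_port lines carrying the intercept flag, and the devfs.conf own/perm lines that give squid access to /dev/pf. As an added example (not code from anyone in this thread), the Python below cross-checks constructed fragments modelled on the quoted snippets; the https_port line and the file contents are assumptions, not the poster's real configuration.

```python
import re

# Constructed sample fragments modelled on the snippets quoted in the thread;
# the https_port line is an assumption, not something the poster showed.
PF_CONF = """\
rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
"""
SQUID_CONF = """\
http_port 192.168.1.1:3128 intercept
https_port 127.0.0.1:5145 intercept ssl-bump cert=/usr/local/etc/squid/cert.pem
"""
DEVFS_CONF = """\
own pf root:squid
perm pf 0770
"""

# rdr ... -> <target> port <n>
RDR_RE = re.compile(r'^\s*rdr\b.*->\s*(\S+)\s+port\s+(\d+)', re.M)
# http_port/https_port [host:]<port> [flags...]  (bracketed IPv6 hosts not handled)
PORT_RE = re.compile(r'^\s*(https?_port)\s+(?:(\S+?):)?(\d+)[ \t]*(.*)$', re.M)


def rdr_targets(pf_conf):
    """(target, port) pairs that pf rdr rules send traffic to."""
    return [(tgt, int(port)) for tgt, port in RDR_RE.findall(pf_conf)]


def intercept_listeners(squid_conf):
    """Ports of squid listeners carrying the 'intercept' flag (required for rdr'd traffic)."""
    return {int(port) for _d, _h, port, flags in PORT_RE.findall(squid_conf)
            if 'intercept' in flags.split()}


def unmatched_redirects(pf_conf, squid_conf):
    """rdr targets whose port has no intercept listener in squid.conf."""
    listeners = intercept_listeners(squid_conf)
    return [(tgt, p) for tgt, p in rdr_targets(pf_conf) if p not in listeners]


def devfs_grants_pf(devfs_conf, group='squid'):
    """True if devfs.conf gives <group> read and write on pf, as the thread's own/perm lines do."""
    own = re.search(r'^\s*own\s+pf\s+\S+?:(\S+)', devfs_conf, re.M)
    perm = re.search(r'^\s*perm\s+pf\s+0?([0-7]{3})\s*$', devfs_conf, re.M)
    if not own or not perm:
        return False
    group_bits = int(perm.group(1)[1], 8)          # middle digit = group rwx
    return own.group(1) == group and group_bits & 0o6 == 0o6


if __name__ == '__main__':
    print('redirects with no intercept listener:', unmatched_redirects(PF_CONF, SQUID_CONF))
    print('/dev/pf readable+writable by squid group:', devfs_grants_pf(DEVFS_CONF))
```

The devfs check only confirms the grant exists; as krad notes, read/write on /dev/pf is control of the firewall, so the squid group should contain no other users.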