From owner-freebsd-pf@FreeBSD.ORG Fri Oct 13 12:55:46 2006
Message-ID: <54636.24.161.8.173.1160744143.squirrel@mail.poklib.org>
In-Reply-To:
References: <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org>
Date: Fri, 13 Oct 2006 08:55:43 -0400 (EDT)
From: "B. Cook"
To: "Travis H."
Cc: freebsd-pf@freebsd.org
Subject: Re: Transparent proxy with ! and table issues..
On Fri, October 13, 2006 5:13 am, Travis H. wrote:
> I know this has been a while, but I didn't see a proper response in the
> thread.
> I suspect that the gateway is unset or improperly set on the routes
> associated with the alias.
>
> I'm not familiar with squidclient, but it looks like all requests are
> going through the squid proxy. The common pattern seems to be that
> all the queries to .53 fail, and the only one to .52 succeeded. I'm
> not sure why you think any of these queries should _not_ go through
> the rdr rules, since they are all in and none are in , so they all
> match rdr rules.
> --
> "The obvious mathematical breakthrough would be the development of an
> easy way to factor large prime numbers.'' [sic] -- Bill Gates -><-
>
> GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484

Thank you for looking at my post.
I did end up solving it with the following config:

staff_if="sis0"
public_if="xl0"
proxy_server="192.168.1.3"
allowed="{ 192.168.1.0/24, 172.16.10.0/24 }"

scrub on { $public_if, $staff_if } no-df min-ttl 32 max-mss 1460 random-id

no rdr on $public_if from $public_if:network to $allowed
no rdr on $staff_if from $staff_if:network to $allowed
rdr on $public_if inet proto tcp from $public_if:network to any port www -> $proxy_server port 8080
rdr on $staff_if inet proto tcp from $staff_if:network to any port www -> $proxy_server port 8080

pass in on $staff_if inet proto tcp from any to $proxy_server port 8080 keep state
pass in on $public_if inet proto tcp from any to $proxy_server port 8080 keep state
pass out on $staff_if inet proto tcp from any to any port www keep state
pass out on $public_if inet proto tcp from any to any port www keep state
pass out on lo0 inet proto tcp from any to any port www modulate state
# EOF

The "no rdr" needed to be before the rdr statements. It seems that with the ! it would only take the first network and not the second. I was trying to say "Not (this and that)" to negate them both, but it would come out like "Not this and that", so the 'that' was allowed; the "not this" worked as intended.
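An added illustration, not code from the thread: a small Python model of why the negated list did not exempt both networks. It models pf's list expansion (a rule with a "to { a, b }" list is loaded as one rule per element, and a "!" in front of the list is copied onto each), first-match evaluation of translation rules, and a table as a single set whose membership "!" negates as a whole; the addresses and the rule encoding are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: the two client networks from the pf.conf in the thread.
ALLOWED = [ip_network("192.168.1.0/24"), ip_network("172.16.10.0/24")]
ANY = [ip_network("0.0.0.0/0")]

def expand(rule):
    """Model pf list expansion. A 'to { a, b }' list is loaded as one rule
    per element, and a '!' in front of the list is copied onto each of them.
    A table is a single set: it is not expanded, and '!' negates membership
    in the whole set."""
    action, negated, kind, nets = rule
    if kind == "list":
        return [(action, negated, lambda d, n=n: d in n) for n in nets]
    return [(action, negated, lambda d: any(d in n for n in nets))]

def redirected(ruleset, dst):
    """Translation rules are first-match in pf; a matching 'no rdr' ends
    evaluation without redirecting. Returns True if dst goes to the proxy."""
    dst = ip_address(dst)
    for rule in ruleset:
        for action, negated, member in expand(rule):
            if member(dst) != negated:   # '!' inverts the element match
                return action == "rdr"
    return False

# What the poster first tried: negate the list inside the rdr rule.
# Loaded as 'to ! 192.168.1.0/24' and 'to ! 172.16.10.0/24'; every
# destination is outside at least one of them, so some rule always matches.
NEGATED_LIST = [("rdr", True, "list", ALLOWED)]

# The poster's fix: 'no rdr' for the set, placed before the catch-all rdr.
NO_RDR_FIRST = [("no rdr", False, "list", ALLOWED), ("rdr", False, "list", ANY)]

# Alternative: a table. 'to ! <allowed>' means "not in either network",
# which is what the negated list was meant to say.
TABLE = [("rdr", True, "table", ALLOWED)]

if __name__ == "__main__":
    for dst in ("192.168.1.7", "172.16.10.5", "198.51.100.10"):
        print(dst, "negated list:", redirected(NEGATED_LIST, dst),
              "no rdr first:", redirected(NO_RDR_FIRST, dst),
              "table:", redirected(TABLE, dst))
```

Only the destination address is modelled; interface, source and port matching from the real rules are left out because they do not affect the negation behaviour.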