From: "James Seward" <jamesoff@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 31 Jul 2007 11:45:41 +0100
Message-ID: <720051dc0707310345y1fe23172x69dce6b939ee50c6@mail.gmail.com>
Subject: Transparent squid proxy with if_bridge
List-Id: Technical discussion and general questions about packet filter (pf)

Hello all,

I'm trying to set up a machine using if_bridge to do transparent proxying via squid. I've been following a selection of walkthroughs online including http://www.benzedrine.cx/transquid.html

I have a machine with three network cards, two of which form the bridge and the third is for management. Using a rdr rule in pf.conf, I am rewriting packets from my workstation (currently the only client while I test) to localhost:8080. I have also tried redirecting to the IP of the management card. In both cases squid was configured to listen either on localhost:8080 or management_ip:8080. The "transparent" option appears on the http_port configuration line. Squid is currently set to allow anyone access.

If squid is listening on the management_ip, I can point my browser at that and squid services my request normally. If I bind squid to localhost, I can nc(1) to it and it services my request. If I let the rdr rule redirect my packets to squid, nothing happens and the client times out.

pfctl -sa shows that pf has done the redirection and displays something like:

127.0.0.1:8080 <- external_ip:80 <- client_ip:34582 CLOSED:SYN_SENT

so it seems the SYN never arrives at squid. tcpdumping lo0 shows no traffic at all.

I have tried this with and without IPs for the bridged cards (without would suit me better) but I'm not sure if that's the problem at this stage.

--8<-- pf.conf ----
ext_if="fxp0"
int_if="xl0"

# send web-type stuff to the cache
rdr on $int_if inet proto tcp \
	from 192.168.200.112 to any port www \
	-> 127.0.0.1 port 8080

pass in all
pass out all
-----

--8<--- squid.conf
# egrep -v "^#" /usr/local/etc/squid/squid.conf | egrep -v '^$'
http_port 127.0.0.1:8080 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 32 MB
cache_dir ufs /usr/local/squid/cache 4096 16 256
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp:		1440	20%	10080
refresh_pattern ^gopher:	1440	0%	1440
refresh_pattern .		0	20%	4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow all
http_reply_access allow all
icp_access allow all
cache_mgr XXXXX
mail_program mail
visible_hostname XXXXX
logfile_rotate 10
append_domain .XXXXX
always_direct allow all
coredump_dir /usr/local/squid/cache
------

--%<--- ifconfig
fxp0: flags=8943 mtu 1500
	options=8
	inet 192.168.200.17 netmask 0xffffff00 broadcast 192.168.200.255
	ether 00:a0:c9:ea:92:91
	media: Ethernet autoselect (100baseTX )
	status: active
xl0: flags=8943 mtu 1500
	options=9
	inet 192.168.200.16 netmask 0xffffff00 broadcast 192.168.200.255
	ether 00:50:04:39:c2:f2
	media: Ethernet autoselect (100baseTX )
	status: active
rl0: flags=8843 mtu 1500
	options=8
	inet 192.168.200.113 netmask 0xffffff00 broadcast 192.168.200.255
	ether 00:40:f4:4d:84:31
	media: Ethernet autoselect (100baseTX )
	status: active
lo0: flags=8049 mtu 16384
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
	inet6 ::1 prefixlen 128
	inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 mtu 1500
	ether 5a:6b:3a:b8:6a:c1
	id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
	maxage 20 holdcnt 6 proto stp maxaddr 100 timeout 1200
	root id 00:00:00:00:00:00 priority 0 ifcost 0 port 0
	member: fxp0 flags=143
	member: xl0 flags=143
------

(xl0 and fxp0 currently have ips, but it doesn't work when they don't either)

Sample state:

STATES:
self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526       CLOSED:SYN_SENT

Every walkthrough makes it sound very simple and easy; I feel like I must be missing something obvious :)

Thanks in advance,
James
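The state line the poster quotes is the most useful evidence in the message: pf prints a translated state as "rdr destination <- original destination <- source", and one parked in CLOSED:SYN_SENT means pf rewrote the client's SYN but nothing ever answered it. The two helpers below are an added diagnostic example, not part of the original post or of any pf/squid documentation: one picks those stuck redirected states out of `pfctl -ss` output, the other checks the bridge-related sysctls a rule written "on" a bridge member depends on. The function names, the sample `pfctl -ss` lines (apart from the one the poster quoted) and the sample `sysctl` output are constructed for the example; the knob values it treats as required (`net.link.bridge.pfil_member=1` so pf is hooked on member interfaces, `net.inet.ip.forwarding=1` as transquid.html asks for) are assumptions stated in the comments, and the script only reports them, it does not claim they are the poster's root cause.

```shell
#!/bin/sh
# Added diagnostic helpers for the rdr-to-squid problem discussed above.
# Not from the original post; sample data below is constructed, reusing only
# the one state line the poster quoted.

# Constructed sample of `pfctl -ss` output: one redirected SYN that was never
# answered, one redirected flow that did get through, one plain ssh state.
SAMPLE_STATES='self tcp 127.0.0.1:8080 <- 207.46.193.254:80 <- 192.168.200.112:50526       CLOSED:SYN_SENT
self tcp 127.0.0.1:8080 <- 72.14.207.99:80 <- 192.168.200.112:50527       ESTABLISHED:ESTABLISHED
self tcp 192.168.200.113:22 <- 192.168.200.112:41000       ESTABLISHED:ESTABLISHED'

# Constructed sample of `sysctl net.link.bridge net.inet.ip.forwarding`
# output with pfil_member switched off. The rdr rule in the post is written
# "on $int_if", a bridge member, so pf never sees the packet there if this is 0.
SAMPLE_SYSCTL='net.link.bridge.pfil_onlyip: 1
net.link.bridge.pfil_member: 0
net.link.bridge.pfil_bridge: 1
net.inet.ip.forwarding: 1'

# stuck_rdr_states: read `pfctl -ss` lines on stdin and print, for every
# redirected TCP state still in CLOSED:SYN_SENT,
#   "client -> original destination (rdr to translated destination)".
# A translated state has three address fields; a plain one has two, so the
# field count tells rdr'd states apart from ordinary ones.
stuck_rdr_states() {
    awk '$2 == "tcp" && NF == 8 && $4 == "<-" && $6 == "<-" && $8 == "CLOSED:SYN_SENT" {
             printf "%s -> %s (rdr to %s)\n", $7, $5, $3
         }'
}

# check_bridge_sysctls: read `sysctl` output ("name: value") on stdin and
# print the name of every knob not set the way the example assumes a
# bridge-member rdr rule needs it. Prints nothing and returns 0 when all
# listed knobs are as expected; returns 1 otherwise.
# Assumed requirements (not verified by the original post):
#   net.link.bridge.pfil_member = 1   pf hooked on member interfaces (xl0/fxp0)
#   net.inet.ip.forwarding      = 1   as the transquid.html walkthrough asks for
check_bridge_sysctls() {
    awk -F': ' '
        $1 == "net.link.bridge.pfil_member" && $2 != 1 { print $1; bad = 1 }
        $1 == "net.inet.ip.forwarding"      && $2 != 1 { print $1; bad = 1 }
        END { exit bad }'
}

# Stand-alone run against the constructed samples.
printf '%s\n' "$SAMPLE_STATES" | stuck_rdr_states
printf '%s\n' "$SAMPLE_SYSCTL" | check_bridge_sysctls || echo "bridge sysctls need attention"
```

On the real box the same functions read live data: `pfctl -ss | stuck_rdr_states` lists every redirected connection whose SYN went nowhere, and `sysctl net.link.bridge net.inet.ip.forwarding | check_bridge_sysctls` names the knobs to look at first. The checks are deliberately narrow; a clean result from both only says the rule is being hit and the listed knobs are on, not that the redirected packet is actually reaching lo0, which tcpdump on lo0 and on the bridge members still has to confirm.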