From owner-freebsd-pf@FreeBSD.ORG Sun Jul 31 06:18:46 2005
From: Abu Khaled <khaled.abu@gmail.com>
To: "Giovanni P. Tirloni"
Cc: pf@freebsd.org
Date: Sun, 31 Jul 2005 09:18:43 +0300
Subject: Re: rdr not working for transparent http - 5.4-stable
In-Reply-To: <42EC2DCE.4090009@tirloni.org>
References: <42E8D3D5.4030300@tirloni.org> <200507281458.56534.max@love2party.net> <42E8DBC6.6060907@tirloni.org> <42EB7A2A.3080701@tirloni.org> <42EC2DCE.4090009@tirloni.org>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 7/31/05, Giovanni P. Tirloni wrote:
> Abu Khaled wrote:
> > On 7/30/05, Giovanni P. Tirloni wrote:
> >
> >> Giovanni P. Tirloni wrote:
> >>
> >>> Max Laier wrote:
> >>>
> >>>> One thing comes to my mind: What does
> >>>>   $ sysctl net.inet.ip.forwarding
> >>>> say?
> >>>
> >>> # sysctl net.inet.ip.forwarding
> >>> net.inet.ip.forwarding: 1
> >>>
> >>> I had some tweaks in /etc/sysctl but disabling them didn't help either.
> >>>
> >>> #net.inet.ip.check_interface=1
> >>> #net.inet.tcp.blackhole=2
> >>> #net.inet.udp.blackhole=1
> >>
> >> I forgot to mention this box had ipfw+dummynet (with two queues)
> >> activated. I disabled ipfw in the kernel and pf rdr worked again! Just
> >> removing the ipfw rules didn't work.
> >>
> >> Weird enough, I don't have dummynet on the other 2 machines that have
> >> the same problem. But ipfw is compiled in but disabled.
> >>
> >> I'll try to disable ipfw on the other boxes and see what happens there
> >> to confirm this.
> >
> > If ipfw is compiled in the kernel and it defaults to deny all, then
> > you need to add rules for ipfw to allow connections to and from
> > localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> > traffic'.
> >
> > # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> > # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
> >
> > Put the rules before any anti spoofing rules in ipfw.
>
> I think there's something in the code that makes it not work because I
> set ipfw to accept by default on every machine I have. There must be
> something else.

Sounds confusing !!! Do you mind providing your ipfw/pf rules and the output of:

# squid -v
# ls -l /dev/pf

Just to have a look at them while I scratch my head (to express the confused system administrator emotion).

--
Regards.
Abu Khaled
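As an added example (my own code, not from this thread or any of its participants), the following POSIX sh script checks the three things the thread asks about against captured command output: that net.inet.ip.forwarding is 1, that ipfw carries the two allow rules for 127.0.0.1 port 3128 before any deny rule that could match the redirected traffic (the ordering point about anti-spoofing rules), and that /dev/pf exists as a character device. The LAN prefix, the two ipfw listings and the ls output are constructed sample values, and the function names are hypothetical; on a FreeBSD box you would pass in the live output of `sysctl net.inet.ip.forwarding`, `ipfw list` and `ls -l /dev/pf` instead.

```shell
#!/bin/sh
# Offline diagnostic for the pf rdr + ipfw situation discussed in the thread.
# Every function takes command output as a string so it can run against
# captured text; nothing here touches a live firewall.

LAN_NET="192.168.0.0/24"   # constructed sample value standing in for $lan_net
PROXY_PORT=3128            # squid port used in the thread

# Constructed sample of "ipfw list" with the allow rules ahead of the denies.
IPFW_OK='00100 allow tcp from 192.168.0.0/24 to 127.0.0.1 dst-port 3128
00200 allow tcp from 127.0.0.1 src-port 3128 to 192.168.0.0/24
00300 deny ip from any to 127.0.0.0/8
65535 deny ip from any to any'

# Constructed sample where an anti-spoofing deny precedes the allow rules,
# which is the mistake the thread warns about.
IPFW_BAD='00100 deny ip from any to 127.0.0.0/8
00200 allow tcp from 192.168.0.0/24 to 127.0.0.1 dst-port 3128
00300 allow tcp from 127.0.0.1 src-port 3128 to 192.168.0.0/24
65535 deny ip from any to any'

# 1. Forwarding must be enabled, or redirected packets are never routed.
check_forwarding() {
    case "$1" in
        *"net.inet.ip.forwarding: 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 2. ipfw must allow the redirected flow in both directions, and those
#    allows must come before any deny that could match it.
#    $1 = text of "ipfw list", $2 = LAN prefix, $3 = proxy port.
check_ipfw_rdr_rules() {
    printf '%s\n' "$1" | awk -v net="$2" -v port="$3" '
        BEGIN {
            # Accept both the "dst-port 3128" form that ipfw list prints and
            # the bare "3128" form used when the rule is typed in.
            re_to   = "allow tcp from " net " to 127\\.0\\.0\\.1 (dst-port )?" port "$"
            re_from = "allow tcp from 127\\.0\\.0\\.1 (src-port )?" port " to " net "$"
        }
        # A deny that can match proxy traffic (default deny, or an
        # anti-spoofing rule on 127.0.0.0/8) seen before both allows -> fail.
        $2 == "deny" && (/from any to any/ || /127\.0\.0/) { exit 1 }
        $0 ~ re_to   { to_ok = 1 }
        $0 ~ re_from { from_ok = 1 }
        to_ok && from_ok { exit 0 }
        END { if (!(to_ok && from_ok)) exit 1 }
    '
}

# 3. pf must actually be present: "ls -l /dev/pf" shows a character device.
check_pf_device() {
    case "$1" in
        c*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Report each check against the constructed samples.
run_checks() {
    if check_forwarding "net.inet.ip.forwarding: 1"; then
        echo "forwarding: ok"; else echo "forwarding: FAIL"; fi
    if check_ipfw_rdr_rules "$IPFW_OK" "$LAN_NET" "$PROXY_PORT"; then
        echo "ipfw (good ordering): ok"; else echo "ipfw (good ordering): FAIL"; fi
    if check_ipfw_rdr_rules "$IPFW_BAD" "$LAN_NET" "$PROXY_PORT"; then
        echo "ipfw (deny first): ok"; else echo "ipfw (deny first): FAIL"; fi
    if check_pf_device "crw-------  1 root  wheel    0,  23 Jul 30 23:18 /dev/pf"; then
        echo "/dev/pf: ok"; else echo "/dev/pf: FAIL"; fi
}

run_checks
```

The ipfw check is deliberately strict about order: ipfw evaluates rules top to bottom and stops at the first match, so an allow placed after a deny for 127.0.0.0/8 or after the default deny never fires, which is exactly why the thread says to put the two allow rules before any anti-spoofing rules.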