From owner-freebsd-pf@FreeBSD.ORG Fri Nov 28 05:29:36 2008
Message-ID: <25cb30811272129h68e50bf4u46b15823b101a3@mail.gmail.com>
Date: Fri, 28 Nov 2008 13:29:35 +0800
From: "Kevin Foo" <chflags@gmail.com>
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
References: <25cb30811270426i6b5cc4c2s49030f64d06b0ec8@mail.gmail.com>
Subject: Re: if_bridge + pf rdr (bridged inline proxy)
Reply-To: chflags@gmail.com
List-Id: "Technical discussion and general questions about packet filter (pf)"

Thanks, Eygene, for the reply. It might be, but I'm not sure. Does anyone have the same setting, or any info on this?

--
Regards
Kevin Foo

On Thu, Nov 27, 2008 at 10:00 PM, Eygene Ryabinkin wrote:
> Kevin, good day.
>
> Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
>> I recently set up a bridge box with an inline cache proxy. if_bridge with
>> pf filtering was working perfectly. However, squid-cache listening on the
>> loopback device did not get any packets from pf rdr. I have seen
>> successful setups with OpenBSD's bridge spamd, which is rather a similar
>> setup. Is something broken in FreeBSD's if_bridge, or am I missing some
>> configuration here?
>
> pf can 'rdr' only incoming packets (from 'man pf.conf'):
> -----
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
> -----
> So this can be just pf-related. And may be not, as usual...
> --
> Eygene
>
> Remember that it is hard to read the on-line manual while single-stepping the kernel.
> -- FreeBSD Developers handbook
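As an added illustration of the evaluation-order point Eygene quotes (this fragment is not from either poster), a pf.conf for a transparent proxy on an if_bridge box: the rdr rule has to name the member interface on which client traffic arrives, because rdr is only evaluated for inbound packets. Interface names, the client network and squid's port 3128 are assumptions.

```pf
# Added example, not from the thread. Assumed layout: em0 is the bridge
# member facing the clients, em1 faces the upstream, bridge0 spans both,
# and squid listens on 127.0.0.1 port 3128 (squid's default, assumed here).
#
# /etc/sysctl.conf knobs from if_bridge(4) that decide where pf runs:
#   net.link.bridge.pfil_member=1   # filter on the member interfaces (em0/em1)
#   net.link.bridge.pfil_bridge=0   # don't filter the same packet again on bridge0
int_if     = "em0"
ext_if     = "em1"
lan        = "192.168.1.0/24"   # constructed client network
proxy_port = "3128"

# rdr is evaluated only on INBOUND packets, on the interface they arrive on.
# Client web traffic enters this box on $int_if, so that is the interface the
# rule must name. The same rule written "on $ext_if" or "on bridge0" would
# never see these packets inbound and so would never match, and a nat rule
# (outbound only) cannot do this job either.
rdr on $int_if inet proto tcp from $lan to any port 80 -> 127.0.0.1 port $proxy_port

# Filter rules see the packet after translation, i.e. addressed to 127.0.0.1.
pass in  quick on $int_if inet proto tcp from $lan to 127.0.0.1 port $proxy_port
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state

# Caveat: this only gets the rdr rule evaluated and the packet passed. Whether a
# bridged frame rewritten to 127.0.0.1 is then handed to the local loopback
# listener instead of being bridged onward is exactly the open question in
# this thread; verify with "pfctl -s nat", "pfctl -s state" and squid's access log.
```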