From: "Giovanni P. Tirloni"
Date: Thu, 28 Jul 2005 09:47:17 -0300
To: pf@freebsd.org
Subject: rdr not working for transparent http - 5.4-stable
Message-ID: <42E8D3D5.4030300@tirloni.org>

Hello,

I've deployed dozens of gateways with transparent HTTP proxy but this time it isn't working and I suspect pf is somehow involved in this. Packets aren't being redirected anywhere. I've disabled filtering totally to debug this.

I've a rule to redirect every connection attempt to port 80 to 127.0.0.1 port 3128:

    rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 port 3128

In squid.conf I've enabled this:

    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

The rdr rule is being matched and with tcpdump I see packets coming into the $lan_if but nothing gets to $ext_if or loopback. They simply disappear (and the originating machine doesn't get an answer back). Running tcpdump on pflog0 doesn't show anything either (as expected since there's no filter rule).

This was happening on 5.3-STABLE and I updated the system to 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces.

Weird enough.. this works on every other box except this and another one. And nothing fixes it.

Any way to debug this? I've run out of ideas.

Thanks in advance,

--
Giovanni P. Tirloni / gpt@tirloni.org