From owner-freebsd-pf@FreeBSD.ORG Fri Sep 29 01:17:35 2006
From: "B. Cook" <bcook@poklib.org>
To: freebsd-pf@freebsd.org
Date: Thu, 28 Sep 2006 21:17:34 -0400 (EDT)
Message-ID: <56217.24.161.8.173.1159492654.squirrel@mail.poklib.org>
Subject: Transparent proxy with ! and table issues..
Hello,

I'm not sure how to explain this but I will do my best.

I have a FreeBSD 6.1-p7 box running pf.

sis0 10.0.0.87/25
xl0 192.168.1.3/24
gw is 10.0.0.62

pf rules are simple:

public_if ="sis0"
staff_if ="xl0"
proxy_server ="192.168.1.3"

table const {172.16.10.0/24}
table const { 172.16.1.0/24, 192.168.1.0/24, 10.0.0.0/25 }

rdr on {$staff_if, $public_if} inet proto tcp from to ! port www -> $proxy_server port 8080

TRANSLATION RULES:
rdr on xl0 inet proto tcp from to ! port = http -> 192.168.1.3 port 8080
rdr on sis0 inet proto tcp from to ! port = http -> 192.168.1.3 port 8080

FILTER RULES:

No queue in use

Here is what I am trying to accomplish:

To have 'local' traffic on the 172.16.1.0/24, 10.0.0.0/25 and 192.168.1.0/24 be able to connect to the 192.168.1.53 and 192.168.1.52 server without being pushed through the pf rdr.

What I currently have is: I can connect to the webserver directly from all the localnets, but I cannot attach to 192.168.1.52 from the 10/25; it pushes me through the squid proxy and gives an error.

Located at 192.168.1.53 is a webserver; located at 192.168.1.52 is a program called ezproxy (for remote database access - we are a library). The .53 and .52 are on a different fbsd box. The .52 is the aliased IP.

(192.168.1.52) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]
(192.168.1.53) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]

This is what the clients see..
squidclient -l 192.168.1.3 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*
'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a successful test, as the page was displayed to the 192.168.1.0 client.

squidclient -l 192.168.1.3 -v http://192.168.1.52
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*
'
2006-09-28 21:12:05 [1]: 0.208 secs, 6.347656 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:12:05 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:12:05 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.52 | less
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*
'
2006-09-28 21:13:23 [1]: 0.205 secs, 6.440549 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:13:23 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:13:23 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*
'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a success.

So what I think I am seeing is that hosts destined for the 192.168.1.0 are still being pushed through the proxy. But it looks like my pf rules are saying something different.

Can someone help me understand what I am missing or doing wrong?

Thanks in advance.

- Brian
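Added example, not code from the post above and not part of pf: a small offline evaluator for the post's rdr rule with a negated destination table, so a given flow (interface, source, destination, port) can be checked against the rule as written before touching the firewall. The table names were lost from the post, so SRC_TABLE and BYPASS_TABLE are placeholder names, and treating the first table as the "from" table and the second as the negated "to" table is an assumption about the order in which they appear; the sample flows are constructed.

```python
"""Offline check of which flows a pf rdr rule with a negated table redirects."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Net = ipaddress.IPv4Network


def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)


# Table contents as shown in the post. The <table> names were lost in
# extraction, so these are placeholder names; the first table is assumed to
# be the "from" table and the second the negated "to" table.
SRC_TABLE: Tuple[Net, ...] = (net("172.16.10.0/24"),)
BYPASS_TABLE: Tuple[Net, ...] = (
    net("172.16.1.0/24"), net("192.168.1.0/24"), net("10.0.0.0/25"),
)


def in_table(addr: str, table: Sequence[Net]) -> bool:
    """True if addr falls inside any network of the table (pf <table> semantics)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in table)


@dataclass(frozen=True)
class RdrRule:
    ifaces: Tuple[str, ...]       # rdr on {...}
    src_table: Tuple[Net, ...]    # from <table>
    dst_table: Tuple[Net, ...]    # to <table> or to !<table>
    dst_negated: bool
    dport: int                    # port www
    target: str                   # -> target
    target_port: int              # port N


@dataclass(frozen=True)
class Flow:
    iface: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# The post's rule: rdr on {$staff_if, $public_if} inet proto tcp
#   from <src> to !<bypass> port www -> $proxy_server port 8080
PROXY_RDR = RdrRule(("xl0", "sis0"), SRC_TABLE, BYPASS_TABLE, True,
                    80, "192.168.1.3", 8080)


def why_not(rule: RdrRule, flow: Flow) -> Optional[str]:
    """Return the first clause that excludes the flow, or None if it matches."""
    if flow.proto != "tcp":
        return "proto is not tcp"
    if flow.iface not in rule.ifaces:
        return f"interface {flow.iface} is not in {rule.ifaces}"
    if flow.dport != rule.dport:
        return f"destination port {flow.dport} != {rule.dport}"
    if not in_table(flow.src, rule.src_table):
        return f"source {flow.src} is not in the from-table"
    dst_in = in_table(flow.dst, rule.dst_table)
    if rule.dst_negated and dst_in:
        return f"destination {flow.dst} is inside the negated to-table"
    if not rule.dst_negated and not dst_in:
        return f"destination {flow.dst} is outside the to-table"
    return None


def apply_rdr(rules: Sequence[RdrRule], flow: Flow) -> Optional[Tuple[str, int]]:
    """First matching translation rule wins, as in pf; None means no rdr."""
    for rule in rules:
        if why_not(rule, flow) is None:
            return (rule.target, rule.target_port)
    return None


def explain(rules: Sequence[RdrRule], flow: Flow) -> str:
    """Human-readable verdict for one flow, with the excluding clause per rule."""
    head = f"{flow.src} -> {flow.dst}:{flow.dport} on {flow.iface}"
    target = apply_rdr(rules, flow)
    if target is not None:
        return f"{head}: redirected to {target[0]}:{target[1]}"
    reasons = "; ".join(str(why_not(r, flow)) for r in rules)
    return f"{head}: not redirected ({reasons})"


if __name__ == "__main__":
    # Constructed sample flows: the post's failing case, a local-to-local
    # request, and an outbound web request the rule is meant to catch.
    for f in (Flow("sis0", "10.0.0.87", "192.168.1.52", 80),
              Flow("xl0", "172.16.10.5", "192.168.1.52", 80),
              Flow("xl0", "172.16.10.5", "198.51.100.7", 80)):
        print(explain([PROXY_RDR], f))
```

To check the model against the live box rather than the post, load the real table contents from `pfctl -t <name> -T show` and the loaded translation rules from `pfctl -s nat`; the evaluator only tells you what the rule as written should do, which is the baseline to compare the squidclient results against.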