Date:      Thu, 28 Jul 2005 15:44:27 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: rdr not working for transparent http - 5.4-stable
Message-ID:  <200507281544.37158.max@love2party.net>
In-Reply-To: <42E8D3D5.4030300@tirloni.org>
References:  <42E8D3D5.4030300@tirloni.org>

Okay ... so we have to look more closely ...

On Thursday 28 July 2005 14:47, Giovanni P. Tirloni wrote:
>   I've deployed dozens of gateways with transparent HTTP proxy but this
> time it isn't working and I suspect pf is somehow involved in this.
> Packets aren't being redirected anywhere. I've disabled filtering
> totally to debug this.
>
>   I've a rule to redirect every connection attempt to port 80 to
> 127.0.0.1 port 3128:
>
>   rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 port 3128

What does $lan_net contain?  And why do you need the "{}"?  What does this
rule expand to?

>   In squid.conf I've enabled this:
>
>   httpd_accel_host virtual
>   httpd_accel_port 80
>   httpd_accel_with_proxy on
>   httpd_accel_uses_host_header on

Could you try to bind netcat to 127.0.0.1:3128 instead to see if it is a squid
issue or not?

>   The rdr rule is being matched and with tcpdump I see packets coming
> into the $lan_if but nothing gets to $ext_if or loopback. They simply
> disappear (and the originating machine doesn't get an answer back).
>
>   Running tcpdump on pflog0 doesn't show anything either (as expected
> since there's no filter rule).

Could you add a
    pass log all
or
    pass log inet proto tcp from any to 127.0.0.1 port = 3128
rule to get a better look at things.  Rule counters are interesting on those
as well.

>   This was happening on 5.3-STABLE and I updated the system to
> 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces.
>
>   Weird enough.. this works on every other box except this and another
> one. And nothing fixes it.
>
>   Any way to debug this ? I've run out of ideas.
>
> Thanks in advance,

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
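
The following is an added example, not part of the original message: a Python stand-in for the netcat test suggested above, which takes squid out of the picture and reports whether a redirected connection actually reaches 127.0.0.1:3128. The function names `open_listener` and `wait_for_client` are hypothetical; squid must be stopped first so the port is free.

```python
import socket

def open_listener(host="127.0.0.1", port=3128):
    """Bind where the rdr rule points, in place of squid."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def wait_for_client(srv, timeout=30.0):
    """Accept one connection and report what arrived.

    Returns None if nothing connects before the timeout, which means the
    packets never reached the listener and squid is not the component at fault.
    """
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        return None
    data = b""
    with conn:
        conn.settimeout(timeout)
        try:
            # Read until the end of the HTTP request headers (bounded).
            while b"\r\n\r\n" not in data and len(data) < 8192:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        except socket.timeout:
            pass
    lines = data.decode("iso-8859-1").split("\r\n")
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    # rdr rewrites only the destination, so peer is the LAN client's address.
    return {"peer": peer[0], "request_line": lines[0], "host": host}

if __name__ == "__main__":
    with open_listener() as srv:
        result = wait_for_client(srv)
    print(result or "no connection reached 127.0.0.1:3128 within the timeout")
```

Run it on the gateway and browse to any port 80 site from a LAN client: a result with the client's address and the Host header points at squid's configuration, while a timeout points at pf or routing.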
