From: Max Laier
To: freebsd-pf@freebsd.org
Date: Thu, 28 Jul 2005 15:44:27 +0200
Subject: Re: rdr not working for transparent http - 5.4-stable
In-Reply-To: <42E8D3D5.4030300@tirloni.org>
Message-Id: <200507281544.37158.max@love2party.net>
List: freebsd-pf (Technical discussion and general questions about packet filter (pf))

Okay ... so we have to look more closely ...

On Thursday 28 July 2005 14:47, Giovanni P. Tirloni wrote:
> I've deployed dozens of gateways with transparent HTTP proxy but this
> time it isn't working and I suspect pf is somehow involved in this.
> Packets aren't being redirected anywhere. I've disabled filtering
> totally to debug this.
>
> I've a rule to redirect every connection attempt to port 80 to
> 127.0.0.1 port 3128:
>
> rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1
> port 3128

What does $lan_net contain? And why do you need the "{}"? What does this
rule expand to?

> In squid.conf I've enabled this:
>
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on

Could you try to bind netcat to 127.0.0.1:3128 instead to see if it is a squid
issue or not?

> The rdr rule is being matched and with tcpdump I see packets coming
> into the $lan_if but nothing gets to $ext_if or loopback. They simply
> disappear (and the originating machine doesn't get an answer back).
>
> Running tcpdump on pflog0 doesn't show anything either (as expected
> since there's no filter rule).

Could you add a

  pass log all

or

  pass log inet proto tcp from any to 127.0.0.1 port = 3128

rule to get a better look at things. Rule counters are interesting on those
as well.

> This was happening on 5.3-STABLE and I updated the system to
> 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces.
>
> Weird enough.. this works on every other box except this and another
> one. And nothing fixes it.
>
> Any way to debug this? I've run out of ideas.
>
> Thanks in advance,

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
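The rdr rule from the question together with the two debugging rules suggested in the reply, written out as a pf.conf fragment. This is an added example, not a ruleset from the thread; the interface names and the $lan_net value are assumed, and the pfctl, tcpdump and nc commands in the comments are the standard checks for seeing what the ruleset expands to and which rules the packets actually hit.

```pf
# Added example, not from the thread. Macro values are assumed.
ext_if  = "vr0"
lan_if  = "vr1"
lan_net = "192.168.1.0/24"

# The rdr from the question. Braces make a list, and pf expands a list
# into one rule per element, so "{ $lan_net }" only matters if $lan_net
# holds more than one network. Print the expansion without loading it:
#   pfctl -nvf /etc/pf.conf
rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 port 3128

# Debugging rules from the reply. pf rewrites the destination (rdr) before
# filtering, so the second rule matches the redirected packets as they are
# seen on $lan_if. Last matching rule wins: with both present, the second
# rule's log entries and counters account for the redirected connections.
pass log all
pass log inet proto tcp from any to 127.0.0.1 port = 3128

# Checks while a client on $lan_net opens a connection to port 80:
#   tcpdump -n -e -ttt -i pflog0     # logged packets, with the matching rule number
#   pfctl -s nat -v                  # rdr rule with Evaluations/Packets counters
#   pfctl -s rules -v                # pass rules with their counters
# To separate pf from squid, replace squid with a plain listener on the target:
#   nc -l 127.0.0.1 3128
```

A rule whose Evaluations counter rises while its Packets counter stays at zero is being consulted but not matched, which narrows the problem to the rule text rather than to the proxy.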