From: Zeus V Panchenko
Reply-To: zeus@ibs.dn.ua
To: freebsd-pf@freebsd.org
Date: Tue, 26 Apr 2011 10:49:24 +0300
Subject: former "transparent proxy traffic queue ..."
Message-ID: <20110426074924.GH87913@relay.ibs.dn.ua>
In-Reply-To: <20110415063632.GA14296@insomnia.benzedrine.cx>

Daniel Hartmeier (daniel@benzedrine.cx) [11.04.15 09:37] wrote:

> First, incoming and outgoing in context of pf.conf rules are
> relative to the firewall (and not your LAN vs. the internet),
> e.g. incoming means 'enters the firewall through an interface
> from a network' and outgoing means 'exits the firewall through
> an interface to a network'.

Yes, thanks, and I believe it is what I was trying to say, but failed.

> Second, with a squid proxy, there are actually two distinct
> connections: one connection from the client to the proxy, and
> another connection from the proxy to the server. There are
> two different (random) source ports, and two different
> destination ports (3128 and 80):
>
> 1) client:random1 -> proxy:3128 (incoming on if_lan)
> 2) proxy:random2 -> server:80 (outgoing on if_wan)
>
> Both are filtered by pf, and both must be passed explicitly.

Yes, and concerning the outgoing traffic, I can see the outgoing http queue works, but concerning the incoming traffic (http server replies to my LAN clients' requests), it passes by the queue and the counters for it remain empty ... I look at it via pftop ...

So, I have simplified the task ... I excluded the proxy stuff and am now trying just to queue http traffic for the box, passing by the proxy ...
Here is the pf.conf:

------------------------------------------------------------------------------------
if_wan = "tun0"
if_lan = "ale0"

# table names restored from the file names; the archive stripped the <...> brackets
table <pass_wan> persist file "/etc/pf.tbl.pass_wan"
# allowed to direct (proxy less) http
table <direct> persist file "/etc/pf.tbl.direct"

ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"

set skip on lo0
set optimization conservative
set ruleset-optimization basic
set state-policy if-bound

altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
queue wan_http bandwidth 150Kb priority 2
queue wan_rest bandwidth 850Kb cbq(default)

# definitions of lan_voip, lan_smb and lan_prn are not included in the post
altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http, lan_voip, lan_smb, lan_prn }
queue lan_http bandwidth 2Mb priority 2
queue lan_rest bandwidth 98Mb cbq(default)

rdr on $if_lan proto { tcp, udp } from ! <direct> to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128
nat on $if_wan from <pass_wan> to any -> ($if_wan)

antispoof for { $if_wan, $if_lan }

block in log(all)
pass in log(all) inet proto icmp all icmp-type echoreq
# the source list inside the braces was lost in the archive
pass in log(all) on $if_wan inet proto { tcp, udp } from { } to ($if_wan) port ssh
pass in log(all) on $if_lan from $if_lan:network to any

pass out log(all) on $if_wan
block drop out log on $if_wan from any to { 127/8, 10/8, 172.16/12, 192.168/16 }
pass out log (all) on $if_wan inet proto tcp from any to any port { $ports_proxy } queue wan_http
pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } to 172.12.10.12 queue lan_http
------------------------------------------------------------------------------------

So, when I launch wget on the box from the table address, I see in

> pfctl -k 172.16.10.12 ; tcpdump -n -i pflog0 -ettt -s0 host 172.16.10.12
...
00:00:00.001251 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000004 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000480 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001240 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000007 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000447 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001019 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000446 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001530 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000447 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
00:00:00.001067 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
00:00:00.000006 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, options [nop,nop,TS val 705375604 ecr 73094598], length 1428
...

where

> pfctl -gsr
...
@10 pass in log (all) on ale0 inet from 10.200.50.0/24 to any flags S/SA keep state (if-bound)
  [ Skip steps: d=12 p=18 sp=24 da=14 dp=18 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
...
@18 pass out log (all) on tun0 inet proto tcp from any to any port = http flags S/SA keep state (if-bound) queue wan_http
  [ Skip steps: i=24 d=24 f=38 p=32 sa=30 sp=24 da=24 ]
  [ queue: qname=wan_http qid=2 pqname= pqid=2 ]
...
@24 pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
  [ Skip steps: i=30 d=30 f=38 p=32 sa=30 da=30 dp=30 ]
  [ queue: qname=lan_http qid=6 pqname= pqid=6 ]
...

Here we see the outgoing traffic via $if_wan successfully coming through the wan_http queue (rule 18), but no traffic coming through rule 24; it hits rule 10 instead ...

So, what am I missing, please? Why does the pflog row

... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...

not match my pf.conf rule @24:

pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http

? Why can I not catch the $if_int (ale0) outgoing (to LAN, from pf) http traffic into the queue lan_http?

Thank you very much for taking the time to read all this and reply.

-- 
Zeus V. Panchenko
IT Dpt., IBS ltd
GMT+2 (EET)
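A small cross-check of the two outputs in the post, added here as an example and not part of the original message: it parses `tcpdump -ettt` pflog lines together with the `pfctl -gsr` rule listing and reports, per rule and direction, which queue the matching rule carries, and whether a rule's literal destination host ever appears in the log. The sample data is constructed from the post's own output; the function names are the example's own.

```python
"""Added diagnostic (not from the original post): cross-check 'tcpdump -n -i pflog0 -ettt'
lines against 'pfctl -gsr' output to see which rule, and so which queue, each packet hit."""
import re
from collections import Counter

PFLOG_RE = re.compile(r"^\S+ rule (?P<rule>\d+)/\d+\(\w+\): \w+ (?P<dir>in|out) "
                      r"on (?P<iface>\w+): [\d.]+\.\d+ > (?P<dst>[\d.]+)\.\d+:")
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")
QUEUE_RE = re.compile(r"^\s*\[ queue: qname=(?P<qname>\S*) ")

def parse_rules(text):
    """Map rule number -> {'text', 'queue'} from pfctl -gsr output (queue None if unset)."""
    rules, cur = {}, None
    for line in text.splitlines():
        m, q = RULE_RE.match(line), QUEUE_RE.match(line)
        if m:
            cur = int(m.group("num"))
            rules[cur] = {"text": m.group("text"), "queue": None}
        elif q and cur is not None:
            rules[cur]["queue"] = q.group("qname") or None
    return rules

def tally(pflog, rules):
    """Count packets per (rule, direction, iface) and attach that rule's queue name."""
    counts = Counter()
    for m in map(PFLOG_RE.match, pflog.splitlines()):
        if m:
            counts[(int(m.group("rule")), m.group("dir"), m.group("iface"))] += 1
    return {k: (n, rules.get(k[0], {}).get("queue")) for k, n in counts.items()}

def destination_mismatch(pflog, rules, num):
    """Return the rule's literal 'to' host if no logged packet is addressed to it, else None."""
    m = re.search(r" to (\d+\.\d+\.\d+\.\d+)", rules[num]["text"])
    seen = {p.group("dst") for p in map(PFLOG_RE.match, pflog.splitlines()) if p}
    return m.group(1) if m and m.group(1) not in seen else None

# Constructed from the post's output (TCP options trimmed, "Skip steps" lines dropped).
SAMPLE_PFLOG = """\
00:00:00.001251 rule 18/0(match): pass in on tun0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, length 1428
00:00:00.000004 rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: Flags [.], ack 326, win 54, length 1428
00:00:00.000480 rule 10/0(match): pass in on ale0: 172.16.10.12.40650 > 213.130.10.226.80: Flags [R], seq 2961119950, win 0, length 0
"""
SAMPLE_RULES = """\
@10 pass in log (all) on ale0 inet from 10.200.50.0/24 to any flags S/SA keep state (if-bound)
  [ queue: qname= qid=0 pqname= pqid=0 ]
@18 pass out log (all) on tun0 inet proto tcp from any to any port = http flags S/SA keep state (if-bound) queue wan_http
  [ queue: qname=wan_http qid=2 pqname= pqid=2 ]
@24 pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
  [ queue: qname=lan_http qid=6 pqname= pqid=6 ]
"""
```

On a real box, feed `parse_rules` and `tally` the captured outputs of the two commands; a packet stream whose every entry lands on a rule with `queue=None` is exactly the case where a queue's pftop counters stay at zero.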