Subject: Re: Anyone using squid and pf?
Date: Thu, 29 Nov 2012 00:28:06 +0100
From: Damien Fleuriot
To: Leslie Jensen
Cc: Volodymyr Kostyrko, freebsd questions list

On 27 November 2012 22:01, Leslie Jensen wrote:
>
>
> Volodymyr Kostyrko wrote on 2012-11-26 21:50:
>>
>> 26.11.2012 20:40, Leslie Jensen:
>>
>>> Rules from pf.conf
>>>
>>> --------------------------------------------
>>> # macros
>>> ext_if="xl0"
>>> int_if="bge0"
>>>
>>> tcp_services="{ 22, 993, 5910:5917 }"
>>> tcp_priv_services="{ 389, 443 }"
>>> proxy_services = "{ 21, 80 }"
>>> icmp_types="{ echoreq unreach squench timex }"
>>> internal_net = "172.18.0.0/16"
>>> proxy = "172.18.0.1"
>>> proxyport="8021"
>>>
>>> # tables
>>> table persist
>>> table persist
>>>
>>> # options
>>> set block-policy return # ports are closed but can be seen
>>> set loginterface $ext_if
>>>
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www traffic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>>
>>
>> I could be wrong here but I think you have a loop. You are redirecting
>> from local interface to local interface, i.e. the result of the redirect is
>> still subject to redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>>
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
>> so the port for transparent forwarding is unreachable except when explicitly
>> redirecting to it.
>>
>> Personally I never allow such ambiguity in my configs.
>>
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule, so that's why
> I use port 8021.
>
> Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
>
> /Leslie
>

Well, that depends on what you want to do.

If you want FTP traffic to go to ftp-proxy running on the firewall, then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on $proxy.

Let's redo your redirects correctly. I'll expand upon Volodymyr's idea of not confusing normal rules with ones matching a packet that was redirected, through the use of tags.

# 1/ redirect web traffic to the proxy $proxy on port $proxyport
# (rdr rules take no "in" keyword, they apply to packets arriving on the interface;
#  "tag" goes before the "->" redirect target)
rdr on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

# 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
rdr on $int_if inet proto tcp from $int_if:network to any port 21 tag rdr_ftp -> 127.0.0.1 port 8021

# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy

# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ access rule to allow your proxy to do whatever it wants, in a very limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

I liked Volodymyr's original intent behind the "rdr pass"; the use of tags here allows you to set up actual pass/block rules and still match packets coming from a redirect.

This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to

Well, basically it only has advantages.

Let me know if that helped.
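For context, here is an added example (not from Damien's or Leslie's mail) that assembles the tagged redirects into one complete pf.conf using Leslie's interface and address macros; it shows the original redirect commented out next to the tagged version. It assumes squid listens on 172.18.0.1:8080 (so proxyport is 8080 here, not 8021 as in the original macro), that ftp-proxy(8) runs on the firewall on 127.0.0.1:8021 with its usual anchors, and that the proxy may be a separate host on the LAN.

```pf
# Added example, not from the thread. Assumptions: squid on $proxy:8080,
# ftp-proxy(8) on the firewall at 127.0.0.1:8021, proxy possibly a LAN host.
ext_if="xl0"
int_if="bge0"
internal_net="172.18.0.0/16"
proxy="172.18.0.1"
proxyport="8080"      # squid (assumed); the original macro said 8021
ftpproxy_port="8021"  # ftp-proxy(8) on the firewall

set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in

# ftp-proxy(8) installs its own nat/rdr/filter rules in these anchors.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# ORIGINAL redirect (Leslie's $proxy_services expanded). If the proxy is a
# separate LAN host, $proxy lies inside $internal_net, so squid's own
# outbound port-80 connections arrive on $int_if and get redirected again.
# rdr on $int_if inet proto tcp from $internal_net to any port { 21, 80 } -> $proxy port 8080

# 1/ web traffic (but not the proxy's own) to squid, tagged so filter
#    rules can recognise redirected packets; "tag" precedes "->"
rdr on $int_if inet proto tcp from !$proxy to any port 80 \
    tag rdr_proxy -> $proxy port $proxyport
# 2/ FTP control connections to ftp-proxy on the firewall, tagged
rdr on $int_if inet proto tcp from $int_if:network to any port 21 \
    tag rdr_ftp -> 127.0.0.1 port $ftpproxy_port

block all               # default deny; only tagged/explicit traffic passes
anchor "ftp-proxy/*"    # data-channel rules added at runtime by ftp-proxy

# 3/ and 4/: only packets that actually went through a redirect are passed
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
# 5/ the proxy's own fetches, needed only if it is a separate LAN host
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
# squid/ftp-proxy on the firewall and forwarded traffic leaving upstream
# (other LAN traffic such as DNS needs its own pass rules; omitted here)
pass out quick on $ext_if inet proto tcp flags S/SAFR keep state
pass out quick on $ext_if inet proto udp to any port 53 keep state
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading; `pfctl -s nat` then shows the two rdr rules and `pfctl -s rules` the tagged pass rules.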