From: Abu Khaled
To: Giovanni P. Tirloni
Cc: pf@freebsd.org
Date: Sun, 31 Jul 2005 01:50:28 +0300
Subject: Re: rdr not working for transparent http - 5.4-stable

On 7/30/05, Giovanni P. Tirloni wrote:
> Giovanni P. Tirloni wrote:
> > Max Laier wrote:
> >
> >> One thing comes to my mind: What does
> >> $sysctl net.inet.ip.forwarding
> >> say?
> >
> > # sysctl net.inet.ip.forwarding
> > net.inet.ip.forwarding: 1
> >
> > I had some tweaks in /etc/sysctl but disabling them didn't help either.
> >
> > #net.inet.ip.check_interface=1
> > #net.inet.tcp.blackhole=2
> > #net.inet.udp.blackhole=1
>
> I forgot to mention this box had ipfw+dummynet (with two queues)
> activated. I disabled ipfw in the kernel and pf rdr worked again! Just
> removing the ipfw rules didn't work.
>
> Weird enough, I don't have dummynet on the other 2 machines that have
> the same problem. But ipfw is compiled in but disabled.
>
> I'll try to disable ipfw on the other boxes and see what happens there
> to confirm this.

If ipfw is compiled in the kernel and it defaults to deny all, then you
need to add rules for ipfw to allow connections to and from localhost
(127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr traffic'.

# ipfw add allow tcp from $lan_net to 127.0.0.1 3128
# ipfw add allow tcp from 127.0.0.1 3128 to $lan_net

Put the rules before any anti-spoofing rules in ipfw.

-- 
Regards.
Abu Khaled
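Added example, not part of the thread and not Giovanni's or Abu Khaled's configuration: a pf.conf rdr fragment for a transparent squid on 127.0.0.1:3128, the two ipfw allow rules placed in front of the loopback anti-spoofing denies, and a check that the ordering holds. The interface name fxp0, the LAN prefix 192.168.1.0/24, the pf pass rule and the ipfw rule numbers are assumptions (the thread never shows either box's rule set); the 200/300 deny rules are the loopback anti-spoofing rules the stock FreeBSD rc.firewall installs. The functions only print rules; nothing is applied to a live system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Interface, LAN prefix,
# proxy port and rule numbers are illustrative assumptions; adjust per box.

lan_if="fxp0"
lan_net="192.168.1.0/24"
proxy_port="3128"

# pf.conf fragment: rewrite LAN web traffic to the local proxy and pass the
# rewritten connection so pf itself does not block the redirected packets.
# (Assumed rules; the thread does not show the original pf.conf.)
pf_rdr_rules() {
    cat <<EOF
lan_if = "$lan_if"
lan_net = "$lan_net"
rdr on \$lan_if inet proto tcp from \$lan_net to any port 80 -> 127.0.0.1 port $proxy_port
pass in quick on \$lan_if inet proto tcp from \$lan_net to 127.0.0.1 port $proxy_port keep state
EOF
}

# ipfw rule set. After rdr the packets ipfw sees arrive on $lan_if with a
# 127.0.0.1 destination and leave with a 127.0.0.1 source, so the two allows
# get lower rule numbers than the loopback anti-spoofing denies (rc.firewall
# uses 200 and 300 for those); with the order reversed the denies match first.
ipfw_rules() {
    cat <<EOF
ipfw add 150 allow tcp from $lan_net to 127.0.0.1 $proxy_port
ipfw add 160 allow tcp from 127.0.0.1 $proxy_port to $lan_net
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
EOF
}

# Order check: every allow rule number must be below the first deny number,
# which is what "put the rules before any anti-spoofing rules" amounts to.
# Returns 0 when the ordering is right, 1 otherwise.
check_rule_order() {
    first_deny=$(ipfw_rules | awk '$4 == "deny" { print $3; exit }')
    ipfw_rules | awk -v d="$first_deny" \
        '$4 == "allow" && $3 >= d { bad = 1 } END { exit bad }'
}

# To apply on the firewall as root, after reviewing the printed rules:
#   ipfw_rules | sh
#   pf_rdr_rules >> /etc/pf.conf && pfctl -f /etc/pf.conf
```

The rule numbers matter because ipfw evaluates rules in numeric order and stops at the first match; `ipfw add` without a number appends after the highest existing rule, which on a box that already loaded rc.firewall puts the allows behind the 200/300 denies, exactly the situation the message warns about.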