rdr not working for transparent http - 5.4-stable

Max Laier max at love2party.net
Thu Jul 28 12:59:05 GMT 2005


On Thursday 28 July 2005 14:47, Giovanni P. Tirloni wrote:
> Hello,
>
>   I've deployed dozens of gateways with transparent HTTP proxy but this
> time it isn't working and I suspect pf is somehow involved in this.
> Packets aren't being redirected anywhere. I've disabled filtering
> totally to debug this.
>
>   I've a rule to redirect every connection attempt to port 80 to
> 127.0.0.1 port 3128:
>
>   rdr on $lan_if proto tcp from { $lan_net } to any port 80 -> 127.0.0.1 port 3128
>
>   In squid.conf I've enabled this:
>
>   httpd_accel_host virtual
>   httpd_accel_port 80
>   httpd_accel_with_proxy on
>   httpd_accel_uses_host_header on
>
>
>   The rdr rule is being matched and with tcpdump I see packets coming
> into the $lan_if but nothing gets to $ext_if or loopback. They simply
> disappear (and the originating machine doesn't get an answer back).
>
>   Running tcpdump on pflog0 doesn't show anything either (as expected
> since there's no filter rule).
>
>   This was happening on 5.3-STABLE and I updated the system to
> 5.4-STABLE this week. Both $int_if and $ext_if are vr interfaces.
>
>   Weird enough.. this works on every other box except this and another
> one. And nothing fixes it.
>
>   Any way to debug this? I've run out of ideas.

One thing comes to my mind: What does
    $ sysctl net.inet.ip.forwarding
say?

> Thanks in advance,

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News