if_bridge + pf rdr (bridged inline proxy)

Kevin Foo chflags at gmail.com
Thu Nov 27 04:58:40 PST 2008


Hi list,

I recently set up a bridge box with an inline cache proxy. if_bridge with
pf filtering was working perfectly. However, squid-cache listening on the
loopback device did not get any packets from pf rdr. I have seen
successful setups with OpenBSD's bridge spamd, which is a rather similar
setup. Is something broken in FreeBSD's if_bridge, or am I missing some
configuration here?


pfctl -ss (on bridge box):
------------------
all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041   CLOSED:SYN_SENT
all tcp 192.168.1.100:1041 -> 127.0.0.1:3128   SYN_SENT:CLOSED


Environment
------------------
FreeBSD bridge.mybox 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 25 22:56:22 MYT 2008     kev at bridge.mybox:/usr/obj/usr/src/sys/BRIDGE  i386

Squid Cache: Version 2.7.STABLE5 with --enable-pf-transparent


rc.conf:
------------------
cloned_interfaces="bridge0"
ifconfig_bridge0="addm bge0 addm bge1 up"
ifconfig_bge0="up"
ifconfig_bge1="up"
pf_enable="YES"
squid_enable="YES"

pf.conf:
------------------
int_if="bge0"
ext_if="bge1"
rdr pass on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128
pass in all
pass out all
pass on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128


sysctl net.link.bridge :
------------------
net.link.bridge.ipfw: 0
net.link.bridge.log_stp: 0
net.link.bridge.pfil_local_phys: 1
net.link.bridge.pfil_member: 1
net.link.bridge.pfil_bridge: 0
net.link.bridge.ipfw_arp: 0
net.link.bridge.pfil_onlyip: 0


Hping Testing (from client 192.168.1.100):
------------------
hping -S -p 80 -c 10 www.google.com


In a quick search of the freebsd-pf archive, I found a thread on a similar setup from 2004.

http://lists.freebsd.org/pipermail/freebsd-pf/2004-October/000522.html

However, FreeBSD's bridge code was blamed there for poor performance
and lack of functionality. There is also a more recent post on the
freebsd-net mailing list about a similar issue.

http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019556.html

Any ideas? TIA.


P.S.: please CC me, as I'm not subscribed to the freebsd-pf or freebsd-net
mailing lists. Thanks.

-- 
Regards
Kevin Foo

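As an added example (it is not part of the post, nor code from pf or squid), here is a small Python reader for `pfctl -ss` output of the kind quoted above. It parses each TCP state line into client, redirect target and original destination, and flags rdr'd flows whose redirected side is still CLOSED while the client sits in SYN_SENT, which is the pattern in the two quoted states: pf matched the rdr and created the state, but nothing at 127.0.0.1:3128 ever replied. The sample input is constructed (the two quoted states plus an invented healthy flow for contrast), and the reading of the state pair (the left state belongs to the left-hand endpoint, the right state to the right-hand one) is an assumption consistent with those lines rather than something the post states.

```python
"""Read `pfctl -ss` TCP state lines and flag rdr'd flows whose redirected
side never left CLOSED (the SYN was translated and passed, but nothing at
the new destination answered)."""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (not captured from the poster's box): the two
# states quoted in the post plus one invented healthy redirected flow.
SAMPLE_STATES = """\
all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041   CLOSED:SYN_SENT
all tcp 192.168.1.100:1041 -> 127.0.0.1:3128   SYN_SENT:CLOSED
all tcp 127.0.0.1:3128 <- 72.14.207.99:80 <- 192.168.1.101:2001   ESTABLISHED:ESTABLISHED
"""

# "<iface> tcp <endpoints> <left_state>:<right_state>"; endpoints hold two or
# three host:port tokens joined by " <- " (inbound) or " -> " (outbound).
LINE_RE = re.compile(r"^(\S+)\s+tcp\s+(.+?)\s+(\S+):(\S+)$")


@dataclass
class TcpState:
    iface: str
    direction: str               # "in" for "<-" lines, "out" for "->" lines
    client: str                  # endpoint that sent the SYN
    server: str                  # endpoint the SYN is delivered to (post-translation)
    original_dst: Optional[str]  # pre-rdr destination, only on translated "<-" lines
    client_state: str
    server_state: str

    @property
    def redirected(self) -> bool:
        return self.original_dst is not None

    @property
    def unanswered(self) -> bool:
        # Client stuck in SYN_SENT and the server side never moved off CLOSED:
        # pf translated and passed the SYN, but no SYN/ACK ever came back.
        return self.client_state == "SYN_SENT" and self.server_state == "CLOSED"


def parse_state_line(line: str) -> Optional[TcpState]:
    """Parse one TCP line of `pfctl -ss`; return None for other protocols/formats.

    Assumption (consistent with the two states in the post): the state pair is
    printed in the same left-to-right order as the endpoints, so on "<-" lines
    the left state is the local/translated destination's and the right state
    is the remote source's; on "->" lines it is the other way round.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    iface, endpoints, left_state, right_state = m.groups()
    if " <- " in endpoints:
        # inbound: translated-dst <- original-dst <- src   (middle only with rdr)
        hosts = endpoints.split(" <- ")
        server, client = hosts[0], hosts[-1]
        original_dst = hosts[1] if len(hosts) == 3 else None
        return TcpState(iface, "in", client, server, original_dst,
                        client_state=right_state, server_state=left_state)
    if " -> " in endpoints:
        # outbound: src -> translated-src -> dst   (middle only with nat)
        hosts = endpoints.split(" -> ")
        client, server = hosts[0], hosts[-1]
        return TcpState(iface, "out", client, server, None,
                        client_state=left_state, server_state=right_state)
    return None


def parse_states(text: str) -> List[TcpState]:
    states = []
    for line in text.splitlines():
        st = parse_state_line(line)
        if st is not None:
            states.append(st)
    return states


def find_unanswered_redirects(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, original_dst, redirect_target) for rdr'd flows with no reply."""
    return [(s.client, s.original_dst, s.server)
            for s in parse_states(text)
            if s.redirected and s.unanswered]


if __name__ == "__main__":
    # On the bridge box:  pfctl -ss | python3 pfstates.py
    # Run interactively with no piped input, it falls back to the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATES
    for client, orig, target in find_unanswered_redirects(data):
        print(f"{client} -> {orig} was rdr'd to {target}, but {target} never answered")
```

An unanswered redirect like this only tells you that the translated SYN was never answered, not where it was lost; the next checks on the box are whether anything is actually bound to the target (`sockstat -4l | grep 3128`) and whether the packet ever reaches the loopback interface (`tcpdump -ni lo0 port 3128`) or is instead carried on to the other bridge member (`tcpdump -ni bge1 port 3128`).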