Anyone using squid and pf?

Wed Nov 28 23:28:08 UTC 2012

On 27 November 2012 22:01, Leslie Jensen <leslie at eskk.nu> wrote:
>
>
> Volodymyr Kostyrko skrev 2012-11-26 21:50:
>>
>> 26.11.2012 20:40, Leslie Jensen:
>>
>>> Rules from pf.conf
>>>
>>> --------------------------------------------
>>> # macros
>>> ext_if="xl0"
>>> int_if="bge0"
>>>
>>> tcp_services="{ 22, 993, 5910:5917 }"
>>> tcp_priv_services="{ 389, 443 }"
>>> proxy_services = "{ 21, 80 }"
>>> icmp_types="{ echoreq unreach squench timex }"
>>> internal_net = "172.18.0.0/16"
>>> proxy = "172.18.0.1"
>>> proxyport="8021"
>>>
>>> # tables
>>> table <goodguys> persist
>>> table <sshguard> persist
>>>
>>> # options
>>> set block-policy return     # ports are closed but can be seen
>>> set loginterface $ext_if
>>>
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www trafic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port
>>> $proxy_services -> $proxy port 8080
>>
>>
>> I could be wrong here but I think you have a loop. You are redirecting
>> from local interface to local interface i.e. the result of redirect is
>> still subject for redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>>
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
>> so port for transparent forwarding is unreachable except when explicitly
>> redirecting to it.
>>
>> Personally I newer allow such ambiguity in my configs.
>>
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule so that's why
> I use port 8021.
>
> Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
>
> /Leslie
>

Well, that depends on what you want to do.

If you want FTP traffic to go to ftp-proxy running on the firewall,
then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on $proxy.

Let's redo your redirects correctly.
I'll expand upon Volodymyr's idea of not confusing normal rules with
ones matching a packet that was redirected, through the use of tags.

# 1/ redirect web traffic to the proxy $proxy on port $proxyport
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
port $proxyport tag rdr_proxy

# 2/ redirect FTP traffic to the ftp-proxy running on the local
machine on port 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21
-> 127.0.0.1 port 8021 tag rdr_ftp

# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy

# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ access rule to allow your proxy to do whatever it wants in a very
limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80
443 } flags S/SAFR

I liked Volodymyr's original intent behind the "rdr pass", the use of
tags here allows you to setup actual pass/block rules and still match
packets coming from a redirect.
This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to

Well basically it only has advantages.

Let me know if that helped.