if_bridge + pf rdr (bridged inline proxy)

Eygene Ryabinkin rea-fbsd at codelabs.ru
Thu Nov 27 06:00:17 PST 2008

Kevin, good day.

Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
> I recently setup a bridge box with inline cache proxy. if_bridge with
> pf filtering was working perfectly. However, squid-cache listening on
> loopback device did not get any packets from pf rdr. I have seen
> successful setups with OpenBSD's bridge spamd which is rather a similar
> setup. Is something broken on FreeBSD's if_bridge or am I missing some
> configuration here?

pf can 'rdr' only incoming packets (from 'man pf.conf'):
     Evaluation order of the translation rules is dependent on the type of the
     translation rules and of the direction of a packet.  binat rules are
     always evaluated first.  Then either the rdr rules are evaluated on an
     inbound packet or the nat rules on an outbound packet.  Rules of the same
     type are evaluated in the same order in which they appear in the ruleset.
     The first matching rule decides what action is taken.
So this can be just pf-related.  And maybe not, as usual...
 _                ___       _.--.   #
 \`.|\..----...-'`   `-._.-'_.-'`   #  Remember that it is hard
 /  ' `         ,       __.--'      #  to read the on-line manual   
 )/' _/     \   `-_,   /            #  while single-stepping the kernel.
 `-'" `"\_  ,_.-;_.-\_ ',  fsc/as   #
     _.-'_./   {_.'   ; /           #    -- FreeBSD Developers handbook 
    {_.-``-'         {_/            #
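The man page excerpt above says that rdr is evaluated only for packets coming inbound on an interface. The following pf.conf fragment is an added example, not configuration from Kevin's box or from Eygene's reply, showing where that constraint puts the redirect rule on an if_bridge host: the rdr must sit on the bridge member interface where the client traffic enters, and the target has to be an address local to the box (the loopback address the proxy listens on). Interface names, the LAN range, the proxy port and the sysctl are assumptions; the proxy itself is assumed to be running in transparent mode on 127.0.0.1:3128.

```pf
# Added example (not from the thread): transparent HTTP proxy on an
# if_bridge box with pf.  Assumptions: bridge0 has members em0 (client
# side) and em1 (uplink), squid listens on 127.0.0.1:3128 in transparent
# mode, and pf is allowed to see member-interface traffic with
#   sysctl net.link.bridge.pfil_member=1

int_if    = "em0"              # bridge member facing the clients (assumed)
lan_net   = "192.168.1.0/24"   # client range (assumed)
proxy     = "127.0.0.1"
proxy_port = "3128"

# Packets redirected to loopback are delivered locally; do not filter
# them a second time on lo0.
set skip on lo0

# rdr rules are evaluated only on *inbound* packets (pf.conf(5)), so the
# rule is attached to the interface on which client traffic arrives.
# Anything else (the uplink side, outbound direction) never matches rdr.
rdr on $int_if inet proto tcp from $lan_net to any port 80 \
    -> $proxy port $proxy_port

# Translation only rewrites the address; the filter still has to admit
# the packet.  Filter rules see the post-translation destination, so the
# pass rule is written against the loopback proxy address.  keep state
# lets the proxy's replies flow back to the client through the same
# state entry.
pass in quick on $int_if inet proto tcp from $lan_net \
    to $proxy port $proxy_port keep state

# Remaining bridged traffic is left alone in this example.
pass quick all
```

If the redirect still shows nothing on the proxy socket, `pfctl -s state` and `pfctl -s nat` on the bridge host show whether the rdr rule ever matched; a missing state entry for port 3128 points at the packet not arriving inbound on `$int_if` (bridge filtering disabled, or the rule on the wrong member), rather than at squid.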