Transparent proxy with ! and table issues..

B. Cook bcook at poklib.org
Thu Sep 28 18:17:36 PDT 2006


Hello,

I'm not sure how to explain this but I will do my best.

I have a FreeBSD 6.1-p7 box running pf.

sis0 10.0.0.87/25
xl0 192.168.1.3/24
gw is 10.0.0.62

pf rules are simple:
public_if       ="sis0"
staff_if        ="xl0"
proxy_server    ="192.168.1.3"

table <noproxy> const {172.16.10.0/24}
table <localnets> const { 172.16.1.0/24, 192.168.1.0/24, 10.0.0.0/25 }
rdr on {$staff_if, $public_if} inet proto tcp from <localnets> to !<noproxy> port www -> $proxy_server port 8080


TRANSLATION RULES:
rdr on xl0 inet proto tcp from <localnets> to ! <noproxy> port = http -> 192.168.1.3 port 8080
rdr on sis0 inet proto tcp from <localnets> to ! <noproxy> port = http -> 192.168.1.3 port 8080

FILTER RULES:
No queue in use

Here is what I am trying to accomplish:
To have 'local' traffic on the 172.16.1.0/24, 10.0.0.0/25 and
192.168.1.0/24 networks be able to connect to the 192.168.1.53 and 192.168.1.52
servers without being pushed through the pf rdr.

What I currently have is that I can connect to the webserver directly from all
the localnets, but I cannot attach to 192.168.1.52 from the 10/25; it
pushes me through the squid proxy and gives an error.

Located at 192.168.1.53 is a webserver; located at 192.168.1.52 is a
program called ezproxy (for remote database access; we are a library).
The .53 and .52 are on a different fbsd box.  The .52 is the aliased IP.

(192.168.1.52) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]
(192.168.1.53) at 00:08:c7:f3:e4:e2 on xl0 [ethernet]

This is what the clients see:

squidclient -l 192.168.1.3 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*

'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a successful test, as the page was displayed to the 192.168.1.0
client.

squidclient -l 192.168.1.3 -v http://192.168.1.52
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*

'
2006-09-28 21:12:05 [1]: 0.208 secs, 6.347656 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:12:05 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:12:05 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.52 | less
headers: 'GET http://192.168.1.52 HTTP/1.0
Accept: */*

'
2006-09-28 21:13:23 [1]: 0.205 secs, 6.440549 KB/s (2KB)
HTTP/1.0 502 Bad Gateway
Server: squid/2.5.STABLE14
Mime-Version: 1.0
Date: Fri, 29 Sep 2006 01:13:23 GMT
Content-Type: text/html
Content-Length: 1063
Expires: Fri, 29 Sep 2006 01:13:23 GMT
X-Squid-Error: ERR_READ_ERROR 54
X-Cache: MISS
Proxy-Connection: close

This is a failure.

squidclient -l 10.0.0.87 -v http://192.168.1.53
headers: 'GET http://192.168.1.53 HTTP/1.0
Accept: */*

'
HTTP/1.0 200 OK
Vary: Accept-Encoding
Content-Type: text/html
ETag: "-2046984779"
Accept-Ranges: bytes
Last-Modified: Fri, 22 Sep 2006 12:53:33 GMT
Content-Length: 11185
Date: Fri, 29 Sep 2006 01:09:25 GMT
Server: lighttpd/1.4.11

This is a success.

So what I think I am seeing is that hosts destined for the 192.168.1.0 network are
still being pushed through the proxy.

But it looks like my pf rules are saying something different.

Can someone help me understand what I am missing or doing wrong?

Thanks in advance.

- Brian
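An added example, not the poster's config and not a confirmed fix for the problem above, showing the same transparent-proxy rdr written with an explicit exception for the two local servers. It assumes the goal is that 192.168.1.52 and 192.168.1.53 are reached directly from every network in <localnets>, and that the rdr rule is one line in the real pf.conf (the wrapped line in the mail would not parse as written).

```pf
# Added example (not the poster's pf.conf). Interfaces, addresses and the
# 172.16.10.0/24 entry are taken from the mail; the two server addresses
# in <noproxy> are the assumed exception set.
public_if       = "sis0"
staff_if        = "xl0"
proxy_server    = "192.168.1.3"

table <localnets> const { 172.16.1.0/24, 192.168.1.0/24, 10.0.0.0/25 }

# Destinations that must never be redirected into squid. In the original
# table only 172.16.10.0/24 is listed, so connections to .52 and .53 still
# match the catch-all rdr below; listing them here is what excludes them.
table <noproxy>   const { 172.16.10.0/24, 192.168.1.52, 192.168.1.53 }

# Explicit exception, evaluated before the catch-all rdr. "no rdr" stops
# translation for matching packets and shows up as its own line in
# "pfctl -sn", which makes the exception easy to verify.
no rdr on { $staff_if, $public_if } inet proto tcp from <localnets> to <noproxy> port www

# The catch-all redirect, kept on a single line. A line break inside a
# rule is a syntax error unless the line ends with a backslash.
rdr on { $staff_if, $public_if } inet proto tcp from <localnets> to !<noproxy> port www -> $proxy_server port 8080
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare `pfctl -sn` afterwards against the TRANSLATION RULES output in the mail to confirm the `no rdr` line is present.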
