transparent proxy traffic queue ...
Zeus V Panchenko
zeus at ibs.dn.ua
Mon Apr 11 05:56:17 UTC 2011
Hi all,
While trying to shape bandwidth for transparent proxy traffic I faced
behaviour that is weird to me ... may somebody help me understand where I am
making a mistake, please?
I use Squid as the proxy (installed from ports and configured with
WITH_SQUID_PF=true, WITH_SQUID_IPFILTER=true); it works and my LAN can
browse the internet transparently (without setting a proxy in the browser options).
Squid is configured with delay pools, but I want to send it through a pf
queue too.
The network topology is simple:
(LAN) <-> ale0 [FreeBSD-8.2-STABLE i386] xl0(tun0) <-> [ADSL bridge] <-> (INTERNET)
The problem is that traffic outgoing from the proxy to the internet is
going through the queue on $if_wan, and I can see it while tcpdumping
pflog0, but I can not see on pflog0 the traffic incoming from the internet to the
LAN, nor any outgoing traffic through the $if_lan interface while tcpdumping
pflog0 ...
While trying:
> tcpdump -n -i pflog0 -ttte -s0 port 80
I can see only outgoing traffic from the LAN to the internet:
...
00:00:00.000000 rule 12/0(match): pass out on tun0: my.wan.ip.here.56987 > 206.127.23.230.80: Flags [S], seq 3641245239, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114160025 ecr 0], length 0
00:00:00.023229 rule 12/0(match): pass out on tun0: my.wan.ip.here.53120 > 64.147.113.42.80: Flags [S], seq 3951546220, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114164836 ecr 0], length 0
00:00:00.479411 rule 12/0(match): pass out on tun0: my.wan.ip.here.40511 > 199.7.50.72.80: Flags [S], seq 3596234346, win 65535, options [mss 1452,nop,wscale 3,sackOK,TS val 114462122 ecr 0], length 0
...
But if I run
> tcpdump -n -i ale0 -ttte -s0 port 80
then I can see all the traffic, of course ...
What am I missing, please? Why is traffic outgoing to the LAN missed on pflog0?
And yet, the same picture is with SMB traffic ... I can see only
traffic from LAN to WAN.
My tailored pf.conf is:
if_wan = "tun0"
if_lan = "ale0"
ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"
ports_nat = "ntp, xmpp-client, 5223, xmpp-server"
ports_smb = "135:139, 445"
table <ADMINS> persist file "/etc/pf.tbl.admins"
table <PASS_WAN> persist file "/etc/pf.tbl.pass_wan"
set skip on lo0
set optimization conservative
set ruleset-optimization basic
altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
queue wan_http bandwidth 150Kb priority 2
queue wan_rest bandwidth 850Kb cbq(default)
altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http }
queue lan_http bandwidth 2Mb priority 2
queue lan_rest bandwidth 98Mb cbq(default)
rdr on $if_lan proto { tcp, udp } from ! <ADMINS> \
to ! 172.16/12 port { $ports_proxy } -> $if_lan:0 port 3128
nat on $if_wan from <ADMINS> to any -> ($if_wan)
nat on $if_wan from ! <ADMINS> to port { $ports_nat } -> ($if_wan)
antispoof for { $if_wan, $if_lan }
block in log
pass in log inet proto icmp all icmp-type echoreq
pass in log on $if_wan inet proto { tcp, udp } from { <PASS_WAN> } \
to ($if_wan) port ssh
pass in log on $if_lan
pass out log on $if_wan
pass out log on $if_lan
block drop out log on $if_wan from any \
to { 127/8, 10/8, 172.16/12, 192.168/16 }
pass out log on $if_wan inet proto { tcp, udp } from $if_lan:0 \
to any port { $ports_proxy } keep state queue wan_http
pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
to $if_lan:0 queue lan_http
pass out log on $if_lan inet proto { tcp, udp } from any port { $ports_smb } \
to $if_lan:network queue lan_smb
pass out log on $if_vpn inet proto { tcp, udp } from $if_lan:network \
to any port { $ports_smb } queue vpn_smb
--
Zeus V. Panchenko
IT Dpt., IBS ltd GMT+2 (EET)
More information about the freebsd-pf mailing list
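An added example (the editor's, not part of the original post or any reply to it) showing how pf's state-bound logging and queueing behave on a ruleset of the shape above. pf evaluates the ruleset only for the packet that creates a state; every later packet of that connection, in both directions, is matched against the state entry and inherits the log flag and the queue of the rule that created it. A reply therefore appears on pflog0 only if the state-creating rule says `log (all)`, and it is queued by that same rule, not by a `pass out` rule on the return path. The fragment reuses the post's macro, table and queue names and assumes Squid listens on port 3128 as in the post's rdr rule; everything else in it is the editor's.

```pf
# Added example, not the poster's config.  pf stores the log flag and the
# queue of the rule that created a state and applies them to every packet
# of that state, in both directions.  Macro, table and queue names are the
# ones from the post's pf.conf; the rules themselves are the editor's.

if_wan = "tun0"
if_lan = "ale0"
ports_proxy = "http, https, ftp, ftp-data, ftps, ftps-data"
table <ADMINS> persist file "/etc/pf.tbl.admins"

altq on $if_wan cbq bandwidth 1Mb queue { wan_rest, wan_http }
queue wan_http bandwidth 150Kb priority 2
queue wan_rest bandwidth 850Kb cbq(default)
altq on $if_lan cbq bandwidth 100% queue { lan_rest, lan_http }
queue lan_http bandwidth 2Mb priority 2
queue lan_rest bandwidth 98Mb cbq(default)

# Translation runs before filtering, so the filter rules see the
# redirected client connection with dst $if_lan:0 port 3128.
rdr on $if_lan proto tcp from ! <ADMINS> to ! 172.16/12 \
    port { $ports_proxy } -> $if_lan:0 port 3128

block in log

# Client -> proxy.  This rule creates the state for the whole TCP
# connection, so its queue is the one the proxy's replies leaving $if_lan
# are assigned to, and "log (all)" is what makes those replies show up on
# pflog0 instead of only the first SYN.  "quick" stops evaluation here so
# the generic "pass in on $if_lan" below cannot override it (without quick
# the last matching rule wins).
pass in log (all) quick on $if_lan inet proto tcp from ! <ADMINS> \
    to $if_lan:0 port 3128 keep state queue lan_http

pass in log on $if_lan

# Proxy -> origin server.  In the post's pflog output Squid's outbound
# connections carry the WAN address as source, so a rule written
# "from $if_lan:0" would not match them; match on the WAN address and the
# destination port instead.  Again the state-creating rule carries the
# queue, and "log (all)" logs the server's replies arriving on $if_wan.
pass out log (all) quick on $if_wan inet proto tcp from ($if_wan) \
    to any port { $ports_proxy } keep state queue wan_http

pass out log on $if_wan
pass out log on $if_lan
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `tcpdump -n -e -ttt -i pflog0` and `pfctl -vsq` together: with `log (all)` on the state-creating rules both directions of each proxied connection are logged, and the `lan_http` and `wan_http` counters move, whereas with `log` alone only the SYN of each connection is logged even though the queue assignment is unchanged.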