transparent proxy traffic queue ...
Daniel Hartmeier
daniel at benzedrine.cx
Mon Apr 11 08:57:33 UTC 2011
On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
> pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> to any port { $ports_proxy } keep state queue wan_http
> pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
> to $if_lan:network queue lan_http
The second rule looks wrong. Those connections are incoming (not
outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
$ports_proxy'.
I assume you have some rdr rule, too, so the log (all) option must
be on the rule matching THAT, i.e.
rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
-> $if_lan:0 port 3128
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
to $if_lan:0 port 3128
Run pfctl -vvss and see what states you have, and what rules they
are based on (compare with numbers in pfctl -gsr output), probably
not the right ones (with proper log and queue options).
Also, add a default block rule; then it becomes clear when a
connection doesn't match the expected rule: it gets blocked instead
of passing with wrong options...
Daniel
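The following pf.conf fragment is an added illustration of the layout Daniel describes, not something posted in the thread. Interface names, bandwidth figures and the proxy port (3128, as in the reply above) are assumptions; the macro names $if_wan, $if_lan and $ports_proxy and the queue names wan_http and lan_http are taken from the quoted rules. The point it shows is the ordering: the rdr rule first, then a default block, then the `pass in` rule that matches the redirected connections on $if_lan (logging and queueing them), and a separate `pass out` on $if_wan for the proxy's own upstream connections.

```pf
# Added example, not from the original thread. Interfaces, bandwidths
# and the proxy port are assumptions for illustration only.
if_wan      = "em0"
if_lan      = "em1"
ports_proxy = "{ 80, 443 }"
port_squid  = "3128"

# ALTQ queues per interface (figures are made up); queueing section
# must precede translation and filtering in pf.conf
altq on $if_wan cbq bandwidth 10Mb queue { wan_def, wan_http }
queue wan_def  bandwidth 70% cbq(default)
queue wan_http bandwidth 30% cbq(borrow)

altq on $if_lan cbq bandwidth 100Mb queue { lan_def, lan_http }
queue lan_def  bandwidth 70% cbq(default)
queue lan_http bandwidth 30% cbq(borrow)

# Transparent proxy: LAN web traffic is redirected to the proxy
# listening on the firewall's own LAN address
rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
    -> $if_lan:0 port $port_squid

# Default block: a connection that misses the intended rule shows up
# in pflog as a block instead of passing with the wrong log/queue options
block log all

# Redirected connections arrive INBOUND on $if_lan, destined for the
# firewall's LAN address and the proxy port. log (all) goes here, and
# the queue option on this inbound rule queues the replies that leave
# on $if_lan (the pages the proxy sends back to the clients).
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port $port_squid keep state queue lan_http

# The proxy's own upstream fetches leave OUTBOUND on $if_wan
pass out log (all) on $if_wan inet proto tcp from $if_wan:0 \
    to any port $ports_proxy keep state queue wan_http
```

After loading this, the check Daniel recommends still applies: `pfctl -vvss` lists each state with the rule it was created by, and `pfctl -gsr` shows the rules with their numbers, so a client connection should map to the `pass in ... port 3128` rule and the proxy's upstream connection to the `pass out on $if_wan` rule; anything else will now be a logged block rather than a silently mis-queued pass.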
More information about the freebsd-pf mailing list