transparent proxy traffic queue ...
Zeus V Panchenko
zeus at ibs.dn.ua
Mon Apr 11 15:22:34 UTC 2011
Daniel Hartmeier (daniel at benzedrine.cx) [11.04.11 11:57] wrote:
> On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
>
> > pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> > to any port { $ports_proxy } keep state queue wan_http
> > pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
> > to $if_lan:network queue lan_http
>
> The second rule looks wrong. Those connections are incoming (not
> outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
> $ports_proxy'.
proxy is bent to if_lan:0
first rull catches traffic from LAN to inet so, the sequence is:
LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
and backward ...
some_web_server -> if_wan -> proxy server -> if_lan -> LAN
is it because proxy LAN address is bent to if_lan:0 the traffic on
if_lan is incoming rather than outgoing?
> I assume you have some rdr rule, too, so the log (all) option must
> be on the rule matching THAT, i.e.
>
> rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
> -> $if_lan:0 port 3128
> pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
> to $if_lan:0 port 3128
yes, i have rdr rull
rdr on $if_lan proto { tcp, udp } from ! <ADMINS> to ! 172.16/12 \
port { $ports_proxy } -> $if_lan:0 port 3128
and after addition of rull
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
to $if_lan:0 port 3128
at last i can see traffic outgoing to LAN
00:00:00.016574 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 3758, win 8326, options [nop,nop,TS val 3521710434 ecr 560947], length 0
00:00:00.000200 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 376
00:00:00.000017 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 180
00:00:00.098247 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 4307, win 8326, options [nop,nop,TS val 3521710989 ecr 561085], length 0
00:00:00.000207 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 4307, win 8326, options [nop,nop,TS val 3521711168 ecr 561085], length 514
but when i'm trying to catch it and direct to queue it fails
pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } to $if_lan:network queue lan_http
pass in log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } to $if_lan:network queue lan_http
> Run pfctl -vvss and see what states you have, and what rules they
> are based on (compare with numbers in pfctl -gsr output), probably
> not the right ones (with proper log and queue options).
in pfctl output i still can see only outgoing to internet states ... no incoming
> Also, add a default block rule, then it becomes clear when a
> connection doesn't match the expected rule, it gets blocked instead
> of passing with wrong options...
i have the rull (i was posting pf.conf in the first message)
--
Zeus V. Panchenko
IT Dpt., IBS ltd GMT+2 (EET)
More information about the freebsd-pf
mailing list