transparent proxy traffic queue ...

Zeus V Panchenko zeus at ibs.dn.ua
Mon Apr 11 15:22:34 UTC 2011


Daniel Hartmeier (daniel at benzedrine.cx) [11.04.11 11:57] wrote:
> On Mon, Apr 11, 2011 at 11:06:48AM +0300, Zeus V Panchenko wrote:
> 
> > pass out log (all) on $if_wan inet proto { tcp, udp } from $if_wan:0 \
> >      to any port { $ports_proxy } keep state queue wan_http
> > pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } \
> >      to $if_lan:network queue lan_http
> 
> The second rule looks wrong. Those connections are incoming (not
> outgoing) on $if_lan, so it should be 'pass in log (all) ... to port
> $ports_proxy'.

The proxy is bound to if_lan:0.

The first rule catches traffic from the LAN to the internet, so the sequence is:

LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server

and backward ...

some_web_server -> if_wan -> proxy server -> if_lan -> LAN 

Is it because the proxy's LAN address is bound to if_lan:0 that the traffic on
if_lan is incoming rather than outgoing?

> I assume you have some rdr rule, too, so the log (all) option must
> be on the rule matching THAT, i.e.
> 
>   rdr on $if_lan inet proto tcp from $if_lan:network to any port 80 \
>     -> $if_lan:0 port 3128
>   pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
>     to $if_lan:0 port 3128

Yes, I have an rdr rule:

rdr on $if_lan proto { tcp, udp } from ! <ADMINS> to ! 172.16/12 \
    port { $ports_proxy } -> $if_lan:0 port 3128

and after adding the rule

pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
     to $if_lan:0 port 3128

at last I can see traffic outgoing to the LAN:

00:00:00.016574 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 3758, win 8326, options [nop,nop,TS val 3521710434 ecr 560947], length 0
00:00:00.000200 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 376
00:00:00.000017 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 3758, win 8326, options [nop,nop,TS val 3521710442 ecr 560947], length 180
00:00:00.098247 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [.], ack 4307, win 8326, options [nop,nop,TS val 3521710989 ecr 561085], length 0
00:00:00.000207 rule 12/0(match): pass out on ale0: 178.63.86.132.80 > 172.16.0.35.56256: Flags [P.], ack 4307, win 8326, options [nop,nop,TS val 3521711168 ecr 561085], length 514


but when I try to catch it and direct it to the queue, it fails:

pass out log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } to $if_lan:network queue lan_http
pass  in log (all) on $if_lan inet proto { tcp, udp } from any port { $ports_proxy } to $if_lan:network queue lan_http

> Run pfctl -vvss and see what states you have, and what rules they
> are based on (compare with numbers in pfctl -gsr output), probably
> not the right ones (with proper log and queue options).
 
In the pfctl output I can still see only the states outgoing to the internet ... no incoming ones.

> Also, add a default block rule, then it becomes clear when a
> connection doesn't match the expected rule, it gets blocked instead
> of passing with wrong options...

I have that rule (I posted pf.conf in the first message).


-- 
Zeus V. Panchenko
IT Dpt., IBS ltd			      	        GMT+2 (EET)
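As an added illustration (not part of the thread, and not Zeus's actual pf.conf), here is a minimal 2011-era FreeBSD pf.conf laying out where the log and queue options have to sit for a transparent proxy so that the proxy-to-client replies end up in the LAN queue. The interface names, the ADMINS table contents, the queue bandwidths and the proxy port list are assumptions; port 3128, the 172.16/12 subnet and the queue names come from the thread.

```pf
# Added example: transparent proxy with ALTQ queues on both legs.
# Everything below the "assumption" comments is made up for the example.

if_lan = "ale0"                  # assumption: LAN-facing interface (seen in the pflog lines)
if_wan = "em0"                   # assumption: WAN-facing interface
ports_proxy = "{ 80, 443 }"      # assumption: ports handed to the proxy
table <ADMINS> { 172.16.0.1 }    # assumption: hosts that bypass the proxy

# Queueing section: one parent per interface, a child queue for proxied traffic.
altq on $if_wan cbq bandwidth 10Mb queue { wan_default, wan_http }
  queue wan_default bandwidth 40% cbq(default)
  queue wan_http    bandwidth 60%
altq on $if_lan cbq bandwidth 100Mb queue { lan_default, lan_http }
  queue lan_default bandwidth 40% cbq(default)
  queue lan_http    bandwidth 60%

# Translation section: non-admin LAN clients talking to non-local web ports are
# redirected to the proxy bound to the LAN address. TCP only: a TCP proxy on
# 3128 cannot accept redirected UDP, so rdr'ing UDP would only break those flows.
rdr on $if_lan inet proto tcp from ! <ADMINS> to ! 172.16/12 \
    port $ports_proxy -> $if_lan:0 port 3128

# Filter section. Default deny with logging: a connection that misses the rule
# it was meant to match shows up in pflog as a block instead of silently passing
# with the wrong log/queue options.
block log all

# Leg 1, client -> proxy. Filter rules see the packet AFTER rdr, so the
# destination is already $if_lan:0 port 3128 and the packet is IN on $if_lan.
# The state created here carries the queue: replies from the proxy back to the
# client leave through $if_lan and are placed in lan_http by this state, so no
# separate "pass out on $if_lan ... queue lan_http" rule is needed (or reached).
pass in log (all) on $if_lan inet proto tcp from $if_lan:network \
    to $if_lan:0 port 3128 keep state queue lan_http

# Leg 2, proxy -> origin server. The proxy opens its own connection from the
# WAN address, so this is OUT on $if_wan; the state queues that flow in wan_http.
pass out log (all) on $if_wan inet proto tcp from $if_wan:0 \
    to any port $ports_proxy keep state queue wan_http
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. When checking with `pfctl -vvss` and `pfctl -gsr`, the proxy-to-client replies should be attributed to the `pass in` rule's number even though pflog prints their direction as out: pf matches an existing state before it evaluates rules, which is why a later `pass out on $if_lan ... queue lan_http` rule is never consulted for those packets.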

