transparent proxy traffic queue ...

Daniel Hartmeier daniel at benzedrine.cx
Fri Apr 15 06:36:37 UTC 2011


On Mon, Apr 11, 2011 at 06:22:30PM +0300, Zeus V Panchenko wrote:

> first rule catches traffic from LAN to inet so, the sequence is:
> 
> LAN -> if_lan -> proxy server -> if_wan -> inet -> some_web_server
> 
> and backward ...
> 
> some_web_server -> if_wan -> proxy server -> if_lan -> LAN 
> 
> is it because proxy LAN address is bent to if_lan:0 the traffic on
> if_lan is incoming rather than outgoing?

First, incoming and outgoing in context of pf.conf rules are
relative to the firewall (and not your LAN vs. the internet),
e.g. incoming means 'enters the firewall through an interface
from a network' and outgoing means 'exits the firewall through
an interface to a network'.

Second, with a squid proxy, there are actually two distinct
connections: one connection from the client to the proxy, and
another connection from the proxy to the server. There are
two different (random) source ports, and two different
destination ports (3128 and 80):

  1) client:random1 -> proxy:3128 (incoming on if_lan)
  2) proxy:random2 -> server:80 (outgoing on if_wan)

Both are filtered by pf, and both must be passed explicitly.

Only the first is affected by rdr (destination port translation),
and the pass rule must match the connection AFTER translation, i.e.

  rdr on $if_lan ... to any port 80 -> $if_lan:0 port 3128
  pass in on $if_lan ... to $if_lan:0 port 3128

The fact that the proxy's listening socket is bound to if_lan:0
doesn't change any of this, you could just as well bind it to
127.0.0.1 or ext_if.

> > Run pfctl -vvss and see what states you have, and what rules they
> > are based on (compare with numbers in pfctl -gsr output), probably
> > not the right ones (with proper log and queue options).
>  
> in pfctl output I still can see only outgoing to internet states ... no incoming

You can add 'set state-policy if-bound', so states get bound to
interfaces, and pfctl -ss shows both, which can help.

The arrows (-> or <-) in the pfctl -ss output indicate the
direction of a state (-> for outgoing, <- for incoming).

You should see pairs of states, like described above. As long
as you only see one state, there is something wrong.

HTH,
Daniel
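A pf.conf fragment putting the above together (two distinct connections, a pass rule that matches after rdr translation, if-bound states and a queue on the outbound side); this is an added example and not part of the original post, and the interface names, LAN network, queue names and bandwidth figures are assumptions:

```pf
# Assumed names and values; adjust to the real setup.
if_lan  = "em0"
if_wan  = "em1"
lan_net = "192.168.1.0/24"

# Bind states to interfaces so pfctl -ss shows both halves.
set state-policy if-bound

# Queue on the outbound interface: only the proxy's own connections
# to web servers leave through if_wan, so that is where queueing applies.
altq on $if_wan cbq bandwidth 10Mb queue { q_web, q_default }
queue q_web     bandwidth 60% cbq(borrow)
queue q_default bandwidth 40% cbq(default)

# Translation: LAN web traffic is redirected to squid listening
# on the primary address of if_lan (if_lan:0), port 3128.
rdr on $if_lan proto tcp from $lan_net to any port 80 -> $if_lan:0 port 3128

block log all

# Connection 1: client:random1 -> proxy:3128, incoming on if_lan.
# The rule must match the connection AFTER translation, so the
# destination is $if_lan:0 port 3128, not "any port 80".
pass in log on $if_lan proto tcp from $lan_net to $if_lan:0 port 3128 keep state

# Connection 2: proxy:random2 -> server:80, outgoing on if_wan.
# A separate connection with its own source port; queue it here.
pass out log on $if_wan proto tcp from $if_wan to any port 80 keep state queue q_web
```

After loading, a single client request should show up in pfctl -vvss as a pair of states, one `<-` on em0 to port 3128 and one `->` on em1 to port 80, each referencing its pass rule number from pfctl -gsr; squid itself still has to listen on port 3128 in transparent/intercept mode.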

