former "transparent proxy traffic queue ..."
Daniel Hartmeier
daniel at benzedrine.cx
Tue Apr 26 08:57:52 UTC 2011
On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:
> here we see outgoing via $if_wan traffic successfully coming through wan_http queue, the rule 18
> but no traffic coming through the rule 24 but 10 instead ...
>
> so, what am i missing, please?
>
> why pflog row:
> ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...
> does not match my pf.conf rule @24:
> pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
> ?
Ah, I see. Your rule @24 restricts the _source_ port:
pass in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
to 172.12.10.12 queue lan_http
Remember, only the initial (first) packet of a connection causes
ruleset evaluation, hence rules can be said to apply to the initial
packets of connections (everything else is covered by states). You
don't need to think about the packets flowing in reverse at all.
So, take the initial packet of that connection (the HTTP connection from
client to proxy, incoming on the LAN interface), what are its source and
destination ports? The source port is random, the destination port is
3128.
So, change the above rule to
pass in log (all) on $if_lan inet proto tcp from any \
to 172.12.10.12 port 3128 queue lan_http
HTH,
Daniel
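The point Daniel makes (only a connection's first packet is evaluated against the ruleset; every later packet in either direction is matched to the state that rule created) is easy to see in a toy model. The following is an added illustration, not pf code and not from this thread: a few dozen lines of Python that mimic pf's last-match-wins evaluation and a state table, then push a client SYN and the proxy's reply through rule 24 as originally written (source port restricted) and as corrected (destination port 3128). The addresses, the catch-all rule 10 and the assumption that 172.12.10.12 is the proxy address are constructed for the example.

```python
"""Toy model of pf's stateful rule evaluation (illustration only, not pf code).

pf evaluates the ruleset only for the first packet of a connection; later
packets in either direction are matched to the state that rule created.
A rule restricting the *source* port never sees the client's SYN, because
the SYN's source port is random; the *destination* port is the fixed one.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out" relative to the interface
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool        # True for the connection's initial packet


@dataclass
class Rule:
    number: int
    direction: str
    sport: Optional[int]   # None means "any"
    dst: Optional[str]
    dport: Optional[int]
    queue: Optional[str]

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.sport is None or self.sport == p.sport)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}   # flow key -> (rule number, queue)

    @staticmethod
    def key(p: Packet):
        # Both directions of a flow map to the same key, as a state does.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def handle(self, p: Packet):
        k = self.key(p)
        if k in self.states:
            # Existing state: no ruleset evaluation at all.
            return ("state",) + self.states[k]
        winner = None
        for r in self.rules:          # last matching rule wins (no "quick")
            if r.matches(p):
                winner = r
        if winner is None:
            return ("block", None, None)
        if p.syn:
            self.states[k] = (winner.number, winner.queue)
        return ("rule", winner.number, winner.queue)


# Constructed rules: 10 is a catch-all pass, 24 is the queue rule under test.
# As written in the thread: restricts the *source* port of the initial packet.
SOURCE_PORT_RULE = Rule(24, "in", 3128, "172.12.10.12", None, "lan_http")
# Daniel's correction: match the client's SYN by its *destination* port.
DEST_PORT_RULE = Rule(24, "in", None, "172.12.10.12", 3128, "lan_http")


def run_flow(proxy_rule: Rule):
    """Client SYN (random source port 40650) to proxy port 3128, then the
    proxy's reply. Returns how each packet was handled and which queue it got."""
    fw = Firewall([Rule(10, "in", None, None, None, None), proxy_rule])
    syn = Packet("in", "10.0.0.5", 40650, "172.12.10.12", 3128, True)      # constructed
    reply = Packet("out", "172.12.10.12", 3128, "10.0.0.5", 40650, False)  # constructed
    return fw.handle(syn), fw.handle(reply)


if __name__ == "__main__":
    print("source-port rule:", run_flow(SOURCE_PORT_RULE))  # SYN falls to rule 10, no queue
    print("dest-port rule:  ", run_flow(DEST_PORT_RULE))    # SYN hits rule 24, queue lan_http
```

With the source-port version the SYN only matches the catch-all rule 10, so the state (and therefore every reply packet) carries rule 10 and no queue, which is exactly the pflog line in the question. With the destination-port version the SYN matches rule 24 and the state inherits queue lan_http.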