Problems with pf rules for intercept squid proxy

Kristof Provost kp at FreeBSD.org
Tue Jun 28 17:37:42 UTC 2016



On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>  I have some problems with my pf rules on a FreeBSD 10.3 host that 
> acts as a squid intercept proxy. My actual pf rules are:
>
> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
> rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>
>  At first it seems that these rules work, but they don't. Traffic is 
> redirected to squid, but squid denies all connections:
>
>  1467111934.502      1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>
>  Using the same squid.conf file on an OpenBSD test machine, squid 
> works without problems. For this reason, I don't think there is a 
> problem with my squid config. The only difference between this 
> OpenBSD host and the FreeBSD one is the pf rules.
>
You may have a different squid version, or they may be patched 
differently.
Your redirect rules are working, as demonstrated by the fact that squid 
gets a request, and replies to it.

Note that pf does not change your HTTP payload, it only affects TCP. In 
other words: if Squid sees the connection (and it does) it’s a Squid 
problem.

Also note that you’re redirecting on FreeBSD, but using divert-to on 
OpenBSD.
This may be triggering different behaviour from Squid. The man page says 
that with divert-to:

	The packets will not be modified, so getsockname(2) on the socket will
	return the original destination address of the packet.

That might be affecting an ACL in Squid.

Regards,
Kristof
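
The getsockname(2) difference mentioned in the reply, as an added example that is not part of the original message and is not Squid's code: it classifies an accepted socket by comparing its local address with the listener's. The function names are hypothetical and the addresses in the usage are constructed; 127.0.0.1 port 5144 stands in for the `lo0 port 5144` redirect target.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

/* Build an IPv4 socket address from text (helper for this example). */
static struct sockaddr_in mk(const char *ip, unsigned short port)
{
    struct sockaddr_in sa = {0};
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    inet_pton(AF_INET, ip, &sa.sin_addr);
    return sa;
}

/* 1: the accepted socket's local address differs from the listener's, so it
 * still carries the client's original destination (the divert-to case).
 * 0: it equals the listener's address (rewritten by rdr, or a direct
 * connection to the proxy port); the original destination is not in it. */
int dst_preserved(struct sockaddr_in local, struct sockaddr_in listener)
{
    int same_port = local.sin_port == listener.sin_port;
    int same_addr = listener.sin_addr.s_addr == htonl(INADDR_ANY) ||
                    local.sin_addr.s_addr == listener.sin_addr.s_addr;
    return !(same_port && same_addr);
}

/* Live loopback connection with no packet filter in the path.
 * Returns dst_preserved() for the accepted socket, or -1 on error. */
int loopback_probe(void)
{
    struct sockaddr_in lis = mk("127.0.0.1", 0), loc;
    socklen_t len = sizeof lis;
    int rc = -1, c = -1, a = -1, l = socket(AF_INET, SOCK_STREAM, 0);
    if (l >= 0 && bind(l, (struct sockaddr *)&lis, sizeof lis) == 0 &&
        listen(l, 1) == 0 && getsockname(l, (struct sockaddr *)&lis, &len) == 0 &&
        (c = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(c, (struct sockaddr *)&lis, sizeof lis) == 0 &&
        (a = accept(l, NULL, NULL)) >= 0 && (len = sizeof loc) &&
        getsockname(a, (struct sockaddr *)&loc, &len) == 0)
        rc = dst_preserved(loc, lis);
    if (a >= 0) close(a);
    if (c >= 0) close(c);
    if (l >= 0) close(l);
    return rc;
}
```

A socket classified as 0 behind an rdr rule tells the proxy nothing about where the client was going; that has to come from pf's state table or from the HTTP request itself.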

