Can't get PF rdr working.

idle

I have a server working as a bridge between the LAN and the ISP with transparent Squid.
All is fine except the rdr rule.

Code:
rdr on $int_if proto tcp from <users> to ! <works> port { 80 3128 } -> $int_if port 3128
pass all

Those are all the rules for now.
$int_if here is re0, facing the LAN with a real IP.

The client doesn't attempt to connect to Squid at all, and it cannot reach the sites either.
tcpdump client_ip and port 3128 or port 80 shows only attempts to port 80, not to 3128.
But for some reason pf creates the appropriate states.
telnet server 3128 from the client works fine.

What may be wrong?

8.0-RELEASE-p3
squid-2.7.7
 

butzke

I noticed that you are using a couple of tables, <users> and <works>. Are you trying to exclude <works> from being redirected?

I would suggest simplifying the rule somewhat to get it working. Perhaps try this:

Code:
rdr in $int_if proto tcp from $int_if:network to any port 80 -> 127.0.0.1 3128

This rule will redirect any traffic from the internal network on port 80 to localhost 3128. If this works, then you can add in the tables to refine the rule to what you need.

Notes on Squid: Squid should listen on localhost by default unless you have changed that. Since you are attempting to run Squid transparently, I would not bother to configure Squid to listen on the IP of your internal adapter.
 

butzke

Apologies, I mistyped the rule; it should be this:
Code:
rdr in $int_if proto tcp from $int_if:network to any port 80 -> 127.0.0.1 port 3128
 
idle

butzke
This doesn't work either.
I found a solution that works for me.
Code:
rdr on $int_if proto tcp from <users> to ! <works> port { 80 3128 } -> 127.0.0.1
pass in log quick route-to lo0 inet proto tcp from any to port 3128
But now the client can't reach several sites from the works table, but that is another issue, I think.

Interestingly, on FreeBSD 7 everything worked fine with the old config, with one limitation: it could not rdr to lo0, which is why I tried rdr to $int_if.
I guess something changed in FreeBSD 8.
 

DutchDaemon

Yeah, a bridge always requires a route-to statement when rdr'ing to localhost. Good that you found it. It's easily and often overlooked.
 
idle

I see.
But what's wrong with rdr to $int_if?
 

DutchDaemon

Binding to localhost is pretty common on transparent Squid setups. Why make it more difficult and less safe, and expose an open port to the network when it's unneeded? And why redirect port 3128? It's not commonly used for regular http traffic, so blocking it is usually fine. Just use the SafePorts from Squid's config (except https) and redirect those.
 

DutchDaemon

More common than you think. Something like this usually works just fine.
Code:
web="{ 80:83 1080 3689 8080:8081 8088 11523 }"
rdr on $int_if inet proto tcp from <networks> to any port $web -> 127.0.0.1 port 3128
pass in quick on $int_if route-to lo0 inet proto tcp from <networks> to 127.0.0.1 port 3128 keep state
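A complete pf.conf fragment for the bridge setup discussed in this thread, as an added example rather than any poster's own config: it combines the OP's <users>/<works> tables with the localhost redirect and the route-to lo0 rule, and keeps the failing interface-address variant as a comment for contrast. The interface name, the LAN prefix and the squid.conf line are assumptions.

```pf
# Added example: transparent Squid behind a pf bridge on FreeBSD 8.
# Assumptions (not from the thread): re0 is the LAN-facing bridge member,
# the LAN is 192.168.1.0/24, and Squid listens on 127.0.0.1:3128
# (squid.conf, Squid 2.7 syntax: http_port 127.0.0.1:3128 transparent).
int_if = "re0"

# Squid's Safe_ports minus 443: intercepting HTTPS would only break TLS.
web = "{ 80:83 1080 3689 8080:8081 8088 11523 }"

# Clients to proxy, and destinations that must bypass the proxy.
table <users> { 192.168.1.0/24 }
table <works> persist    # fill with: pfctl -t works -T add <addr>

# Weak form (the OP's original): needs Squid to listen on the LAN IP,
# exposes 3128 to the LAN, and on a bridge the redirected packet is
# still never delivered locally without a route-to rule.
#   rdr on $int_if proto tcp from <users> to ! <works> port $web -> $int_if port 3128

# Working form: translate the destination to localhost ...
rdr on $int_if inet proto tcp from <users> to ! <works> port $web -> 127.0.0.1 port 3128

# ... and force the translated packets onto lo0. On a bridge pf would
# otherwise hand them to the other bridge member instead of the local
# socket, which is why the OP saw states created but no proxy connection.
pass in quick on $int_if route-to lo0 inet proto tcp from <users> to 127.0.0.1 port 3128 keep state

pass all
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, then load with pfctl -f; pfctl -ss afterwards should show the client's port 80 state paired with a state to 127.0.0.1:3128.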
 