Hello
I'm trying to set up a transparent Squid proxy on a bridge using PF. It looks like the redirected TCP connection is blocked. But it cannot be blocked because I have "pass" for everything. It's almost like the redirected traffic disappeared.
The rdr rule comes from pf.conf(5) and it works when the system acts as a router instead of a bridge.
Rule (a.k.a. /tmp/rules):
Code:
set skip on lo0
set block-policy return
rdr pass log on fxp0 proto tcp from any to any port 80 -> 127.0.0.1 port 8080
pass in log
pass out keep state
I've tested the following sequence using live CD FreeBSD-10.3-RELEASE-amd64-mini-memstick and FreeBSD-11.0-RELEASE-amd64-mini-memstick. Both with the same result.
Code:
ifconfig bridge create
ifconfig bridge0 addm fxp0 addm em0
ifconfig fxp0 up
ifconfig em0 up
ifconfig bridge0 192.168.26.2
service pf onestart
service pflog onestart
vi /tmp/rules
pfctl -f /tmp/rules
pfctl -e
nc -l 127.0.0.1 8080
The nc receives nothing, and the pfctl -s states shows that the connection is not established:
Code:
all tcp 127.0.0.1:8080 (8.8.178.110:80) <- 192.168.26.37:1438 CLOSED:SYN_SENT
But the rdr rule matched, the tcpdump -tt -eni pflog0 shows:
Code:
1481179615.198895 rule 0..16777216/0(match): rdr in on fxp0: 192.168.26.37.1438 > 127.0.0.1.8080: Flags [S], seq 1732094875, win 65228, options [mss 1460,nop,wscale 7,sackOK,TS val 117825669 ecr 0], length 0
What am I missing? PF should not block anything here.
The same rule works without a bridge (system acts as a router instead) and is suggested at http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf.
A slightly modified rule works on a bridge, when the traffic is redirected to another host and still goes out the same output interface.
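The check the post does by eye (a rdr state exists but never gets past SYN_SENT, so the redirected packet was matched by PF yet never reached the listener) is easy to automate when there are many states. The following is an added example, not code from the post or from the FreeBSD/PF projects. It parses the `pfctl -s states` line format shown above (interface, protocol, rewritten destination, the original destination in parentheses when a rdr rule applied, direction arrow, source, and the two-sided TCP state) and reports redirected states whose handshake never completed. The first sample line is the one from the post; the other two are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One line of `pfctl -s states` as printed in the post:
#   <iface> <proto> <dst[:port]> [(<orig-dst[:port]>)] <arrow> <src[:port]> <state>
# The parenthesised address appears only when a rdr/nat rule rewrote the
# destination, so its presence tells us the state was created by a redirect.
# Assumption: the arrow is one of "<-", "->" or "<->" (pf prints all three).
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<dst>\S+)"
    r"(?:\s+\((?P<orig>[^)]+)\))?"
    r"\s+(?P<arrow><-|->|<->)\s+"
    r"(?P<src>\S+)\s+"
    r"(?P<state>\S+)\s*$"
)


@dataclass
class PfState:
    iface: str
    proto: str
    dst: str                 # destination after any rdr rewrite
    orig_dst: Optional[str]  # destination before rdr, None if not redirected
    arrow: str
    src: str
    state: str               # e.g. "CLOSED:SYN_SENT", "ESTABLISHED:ESTABLISHED"

    @property
    def redirected(self) -> bool:
        return self.orig_dst is not None

    @property
    def handshake_complete(self) -> bool:
        # Both sides of a working TCP state show ESTABLISHED.
        return self.state == "ESTABLISHED:ESTABLISHED"


def parse_states(text: str) -> List[PfState]:
    """Parse the output of `pfctl -s states`; lines that do not match are skipped."""
    states: List[PfState] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = STATE_RE.match(line)
        if not m:
            continue
        states.append(PfState(
            iface=m["iface"], proto=m["proto"], dst=m["dst"],
            orig_dst=m["orig"], arrow=m["arrow"], src=m["src"], state=m["state"],
        ))
    return states


def stuck_redirects(states: List[PfState]) -> List[PfState]:
    """Redirected TCP states where a SYN was seen but the handshake never completed.

    This is exactly the symptom in the post: the rdr rule matched and pf created a
    state, but the listener on the rewritten destination never answered.
    """
    return [
        s for s in states
        if s.proto == "tcp" and s.redirected
        and "SYN_SENT" in s.state.split(":")
        and not s.handshake_complete
    ]


# Constructed sample: line 1 is the state from the post, lines 2-3 are made up
# (a redirected connection that worked, and a plain non-redirected ssh session).
SAMPLE_STATES = """\
all tcp 127.0.0.1:8080 (8.8.178.110:80) <- 192.168.26.37:1438 CLOSED:SYN_SENT
all tcp 127.0.0.1:8080 (93.184.216.34:80) <- 192.168.26.40:2001 ESTABLISHED:ESTABLISHED
all tcp 192.168.26.2:22 <- 192.168.26.37:1500 ESTABLISHED:ESTABLISHED
"""


if __name__ == "__main__":
    for s in stuck_redirects(parse_states(SAMPLE_STATES)):
        print(f"stuck rdr: {s.src} -> {s.orig_dst} rewritten to {s.dst} ({s.state})")
```

On a live box the same function can be fed `subprocess.run(["pfctl", "-s", "states"], capture_output=True, text=True).stdout`; a state that stays in the stuck list for more than a few seconds points at the rewritten destination never receiving the packet rather than at a block rule, which is the distinction the post is trying to make.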