transparent proxy in jail with pf in host

Hello,

I hope some of you can please help me with the following problem. I have a FreeBSD 9.1 server with several jails installed, one of which is a web proxy. For that I have a redirection rule configured in pf so that all the traffic from my internal net goes to the proxy jail.

Code:
rdr pass inet proto tcp from $int_net to any port www -> $pxy_ip port 3128
pass in log (all, to pflog0) on $int_if inet proto tcp from $int_net to $pxy_ip port 3128
pass out on $int_if inet from $int_net to $int_net
pass out log (all, to pflog0) on $ext_if inet from $ext_ip to any

(I do NAT for the internal network.)

In the jail I have Squid version 3.3.8 compiled with support for pf transparent proxy and configured with the following directive to allow the transparent proxy:

Code:
http_port 127.0.0.1:3128 transparent

(I tried with intercept here too.)

To verify the redirection, I shut down Squid, used nc in its place, and made two tests from Firefox:

With the proxy configured manually:
Code:
# nc -l 3128
GET http://www.hostgator.com/ HTTP/1.1
Host: www.hostgator.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0

With no proxy (direct), it seems that the full URL does not arrive in the GET, only "/".

Code:
# nc -l 3128
GET / HTTP/1.1
Host: www.hostgator.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0

Later when I started Squid, I saw in /var/log/squid/cache.log several errors about pf:

Code:
2013/09/23 17:05:23 kid1| PF open failed: (2) No such file or directory

I know that Squid must have permission to access the device used by pf, but pf is not in the jail, it is on the host server.

Even so, when I think of putting the following in /etc/devfs.conf:

Code:
own     pf      root:squid
perm    pf      0640

I don't know where this must go, because the host server has neither the squid user nor the group, and in the jail there is no pf.

What can I do?

Thank you very much.

Javier
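The two nc captures above show the whole difference between an explicit proxy and an intercepting one: the first request line carries the complete URL, the second carries only "/" and names the site in its Host header. The following is an added example, not Squid code and not from the original post; it parses both captured requests and rebuilds the destination the way an intercepting proxy must, asking a (constructed) NAT table for the connection's original destination, which is exactly what Squid's PF lookup behind the "PF open failed" error is for. The NAT_TABLE and DNS mappings are stand-ins for the pf and resolver lookups a real proxy would perform.

```python
"""Work out where an HTTP request was really going, as an intercepting proxy must.

Added example for this thread; it is not Squid code and not from the original
post. It parses the two requests captured with nc above: the explicit-proxy one
carries the whole URL in the request line, the intercepted one carries only "/"
and names the site in its Host header. For the intercepted case the proxy has to
ask the firewall for the connection's original destination, which is what
Squid's PF lookup (the /dev/pf access behind the error above) is for. The NAT
table and DNS mapping below are constructed stand-ins for those lookups."""
from urllib.parse import urlsplit

# Constructed: what pf's NAT lookup would answer for a redirected connection,
# keyed by (client ip, client port) -> original destination (ip, port).
NAT_TABLE = {("192.168.1.20", 51234): ("198.51.100.7", 80)}

# Constructed: what a forward DNS lookup of the Host header would return.
DNS = {"www.hostgator.com": {"198.51.100.7"}}

# The two request heads from the post (User-Agent shortened).
EXPLICIT = ("GET http://www.hostgator.com/ HTTP/1.1\r\n"
            "Host: www.hostgator.com\r\n"
            "User-Agent: Mozilla/5.0 Firefox/16.0\r\n\r\n")
INTERCEPTED = ("GET / HTTP/1.1\r\n"
               "Host: www.hostgator.com\r\n"
               "User-Agent: Mozilla/5.0 Firefox/16.0\r\n\r\n")


def parse_request(raw):
    """Split a request head into (method, target, version, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_destination(raw, client, nat_table=NAT_TABLE, dns=DNS):
    """Return (mode, url, upstream) or raise ValueError if the request cannot be
    routed safely. mode is "explicit" or "intercept"; upstream is the (ip, port)
    the proxy should connect to."""
    _method, target, _version, headers = parse_request(raw)
    host = headers.get("host")
    if target.startswith(("http://", "https://")):
        # Absolute-form: the browser knows it is talking to a proxy.
        parts = urlsplit(target)
        if host is not None and host != parts.netloc:
            raise ValueError("Host header does not match the request-URI")
        ips = dns.get(parts.hostname, set())
        if not ips:
            raise ValueError("cannot resolve %s" % parts.hostname)
        return "explicit", target, (sorted(ips)[0], parts.port or 80)
    # Origin-form, which is all that arrives after a pf rdr: the request line
    # says only "/", so the site name must come from Host and the address from
    # the firewall's record of where the client was actually connecting.
    if host is None:
        raise ValueError("intercepted request without Host header; URL cannot be rebuilt")
    if client not in nat_table:
        raise ValueError("no NAT entry for %s:%d; original destination unknown" % client)
    dst_ip, dst_port = nat_table[client]
    # Host-header forgery check: the name the client claims must resolve to the
    # address it was really heading for, or a client could make the proxy fetch
    # one site while the firewall saw it connecting to another.
    hostname = host.split(":", 1)[0]
    if dst_ip not in dns.get(hostname, set()):
        raise ValueError("Host %s does not resolve to original destination %s" % (hostname, dst_ip))
    port = "" if dst_port == 80 else ":%d" % dst_port
    return "intercept", "http://%s%s%s" % (hostname, port, target), (dst_ip, dst_port)


if __name__ == "__main__":
    client = ("192.168.1.20", 51234)
    for raw in (EXPLICIT, INTERCEPTED):
        print(resolve_destination(raw, client))
```

The cross-check between the Host header and the NAT original destination is the part worth noticing: once the proxy can no longer see the URL the browser asked for, the firewall's record of the real destination is the only thing that keeps a client from naming one site while connecting to another, and that record is what the proxy needs device access to read.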
 
I don't think this is ever going to work. You can't change the settings of PF from within a jail. So Squid can't do what it needs to do.
 
This works on my system where I have pf as the firewall/NAT and a jail with Squid configured to run transparent. You will need a redirect rule in your /etc/pf.conf. Here is an example:

Code:
rdr on $Int_if inet proto tcp from $Int_if:network to any port http -> 10.0.0.1 port 3128

This assumes your jail is running at 10.0.0.1, you will want to change this to suit your needs. The key to getting this to work is to use /etc/devfs.rules. You will want to add/edit a listing for your jails. Here is mine:

Code:
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path pf unhide mode 0640 group 100

This works even though you don't explicitly have a squid user in your base system by using the GID.

On FreeBSD 10 you must also add
Code:
devfs_load_rulesets="YES"
to /etc/rc.conf.
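The devfs.rules approach above hands a host device to a jail, so it is worth checking what exactly is handed over. As an added example, not part of the thread and not a FreeBSD utility, the script below parses the ruleset format used in that reply ([name=number] headers followed by "add include" and "add path" rules) and reports, per ruleset, whether pf is unhidden and whether the mode grants the jail more than the read access the lookup needs: mode 0640 with a dedicated group, as posted, is the minimum that works, while any write bit lets a compromised proxy jail alter the host's firewall state. The sample rulesets are constructed: number 4 mirrors the posted one, number 5 is a loose variant the audit should flag.

```python
"""Audit a devfs.rules file for how /dev/pf is exposed to jails.

Added example; not part of the thread and not a FreeBSD utility. It parses the
ruleset format used in the reply above ([name=number] headers followed by
"add include" / "add path" rules) and reports, per ruleset, whether pf is
unhidden and whether the mode gives the jail more than read-only access for one
dedicated group. The sample below is constructed: ruleset 4 mirrors the posted
one, ruleset 5 is a loose variant the audit should flag."""
import fnmatch
import re

RULESET_HEADER = re.compile(r"^\[(?P<name>[^=\]]+)=(?P<num>\d+)\]$")

SAMPLE_DEVFS_RULES = """\
[devfsrules_jail=4]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path zfs unhide
add path pf unhide mode 0640 group 100

[devfsrules_jail_loose=5]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add path 'pf*' unhide mode 0666
"""


def parse_devfs_rules(text):
    """Return {ruleset_number: {"name", "includes", "paths"}}.

    Each entry of "paths" records the glob and the actions this audit cares
    about (hide/unhide, mode, group, user)."""
    rulesets = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = RULESET_HEADER.match(line)
        if header:
            current = {"name": header.group("name"), "includes": [], "paths": []}
            rulesets[int(header.group("num"))] = current
            continue
        if current is None:
            raise ValueError("line %d: rule outside any [name=number] section" % lineno)
        tokens = line.split()
        if len(tokens) >= 3 and tokens[:2] == ["add", "include"]:
            current["includes"].append(tokens[2])
        elif len(tokens) >= 3 and tokens[:2] == ["add", "path"]:
            rule = {"path": tokens[2].strip("'\""), "unhide": False,
                    "mode": None, "group": None, "user": None}
            actions = tokens[3:]
            i = 0
            while i < len(actions):
                act = actions[i]
                if act in ("hide", "unhide"):
                    rule["unhide"] = act == "unhide"
                    i += 1
                elif act in ("mode", "group", "user"):
                    if i + 1 >= len(actions):
                        raise ValueError("line %d: '%s' needs an argument" % (lineno, act))
                    rule[act] = int(actions[i + 1], 8) if act == "mode" else actions[i + 1]
                    i += 2
                else:
                    raise ValueError("line %d: unknown action %r" % (lineno, act))
            current["paths"].append(rule)
        else:
            raise ValueError("line %d: unsupported rule %r" % (lineno, line))
    return rulesets


def audit_pf_exposure(rulesets, device="pf"):
    """Return {ruleset_number: {"exposed": bool, "issues": [str]}}.

    "exposed" is true when some rule unhides the device; "issues" lists
    settings that go beyond read access for one dedicated group."""
    report = {}
    for num, rs in rulesets.items():
        exposed, issues = False, []
        for rule in rs["paths"]:
            if not (rule["unhide"] and fnmatch.fnmatch(device, rule["path"])):
                continue
            exposed = True
            mode = rule["mode"]
            if mode is None:
                issues.append("path %r unhides %s without a mode; host default permissions apply" % (rule["path"], device))
                continue
            if mode & 0o022:
                issues.append("mode %04o grants write access; the jail could change host pf state" % mode)
            if mode & 0o004:
                issues.append("mode %04o is world-readable; every jail user can query pf" % mode)
            if mode & 0o040 and rule["group"] is None:
                issues.append("group bits set but no group given; the device keeps the host's default group")
        report[num] = {"exposed": exposed, "issues": issues}
    return report


if __name__ == "__main__":
    for num, result in sorted(audit_pf_exposure(parse_devfs_rules(SAMPLE_DEVFS_RULES)).items()):
        state = "exposed" if result["exposed"] else "hidden"
        print("ruleset %d: pf %s%s" % (num, state, "".join("\n  - " + i for i in result["issues"])))
```

Run against a real /etc/devfs.rules, the report tells you which jail rulesets can see pf at all and whether any of them were given write access; the posted ruleset comes back exposed with no issues, which is the intended state for a proxy jail.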
 