if_bridge + pf rdr (bridged inline proxy)
Hi list, I recently setup a bridge box with inline cache proxy. if_bridge with pf filtering was working perfectly. However, squid-cache listening on loopback device did not get any packets from pf rdr. I have seen successful setups with OpenBSD's bridge spamd which rather a similar setup. Is something broken on FreeBSD's if_bridge or am I missing some configuration here? pfctl -ss (on bridge box): -- all tcp 127.0.0.1:3128 <- 71.14.235.147:80 <- 192.168.1.100:1041 CLOSED:SYN_SENT all tcp 192.168.1.100:1041 -> 127.0.0.1:3128 SYN_SENT:CLOSED Environment -- FreeBSD bridge.mybox 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Tue Nov 25 22:56:22 MYT 2008 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/BRIDGE i386 Squid Cache: Version 2.7.STABLE5 with --enable-pf-transparent rc.conf: -- cloned_interfaces="bridge0" ifconfig_bridge0="addm bge0 addm bge1 up" ifconfig_bge0="up" ifconfig_bge1="up" pf_enable="YES" squid_enabld="YES" pf.conf: -- int_if="bge0" ext_if="bge1" rdr pass on $int_if inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128 pass in all pass out all pass on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128 sysctl net.link.bridge : -- net.link.bridge.ipfw: 0 net.link.bridge.log_stp: 0 net.link.bridge.pfil_local_phys: 1 net.link.bridge.pfil_member: 1 net.link.bridge.pfil_bridge: 0 net.link.bridge.ipfw_arp: 0 net.link.bridge.pfil_onlyip: 0 Hping Testing (from client 192.168.1.100): -- hping -S -p 80 -c 10 www.google.com A quick search on freebsd-pf archive, I found a thread on similar setup in 2004. http://lists.freebsd.org/pipermail/freebsd-pf/2004-October/000522.html However, the bridge code of FreeBSD was blamed for poor performance and lack of functionalities. A more recent post on freebsd-net mailing list on similar issue. http://lists.freebsd.org/pipermail/freebsd-net/2008-September/019556.html Any ideas? TIA. P/S : please cc me as I'm not subscribed to freebsd-pf nor freebsd-net mailing list. Thanks. -- Regards Kevin Foo ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: if_bridge + pf rdr (bridged inline proxy)
Kevin, good day.
Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
> I recently setup a bridge box with inline cache proxy. if_bridge with
> pf filtering was working perfectly. However, squid-cache listening on
> loopback device did not get any packets from pf rdr. I have seen
> successful setups with OpenBSD's bridge spamd which rather a similar
> setup. Is something broken on FreeBSD's if_bridge or am I missing some
> configuration here?
pf can 'rdr' only incoming packets (from 'man pf.conf'):
-
Evaluation order of the translation rules is dependent on the type of the
translation rules and of the direction of a packet. binat rules are
always evaluated first. Then either the rdr rules are evaluated on an
inbound packet or the nat rules on an outbound packet. Rules of the same
type are evaluated in the same order in which they appear in the ruleset.
The first matching rule decides what action is taken.
-
So this can be just pf-related. And may be not, as usual...
--
Eygene
____ _.--. #
\`.|\.....-'` `-._.-'_.-'` # Remember that it is hard
/ ' ` , __.--' # to read the on-line manual
)/' _/ \ `-_, /# while single-stepping the kernel.
`-'" `"\_ ,_.-;_.-\_ ', fsc/as #
_.-'_./ {_.' ; / #-- FreeBSD Developers handbook
{_.-``-' {_/#
pgp7r3RYXkW0Q.pgp
Description: PGP signature
synproxy state does not work on FreeBSD 7.1-PRERELEASE
hello I tried to rule with `synproxy state` uname FreeBSD 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #0: Wed Oct 29 12:47:36 UTC 2008 (amd64 & i386 arch) the synproxy state is not working uname FreeBSD 7.0-RELEASE GENERIC (amd64 & i386 arch) the synproxy state is working # cat /etc/pf.conf pass on em0 proto tcp from any to 192.168.0.1 port http synproxy state to all, please check and confirm or deny /Vladimir Ermakov ___ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: if_bridge + pf rdr (bridged inline proxy)
Thank Eygene for the reply. It might be but I'm not sure. Anyone is
having the same setting or any info on this?
--
Regards
Kevin Foo
On Thu, Nov 27, 2008 at 10:00 PM, Eygene Ryabinkin <[EMAIL PROTECTED]> wrote:
> Kevin, good day.
>
> Thu, Nov 27, 2008 at 08:26:55PM +0800, Kevin Foo wrote:
>> I recently setup a bridge box with inline cache proxy. if_bridge with
>> pf filtering was working perfectly. However, squid-cache listening on
>> loopback device did not get any packets from pf rdr. I have seen
>> successful setups with OpenBSD's bridge spamd which rather a similar
>> setup. Is something broken on FreeBSD's if_bridge or am I missing some
>> configuration here?
>
> pf can 'rdr' only incoming packets (from 'man pf.conf'):
> -
> Evaluation order of the translation rules is dependent on the type of the
> translation rules and of the direction of a packet. binat rules are
> always evaluated first. Then either the rdr rules are evaluated on an
> inbound packet or the nat rules on an outbound packet. Rules of the same
> type are evaluated in the same order in which they appear in the ruleset.
> The first matching rule decides what action is taken.
> -
> So this can be just pf-related. And may be not, as usual...
> --
> Eygene
> ____ _.--. #
> \`.|\.....-'` `-._.-'_.-'` # Remember that it is hard
> / ' ` , __.--' # to read the on-line manual
> )/' _/ \ `-_, /# while single-stepping the kernel.
> `-'" `"\_ ,_.-;_.-\_ ', fsc/as #
> _.-'_./ {_.' ; / #-- FreeBSD Developers handbook
>{_.-``-' {_/#
>
___
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
