From owner-freebsd-pf@FreeBSD.ORG Sun Mar 27 09:29:14 2011
From: "J. Hellenthal" <jhellenthal@gmail.com>
Date: Sun, 27 Mar 2011 05:28:52 -0400
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
Subject: Re: Lost in rules!
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
X-OpenPGP-Key-Id: 0x89D8547E

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 26 Mar 2011 12:18, leslie@ wrote:

> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with
> exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality,
> but it won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when doing
> pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong.
>
> Thank you :-)
>

Hi Leslie,

I just extracted your rule sets from the email and, from what I gather, I hope it's just not a formatting issue with your mailer that I have seen in coincidence.
After pulling out the patch pipe and loading with a diff, this is what I've come up with:

(-)=New Config
(+)=Old Config

# Let the goodguys access the machine from the outside
- -pass in log on $ext_if inet proto tcp from to ($ext_if)
+pass in on $ext_if inet proto tcp from to ($ext_if) \
port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
- -pass in on $ext_if inet proto tcp from to $internal_net
+pass in on $ext_if inet proto tcp from to $internal_net \
port $vncports flags S/SA synproxy state

You mentioned that when removing your block rule you would get some functionality back, and this stuck out like a sore thumb! Pay close attention to the newline character at the new, or in other words: "don't forget the backslash".

Also you used to have:

# filter rules
- -block in log on $ext_if all
+block in log (all)

but that is probably not relevant to what you are seeing in your rule sets at this time.

If this all is not a formatting error, you should be able to verify that all your rules are loaded with ( pfctl -s rules ) and manually inspect the ones in question, whether the backslash really makes the difference.

Good luck.

--
Regards, J.
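Review bot: in the first hunk the new (-) rule `pass in log on $ext_if inet proto tcp from to ($ext_if)` has no trailing backslash, so `port $tcp_services flags S/SA keep state` on the next line is not part of it. If the file on disk really looks like this, pfctl -nf /etc/pf.conf rejects the orphaned `port ...` line with a syntax error, which the poster reports did not happen; that makes mailer line-wrapping the likelier explanation, and the check that settles it is pfctl -sr on the running box, which prints each rule exactly as pf loaded it (a rule that lost its `port $tcp_services` clause would show up there passing every TCP port to ($ext_if)). The VNC hunk that follows has the same shape and the same check applies to `port $vncports flags S/SA synproxy state`.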
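Review bot: the last hunk is a policy change, not a syntax migration, and the message should say so. The old `block in log (all)` blocks inbound on every interface and logs every packet of a matching connection; the new `block in log on $ext_if all` blocks inbound only on $ext_if and, without `(all)`, logs only the packet that creates a state. Inbound traffic on the internal interface therefore no longer meets this default block at all, so whether it is filtered depends entirely on whatever later `pass in ... on $int_if` rules exist. That is probably intended for a firewall with a trusted LAN, but it is worth stating rather than leaving under "probably not relevant".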
Hellenthal (0x89D8547E) JJH48-ARIN

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x89D8547E

iQEcBAEBAgAGBQJNjwNeAAoJEJBXh4mJ2FR+02EH/RUG17OuvE1ltgIMtGJpTy17
26oLFCiWY0AlH7LR8L1hImXFL8VPdsrybsCN6F7YgKFOpKtAPYoqV50zI5gF81cI
FOGErW1I8rNB4aHZsjBlQyARlSFtJO5uRr/desuCrL4SIK8FzD9QPb8qdEoWaehc
fMjHPhC5277NljkHH22HPKKRb1yA2+jvrZ91LOjUVO8AanPHDcXWvmNGOmbnTcB9
yG8K1gJymxzs4Atlw1m0PPCxmrwYzw4IbLB1TGzsZIhnGcmfR8M0eKCi/G98uyCP
LWXr8f/qL8lE4tjbr3jiKXEqeQWNXACI2vjqCEn6QG4t24U2gZtOrlnssneAY/M=
=vzmL
-----END PGP SIGNATURE-----

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 28 03:58:22 2011
Message-ID: <4D90075A.3030300@gmail.com>
Date: Mon, 28 Mar 2011 05:58:18 +0200
From: Vilem Kebrt
To: freebsd-pf@freebsd.org
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
Subject: Re: Lost in rules!

On 26.3.2011 17:18, Leslie Jensen wrote:
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all

Hi Leslie,

IMHO these rules will "drop random everything"; the definition of IPv6 in PF is inet6 :) and they are quick, so no other rules apply.

block drop in on $ext_if inet6 all
block drop out on $ext_if inet6 all

should be these rules, I think.
William

From owner-freebsd-pf@FreeBSD.ORG Mon Mar 28 11:07:01 2011
Message-Id: <201103281107.p2SB711b026714@freefall.freebsd.org>
Date: Mon, 28 Mar 2011 11:07:01 GMT
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/155736  pf    [pf] [altq] borrow from parent queue does not work wit
o kern/153307  pf    [pf] Bug with PF firewall
o kern/148290  pf    [pf] "sticky-address" option of Packet Filter (PF) blo
o kern/148260  pf    [pf] [patch] pf rdr incompatible with dummynet
o kern/147789  pf    [pf] Firewall PF no longer drops connections by sendin
o kern/146832  pf    [pf] "(self)" not always matching all local IPv6 addre
o kern/143543  pf    [pf] [panic] PF route-to causes kernel panic
o bin/143504   pf    [patch] outgoing states are not killed by authpf(8)
o conf/142961  pf    [pf] No way to adjust pidfile in pflogd
o conf/142817  pf    [patch] etc/rc.d/pf: silence pfctl
o kern/141905  pf    [pf] [panic] pf kernel panic on 7.2-RELEASE with empty
o kern/140697  pf    [pf] pf behaviour changes - must be documented
o kern/137982  pf    [pf] when pf can hit state limits, random IP failures
o kern/136781  pf    [pf] Packets appear to drop with pf scrub and if_bridg
o kern/135948  pf    [pf] [gre] pf not natting gre protocol
o kern/135162  pf    [pfsync] pfsync(4) not usable with GENERIC kernel
o kern/134996  pf    [pf] Anchor tables not included when pfctl(8) is run w
o kern/133732  pf    [pf] max-src-conn issue
o kern/132769  pf    [pf] [lor] 2 LOR's with pf task mtx / ifnet and rtent
f kern/132176  pf    [pf] pf stalls connection when using route-to [regress
o conf/130381  pf    [rc.d] [pf] [ip6] ipv6 not fully configured when pf st
o kern/129861  pf    [pf] [patch] Argument names reversed in pf_table.c:_co
o kern/127920  pf    [pf] ipv6 and synproxy don't play well together
o conf/127814  pf    [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o kern/127439  pf    [pf] deadlock in pf
f kern/127345  pf    [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf    [pf] [patch] pf incorrect log priority
o kern/127042  pf    [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf    [pf] pf keep state bug while handling sessions between
s kern/124933  pf    [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf    [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf    [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf    [pf] [panic] FreeBSD 6.2 panic in pf
o kern/120281  pf    [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf    [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf    [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf    [pf] [lor] pf_ioctl.c + if.c
o kern/114095  pf    [carp] carp+pf delay with high state limit
s conf/110838  pf    [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/103283  pf    pfsync fails to sucessfully transfer some sessions
o kern/103281  pf    pfsync reports bulk update failures
o kern/93825   pf    [pf] pf reply-to doesn't work
o sparc/93530  pf    [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf    [pf] PF + ALTQ problems with latency
o bin/86635    pf    [patch] pfctl(8): allow new page character (^L) in pf.
o kern/82271   pf    [pf] cbq scheduler cause bad latency

46 problems total.
From owner-freebsd-pf@FreeBSD.ORG Tue Mar 29 11:16:47 2011
Message-ID: <4D91BF90.2080608@eskk.nu>
Date: Tue, 29 Mar 2011 13:16:32 +0200
From: Leslie Jensen <leslie@eskk.nu>
To: Vilem Kebrt
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4D90075A.3030300@gmail.com>
Subject: Re: Lost in rules!

On 2011-03-28 05:58, Vilem Kebrt wrote:
> On 26.3.2011 17:18, Leslie Jensen wrote:
>> block drop in log quick proto ipv6 all
>>
>> block drop out log quick proto ipv6 all
>
> Hi Leslie,
> IMHO these rules will "drop random everything"; the definition of IPv6 in
> PF is inet6 :) and they are quick, so no other rules apply.
>
> block drop in on $ext_if inet6 all
> block drop out on $ext_if inet6 all
>
> should be these rules, I think.
> William
>

Thank you!

That cured some of the problem.

The remaining problem is that the Squid transparency is not working. I can set the proxy in my browser and it will use Squid, but it seems that my rdr rule is not used.

I've tried starting Squid manually with squid -NCd10 but there's no indication of any errors.

I'm also running

  tcpdump -s 256 -n -e -tttt -i pflog0

but I cannot see any of the outgoing packets getting detected by pf and sent to the proxy.

Do you have any suggestions on how to log more information?
Thanks

/Leslie

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 29 14:08:01 2011
Message-ID: <20110329140754.GA3026@insomnia.benzedrine.cx>
Date: Tue, 29 Mar 2011 16:07:54 +0200
From: Daniel Hartmeier <dhartmei@insomnia.benzedrine.cx>
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
In-Reply-To: <4D91BF90.2080608@eskk.nu>
Subject: Re: Lost in rules!

On Tue, Mar 29, 2011 at 01:16:32PM +0200, Leslie Jensen wrote:

> I'm also running
> tcpdump -s 256 -n -e -tttt -i pflog0
>
> But I cannot see any of the outgoing packets getting detected by pf and
> sent to the proxy.

You have logging enabled on the rule explicitly passing the redirected connections:

  pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state

but subsequently have another matching rule without logging:

  pass in quick on $int_if

Either add 'quick' to the former rule, or add 'log' to the latter rule; then you should see establishments of forwarded connections on pflog0.

Also, you can run

  # pfctl -vvss

immediately after a connection attempt of a client. You should see a forwarded connection in the list.

Other things to check:

Make sure IP forwarding is enabled

  # sysctl net.inet.ip.forwarding
  net.inet.ip.forwarding: 1

and the interface names are (still) what you expect them to be

  # ifconfig

and pf is enabled

  # pfctl -si | head -1
  Status: Enabled for 19 days 06:45:57           Debug: Misc

and the rules are loaded correctly

  # pfctl -f /etc/pf.conf
  #

Is squid really listening on port 8080 (default is 3128)?

  # netstat -an | grep LISTEN
  tcp4       0      0  *.8080                 *.*                    LISTEN

If this doesn't lead to any clues, I'd tcpdump tcp port 80 on the internal interface, try to establish one connection, and see if the TCP handshake completes, if an HTTP request is sent, etc.

HTH,
Daniel

From owner-freebsd-pf@FreeBSD.ORG Tue Mar 29 16:58:17 2011
Date: Tue, 29 Mar 2011 09:26:43 -0700
From: Patrick <gibblertron@gmail.com>
To: freebsd-pf@freebsd.org
In-Reply-To: <4D91BF90.2080608@eskk.nu>
Subject: Re: Lost in rules!
Just wanted to confirm that you compiled Squid with SQUID_PF set...

On Tue, Mar 29, 2011 at 4:16 AM, Leslie Jensen wrote:
>
> On 2011-03-28 05:58, Vilem Kebrt wrote:
>> On 26.3.2011 17:18, Leslie Jensen wrote:
>>> block drop in log quick proto ipv6 all
>>>
>>> block drop out log quick proto ipv6 all
>>
>> Hi Leslie,
>> IMHO these rules will "drop random everything"; the definition of IPv6 in
>> PF is inet6 :) and they are quick, so no other rules apply.
>>
>> block drop in on $ext_if inet6 all
>> block drop out on $ext_if inet6 all
>>
>> should be these rules, I think.
>> William
>
> Thank you!
>
> That cured some of the problem.
>
> The remaining problem is that the Squid transparency is not working.
> I can set the proxy in my browser and it will use Squid, but it seems that my
> rdr rule is not used.
>
> I've tried starting Squid manually with squid -NCd10 but there's no
> indication of any errors.
>
> I'm also running
>   tcpdump -s 256 -n -e -tttt -i pflog0
>
> But I cannot see any of the outgoing packets getting detected by pf and sent
> to the proxy.
>
> Do you have any suggestions on how to log more information?
>
> Thanks
>
> /Leslie
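The three findings in this thread share one property: pfctl -n either cannot see them or reports them unhelpfully. J. Hellenthal's lost continuation backslash turns the tail of a rule into an orphaned line that pfctl rejects without saying why; Vilem Kebrt's `proto ipv6` loads cleanly, because pfctl resolves the name through /etc/protocols to IP protocol 41 (IPv6 encapsulated in IPv4) rather than the address family, which is selected with `inet6`; and Daniel Hartmeier's shadowed `log` rule is valid syntax that simply never logs, because pf is last-match-wins unless a rule says `quick`. The linter below is an added example written for this page, not code from the thread or from the pf project; it checks a pf.conf text for all three before it is loaded. The sample configuration inside it is constructed to mirror the rules quoted in the thread (the macro names $ext_if, $int_if, $internal_net, $proxy and $tcp_services come from the thread; the interface names and addresses are made up). The "broader rule" test is a heuristic over rule tokens, not a full pf.conf parser, so treat its output as something to look at, not as proof.

```python
"""Lint a pf.conf for three mistakes discussed in the 'Lost in rules!' thread.

Added example, not code from the thread or from pf/pfctl. Token-level
heuristics only; this is not a complete pf.conf grammar.
"""
import re
import sys

# Words that may begin a pf.conf rule or directive. A logical line starting
# with anything else (and not a macro assignment) is almost always the tail of
# a rule whose trailing backslash went missing.
RULE_STARTERS = {
    "pass", "block", "match", "rdr", "nat", "binat", "scrub", "antispoof",
    "set", "table", "anchor", "load", "altq", "queue", "include",
}
MACRO_RE = re.compile(r"^[A-Za-z_]\w*\s*=")
# Tokens that choose an action or decorate a rule but do not narrow what it
# matches; every other token is treated as a match constraint.
NON_CONSTRAINT = {
    "in", "out", "log", "(all)", "quick", "all", "keep", "modulate",
    "synproxy", "state", "drop", "return", "return-rst", "return-icmp",
    "return-icmp6",
}

# Constructed sample in the shape of the thread's pf.conf: interface names and
# addresses are made up, the macro names follow the rules quoted in the thread.
SAMPLE_PF_CONF = """\
ext_if = "em0"
int_if = "em1"
internal_net = "192.168.1.0/24"
proxy = "127.0.0.1"
tcp_services = "{ 22, 80 }"

# 1. continuation that lost its backslash: the fragment becomes its own line
pass in log on $ext_if inet proto tcp from any to ($ext_if)
    port $tcp_services flags S/SA keep state

# 2. wrong address-family keyword (pfctl accepts it as IP protocol 41)
block drop in log quick proto ipv6 all

# 3. logged rule overridden by a later, broader rule without 'log'
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass in quick on $int_if

# correctly continued rule: no finding expected
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
    port $tcp_services flags S/SA keep state
"""


def logical_lines(text):
    """Return [(line_no, text)] with comments stripped and backslash
    continuations joined; line_no is the first physical line of each entry."""
    out, buf, start = [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # a '#' inside quotes is not special here
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        words = " ".join(buf).split()
        if words:
            out.append((start, " ".join(words)))
        buf, start = [], None
    return out


def parse_rule(tokens):
    """Extract direction, interface and the match constraints of a filter rule."""
    direction = next((t for t in tokens if t in ("in", "out")), None)
    iface, constraints, take_iface = None, set(), False
    for t in tokens[1:]:
        if take_iface:
            iface, take_iface = t, False
        elif t == "on":
            take_iface = True
        elif t not in NON_CONSTRAINT:
            constraints.add(t)
    return {"dir": direction, "iface": iface, "log": "log" in tokens,
            "quick": "quick" in tokens, "constraints": constraints}


def lint(text):
    """Return sorted (line_no, message) findings for a pf.conf text."""
    findings, rules = [], []
    for n, line in logical_lines(text):
        if MACRO_RE.match(line):
            continue
        tok = line.split()
        if tok[0] not in RULE_STARTERS:
            findings.append((n, f"'{tok[0]}' cannot start a rule: probably the tail "
                                "of the previous rule, which lost its trailing backslash"))
            continue
        if "proto" in tok and tok[tok.index("proto") + 1:][:1] == ["ipv6"]:
            findings.append((n, "'proto ipv6' means IP protocol 41 (IPv6 encapsulation, "
                                "per /etc/protocols), not the address family; use 'inet6'"))
        if tok[0] in ("pass", "block"):
            rules.append((n, parse_rule(tok)))
    # pf evaluates filter rules last-match-wins unless a rule says 'quick', so a
    # logged rule followed by a broader unlogged rule on the same interface and
    # direction never produces a pflog entry.
    for i, (n, rule) in enumerate(rules):
        if not rule["log"] or rule["quick"]:
            continue
        for m, later in rules[i + 1:]:
            if (later["dir"] == rule["dir"] and later["iface"] == rule["iface"]
                    and not later["log"]
                    and later["constraints"] <= rule["constraints"]):
                findings.append((n, f"'log' here is overridden by the broader rule on "
                                    f"line {m}, which has no 'log': add 'quick' here "
                                    f"or 'log' there"))
                break
    return sorted(findings)


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PF_CONF
    for line_no, message in lint(source):
        print(f"line {line_no}: {message}")
```

Run it as `python3 pflint.py /etc/pf.conf` before `pfctl -nf`, or with no argument to see the three findings on the built-in sample. The orphan check is the one that answers the question in this thread: if it flags a `port ...` line in the file on disk, the backslash is really missing; if it does not, the wrapped line in the e-mail was the mailer's doing and `pfctl -sr` on the running system will show the rule intact.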