Date:      Tue, 26 Apr 2011 10:57:47 +0200
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        freebsd-pf@freebsd.org
Subject:   Re: former "transparent proxy traffic queue ..."
Message-ID:  <20110426085747.GA1204@insomnia.benzedrine.cx>
In-Reply-To: <20110426074924.GH87913@relay.ibs.dn.ua>
References:  <20110210155622.GA60117@icarus.home.lan> <20110411054544.GC22812@relay.ibs.dn.ua> <20110411061730.GA26940@insomnia.benzedrine.cx> <20110411080648.GD22812@relay.ibs.dn.ua> <20110411085730.GB26940@insomnia.benzedrine.cx> <20110411152230.GA88862@relay.ibs.dn.ua> <20110415063632.GA14296@insomnia.benzedrine.cx> <20110426074924.GH87913@relay.ibs.dn.ua>

On Tue, Apr 26, 2011 at 10:49:24AM +0300, Zeus V Panchenko wrote:

> here we see outgoing via $if_wan traffic successfully coming through wan_http queue, the rule 18
> but no traffic coming through the rule 24 but 10 instead ...
> 
> so, what am I missing, please?
> 
> why pflog row:
> ... rule 10/0(match): pass out on ale0: 213.130.10.226.80 > 172.16.10.12.40650: ...
> does not match my pf.conf rule @24:
> pass out log (all) on ale0 inet proto tcp from any port = http to 172.12.10.12 flags S/SA keep state (if-bound) queue lan_http
> ?

Ah, I see. Your rule @24 restricts the _source_ port:

  pass  in log (all) on $if_lan inet proto tcp from any port { $ports_proxy } \
    to 172.12.10.12 queue lan_http

Remember, only the initial (first) packet of a connection causes
ruleset evaluation, hence rules can be said to apply to the initial
packets of connections (everything else is covered by states). You
don't need to think about the packets flowing in reverse at all.

So, take the initial packet of that connection (the HTTP connection from
client to proxy, incoming on the LAN interface), what are its source and
destination ports? The source port is random, the destination port is
3128.

So, change the above rule to

  pass  in log (all) on $if_lan inet proto tcp from any \
    to 172.12.10.12 port 3128 queue lan_http

HTH,
Daniel
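The point Daniel makes above (the ruleset is consulted only for the first packet of a connection, and every later packet in either direction is matched to the state that packet created, inheriting its rule and queue) can be seen in a small model. The following is an added illustration, not pf code and not anything from the thread: the rule syntax is a hand-made subset (no flags, tables, "quick" or real ALTQ semantics), the interface name "em0" and the catch-all rule 10 are assumptions standing in for the poster's ruleset, and the two packets are constructed from the addresses and ports quoted in the thread.

```python
# Toy model of pf's "evaluate rules only for the first packet, state
# covers the rest" behaviour. Added example, not pf's own code.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[int, Optional[str]]   # (rule number, queue name or None)


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    direction: str
    iface: str
    src: str = "any"             # "any" or one address
    sport: Optional[int] = None  # None: no source-port restriction
    dst: str = "any"
    dport: Optional[int] = None  # None: no destination-port restriction
    queue: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface == p.iface
                and self.src in ("any", p.src)
                and (self.sport is None or self.sport == p.sport)
                and self.dst in ("any", p.dst)
                and (self.dport is None or self.dport == p.dport))


@dataclass
class Filter:
    rules: List[Rule]
    # state table keyed by the 4-tuple of the packet that created it
    states: Dict[tuple, Verdict] = field(default_factory=dict)

    def handle(self, p: Packet) -> Verdict:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # An existing state short-circuits rule evaluation in both
        # directions: reply packets are attributed to whatever rule the
        # connection's first packet hit, never re-evaluated themselves.
        if fwd in self.states:
            return self.states[fwd]
        if rev in self.states:
            return self.states[rev]
        # No state: evaluate the ruleset, last matching rule wins
        # (this model has no "quick").
        winner: Optional[Rule] = None
        for r in self.rules:
            if r.matches(p):
                winner = r
        if winner is None:
            # stands in for pf's implicit default: pass, no state, no queue
            return (0, None)
        verdict = (winner.number, winner.queue)
        self.states[fwd] = verdict   # every pass rule keeps state here
        return verdict


# Constructed connection from the thread: client 172.16.10.12 picks a
# random source port and connects to the proxy at 172.12.10.12:3128,
# arriving on the LAN interface (assumed to be em0). REPLY is the proxy
# answering on the same interface.
SYN = Packet("em0", "in", "172.16.10.12", 40650, "172.12.10.12", 3128)
REPLY = Packet("em0", "out", "172.12.10.12", 3128, "172.16.10.12", 40650)

# Assumed catch-all earlier in the ruleset; stands in for the rule 10
# that showed up in the poster's pflog output.
RULE_10 = Rule(10, "in", "em0")

# Rule @24 as originally written: restricts the *source* port to 3128.
RULE_24_BROKEN = Rule(24, "in", "em0", sport=3128, dst="172.12.10.12",
                      queue="lan_http")
# Rule @24 as corrected: the initial SYN has a random source port and
# destination port 3128, so the restriction belongs on the destination.
RULE_24_FIXED = Rule(24, "in", "em0", dst="172.12.10.12", dport=3128,
                     queue="lan_http")


def walk(rules: List[Rule], packets: List[Packet]) -> List[Verdict]:
    """Run the packets through a fresh filter and return each verdict."""
    f = Filter(rules)
    return [f.handle(p) for p in packets]


if __name__ == "__main__":
    print("broken:", walk([RULE_10, RULE_24_BROKEN], [SYN, REPLY]))
    print("fixed: ", walk([RULE_10, RULE_24_FIXED], [SYN, REPLY]))
```

With the broken rule the SYN fails the source-port test, falls through to the catch-all, and the state (and therefore the reply) is attributed to rule 10 with no queue, which is the pflog symptom in the question. With the destination-port rule the SYN hits rule 24, the state carries queue lan_http, and the reply inherits it without the ruleset ever being consulted for it.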
