From: Gergely CZUCZY
To: "Roger Miranda (Digital Relay)"
Cc: freebsd-pf@freebsd.org
Date: Wed, 6 Dec 2006 16:31:19 +0100
Subject: Re: PF rdr from one port to another
Message-ID: <20061206153119.GA95733@harmless.hu>
In-Reply-To: <200612060928.47988.rmiranda@digitalrelay.ca>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Wed, Dec 06, 2006 at 09:28:47AM -0600, Roger Miranda (Digital Relay) wrote:
> On Wednesday 06 December 2006 09:22, Gergely CZUCZY wrote:
> > On Wed, Dec 06, 2006 at 09:16:52AM -0600, Roger Miranda (Digital Relay) wrote:
> > > Hey Everyone, First time poster here.
> > >
> > > I have a FreeBSD 6.1 setup with if_bridge. Two nics.
> > > I am running squid on the bridge itself.
> > >
> > > I am having some issues doing the routing with PF.
> > > i have:
> > >
> > > rdr on $int_if inet proto tcp from $net to any port www -> $proxy port 3128
> >
> > is $int_if the internal or the bridged interface?
> > what is $proxy?
>
> Sorry about that,
>
> ext_if="em0"
> int_if="em1"
> bridge_if="bridge0"
> net="192.168.0.0/16"
> proxy="127.0.0.1"

nice. use bridge_if. i remember somewhere reading about this,
the bridge interface should be used for filtering, and not
the individual interfaces

> em0 = 192.168.0.74
> em1 = 192.168.0.75
> > >
> > > pass in log all keep state
> > > pass out log all keep state
> >
> > it'd be wise to specify interfaces also here.
> >
> > > Now from the workstation I type in "http://slashdot.org" and it see pass
> > > through squid, but now it is trying to connect to
> > > "http://slashdot.org:3128"
> >
> > what is "it" that connects to :3128 ?
> > 1) it == the client
> > 2) it == the squid proxy
> It's the proxy trying to redirect it to :3128, I just see that by looking at
> tcpdump.

interesting, it shouldn't. have you configured squid to act
as a transproxy on that port, and have pf support built into squid?
i think that you must have to use this feature.

Bye,

Gergely Czuczy
mailto: gergely.czuczy@harmless.hu

-- 
Weenies test. Geniuses solve problems that arise.