Date:      Mon, 26 Nov 2012 22:50:11 +0200
From:      Volodymyr Kostyrko <c.kworr@gmail.com>
To:        Leslie Jensen <leslie@eskk.nu>
Cc:        freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <50B3D603.6050904@gmail.com>
In-Reply-To: <50B3B788.6040801@eskk.nu>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu>

26.11.2012 20:40, Leslie Jensen:
> Rules from pf.conf
>
> --------------------------------------------
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return     # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

I could be wrong here but I think you have a loop. You are redirecting 
from local interface to local interface, i.e. the result of the redirect is 
still subject to redirect. Could you try one of the following:

1. Make this a `rdr in on $int_if`.

2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way 
so the port for transparent forwarding is unreachable except when explicitly 
redirecting to it.

Personally I never allow such ambiguity in my configs.

-- 
Sphinx of black quartz judge my vow.
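Option 2 from the reply, written out as a pf.conf fragment with the matching Squid listener. This is an added illustration, not configuration posted in the thread: the macro values are copied from Leslie's rules, while the extra block rule and the squid.conf line are assumptions.

```conf
# Assumed macros, same values as in the quoted pf.conf
ext_if="xl0"
int_if="bge0"
internal_net = "172.18.0.0/16"
proxy_services = "{ 21, 80 }"
proxy = "172.18.0.1"

# --- rule as quoted from the thread (the one suspected of looping) ---
# rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# --- rewritten per option 2: translate to loopback and pass in one step ---
# 'rdr pass' creates state immediately, so no separate pass rule is needed,
# and the intercepted session is delivered to 127.0.0.1 rather than to the
# firewall's LAN address $proxy. Note that translation rules are first-match,
# so an earlier 'rdr ... port ftp -> 127.0.0.1 port 8021' still wins for port 21.
rdr pass on $int_if inet proto tcp from $internal_net to any port $proxy_services -> 127.0.0.1 port 8080

# Belt and braces (assumed): the intercept port on the firewall's own
# interface addresses is not reachable directly from either side; traffic
# only gets there through the rdr above.
block in on $int_if proto tcp from any to ($int_if) port 8080
block in on $ext_if proto tcp from any to ($ext_if) port 8080

# Squid side (assumed, goes in squid.conf, Squid 3.1 or later; older
# releases spell the mode 'transparent'): listen on loopback only.
# http_port 127.0.0.1:8080 intercept
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; with Squid bound to 127.0.0.1 the block rules are a safety net rather than the thing that keeps port 8080 private.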


