Date: Mon, 26 Nov 2012 22:50:11 +0200
From: Volodymyr Kostyrko <c.kworr@gmail.com>
To: Leslie Jensen <leslie@eskk.nu>
Cc: freebsd questions list <freebsd-questions@freebsd.org>
Subject: Re: Anyone using squid and pf?
Message-ID: <50B3D603.6050904@gmail.com>
In-Reply-To: <50B3B788.6040801@eskk.nu>
References: <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu>
26.11.2012 20:40, Leslie Jensen:
> Rules from pf.conf
>
> --------------------------------------------
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

I could be wrong here but I think you have a loop. You are redirecting from local interface to local interface, i.e. the result of the redirect is still subject to redirect. Could you try one of the following:

1. Make this a `rdr in on $int_if`.
2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way so the port for transparent forwarding is unreachable except when explicitly redirecting to it.

Personally I never allow such ambiguity in my configs.

-- 
Sphinx of black quartz judge my vow.
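As an added illustration, not part of this thread: a pf.conf fragment in the FreeBSD pf syntax of the period (where rdr is a separate translation rule) that applies the second suggestion from the reply above to the poster's own macros. Only port 80 is redirected, since the thread's ftp traffic already has its own rdr to port 8021; the interface names, network and the 8080 listening port are the poster's, the pass rules and comments are assumptions.

```pf
# Added example, not the poster's config. Macro names match the thread.
ext_if="xl0"
int_if="bge0"
internal_net="172.18.0.0/16"

# Original rule, kept commented for comparison: the redirect target
# 172.18.0.1 is an address on $int_if, so the rewritten connection still
# lands on the same interface the rdr rule matches on.
# rdr on $int_if inet proto tcp from $internal_net to any port 80 -> 172.18.0.1 port 8080

# Suggestion 2: redirect to loopback and let the rdr rule pass the traffic
# itself. 127.0.0.1:8080 cannot be reached from the LAN as an ordinary
# service, so the proxy's intercept port only sees traffic this rule sends it.
rdr pass on $int_if inet proto tcp from $internal_net to any port 80 -> 127.0.0.1 port 8080

# The proxy's own fetches originate on the gateway and leave via $ext_if,
# which the rdr rule does not cover, so they are never redirected back.
# (Assumed filter policy; adjust to the real ruleset.)
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without activating it; after `pfctl -f /etc/pf.conf`, `pfctl -s nat` lists the translation rules as loaded and `pfctl -s state` shows the redirected connections with their rewritten 127.0.0.1:8080 endpoint. Squid then has to listen on that loopback address in its intercept mode (`http_port 127.0.0.1:8080 intercept` in squid 3.1 and later, the `transparent` keyword in older releases); a squid bound to 0.0.0.0 would reintroduce exactly the reachability the reply wants to avoid.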