Date: Tue, 28 Jun 2016 19:37:37 +0200
From: "Kristof Provost" <kp@FreeBSD.org>
To: "C. L. Martinez" <carlopmart@gmail.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: Problems with pf rules for intercept squid proxy
Message-ID: <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org>
In-Reply-To: <20160628130759.GA13226@beagle.bcn.sia.es>
References: <20160628130759.GA13226@beagle.bcn.sia.es>
On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
> I have some problems with my pf rules on a FreeBSD 10.3 host that
> acts as a squid intercept proxy. My actual pf rules are:
>
> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
> rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>
> At first stage it seems that these rules work, but they don't. Traffic is
> redirected to squid, but squid denies all connections:
>
> 1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>
> Using the same squid.conf file under an OpenBSD test machine, squid
> works without problems. For this reason, I don't think there is some
> problem with my squid's config. The only difference between this
> OpenBSD host and FreeBSD are the pf rules.
>

You may have a different squid version, or they may be patched differently.

Your redirect rules are working, as demonstrated by the fact that squid gets a request, and replies to it.
Note that pf does not change your HTTP payload, it only affects TCP.
In other words: if Squid sees the connection (and it does) it’s a Squid problem.

Also note that you’re redirecting on FreeBSD, but using divert-to on OpenBSD.
This may be triggering different behaviour from Squid. The man page says that with divert-to:

    The packets will not be modified, so getsockname(2) on the socket will return the original destination address of the packet.

That might be affecting an ACL in Squid.

Regards,
Kristof
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2822287D-FE6F-4A4B-995A-639B696911DF>