Date:      Tue, 28 Jun 2016 19:37:37 +0200
From:      "Kristof Provost" <kp@FreeBSD.org>
To:        "C. L. Martinez" <carlopmart@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Problems with pf rules for intercept squid proxy
Message-ID:  <2822287D-FE6F-4A4B-995A-639B696911DF@FreeBSD.org>
In-Reply-To: <20160628130759.GA13226@beagle.bcn.sia.es>
References:  <20160628130759.GA13226@beagle.bcn.sia.es>


On 28 Jun 2016, at 15:07, C. L. Martinez wrote:
>  I have some problems with my pf rules on a FreeBSD 10.3 host that
> acts as a squid intercept proxy. My actual pf rules are:
>
> rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
> rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
>
>  At first sight it seems that these rules work, but they don't. Traffic is
> redirected to squid, but squid denies all connections:
>
>  1467111934.502      1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html
>
>  Using the same squid.conf file on an OpenBSD test machine, squid
> works without problems. For this reason, I don't think there is any
> problem with my squid config. The only difference between this
> OpenBSD host and the FreeBSD one is the pf rules.
>
You may have a different squid version, or they may be patched 
differently.
Your redirect rules are working, as demonstrated by the fact that squid 
gets a request, and replies to it.

Note that pf does not change your HTTP payload, it only affects TCP. In 
other words: if Squid sees the connection (and it does) it’s a Squid 
problem.

Also note that you’re redirecting on FreeBSD, but using divert-to on
OpenBSD. This may be triggering different behaviour from Squid. The man
page says that with divert-to:

	The packets will not be modified, so getsockname(2) on the socket will
	return the original destination address of the packet.

That might be affecting an ACL in Squid.

Regards,
Kristof
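As an added illustration (not part of the original thread), here are the two rule styles the reply contrasts, side by side in pf.conf syntax: the FreeBSD rdr rules quoted above, and an OpenBSD divert-to form of the same redirection. The macros $vpnif and $int_network are the poster's; the OpenBSD rules are an assumed equivalent written from the pf.conf(5) divert-to syntax, not copied from the poster's OpenBSD configuration.

```pf
# FreeBSD 10.3 (rules as quoted in the thread): rdr rewrites the
# destination of matching packets to lo0:5144 / lo0:5145 before Squid
# accepts them. getsockname(2) on the accepted socket therefore returns
# the rewritten address, and the proxy has to recover the original
# destination separately (on FreeBSD pf that is a NAT-table lookup on
# /dev/pf rather than getsockname(2)).
rdr pass on $vpnif proto tcp from $int_network to any port http  -> lo0 port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145

# OpenBSD (assumed divert-to equivalent, per pf.conf(5)): the packet is
# handed to the local socket unmodified, so getsockname(2) on the
# accepted socket still returns the original destination address, which
# is what the man page excerpt in the reply describes.
pass in quick on $vpnif proto tcp from $int_network to any port http  divert-to 127.0.0.1 port 5144
pass in quick on $vpnif proto tcp from $int_network to any port https divert-to 127.0.0.1 port 5145
```

The practical consequence for troubleshooting is the one the reply draws: on the rdr host, any Squid ACL that keys on the destination address the kernel reports will see 127.0.0.1 port 5144/5145 unless Squid performs its own original-destination lookup, whereas on the divert-to host the same ACL sees the real destination.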
