From owner-freebsd-questions@FreeBSD.ORG Mon Nov 26 20:50:17 2012
Message-ID: <50B3D603.6050904@gmail.com>
Date: Mon, 26 Nov 2012 22:50:11 +0200
From: Volodymyr Kostyrko
User-Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:17.0) Gecko/17.0 Firefox/17.0 SeaMonkey/2.14
To: Leslie Jensen
Subject: Re: Anyone using squid and pf?
References: <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu>
In-Reply-To: <50B3B788.6040801@eskk.nu>
Cc: freebsd questions list

26.11.2012 20:40, Leslie Jensen:
> Rules from pf.conf
>
> --------------------------------------------
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
>
> # tables
> table persist
> table persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

I could be wrong here, but I think you have a loop. You are redirecting from the local interface to the local interface, i.e. the result of the redirect is still subject to redirection.

Could you try one of the following:

1. Make this a `rdr in on $int_if`.

2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way, so the port for transparent forwarding is unreachable except when explicitly redirected to it.

Personally I never allow such ambiguity in my configs.

--
Sphinx of black quartz judge my vow.
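As an added example that is not part of this thread or of pf itself: a small Python check that applies the reply's "ambiguity" test mechanically. It expands the pf.conf macros and flags any rdr rule whose redirect target falls inside the network the rule matches on; loopback targets, as in the second suggestion, are exempt. The config it reads is a constructed subset of the one quoted above (the table lines are omitted because their names did not survive in the archive), and the rule-parsing regexes are this example's own simplification of pf.conf syntax, not a full grammar.

```python
import ipaddress
import re

# Constructed sample: the macros and rdr rules quoted in the thread
# (the "table" lines are left out; their names did not survive).
PF_CONF = """\
ext_if="xl0"
int_if="bge0"
proxy_services = "{ 21, 80 }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
RDR_RE = re.compile(r'^\s*rdr\b.*?\bfrom\s+(\S+)\s+to\s+.*?->\s+(\S+)')

def expand_macros(text):
    """Return the rdr lines with every $macro replaced by its quoted value."""
    macros, rules = {}, []
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line.lstrip().startswith("rdr"):
            sub = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
            rules.append(sub)
    return rules

def ambiguous_rdr_rules(text):
    """Flag rdr rules whose target address lies inside their own 'from' network,
    the ambiguity the reply warns about. Targets on loopback are exempt, which is
    what the '-> 127.0.0.1 port 8080' suggestion relies on."""
    flagged = []
    for rule in expand_macros(text):
        m = RDR_RE.match(rule)
        if not m or m.group(1) == "any":
            continue  # 'from any' would need interface addresses to decide; skipped
        try:
            target_ip = ipaddress.ip_address(m.group(2))
            src_net = ipaddress.ip_network(m.group(1), strict=False)
        except ValueError:
            continue  # tables, hostnames and port-only targets are out of scope
        if not target_ip.is_loopback and target_ip in src_net:
            flagged.append(rule.strip())
    return flagged
```

Running `ambiguous_rdr_rules(PF_CONF)` reports only the www redirect; swapping the proxy macro for 127.0.0.1 makes the report empty.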