Date: Thu, 29 Nov 2012 00:28:06 +0100 From: Damien Fleuriot <ml@my.gd> To: Leslie Jensen <leslie@eskk.nu> Cc: Volodymyr Kostyrko <c.kworr@gmail.com>, freebsd questions list <freebsd-questions@freebsd.org> Subject: Re: Anyone using squid and pf? Message-ID: <CAE63ME6NOY0XFNteK=-YOy_NT7j-xLxFd4YETpTvLBTp7gh47w@mail.gmail.com> In-Reply-To: <50B52A1A.6070103@eskk.nu> References: <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu> <50B3D603.6050904@gmail.com> <50B52A1A.6070103@eskk.nu>
next in thread | previous in thread | raw e-mail | index | archive | help
On 27 November 2012 22:01, Leslie Jensen <leslie@eskk.nu> wrote:
>
>
> Volodymyr Kostyrko skrev 2012-11-26 21:50:
>>
>> 26.11.2012 20:40, Leslie Jensen:
>>
>>> Rules from pf.conf
>>>
>>> --------------------------------------------
>>> # macros
>>> ext_if="xl0"
>>> int_if="bge0"
>>>
>>> tcp_services="{ 22, 993, 5910:5917 }"
>>> tcp_priv_services="{ 389, 443 }"
>>> proxy_services = "{ 21, 80 }"
>>> icmp_types="{ echoreq unreach squench timex }"
>>> internal_net = "172.18.0.0/16"
>>> proxy = "172.18.0.1"
>>> proxyport="8021"
>>>
>>> # tables
>>> table <goodguys> persist
>>> table <sshguard> persist
>>>
>>> # options
>>> set block-policy return # ports are closed but can be seen
>>> set loginterface $ext_if
>>>
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www trafic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port
>>> $proxy_services -> $proxy port 8080
>>
>>
>> I could be wrong here but I think you have a loop. You are redirecting
>> from local interface to local interface i.e. the result of redirect is
>> still subject for redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>>
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
>> so port for transparent forwarding is unreachable except when explicitly
>> redirecting to it.
>>
>> Personally I newer allow such ambiguity in my configs.
>>
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule so that's why
> I use port 8021.
>
> Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
>
> /Leslie
>
Well, that depends on what you want to do.
If you want FTP traffic to go to ftp-proxy running on the firewall,
then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
Let's redo your redirects correctly.
I'll expand upon Volodymyr's idea of not confusing normal rules with
ones matching a packet that was redirected, through the use of tags.
# 1/ redirect web traffic to the proxy $proxy on port $proxyport
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
port $proxyport tag rdr_proxy
# 2/ redirect FTP traffic to the ftp-proxy running on the local
machine on port 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21
-> 127.0.0.1 port 8021 tag rdr_ftp
# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
# 5/ access rule to allow your proxy to do whatever it wants in a very
limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80
443 } flags S/SAFR
I liked Volodymyr's original intent behind the "rdr pass", the use of
tags here allows you to setup actual pass/block rules and still match
packets coming from a redirect.
This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to
Well basically it only has advantages.
Let me know if that helped.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAE63ME6NOY0XFNteK=-YOy_NT7j-xLxFd4YETpTvLBTp7gh47w>