Date:      Tue, 27 Nov 2012 22:01:14 +0100
From:      Leslie Jensen <leslie@eskk.nu>
To:        Volodymyr Kostyrko <c.kworr@gmail.com>
Cc:        freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <50B52A1A.6070103@eskk.nu>
In-Reply-To: <50B3D603.6050904@gmail.com>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com> <50B3B788.6040801@eskk.nu> <50B3D603.6050904@gmail.com>



Volodymyr Kostyrko wrote 2012-11-26 21:50:
> 26.11.2012 20:40, Leslie Jensen:
>> Rules from pf.conf
>>
>> --------------------------------------------
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>>
>> # tables
>> table <goodguys> persist
>> table <sshguard> persist
>>
>> # options
>> set block-policy return     # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting
> from local interface to local interface i.e. the result of redirect is
> still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
>
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
> so port for transparent forwarding is unreachable except when explicitly
> redirecting to it.
>
> Personally I never allow such ambiguity in my configs.
>

#1 gives a syntax error when I try to load it.

#2 My intention is to redirect only ftp traffic with this rule so that's why I use port 8021.

Do you mean that I should redirect even ftp traffic to port 8080?

Thanks!

/Leslie
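As an added illustration (not from either poster's mail), the two rdr rules from the quoted pf.conf written so that each names exactly one destination port and sends it to a listener on 127.0.0.1, along the lines of suggestion 2 above; macro values are the ones quoted in the thread, and the listener ports 8021 (ftp-proxy) and 8080 (web proxy) are taken from it.

```pf
# Added example, not the original poster's configuration.
# Macros reuse the values quoted in the thread.
ext_if="xl0"
int_if="bge0"
internal_net="172.18.0.0/16"
ftp_proxy_port="8021"     # ftp-proxy listener, as in the thread
www_proxy_port="8080"     # web proxy listener, as in the thread

set block-policy return
set loginterface $ext_if
set skip on lo0
scrub in

# pf applies translation (rdr) rules first-match, so rule order decides
# which proxy sees a connection.  Naming a single port in each rule
# removes the overlap that existed when proxy_services = "{ 21, 80 }"
# also matched ftp in the web rule.
rdr pass on $int_if inet proto tcp from $internal_net to any port ftp \
    -> 127.0.0.1 port $ftp_proxy_port
rdr pass on $int_if inet proto tcp from $internal_net to any port www \
    -> 127.0.0.1 port $www_proxy_port

# Parse without loading:            pfctl -nf /etc/pf.conf
# Show the loaded translation rules: pfctl -s nat
```

Both listeners have to be bound on 127.0.0.1 for these rules to deliver anything; the quoted config sent web traffic to 172.18.0.1 instead, so the proxy's bind address changes with the rule.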


