Lost in rules!
Daniel Hartmeier
daniel at benzedrine.cx
Tue Mar 29 14:08:01 UTC 2011
On Tue, Mar 29, 2011 at 01:16:32PM +0200, Leslie Jensen wrote:
> I'm also running
> tcpdump -s 256 -n -e -tttt -i pflog0
>
> But I cannot see any of the outgoing packets getting detected by pf and
> sent to the proxy.
You have logging enabled on the rule explicitly passing the
redirected connections:
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
but subsequently have another matching rule without logging:
pass in quick on $int_if
Either add 'quick' to the former rule, or add 'log' to the latter rule,
then you should see establishments of forwarded connections on pflog0.
Also, you can run
# pfctl -vvss
immediately after a connection attempt of a client. You should see
a forwarded connection in the list.
Other things to check:
Make sure IP forwarding is enabled
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding: 1
and the interface names are (still) what you expect them to be
# ifconfig
and pf is enabled
# pfctl -si | head -1
Status: Enabled for 19 days 06:45:57 Debug: Misc
and the rules are loaded correctly
# pfctl -f /etc/pf.conf
#
Is squid really listening on port 8080 (default is 3128)?
# netstat -an | grep LISTEN
tcp4 0 0 *.8080 *.* LISTEN
If this doesn't lead to any clues, I'd tcpdump tcp port 80 on the
internal interface, try to establish one connection, see if the
TCP handshake completes, if an HTTP request is sent, etc.
HTH,
Daniel
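As an added illustration (not part of the thread), here is a small Python model of the pf rule-evaluation order the reply relies on: the last matching rule wins, unless a matching rule carries 'quick', which stops evaluation at that rule. It assumes the packet has already been rewritten by the rdr rule, so its destination port is the proxy's 8080; the rule texts are the two from the thread.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Minimal model of pf rule evaluation (added example, not from the thread).
@dataclass
class Rule:
    text: str                       # the rule as it would appear in pf.conf
    iface: Optional[str] = None     # 'on $int_if'
    proto: Optional[str] = None     # 'proto tcp'
    dst_port: Optional[int] = None  # 'port 8080'
    quick: bool = False
    log: bool = False

@dataclass
class Packet:
    iface: str
    proto: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every criterion it specifies equals the packet's."""
    return ((rule.iface is None or rule.iface == pkt.iface)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the LAST matching rule wins, unless a matching rule has
    'quick', in which case evaluation stops there and that rule wins."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner

def is_logged(rules: List[Rule], pkt: Packet) -> bool:
    """Whether the winning rule would produce a record on pflog0."""
    winner = evaluate(rules, pkt)
    return winner is not None and winner.log

# The two rules from the thread; the packet is assumed already rewritten by
# the rdr rule, so its destination port is the proxy's 8080.
LOG_RULE = Rule("pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state",
                iface="int_if", proto="tcp", dst_port=8080, log=True)
QUICK_RULE = Rule("pass in quick on $int_if", iface="int_if", quick=True)
PKT = Packet(iface="int_if", proto="tcp", dst_port=8080)

ORIGINAL = [LOG_RULE, QUICK_RULE]                       # as posted: nothing logged
FIX_QUICK = [replace(LOG_RULE, quick=True), QUICK_RULE]  # 'quick' on the former rule
FIX_LOG = [LOG_RULE, replace(QUICK_RULE, log=True)]      # 'log' on the latter rule

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("quick added", FIX_QUICK), ("log added", FIX_LOG)):
        print(f"{name}: winner={evaluate(rules, PKT).text!r} logged={is_logged(rules, PKT)}")
```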