Hi list! I'm trying to implement a firewall with squid TPROXY in an environment with a bridge.

vio0 = external interface
vio1 = internal interface
bridge0 = (vio0 + vio1)

I have these rules; the connections pass through it, but nothing arrives on the divert-to side (I tested with nc -l 3128):

[17:31:25] root:logs # cat /etc/pf.conf
pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
pass all

[17:39:40] root:~ # pfctl -vvsr
@0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
  [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
  [ Inserted: uid 0 pid 22438 State Creations: 21    ]
@1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
  [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
  [ Inserted: uid 0 pid 22438 State Creations: 21    ]
@2 pass all flags S/SA
  [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
  [ Inserted: uid 0 pid 22438 State Creations: 50    ]

[17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)

But the nc command is not receiving any packets or connections. Does divert-to not work with a bridge?
My reference is this -> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Thanks

---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Free Software Consulting
http://www.mundounix.com.br
ICQ: 2890831 / MSN: [email protected]
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br
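As an added diagnostic that is not part of the original post or of the Squid wiki example: this script reads pflog output in the form quoted above and flags flows that matched the divert-to rule on the way in but were then logged passing out on the external interface towards their original destination, which is exactly what the two tcpdump lines for 192.168.15.13 show (a diverted packet is handed to the local socket and would not leave on vio0 with its original destination). The rule number 0 and the interface names are taken from the post; the third log line is a constructed sample of a flow that was only seen inbound.

```python
import re
from collections import defaultdict

# Two pflog lines copied from the post above, plus one constructed line for a
# flow that only hit the divert-to rule (the case one would expect to see).
SAMPLE_PFLOG = """\
tcpdump: listening on pflog0, link-type PFLOG
May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
tcpdump: WARNING: compensating for unaligned libpcap packets
May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
May 23 17:36:20.000000 rule 0/(match) pass in on vio1: 192.168.15.14.40000 > 93.184.216.34.80: S 1:1(0) win 14600 (DF)
"""

# Matches the "rule N/(match) pass in|out on IF: src.port > dst.port:" prefix
# printed by tcpdump -e on pflog0; warnings and other noise do not match.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Yield one dict per pflog line that carries a rule match; skip the rest."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["rule"] = int(d["rule"])
            yield d

def forwarded_not_diverted(text, divert_rule, ext_if):
    """Return (src, sport, dst, dport) tuples for flows that matched the
    divert-to rule inbound and were also passed OUT on ext_if towards the
    original destination, i.e. flows that were forwarded instead of diverted."""
    seen = defaultdict(set)
    for p in parse_pflog(text):
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        seen[key].add((p["rule"], p["dir"], p["ifc"]))
    bad = []
    for key, events in seen.items():
        hit_divert = any(r == divert_rule and d == "in" for r, d, _ in events)
        left_ext = any(d == "out" and i == ext_if for _, d, i in events)
        if hit_divert and left_ext:
            bad.append(key)
    return sorted(bad)

if __name__ == "__main__":
    for flow in forwarded_not_diverted(SAMPLE_PFLOG, 0, "vio0"):
        print("forwarded, not diverted:", flow)
```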

