Hi Luiz, I actually have seen that on a bridge setup I had, too.

Although the divert-to points to localhost, I see the packet trying to pass out on the interface to the original destination, as your data shows, too. No idea why that's happening though.

Patrick

On 23.05.2013 at 22:45, Luiz Gustavo S. Costa <[email protected]> wrote:

> Hi List!
>
> I'm trying to implement a firewall with squid TPROXY in an environment with
> bridge.
>
> vio0 = external if
> vio1 = internal if
> bridge0 = (vio0 + vio1)
>
> I have these rules, the connections pass through it, but nothing comes on the
> side of the divert-to (did tests with nc -l 3128)
>
> [17:31:25] root:logs # cat /etc/pf.conf
> pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to 127.0.0.1 port 3128
>
> pass out log quick on vio0 inet proto tcp from any to any port 80 divert-reply
>
> pass all
>
> [17:39:40] root:~ # pfctl -vvsr
> @0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags S/SA divert-to 127.0.0.1 port 3128
>   [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> @1 pass out log quick on vio0 inet proto tcp from any to any port = 80 flags S/SA divert-reply
>   [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> @2 pass all flags S/SA
>   [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6     ]
>   [ Inserted: uid 0 pid 22438 State Creations: 50    ]
>
> [17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
> tcpdump: WARNING: snaplen raised from 116 to 160
> tcpdump: listening on pflog0, link-type PFLOG
> May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> tcpdump: WARNING: compensating for unaligned libpcap packets
> May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
>
> but the nc command is not receiving any packet or connection.
>
> Does divert-to not work with a bridge?
>
> My reference is this ->
> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>
> Thanks
>
> ---
> Luiz Gustavo Costa (Powered by BSD)
> *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> mundoUnix - Consultoria em Software Livre
> http://www.mundounix.com.br
> ICQ: 2890831 / MSN: [email protected]
> Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
> Blog: http://www.luizgustavo.pro.br
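A small test listener for the divert-to side of the setup quoted above. This is an added example for this thread, not code from Luiz, Patrick or the squid wiki page, and it does not answer the bridge question; it replaces the `nc -l 3128` check with something that tells you *which* connections pf actually diverted. pf.conf(5) documents that divert-to does not rewrite the packet, so getsockname(2) on the accepted socket returns the client's original destination rather than the listen address. The listen address 127.0.0.1:3128 is taken from the pf.conf rule in the post; the `loopback_check()` self-test runs on any host without pf and uses an ephemeral port it picks itself.

```python
"""Listener for a pf divert-to target (added example, not from the thread).

pf.conf(5): divert-to delivers packets unmodified to a local socket bound to
the given host/port, so getsockname(2) on the accepted connection yields the
*original* destination. A listener can therefore distinguish a diverted
connection (original destination != listen address) from a client that
simply connected to 127.0.0.1:3128 directly, which `nc -l 3128` cannot.
"""
import socket

# Must match the divert-to rule: divert-to 127.0.0.1 port 3128 (from the post).
LISTEN_ADDR = ("127.0.0.1", 3128)


def original_destination(conn):
    """(host, port) the client really dialed.

    For a connection pf diverted this is the far-end address (e.g. a web
    server on port 80); for a direct connection it equals the listen address.
    """
    host, port = conn.getsockname()[:2]
    return host, port


def classify(conn, listen_addr):
    """Summarise one accepted connection as a dict."""
    peer_host, peer_port = conn.getpeername()[:2]
    dst = original_destination(conn)
    return {
        "client": (peer_host, peer_port),
        "original_dst": dst,
        "diverted": dst != listen_addr,
    }


def serve(listen_addr=LISTEN_ADDR, max_conns=None):
    """Accept connections on listen_addr and report what pf handed us.

    A real transparent proxy (squid) would connect onward to original_dst
    and relay; here we just answer 503 so the client does not hang.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)
    seen = 0
    try:
        while max_conns is None or seen < max_conns:
            conn, _ = srv.accept()
            with conn:
                info = classify(conn, listen_addr)
                print("%s:%d -> %s:%d diverted=%s"
                      % (info["client"] + info["original_dst"]
                         + (info["diverted"],)))
                conn.sendall(b"HTTP/1.1 503 Service Unavailable\r\n"
                             b"Content-Length: 0\r\n\r\n")
            seen += 1
    finally:
        srv.close()


def loopback_check():
    """Offline self-check without pf: connect directly to an ephemeral
    listener on 127.0.0.1. The connection must classify as diverted=False
    with original_dst equal to the listen address. Returns classify()'s dict.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    listen_addr = srv.getsockname()[:2]
    cli = socket.create_connection(listen_addr)
    conn, _ = srv.accept()
    try:
        return classify(conn, listen_addr)
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    serve()
```

Run it as root on the firewall in place of `nc -l 3128` and browse from the internal host: a line with `diverted=True` and the web server's address as original destination means the divert-to rule delivered the connection; no line at all, with the SYN still showing up on vio0 in pflog as in the post, means pf passed the packet without diverting it.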

