Hello Patrick! Yes, I could not make it work. I'm using another environment that is working:

FreeBSD 9.1-RELEASE with a patch to use FORWARD and bridge. The patch:
http://www.mundounix.com.br/~gugabsd/tproxy_bridge_ipfw-9.1-RELEASE.diff
Apply it over a complete src of FreeBSD 9.1-RELEASE.

I use ipfw for forward; the rules were:

ipfw add 100 fwd 127.0.0.1,3128 tcp from $lan_net to any 80 via em1
ipfw add 100 fwd 127.0.0.1 tcp from any 80 to $lan_net via em0

em0 = WAN interface
em1 = LAN interface

With this, it works 100%!

You can use squid 3.4HEAD or Lusca (from ports) with a TPROXY environment.
To use squid 3.4HEAD, I made a port config (FreeBSD):
http://www.mundounix.com.br/~gugabsd/squid34devel.tgz

Original patch: http://loos.no-ip.org/lusca_tproxy.diff

On Sun, 26 May 2013 18:07:38 +0200
Patrick Wildt <[email protected]> wrote:

> Hi Luiz,
>
> I actually have seen that on a bridge setup I had, too.
>
> Although the divert-to points to localhost, I see the packet trying to pass
> out on the interface to the original destination, as your data shows, too.
> No idea why that's happening though.
>
> \Patrick
>
> On 23.05.2013 at 22:45, Luiz Gustavo S. Costa
> <[email protected]> wrote:
>
> > Hi List!
> >
> > I'm trying to implement a firewall with squid TPROXY in an environment with
> > bridge.
> >
> > vio0 = external if
> > vio1 = internal if
> > bridge0 = (vio0 + vio1)
> >
> > I have these rules; the connections pass through it, but nothing comes on
> > the side of the divert-to (did tests with nc -l 3128).
> >
> > [17:31:25] root:logs # cat /etc/pf.conf
> > pass in log quick on vio1 inet proto tcp from any to any port 80 divert-to
> > 127.0.0.1 port 3128
> >
> > pass out log quick on vio0 inet proto tcp from any to any port 80
> > divert-reply
> >
> > pass all
> >
> > [17:39:40] root:~ # pfctl -vvsr
> > @0 pass in log quick on vio1 inet proto tcp from any to any port = 80 flags
> > S/SA divert-to 127.0.0.1 port 3128
> >   [ Evaluations: 92        Packets: 194       Bytes: 43964       States: 1
> > ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> > @1 pass out log quick on vio0 inet proto tcp from any to any port = 80
> > flags S/SA divert-reply
> >   [ Evaluations: 49        Packets: 194       Bytes: 43964       States: 1
> > ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 21    ]
> > @2 pass all flags S/SA
> >   [ Evaluations: 50        Packets: 93        Bytes: 13453       States: 6
> > ]
> >   [ Inserted: uid 0 pid 22438 State Creations: 50    ]
> >
> > [17:35:54] root:~ # tcpdump -n -e -ttt -i pflog0
> > tcpdump: WARNING: snaplen raised from 116 to 160
> > tcpdump: listening on pflog0, link-type PFLOG
> > May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 >
> > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss
> > 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> > tcpdump: WARNING: compensating for unaligned libpcap packets
> > May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 >
> > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss
> > 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
> >
> > But the nc command is not receiving any packets or connections.
> >
> > Does divert-to not work with bridge?
> >
> > My reference is this ->
> > http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
> >
> > Thanks
> >
> > ---
> > Luiz Gustavo Costa (Powered by BSD)
> > *+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
> > mundoUnix - Consultoria em Software Livre
> > http://www.mundounix.com.br
> > ICQ: 2890831 / MSN: [email protected]
> > Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
> > Blog: http://www.luizgustavo.pro.br
> >
>

---
Luiz Gustavo Costa (Powered by BSD)
*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+*+
mundoUnix - Consultoria em Software Livre
http://www.mundounix.com.br
ICQ: 2890831 / MSN: [email protected]
Tel: 55 (21) 4063-7110 / 8194-1905 / (11) 4063-0407
Blog: http://www.luizgustavo.pro.br
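The symptom Patrick and Luiz describe (a SYN matched by the divert-to rule on the LAN side and then logged again leaving the WAN interface towards its original destination) can be checked mechanically from pflog output. The following is an added example, not code from the thread or from pf/squid: it parses tcpdump-style pflog lines and reports SYNs that were supposedly diverted yet still left on the WAN interface. The first two sample lines are copied in shape from the capture above; the third (192.168.15.20 -> 93.184.216.34) is constructed.

```python
import re

# Constructed sample in the shape of the pflog capture in the thread.
# Lines 1 and 2 are the same SYN (same 4-tuple and ISN) seen first by rule 0
# (divert-to, in on vio1) and then by rule 1 (out on vio0): divert ineffective.
# Line 3 is a SYN that matched the divert rule and was NOT seen leaving vio0.
PFLOG_SAMPLE = """\
May 23 17:36:13.429174 rule 0/(match) pass in on vio1: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
May 23 17:36:13.429228 rule 1/(match) pass out on vio0: 192.168.15.13.38330 > 74.125.234.238.80: S 2238109532:2238109532(0) win 14600 <mss 1460,sackOK,timestamp 45163358 0,nop,wscale 7> (DF)
May 23 17:36:20.100000 rule 0/(match) pass in on vio1: 192.168.15.20.41000 > 93.184.216.34.80: S 10:10(0) win 14600 <mss 1460> (DF)
"""

# Matches "rule N/(match) pass in|out on IF: SRC.SPORT > DST.DPORT: S ISN:"
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\(match\) pass (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): S (?P<isn>\d+):"
)


def parse_pflog(text):
    """Return one dict per logged TCP SYN; non-matching lines (warnings) are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.search(line))]


def undiverted_syns(text, divert_rule, lan_if, wan_if):
    """Return (src, sport, dst, dport) for SYNs that matched the divert-to rule
    inbound on lan_if and were afterwards logged outbound on wan_if with the
    original destination, i.e. the divert did not take effect for that packet."""
    seen_in = set()
    leaked = []
    for f in parse_pflog(text):
        # ISN included so a retransmit or a new connection is not confused with the same packet
        key = (f["src"], f["sport"], f["dst"], f["dport"], f["isn"])
        if f["dir"] == "in" and f["ifname"] == lan_if and int(f["rule"]) == divert_rule:
            seen_in.add(key)
        elif f["dir"] == "out" and f["ifname"] == wan_if and key in seen_in:
            leaked.append(key[:4])
    return leaked


if __name__ == "__main__":
    for src, sport, dst, dport in undiverted_syns(PFLOG_SAMPLE, 0, "vio1", "vio0"):
        print(f"divert not applied: {src}:{sport} -> {dst}:{dport} left on WAN")
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (with the rules' `log` keyword kept) to see at a glance which port-80 SYNs bypassed the divert.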

