Re: Anyone using squid and pf?
Damien Fleuriot skrev 2012-11-29 00:28:
> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

Hello Damien

I'm concentrating on getting the web traffic to work first.

I've changed rule #1 as you can see below but pf returns a syntax error.

# redirect www traffic to proxy
rdr in on $int_if inet proto tcp from !$proxy to any port $proxy_services -> $proxy $proxyport tag rdr_proxy

My variables are:

proxy = "172.18.0.1"
proxy_services = "{ 21, 80 }"
proxyport="8080"

Am I supposed to add rule #5 as well or is it a suggestion?

Thanks

/Leslie

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: Anyone using squid and pf?
On 30 Nov 2012, at 08:30, Leslie Jensen wrote:
> Damien Fleuriot skrev 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen wrote:
>>
>> Well, that depends on what you want to do.
>>
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on
>> $proxy.
>>
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>>
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>>
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>>
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>>
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>>
>> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
>>
>> I liked Volodymyr's original intent behind the "rdr pass", the use of
>> tags here allows you to set up actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>>
>> Well basically it only has advantages.
>>
>> Let me know if that helped.
>
> Thank you Damien.
>
> I'll try out your suggestions and report back.
>
> Thanks :-)
>
> /Leslie

The rdr rules should read:

rdr in on $int_if from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the "-> destination" syntax.

Otherwise, should be just fine.
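Pulling the thread's corrections together, here is a consolidated rdr/pass fragment (an added example, not from any of the posts): Damien's tag approach with the tag-before-"->" ordering from the reply above, separate redirects for web and FTP, and Leslie's macro names. Assumptions: squid's intercept port is 8080 (the thread moved proxyport off 8021, which is ftp-proxy's port), pf and squid run on the same host as Leslie stated, and the ruleset targets FreeBSD 9's pf (pre-OpenBSD-4.7 syntax); check it with "pfctl -nf /etc/pf.conf" before loading.

```pf
# macros as in Leslie's pf.conf (proxyport=8080 is an assumption)
ext_if="xl0"
int_if="bge0"
internal_net="172.18.0.0/16"
proxy="172.18.0.1"
proxyport="8080"

# Caveat: in this pf generation rdr rules are evaluated for inbound packets
# only and the rdr grammar has no "in"/"out" keyword, so "rdr in on ..." is
# rejected, which matches the syntax error reported twice in the thread.
# Writing "rdr on $int_if" already limits the rule to packets arriving on
# the LAN interface.

# 1/ web traffic arriving on $int_if from the LAN goes to squid's intercept
#    port; "tag" has to come before "->" in the rdr grammar
rdr on $int_if inet proto tcp from $internal_net to any port 80 tag rdr_proxy -> $proxy port $proxyport

# 2/ FTP control connections from the LAN go to ftp-proxy on the firewall
rdr on $int_if inet proto tcp from $internal_net to any port 21 tag rdr_ftp -> 127.0.0.1 port 8021

# 3/ 4/ pass only packets carrying a redirect tag, i.e. ones that really
#    went through an rdr rule above. These must precede any broader rule
#    such as Leslie's "pass in log quick on $int_if", which would otherwise
#    let clients reach $proxy:$proxyport directly and make the tag check moot.
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ squid's own fetches originate on the firewall and leave on $ext_if;
#    this is Leslie's existing outbound rule narrowed to the web ports
pass out log on $ext_if inet proto tcp from $proxy to any port { 80, 443 } keep state
```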
Re: Anyone using squid and pf?
Damien Fleuriot skrev 2012-11-29 00:28:
> On 27 November 2012 22:01, Leslie Jensen wrote:
>
> Well, that depends on what you want to do.
>
> If you want FTP traffic to go to ftp-proxy running on the firewall,
> then redirect to 8021.
> If you want it to go to your squid proxy, then send it to port 8080 on
> $proxy.
>
> Let's redo your redirects correctly.
> I'll expand upon Volodymyr's idea of not confusing normal rules with
> ones matching a packet that was redirected, through the use of tags.
>
> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
>
> I liked Volodymyr's original intent behind the "rdr pass", the use of
> tags here allows you to set up actual pass/block rules and still match
> packets coming from a redirect.
> This has many advantages, including:
> - quick keyword
> - flags matching
> - use of labels to keep stats, if you'd like to
>
> Well basically it only has advantages.
>
> Let me know if that helped.

Thank you Damien.

I'll try out your suggestions and report back.

Thanks :-)

/Leslie
Re: Anyone using squid and pf?
On 27 November 2012 22:01, Leslie Jensen wrote:
> Volodymyr Kostyrko skrev 2012-11-26 21:50:
>> 26.11.2012 20:40, Leslie Jensen:
>>
>>> Rules from pf.conf
>>>
>>> # macros
>>> ext_if="xl0"
>>> int_if="bge0"
>>>
>>> tcp_services="{ 22, 993, 5910:5917 }"
>>> tcp_priv_services="{ 389, 443 }"
>>> proxy_services = "{ 21, 80 }"
>>> icmp_types="{ echoreq unreach squench timex }"
>>> internal_net = "172.18.0.0/16"
>>> proxy = "172.18.0.1"
>>> proxyport="8021"
>>>
>>> # tables
>>> table persist
>>> table persist
>>>
>>> # options
>>> set block-policy return # ports are closed but can be seen
>>> set loginterface $ext_if
>>>
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www traffic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>>
>> I could be wrong here but I think you have a loop. You are redirecting
>> from local interface to local interface i.e. the result of redirect is
>> still subject for redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>>
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
>> so port for transparent forwarding is unreachable except when explicitly
>> redirecting to it.
>>
>> Personally I never allow such ambiguity in my configs.
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule so that's why
> I use port 8021.
>
> Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
>
> /Leslie

Well, that depends on what you want to do.

If you want FTP traffic to go to ftp-proxy running on the firewall,
then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on
$proxy.

Let's redo your redirects correctly.
I'll expand upon Volodymyr's idea of not confusing normal rules with
ones matching a packet that was redirected, through the use of tags.

# 1/ redirect web traffic to the proxy $proxy on port $proxyport
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy

# 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp

# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy

# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

I liked Volodymyr's original intent behind the "rdr pass", the use of
tags here allows you to set up actual pass/block rules and still match
packets coming from a redirect.
This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to

Well basically it only has advantages.

Let me know if that helped.
Re: Anyone using squid and pf?
Volodymyr Kostyrko skrev 2012-11-26 21:50:
> 26.11.2012 20:40, Leslie Jensen:
>
>> Rules from pf.conf
>>
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>>
>> # tables
>> table persist
>> table persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting
> from local interface to local interface i.e. the result of redirect is
> still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
>
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
> so port for transparent forwarding is unreachable except when explicitly
> redirecting to it.
>
> Personally I never allow such ambiguity in my configs.

#1 gives a syntax error when I try to load it.

#2 My intention is to redirect only ftp traffic with this rule so that's why
I use port 8021.

Do you mean that I should redirect even ftp traffic to port 8080?

Thanks!

/Leslie
Re: Anyone using squid and pf?
Doug Sampson skrev 2012-11-27 18:34:
> [...]
>
>> Rules from pf.conf
>>
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>        ^
> No whitespace here
>
>> # tables
>> table persist
>> table persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>                            ^
> Whitespace here. Maybe that's the issue here?
>
>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> [...]

Thanks!

No, if you look, I have a $proxy and a $proxyport (I shall rename this one.
It's confusing, I know). So the whitespace is not the problem.

/Leslie
Re: Anyone using squid and pf?
On Nov 27, 2012, at 6:34 PM, Doug Sampson wrote:
> [...]
>
>> Rules from pf.conf
>>
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>        ^
> No whitespace here
>
>> # tables
>> table persist
>> table persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>                            ^
> Whitespace here. Maybe that's the issue here?

Erm, working as intended, Doug.

He's redirecting from his internal net to any port defined as proxiable,
to his $proxy machine on port 8080.

Looks good to me.

>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> [...]
RE: Anyone using squid and pf?
[...]
> Rules from pf.conf
>
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
       ^
No whitespace here

> # tables
> table persist
> table persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port
> $proxy_services -> $proxy port 8080
                           ^
Whitespace here. Maybe that's the issue here?

> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
[...]
Re: Anyone using squid and pf?
Volodymyr Kostyrko skrev 2012-11-26 21:50:
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting
> from local interface to local interface i.e. the result of redirect is
> still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
>
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
> so port for transparent forwarding is unreachable except when explicitly
> redirecting to it.
>
> Personally I never allow such ambiguity in my configs.

Thanks!

I'll try it out. I need to wait until tonight, the machine is in use at
the moment.

#1 I see your point.

#2 this rule is for intended ftp traffic. That's why I'm sending to
another port number.

/Leslie
Re: Anyone using squid and pf?
26.11.2012 20:40, Leslie Jensen:
> Rules from pf.conf
>
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
>
> # tables
> table persist
> table persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

I could be wrong here but I think you have a loop. You are redirecting
from local interface to local interface i.e. the result of redirect is
still subject for redirect. Could you try one of the following:

1. Make this a `rdr in on $int_if`.

2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
so port for transparent forwarding is unreachable except when explicitly
redirecting to it.

Personally I never allow such ambiguity in my configs.

-- 
Sphinx of black quartz judge my vow.
Re: Anyone using squid and pf?
Volodymyr Kostyrko skrev 2012-11-26 10:38:
> 24.11.2012 17:39, Leslie Jensen:
>> I've upgraded squid from 3.1 to 3.2.
>>
>> Starting squid 3.2 with the same configuration file now gives me errors
>> in cache.log when one tries to access any site, and of course no access!
>>
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>>
>> Reverting back to 3.1 works.
>>
>> I know there are some changes in 3.2 that do this
>>
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>>
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
>
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't look
> like your case. Can you please provide relevant parts of pf.conf and
> full log output, not just the first line?

Just to clarify. I'm running pf and squid on the same machine.

Yes, I've also split the listening ports.

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080

Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.aftonbladet.se/
Via: 1.1 "FQDN machine name" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Cache-Control: max-age=259200
Connection: keep-alive

Rules from pf.conf

# macros
ext_if="xl0"
int_if="bge0"

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
proxyport="8021"

# tables
table persist
table persist

# options
set block-policy return # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all
block in log quick on $ext_if from label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state

# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#

Thanks

/Leslie
Re: Anyone using squid and pf?
24.11.2012 17:39, Leslie Jensen:
> I've upgraded squid from 3.1 to 3.2.
>
> Starting squid 3.2 with the same configuration file now gives me errors
> in cache.log when one tries to access any site, and of course no access!
>
> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>
> Reverting back to 3.1 works.
>
> I know there are some changes in 3.2 that do this
>
> + 3.2 intercept port receiving forward-proxy requests will reject them
> due to NAT failure/lies.
> + 3.2 Host header validation *will* reject if forward traffic is
> validated as being intercepted.
>
> I would appreciate suggestions for changes to squid.conf so that squid
> will work for me with version 3.2.

When switching to 3.2 I had to split listening ports - one for
transparency and one for the local machine. However this doesn't look
like your case. Can you please provide relevant parts of pf.conf and
full log output, not just the first line?

-- 
Sphinx of black quartz, judge my vow.
Anyone using squid and pf?
I've upgraded squid from 3.1 to 3.2.

Starting squid 3.2 with the same configuration file now gives me errors
in cache.log when one tries to access any site, and of course no access!

2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:

Reverting back to 3.1 works.

I know there are some changes in 3.2 that do this

+ 3.2 intercept port receiving forward-proxy requests will reject them
due to NAT failure/lies.
+ 3.2 Host header validation *will* reject if forward traffic is
validated as being intercepted.

I would appreciate suggestions for changes to squid.conf so that squid
will work for me with version 3.2.

Thanks

/Leslie