rdr and bridge

2008-08-24 Thread Aaron Martinez

Hi All,

I'm trying to get redirection working on an OpenBSD 4.3 stable bridge 
and not having any luck getting redirection to work.


I'm doing the filtering and redirection on the external interface and 
passing everything on the internal interfaces.  I want to redirect 
traffic coming into the external interface, destined for machines behind 
the bridge, to the external interface to authenticate using authpf.  
When I ssh to a host behind the bridge (192.168.5.2 for example) I don't 
see any redirection happening when I watch the traffic with tcpdump.  I 
also tried doing the redirection on bridge0 with the same results.


Any help would be greatly appreciated. 


TIA,

Aaron

interfaces:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
   groups: lo
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
   inet 127.0.0.1 netmask 0xff00
re0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:30:18:b1:eb:17
   groups: egress
   media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
   status: active
   inet6 fe80::230:18ff:feb1:eb17%re0 prefixlen 64 scopeid 0x1
   inet 192.168.5.100 netmask 0xff00 broadcast 192.168.5.255
re1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:30:18:b1:eb:18
   media: Ethernet autoselect (autoselect half-duplex)
   status: active
   inet6 fe80::230:18ff:feb1:eb18%re1 prefixlen 64 scopeid 0x2
enc0: flags=0 mtu 1536
bridge0: flags=41<UP,RUNNING> mtu 1500
   groups: bridge
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
   groups: pflog


tcpdump output:
19:41:40.024232 arp who-has 192.168.5.2 tell 192.168.5.254
19:41:40.024484 arp reply 192.168.5.2 is-at 00:30:f1:01:d3:d8
19:41:40.024640 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 50179, len 48)
19:41:42.975391 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 51142, len 48)
19:41:49.011873 192.168.3.142.1177 > 192.168.5.2.22: S [tcp sum ok] 506892432:506892432(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) (ttl 126, id 52381, len 48)



Here are my rules:

ext_if = "re0"
int_if = "re1"
lan = "192.168.5.0/24"
allowed_in = "www https"
table <lan_hosts> const { 192.168.5.0/24 !fe80::230:18ff:feb1:eb18 }
table <authpf_users> persist
set limit states 2
set limit frags 1
set limit table-entries 500
set optimization normal
set block-policy drop
set timeout frag 10
set timeout tcp.established 3600
set skip on { lo }
set fingerprints "/etc/pf.os"
scrub out on re0 all random-id fragment reassemble
scrub in all fragment reassemble
nat-anchor "/*" all
nat-anchor "/*" all
rdr-anchor "/*" all
rdr-anchor "/*" all
rdr pass on re0 inet proto tcp from any to any port = ssh -> 192.168.5.100
binat-anchor "/*" all
anchor "/*" from <authpf_users> to any
anchor "/*" all
block drop log all
block drop in quick from <urpf-failed> to any
pass in on re1 inet from <lan_hosts> to ! 127.0.0.1 flags S/SA keep state
pass in on re1 inet from <lan_hosts> to ! 192.168.5.100 flags S/SA keep state
pass in on re0 inet proto tcp from any to any port = www flags S/SA keep state
pass in on re0 inet proto tcp from any to any port = https flags S/SA keep state

pass out on re1 inet all flags S/SA keep state
pass out on re0 inet proto udp from any to any port = domain keep state
pass in on re0 proto icmp all keep state



Further - rdr on bridge - 4.1, something strange.

2007-08-30 Thread Alexey Suslikov
vilkai wrote:

> same problem here :)
>
> Steve Williams-2 wrote:
>
>> Hi,
>>
>> I am trying to get squid working in transparent mode on a bridge.  With
>> hints from previous emails on the list to use route-to, by all
>> appearances, the packets are getting redirected properly, they just
>> don't arrive at the destination.??   This isn't production yet, or
>> vulnerable, so don't stress about my pf rules :-).  I have also tried to
>> eliminate Squid from the equation by using nc... please read below for
>> my troubleshooting to date.

http://marc.info/?l=openbsd-pf&m=67152325405&w=2

Alexey.



Further - rdr on bridge - 4.1, something strange.

2007-05-06 Thread Steve Williams

Hi,

I am trying to get squid working in transparent mode on a bridge.  With 
hints from previous emails on the list to use route-to, by all 
appearances, the packets are getting redirected properly, they just 
don't arrive at the destination.??   This isn't production yet, or 
vulnerable, so don't stress about my pf rules :-).  I have also tried to 
eliminate Squid from the equation by using nc... please read below for 
my troubleshooting to date.


Here's my config:

# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=0


# head /etc/rc.conf.local
pf=YES  # Packet filter / NAT

# cat /etc/pf.conf
ext_if=fxp0
int_if=rl0
# Squid proxy
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128

pass in all
pass out all
pass in log quick on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128


# cat /etc/hostname.fxp0  ** Closest to default gateway (outside/external)
up

# cat /etc/hostname.rl0  ** Inside/internal
inet 10.5.2.143 255.255.255.0 10.5.2.255 up

# cat /etc/bridgename.bridge0
add fxp0
add rl0
up

I have a PC attached to rl0 (inside) interface.  When I try to use a web 
browser, it just times out.  If I tweak squid to listen on 10.5.2.143 
and configure the web browser to use the proxy at 10.5.2.143 port 3128, 
it works 100%.


Here is what I see on the OpenBSD system when I try to access the 
Internet with my PC running Firefox (behind the transparent bridge)


# tcpdump -ni rl0 port 80 (bridge interface closest to my PC)
17:08:15.094629 10.5.2.46.4814 > 66.35.250.150.80: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF) 



# tcpdump -ni pflog0 (I have logging on for this rule in the pf.conf)
17:08:15.094656 10.5.2.46.4814 > 127.0.0.1.3128: [|tcp] (DF)

# tcpdump -ni lo0 port 3128
17:08:15.094693 10.5.2.46.4814 > 127.0.0.1.3128: S 1268146009:1268146009(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)


However, Squid ( squid-2.6.STABLE9-transparent ) never seems to see the 
packet come in.  I have turned on debugging in squid around the 
comm_select: routine and it never sees any data.  ( I have done 
ALL,9 as well, but nothing jumps out at me as wrong, but there's so 
much data it's hard to sort through)


Per the documentation, I have:
http_port 127.0.0.1:3128 transparent

and to prove it's doing the right thing:
# netstat -an | grep 3128
tcp        0      0  127.0.0.1.3128         *.*                    LISTEN

So, thinking that Squid might be the problem, I did some reading on 
nc, which I have seen referred to as the "swiss army tool".  Seems 
simple enough:


# squid -k shutdown
# nc -l 127.0.0.1 3128

Then from another window I telnet localhost 3128 and what I type in 
the one window shows up in the nc window.


On my PC behind the bridge, I try a telnet 66.225.135.194 80.  I would 
think I should have gotten connected to my nc sessions.  I can see the 
packet getting routed to 127.0.0.1:
17:18:03.050119 10.5.2.46.4864 > 127.0.0.1.3128: S 2290476346:2290476346(0) win 65535 <mss 1260,nop,nop,sackOK> (DF)

but nothing happens and the telnet session times out & fails :-(

By using nc & telnet, I think I have eliminated application level 
configuration problems.  Does anyone have any ideas??  This is driving 
me crazy.  It shouldn't be so difficult, but then again, it's a computer ;-)


I will include my entire squid.conf & dmesg below:

Thanks for any assistance,
Steve Williams

http_port 127.0.0.1:3128 transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
cache_mem 100 MB
cache_dir ufs /squid/cache 5000 256 256
access_log /squid/logs/access.log squid
cache_log /squid/logs/cache.log
cache_store_log /squid/logs/store.log
pid_filename /squid/logs/squid.pid
debug_options 5,9
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/squid/cache
#


and my dmesg just in case.. can't imagine it's relevant at all, but who 
knows.


OpenBSD 4.1 (GENERIC) #1435: Sat Mar 10 19:07:45 MST 2007
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 948 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE

real mem  = 400912384 (391516K)
avail mem = 357761024 (349376K)
using 4278 buffers containing 20168704 bytes (19696K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+ BIOS, date 09/21/00, BIOS32 rev. 0 @ 0xfda74, 

Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-05 Thread Darrin Chandler
On Fri, May 04, 2007 at 10:57:51PM -0600, Steve Williams wrote:
> Mark Pecaut wrote:
>> http://marc.info/?l=openbsd-misc&m=108089194621750&w=2
>>
>> so try
>>
>> rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
>> ...
>> pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
> Which interface do you have the IP address on?  Is it on the interface 
> closest to the default gateway?
>
> Thanks VERY much for your pointers.  I will try this ASAP.

I've used this as well, for spamd in a transparent bridge. In my case
the rdr and pass/route-to were on the $ext_if, which is where I had my
IP address being that it needed to talk to the outside world rather than
internal hosts.

-- 
Darrin Chandler|  Phoenix BSD User Group  |  MetaBUG
[EMAIL PROTECTED]   |  http://phxbug.org/  |  http://metabug.org/
http://www.stilyagin.com/  |  Daemons in the Desert   |  Global BUG Federation



rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Hi,

I have googled with no success, read all the relevant man pages I could 
also with no success.


I have an OpenBSD 4.1 box configured as a bridge.  It is working 100%.  
I have a few monitoring programs (pmacct)  feeding to some analysis 
tools ( flox, pnrg ).  It's also running symon, symux, syweb.  I'm very 
pleased with the config so far.


I now would like to throw squid into the mix acting as a transparent 
proxy.  I have the squid-transparent port installed.  If I change the 
box from a bridge to a router doing NAT, the transparent proxy works 
100%.  I can also hit the box on 3128 and access the Internet (even in 
bridge mode).  However, I want the installation of this system to be 
non-intrusive.  To run as a router, it needs to be the default gateway 
of all the systems, and that amount of change for a transient analysis 
tool is not acceptable.


I have tried everything I can think of to get this to work in bridge 
mode to no avail.


I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.  
I have the default route to be the network default gateway and DNS is 
working on the OpenBSD box.


I have put an IP address on the external (router facing) NIC and told 
Squid to listen to it.  Configuring my browser to use that IP address as 
a proxy works 100%.


I was thinking that a rule like below should work:

rdr on $int_if inet proto tcp from any to any port www tag SQUID -> 10.5.2.143 port 3128


int_if has no ip address.  10.5.2.143 is the IP address assigned on the 
external interface.  My reasoning was that this would conceptually 
route the packet across the 2 interfaces, coming in on the internal and 
going out on the external.  Doing a tcpdump on the int_if I can see the 
packet arriving with a destination port 80.  Doing a tcpdump on the 
ext_if, I can see the packet arriving with a destination port of 3128.  
Squid never sees the packet...or maybe it does, but it does not log 
anything.  I'm completely at a loss, as the squid itself is working 
properly if I can just get the packets to it!


I have tried most combinations of IP address on inside interface, 
outside interface, redirecting to inside, outside, localhost, etc. to no 
avail.


I'm beginning to wonder if rdr is even possible on a bridge interface.  I 
have not been able to find a complete list of commands available to the 
brconfig (eg: brconfig bridge0 rule pass in on fxp0 src 9:8:7:6:5:4 tag 
boss)


I cannot believe that at the bridge level (ethernet) I have access to 
any ip information (eg: port), so I can't tag at the bridge level for 
processing in pf.  Any attempts I made to specify that type of 
information with the brconfig command failed.


Can anyone shed any light?

And no, no packets should be getting blocked as I have 2 rules,

pass in all keep state
pass out all keep state

Thanks,
Steve Williams



Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Mark Pecaut

On 5/4/07, Steve Williams [EMAIL PROTECTED] wrote:

> I now would like to throw squid into the mix acting as a transparent
> proxy.  I have the squid-transparent port installed.  If I change the

...

> I have tried everything I can think of to get this to work in bridge
> mode to no avail.
>
> I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.


http://marc.info/?l=openbsd-misc&m=108089194621750&w=2

so try

rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
...
pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128

I have it working here like this.  Also, you aren't doing IP
forwarding, so turn that off.  The bridge does not need it.

-Mark
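
The pairing Mark gives above (an rdr whose target is an address of the bridge box itself, plus a `pass in ... route-to lo0` rule for the same address and port), together with his note that the bridge does not need IP forwarding, can be checked mechanically before loading a ruleset. The Python below is an added example, not code from this thread or from OpenBSD: the rule fragments embedded in it are constructed to resemble the ones quoted in the thread, the set of addresses treated as local to the bridge is a caller-supplied assumption, and it also covers Aaron's case of an rdr that leaves the port unchanged.

```python
import re
# Constructed pf.conf fragments modelled on the rules quoted in this thread
# (not any poster's complete configuration).
# (a) Steve's first attempt: rdr to the proxy, but no route-to lo0 rule.
BROKEN_CONF = """
ext_if = "fxp0"
int_if = "rl0"
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in all
pass out all
"""
# (b) Mark's working pair: the same rdr plus the pass in ... route-to lo0 rule,
#     and an rdr to another host, which needs no route-to and must not be flagged.
FIXED_CONF = BROKEN_CONF + """
pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
rdr on $int_if inet proto tcp from any to any port smtp -> 10.5.2.50 port 25
"""
# (c) Aaron's authpf rule: rdr to the bridge's own address, port unchanged.
AUTHPF_CONF = "rdr pass on re0 inet proto tcp from any to any port = ssh -> 192.168.5.100\n"

RDR_RE = re.compile(r"^rdr\b.*->\s*(\S+)(?:\s+port\s+(\S+))?")   # target addr, optional port
ROUTE_RE = re.compile(r"^pass\s+in\b.*\broute-to\s+lo0\b.*\bto\s+(\S+)\s+port\s+(\S+)")

def check_bridge_rdr(conf, local_addrs, ip_forwarding):
    """Findings for a pf ruleset on a bridge.  local_addrs: addresses that belong
    to the bridge box itself (caller-supplied assumption); ip_forwarding: the
    value of net.inet.ip.forwarding on the box."""
    rdrs, routes = [], set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = RDR_RE.match(line)
        if m:
            rdrs.append((m.group(1), m.group(2)))
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.add((m.group(1), m.group(2)))
    findings = []
    for addr, port in rdrs:
        if addr not in local_addrs:
            continue                                  # redirected to another host
        # a redirect to the box itself needs the route-to lo0 rule for the same
        # address (and port, when the rdr rewrites the port)
        if not any(a == addr and (port is None or p == port) for a, p in routes):
            where = f"{addr} port {port}" if port else addr
            findings.append(f"rdr to local {where} has no matching 'pass in ... route-to lo0' rule")
    if ip_forwarding:
        findings.append("net.inet.ip.forwarding=1 is not needed for a bridge")
    return findings
```

Run it against the output of `pfctl -sn`/`pfctl -sr` pasted into a string, with `local_addrs` filled from the bridge's `ifconfig` output.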



Re: rdr on bridge interface possible? (squid transparent proxy on bridge)

2007-05-04 Thread Steve Williams

Mark Pecaut wrote:

> On 5/4/07, Steve Williams [EMAIL PROTECTED] wrote:
>
>> I now would like to throw squid into the mix acting as a transparent
>> proxy.  I have the squid-transparent port installed.  If I change the
>
> ...
>
>> I have tried everything I can think of to get this to work in bridge
>> mode to no avail.
>>
>> I have net.inet.ip.forwarding=1.  I have pf=YES in /etc/rc.conf.local.
>
>
> http://marc.info/?l=openbsd-misc&m=108089194621750&w=2
>
> so try
>
> rdr on $int_if inet proto tcp from any to port www -> 127.0.0.1 port 3128
> ...
> pass in on $int_if route-to lo0 proto tcp from any to 127.0.0.1 port 3128
>
> I have it working here like this.  Also, you aren't doing IP
> forwarding, so turn that off.  The bridge does not need it.
>
> -Mark
Which interface do you have the IP address on?  Is it on the interface 
closest to the default gateway?


Thanks VERY much for your pointers.  I will try this ASAP.

Cheers,
Steve Williams