Hello,

I have a very odd problem with pf connection pool (2 ISPs) and squid 3. Just to
mention, I support 3 other networks without connection pool. All of them
work using squid and pf but do not use connection pool. If I set up my
browser to use proxy (e.g. gateway port 3128), all traffic passes through
squid. If I use rdr rule (as I should) I am unable to browse web. My
question is what is the difference between the request from browser
instructed to use proxy, and the rdr rule of pf. Why are my requests dying?
I will not attach squid.conf since I have changed just the allowed network
and have added "transparent". Here is my sample pf.conf:

lan_net = "192.168.0.0/24"
int_if  = "rl0"
ext_if1 = "dc0"
ext_if2 = "rl1"
ext_gw1 = "X1"
ext_gw2 = "X2"
local_host = "127.0.0.1"

# define ports
ports_in = "{9000}"
ports_out = "{21, 25, 53, 80, 110, 443, 1863, 1194, 5190, 5222, 9000}"

# define allowed hosts
table <allowed> persist file "/etc/allowed"

# skip lo0
set skip on lo0

# default block policy
set block-policy drop

# normalize packets
scrub in all fragment reassemble

# squid it
#rdr on $int_if inet proto tcp to port 80 -> $local_host port 3128

#  nat outgoing connections on each internet interface
# nat on $ext_if1 from $lan_net to any -> ($ext_if1)
# nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if1 from <allowed> to any -> ($ext_if1)
nat on $ext_if2 from <allowed> to any -> ($ext_if2)

# spoof protection
antispoof quick for {$int_if, $ext_if1, $ext_if2}

#  default deny
block in log from any to any
block out log from any to any

#  pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

#  pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
pass out quick on $int_if from $int_if to $lan_net

#  load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

#  load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general "pass in" rules for external interfaces
pass in on $ext_if1 proto tcp from any to $ext_if1 port $ports_in
pass in on $ext_if2 proto tcp from any to $ext_if2 port $ports_in

#  general "pass out" rules for external interfaces
pass out on $ext_if1 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if1 proto udp from any to any port $ports_out keep state
pass out on $ext_if1 proto icmp from any to any keep state

pass out on $ext_if2 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if2 proto udp from any to any port $ports_out keep state
pass out on $ext_if2 proto icmp from any to any keep state

#  route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
#  $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Thanks in advance.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
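One thing to check in the setup above, shown as an added pf.conf fragment that is not part of the original post: pf applies rdr before the filter rules, so the redirected packet reaches the "pass in on $int_if route-to" rule with destination 127.0.0.1 port 3128 and is pushed out $ext_if1 or $ext_if2 instead of being delivered to squid (the existing "to $int_if" quick rule does not cover it). The fragment reuses the poster's macro names and assumes squid listens on 127.0.0.1:3128.

```pf
# Added example, not the poster's config: rdr plus a quick pass rule that
# keeps the redirected traffic away from the route-to rules below it.
# Macro names ($int_if, $lan_net, $local_host, ...) are the poster's.

# squid it: translate LAN web traffic to the local proxy.
# Translation happens before filtering, so every filter rule after this
# sees destination 127.0.0.1 port 3128, not the original web server.
rdr on $int_if inet proto tcp from $lan_net to any port 80 \
    -> $local_host port 3128

# Deliver the redirected packets locally before the load-balancing rule
# can match them. Without "quick", the later "pass in on $int_if route-to"
# rule is the last match and sends them out an external interface instead
# of to squid, so the browser never gets a reply.
pass in quick on $int_if inet proto tcp from $lan_net \
    to $local_host port 3128 flags S/SA keep state

# Equivalent alternative: exclude the proxy from the route-to rule itself
# (replaces the poster's tcp route-to rule, do not use both).
# pass in on $int_if route-to \
#     { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
#     proto tcp from $lan_net to ! $local_host flags S/SA modulate state
```

pfctl -nf /etc/pf.conf checks the syntax before loading, and "pfctl -ss | grep 3128" should then show states to the proxy while a LAN client browses. On FreeBSD, squid built with pf transparent support also needs read access to /dev/pf to recover the original destination of a redirected connection; without it the proxy accepts the connection but cannot serve it.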