pf/net-stack bug ? - anyone using pf nat+rdr and squid ?

Andrew Atrens atrens at nortelnetworks.com
Thu Apr 28 22:06:49 PDT 2005


Hi Folks,

I'm trying to use PF and squid.

My application is a front-end box connected to my cable/dsl provider.

It does nat (there are two computers behind it) and I'd also like to 
put a squid cache on it, since both computers tend to surf similar
things.

I've spent a few hours tweaking my pf.conf file to try and get this
to work with no success...

Here's my pf.conf file -

> ext_if="sis0"
> int_if="wi0"
> lan_if="sis1"
> 
> scrub on $ext_if all no-df random-id
> 
> altq on $ext_if cbq bandwidth 5Mb queue { std, http, mail, ssh }
> 
> queue std bandwidth  20% cbq(default borrow)
> queue http bandwidth 60% priority 2 cbq(borrow red)
> queue mail bandwidth 10% priority 0 cbq(borrow ecn)
> queue ssh bandwidth  10% cbq(borrow) { ssh_interactive, ssh_bulk }
> queue ssh_interactive priority 7
> queue ssh_bulk priority 0
> 
> nat on $ext_if inet from !($ext_if) to any -> ($ext_if)
> 
> rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128
> rdr on $lan_if inet proto tcp from $lan_if:network to any port www -> 127.0.0.1 port 3128
> 
> pass in log on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> pass in log on $lan_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
> 
> pass out on $ext_if inet proto tcp from any to any port www keep state queue http
> 
> pass out on $ext_if inet proto tcp from any to any port 22 \
>          keep state queue(ssh_bulk, ssh_interactive)
> 
> pass out on $ext_if inet proto tcp from any to any port 25 \
>          keep state queue mail
> 
> pass out on $ext_if all keep state queue std
> 
> block in quick on $ext_if from any to 255.255.255.255
> block in quick on $ext_if inet proto tcp from any to $ext_if port 22

Note that everything here appears to work, except the rdr rules.

With the rdr rules in place I can't connect through this box on port 80, although I do
get entries logged in /var/log/pflog. But I must say pflog fills up in a very bursty
fashion - makes it difficult to match cause and effect when you're tweaking pf.conf
and then doing a 'try it now'. :)

With the rdr rules removed, it just works.

Note that squid is running, listening on port 3128. I can telnet to 127.0.0.1 1328 there
locally and get a connection, no problem. But the access logs indicate that squid isn't
hearing anything when I try to 'telnet www.google.com 80' through one of my natted boxes,
though, as I said, correct looking entries do show up in /var/log/pflog -

00:31:23.051383 IP (tos 0x10, ttl  64, id 13651, offset 0, flags [none], length: 64)10.0.10.2.1161 > localhost.3128: S [tcp sum ok] 3988830909:3988830909(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 517945 0>
00:31:23.759448 IP (tos 0x10, ttl  64, id 13657, offset 0, flags [none], length: 64)10.0.10.2.1162 > localhost.3128: S [tcp sum ok] 1249153945:1249153945(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 518016 0>
00:31:24.465903 IP (tos 0x10, ttl  64, id 13663, offset 0, flags [none], length: 64)10.0.10.2.1163 > localhost.3128: S [tcp sum ok] 897021150:897021150(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 518086 0>

So the rdr rule is performing the translation, but the packets aren't getting pushed
out the lo0 interface ..

Any help you folks could provide would be greatly appreciated. :)

Cheers,

Andrew.
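The message above complains that pflog output arrives in bursts and is hard to match against each "try it now" attempt, and that the three logged SYNs to localhost:3128 never get a reply. The following triage helper is an added example and is not part of the original message or of pf or squid: it parses tcpdump-style pflog lines like the ones quoted, groups packets into flows, and reports which connections were redirected but never answered with a SYN-ACK, so a redirect that translates but does not deliver stands out from one that works. The sample log is constructed: the first three lines are the ones quoted above, the last two are a hypothetical flow to 192.0.2.10 port 22 that did get its SYN-ACK, included only for contrast.

```python
"""Group tcpdump-style pflog lines into TCP flows and flag unanswered SYNs.

Added example for triaging pf rdr problems; not code from the mailing-list
post, pf, or squid. Works on the text format tcpdump prints for pflog.
"""
import re
from collections import defaultdict

# Constructed sample: three real-looking SYNs to localhost:3128 (as in the post) plus a
# hypothetical answered flow to 192.0.2.10:22 so both outcomes appear in the report.
SAMPLE_LOG = """\
00:31:23.051383 IP (tos 0x10, ttl  64, id 13651, offset 0, flags [none], length: 64)10.0.10.2.1161 > localhost.3128: S [tcp sum ok] 3988830909:3988830909(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 517945 0>
00:31:23.759448 IP (tos 0x10, ttl  64, id 13657, offset 0, flags [none], length: 64)10.0.10.2.1162 > localhost.3128: S [tcp sum ok] 1249153945:1249153945(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 518016 0>
00:31:24.465903 IP (tos 0x10, ttl  64, id 13663, offset 0, flags [none], length: 64)10.0.10.2.1163 > localhost.3128: S [tcp sum ok] 897021150:897021150(0) win 57344 <mss 1460,nop,wscale 0,nop,nop,sackOK,nop,nop,timestamp 518086 0>
00:31:30.100000 IP (tos 0x0, ttl  64, id 13700, offset 0, flags [none], length: 64)10.0.10.2.1170 > 192.0.2.10.22: S [tcp sum ok] 1000:1000(0) win 57344 <mss 1460>
00:31:30.130000 IP (tos 0x0, ttl  55, id 4242, offset 0, flags [DF], length: 60)192.0.2.10.22 > 10.0.10.2.1170: S. [tcp sum ok] 2000:2000(0) ack 1001 win 5840 <mss 1460>
"""

# Timestamp, IP header summary in parentheses, then "src.sport > dst.dport: FLAGS ...".
# Hosts may be numeric or resolved names; the last ".digits" before " > " / ":" is the port.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \((?P<iphdr>[^)]*)\)\s*'
    r'(?P<src>[\w.\-]+)\.(?P<sport>\d+) > (?P<dst>[\w.\-]+)\.(?P<dport>\d+): '
    r'(?P<flags>[A-Z.]+) '
)


def _seconds(ts):
    """Convert HH:MM:SS.frac to seconds since midnight (enough for gap measurement)."""
    h, m, s = ts.split(':')
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for a TCP pflog line, or None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d['sport'] = int(d['sport'])
    d['dport'] = int(d['dport'])
    d['t'] = _seconds(d['ts'])
    return d


def summarize(log_text):
    """Build {(src, sport, dst, dport): counters} from the log text.

    A bare SYN always opens (or retransmits) the forward flow; any other packet whose
    reversed 4-tuple is already known is counted as a reply to that flow.
    """
    flows = {}
    for raw in log_text.splitlines():
        pkt = parse_line(raw)
        if pkt is None:
            continue  # non-TCP or differently formatted line: ignore
        fwd = (pkt['src'], pkt['sport'], pkt['dst'], pkt['dport'])
        rev = (pkt['dst'], pkt['dport'], pkt['src'], pkt['sport'])
        if pkt['flags'] == 'S':
            key = fwd
        elif rev in flows:
            key = rev
        else:
            key = fwd
        f = flows.setdefault(key, {'syn': 0, 'synack': 0, 'other': 0,
                                   'first': pkt['t'], 'last': pkt['t']})
        if pkt['flags'] == 'S':
            f['syn'] += 1
        elif pkt['flags'] == 'S.':
            f['synack'] += 1
        else:
            f['other'] += 1
        f['last'] = pkt['t']
    return flows


def unanswered(flows):
    """Flows that sent at least one SYN and never saw a SYN-ACK back."""
    return sorted(k for k, f in flows.items() if f['syn'] and not f['synack'])


def per_destination(flows):
    """{(dst, dport): (flows_seen, flows_unanswered)} to spot a dead redirect target."""
    counts = defaultdict(lambda: [0, 0])
    for (_, _, dst, dport), f in flows.items():
        counts[(dst, dport)][0] += 1
        if f['syn'] and not f['synack']:
            counts[(dst, dport)][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def report(flows):
    """Human-readable summary, one line per destination plus the unanswered flows."""
    lines = []
    for (dst, dport), (seen, dead) in sorted(per_destination(flows).items()):
        lines.append(f"{dst}:{dport}  flows={seen}  unanswered={dead}")
    for src, sport, dst, dport in unanswered(flows):
        f = flows[(src, sport, dst, dport)]
        lines.append(f"  no SYN-ACK: {src}:{sport} -> {dst}:{dport} "
                     f"(syn x{f['syn']}, {f['last'] - f['first']:.3f}s)")
    return "\n".join(lines)


if __name__ == '__main__':
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(summarize(text)))
```

Pipe `tcpdump -n -e -ttt -r /var/log/pflog` output (or the live `tcpdump -i pflog0` stream) into the script; with no stdin it runs on the embedded sample. For the quoted log it reports all three localhost:3128 flows as unanswered, which is the symptom described above: the rdr rewrote the destination, but nothing on the loopback side ever replied.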
