What you are attempting is known as "asymmetric routing". An extensive 
search of the archives will show that it has been discussed a number of 
times, and the configuration you are attempting _can_ be made to work. 
However, to get it working [properly] requires fairly advanced 
routing and pf know-how and is most likely not the desired solution. 
Here is a hint for a simpler life: to avoid asymmetric routing, make sure 
that all your redirect (rdr) rules fully traverse the firewall, i.e. the 
source and destination are connected to different interfaces. In your 
case that would mean that the squid proxy should either run on the 
firewall or reside outside the firewall (and each of these solutions 
has its own advantages).


On 26 Dec 2008 at 16:40, fRANz wrote:

> Hi.
> 
> I've some trouble with this configuration:
> 
> LAN -- fw (openbsd 4.4) -- adsl router
> 
> LAN: 192.168.100.0/24
> fw int int: sis1
> fw int ind: 192.168.100.2
> fw ext int: sis0
> fw ext ind: 10.0.0.2
> router int ind: 10.0.0.1
> 
> I try to configure pf to redirect all web traffic from the internal LAN to
> an internal squid server (192.168.100.8), but rdr doesn't work.
> Now clients work _without_ proxy; when I enable this rule:
> 
> rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
> 
> no one can navigate.
> If I manually configure the browser to use squid as proxy, everything goes
> fine (so squid is active and functional).
> What's the trouble in this config?!
> Regards,
> -f
> 
> #pf.conf
> ############################
> # macros ###################
> ############################
> ext_if = "sis0"
> int_if = "sis1"
> 
> out_tcp = "{25, 53, 80, 110, 443}"
> out_udp = "{53}"
> 
> table <class1> { 192.168.100.1/32, 192.168.100.2/32, 192.168.100.4/32, 192.168.100.5/32, 192.168.100.6/32, 192.168.100.7/32, 192.168.100.8/32, 192.168.100.250/32 }
> table <class2> { 192.168.100.50/32, 192.168.100.51/32, 192.168.100.52/32, 192.168.100.53/32 }
> table <class3> { 192.168.100.3/32, 192.168.100.100/32, 192.168.100.230/32 }
> 
> ############################
> # options ##################
> ############################
> set block-policy return
> set skip on lo0
> scrub in
> 
> ############################
> # nat ######################
> ############################
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on $int_if inet proto tcp from any to port ftp -> 127.0.0.1 port 8021
> #rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
> rdr on $int_if inet proto tcp from any to 192.168.100.251/32 port 8080 -> 10.0.0.1 port 80
> 
> ############################
> # filter ###################
> ############################
> anchor "ftp-proxy/*"
> antispoof quick for { lo $int_if }
> 
> block in all
> pass in on $int_if proto icmp all keep state
> pass in on $int_if proto tcp from any to 192.168.100.8 port 3128 keep state
> pass in on $int_if proto {tcp, udp} from <class1> to any keep state
> pass in on $int_if proto {tcp, udp} from <class3> to any keep state
> pass in on $int_if proto tcp from <class2> to any port $out_tcp keep state
> pass in on $int_if proto udp from <class2> to any port $out_udp keep state
> pass out keep state
> 
> 

---------------------------------------------------------
System Administrator                    ad...@bitwise.net
Bitwise Internet Technologies, Inc.
22 Drydock Avenue                     tel: (617) 737-1837
Boston, MA 02210                      fax: (617) 439-4941
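The hint in the reply above ("make sure that all your redirect rules fully traverse the firewall") can be turned into a mechanical check. The script below is an added example, not code from either poster: it parses the `rdr` lines of a pf.conf in the pre-4.7 syntax used in the thread, expands the `$int_if`/`$ext_if` macros, and flags every rule whose redirect target lives on the subnet attached to the very interface the rule is applied on. Such a target answers the client directly on the LAN segment, so the reply never passes back through pf and the client sees a connection from 192.168.100.8:3128 that it never opened. The sample pf.conf is constructed from the quoted configuration with the `port www` rule un-commented; the interface-to-subnet map is an assumption taken from the addresses in the original post (in practice you would build it from `ifconfig` output).

```python
import ipaddress
import re

# Constructed sample based on the pf.conf quoted in the thread, with the
# "port www" rule un-commented and each rule kept on one line.
SAMPLE_PF_CONF = """\
ext_if = "sis0"
int_if = "sis1"
nat on $ext_if from !($ext_if) to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to port ftp -> 127.0.0.1 port 8021
rdr pass on $int_if inet proto tcp from any to port www -> 192.168.100.8 port 3128
rdr on $int_if inet proto tcp from any to 192.168.100.251/32 port 8080 -> 10.0.0.1 port 80
"""

# Assumed interface -> attached subnet map (addresses from the original post).
IFACE_NETS = {
    "sis1": ipaddress.ip_network("192.168.100.0/24"),
    "sis0": ipaddress.ip_network("10.0.0.0/24"),
}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# Matches: rdr [pass] on <iface> ... -> <target-address> [port N]
RDR_RE = re.compile(r'^\s*rdr(?:\s+pass)?\s+on\s+(\S+)\s.*->\s*(\S+)')


def parse_macros(conf):
    """Collect name = "value" macro definitions."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Replace $name with its macro value; leave other tokens untouched."""
    return macros.get(token[1:], token) if token.startswith("$") else token


def parse_rdr_rules(conf):
    """Return (interface, target_address, rule_text) for each active rdr rule."""
    macros = parse_macros(conf)
    rules = []
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out rules are not loaded by pfctl
        m = RDR_RE.match(line)
        if m:
            iface = expand(m.group(1), macros)
            target = ipaddress.ip_address(m.group(2))
            rules.append((iface, target, line.strip()))
    return rules


def check_asymmetric(conf, iface_nets=IFACE_NETS):
    """Return the rdr rules whose target sits on the segment attached to the
    interface the rule is applied on. Replies from such a target reach the
    client directly instead of coming back through the firewall."""
    findings = []
    for iface, target, text in parse_rdr_rules(conf):
        if target.is_loopback:
            continue  # proxy on the firewall itself: traffic always traverses pf
        net = iface_nets.get(iface)
        if net is not None and target in net:
            findings.append(text)
    return findings


if __name__ == "__main__":
    for rule in check_asymmetric(SAMPLE_PF_CONF):
        print("asymmetric redirect:", rule)
```

Run against the sample, only the `port www` rule is reported: its target 192.168.100.8 sits on the sis1 network, the same interface the rule is attached to. The ftp-proxy rule targets 127.0.0.1 and the 8080 rule targets 10.0.0.1 behind sis0, so both traverse the firewall. Moving squid onto the firewall (target 127.0.0.1) or outside it, as the reply suggests, makes the check pass.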