Discussion:
Problems with pf rules for intercept squid proxy
C. L. Martinez
2016-06-28 13:07:59 UTC
Hi all,

I have some problems with my pf rules on a FreeBSD 10.3 host that acts as a squid intercept proxy. My current pf rules are:

rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145

At first sight it seems that these rules work, but they don't. Traffic is redirected to squid, but squid denies all connections:

1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET http://www.osnews.com/ - HIER_NONE/- text/html

Using the same squid.conf file on an OpenBSD test machine, squid works without problems. For this reason, I don't think there is any problem with my squid config. The only difference between the OpenBSD host and the FreeBSD one is the pf rules. On the OpenBSD host, the pf rules are:

pass in inet proto tcp from $int_network to any port http divert-to 127.0.0.1 port 5144
pass in inet proto tcp from $int_network to any port https divert-to 127.0.0.1 port 5145

... and all works OK.

Any idea why squid denies connections using FreeBSD's pf rules?

Thanks.
--
Greetings,
C. L. Martinez
Kristof Provost
2016-06-28 17:37:37 UTC
You may have a different squid version, or they may be patched
differently.
Your redirect rules are working, as demonstrated by the fact that squid
gets a request, and replies to it.

Note that pf does not change your HTTP payload, it only affects TCP. In
other words: if Squid sees the connection (and it does) it’s a Squid
problem.

Also note that you’re redirecting on FreeBSD, but using divert-to on
OpenBSD.
This may be triggering different behaviour from Squid. The man page says
that with divert-to:

The packets will not be modified, so getsockname(2) on the socket will return the original destination address of the packet.

That might be affecting an ACL in Squid.

Regards,
Kristof
C. L. Martinez
2016-06-29 11:33:24 UTC
Thanks Kristof. I am using squid installed from pkg on a fully updated FreeBSD 10.3:

Squid Cache: Version 3.5.19
Service Name: squid
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache' '--without-gnutls' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--disable-arch-native' '--enable-eui' '--enable-cache-digests' '--enable-delay-pools' '--disable-ecap' '--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp' '--enable-icap-client' '--enable-icmp' '--enable-ident-lookups' '--enable-ipv6' '--enable-kqueue' '--with-large-files' '--enable-http-violations' '--without-nettle' '--enable-snmp' '--enable-ssl' '--with-openssl=/usr' 'LIBOPENSSL_CFLAGS=-I/usr/include' 'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd' '--disable-stacktraces' '--enable-ipf-transparent' '--enable-ipfw-transparent' '--enable-pf-transparent' '--with-nat-devpf' '--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2' '--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe -fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread -fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 ' 'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock ufs' '--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' 
'--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector -fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience

According to these options, intercept is enabled ... Then, I don't understand why it doesn't work ...
--
Greetings,
C. L. Martinez
krad
2016-06-29 12:39:46 UTC
Have you got these lines in your /etc/devfs.conf file?

own pf root:squid
perm pf 0770

You also need lines like this in squid.conf:

http_port 192.168.1.1:3128 intercept
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "
C. L. Martinez
2016-06-29 13:20:58 UTC
Yep, but isn't it too dangerous to assign 0770 to /dev/pf?

Anyway, I have tried it, but with the same error: traffic is denied by squid ...
--
Greetings,
C. L. Martinez
krad
2016-06-29 13:32:08 UTC
You need to, as squid needs read/write access to /dev/pf to work in
intercept mode. As long as you don't have any other users in the squid group
you are good. Did you restart devfs or reboot?
krad
2016-06-29 13:33:53 UTC
Oh, also: if you are redirecting https you will need to set up squid to do SSL
bump and install certs on all your clients. As you haven't supplied your
squid.conf it's difficult to know if that's correct.
krad
2016-06-29 13:35:02 UTC
Also make sure you have opened the squid ACL to your local network.
Post by krad
oh also if you are redirecting https you will need to setup squid to do
ssl bump and install certs on all your clients. As you havent supplied your
squid.conf its difficult to know if thats correct.
Post by krad
you need to as squid needs read write access to the /dev/pf to work in
intercept mode. As long as you dont have any other users in the squid group
you are good. Did you restart devfs or reboot?
Post by C. L. Martinez
Yep, is it not too dangerous to assign 0770 to /dev/pf??
Anyway, I have tried, but with same error: traffic is denied by squid ...
Post by krad
have you got these lines in your /etc/devfs.conf file
own pf root:squid
perm pf 0770
you also need lines like this in the squid.conf
http_port 192.168.1.1:3128 intercept
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
I have some problems with my pf rules on a FreeBSD 10.3 host
that acts
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
rdr pass on $vpnif proto tcp from $int_network to any port http
-> lo0
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https
-> lo0
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
port 5145
At first stage it seems that these rules works, but don't.
Traffic is
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
1467111934.502 1 172.22.55.1 TCP_DENIED/403 4221 GET
http://www.osnews.com/ - HIER_NONE/- text/html
Using same squid.conf's file under an OpenBSD test machine,
squid
Post by krad
Post by Kristof Provost
works
Post by Kristof Provost
Post by C. L. Martinez
without problems. For this reason, I don't think there is some
problem
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
with my squid's config. The only difference between this OpenBSD
host
Post by krad
Post by Kristof Provost
Post by Kristof Provost
Post by C. L. Martinez
and FreeBSD are the pf rules.
You may have a different squid version, or they may be patched
differently.
Post by Kristof Provost
Your redirect rules are working, as demonstrated by the fact that
squid
Post by krad
Post by Kristof Provost
gets
Post by Kristof Provost
a request, and replies to it.
Note that pf does not change your HTTP payload, it only affects
TCP. In
Post by krad
Post by Kristof Provost
Post by Kristof Provost
other words: if Squid sees the connection (and it does) it’s a
Squid
Post by krad
Post by Kristof Provost
Post by Kristof Provost
problem.
Also note that you’re redirecting on FreeBSD, but using divert-to
on
Post by krad
Post by Kristof Provost
Post by Kristof Provost
OpenBSD.
This may be triggering different behaviour from Squid. The man
page says
Post by krad
Post by Kristof Provost
Post by Kristof Provost
The packets will not be modified, so getsockname(2) on the
socket
Post by krad
Post by Kristof Provost
will
Post by Kristof Provost
return
the original destination address of the packet.
That might be affecting an ACL in Squid.
Regards,
Kristof
Thanks Kristof. I am using squid installed from pkg under FreeBSD 10.3:
Squid Cache: Version 3.5.19
Service Name: squid
configure options: '--with-default-user=squid'
'--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var'
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--with-swapdir=/var/squid/cache'
'--without-gnutls' '--enable-auth' '--enable-build-info'
'--enable-loadable-modules' '--enable-removal-policies=lru heap'
'--disable-epoll' '--disable-linux-netfilter'
'--disable-linux-tproxy'
'--disable-translation' '--disable-arch-native' '--enable-eui'
'--enable-cache-digests' '--enable-delay-pools' '--disable-ecap'
'--disable-esi' '--enable-follow-x-forwarded-for' '--enable-htcp'
'--enable-icap-client' '--enable-icmp' '--enable-ident-lookups'
'--enable-ipv6' '--enable-kqueue' '--with-large-files'
'--enable-http-violations' '--without-nettle' '--enable-snmp'
'--enable-ssl' '--with-openssl=/usr'
'LIBOPENSSL_CFLAGS=-I/usr/include'
'LIBOPENSSL_LIBS=-lcrypto -lssl' '--enable-ssl-crtd'
'--disable-stacktraces' '--enable-ipf-transparent'
'--enable-ipfw-transparent' '--enable-pf-transparent'
'--with-nat-devpf'
'--enable-forw-via-db' '--enable-wccp' '--enable-wccpv2'
'--with-heimdal-krb5=/usr' 'CFLAGS=-I/usr/include -O2 -pipe
-fstack-protector -fno-strict-aliasing' 'LDFLAGS=-L/usr/lib -pthread
-fstack-protector' 'LIBS=-lkrb5 -lgssapi -lgssapi_krb5 '
'KRB5CONFIG=/usr/bin/krb5-config' '--enable-auth-basic=DB SMB_LM
MSNT-multi-domain NCSA PAM POP3 RADIUS fake getpwnam NIS'
'--enable-auth-digest=file'
'--enable-external-acl-helpers=file_userip
time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper'
'--enable-auth-ntlm=fake smb_lm' '--enable-storeio=aufs diskd rock
ufs'
'--enable-disk-io=DiskThreads DiskDaemon AIO Blocking IpcIo Mmapped'
'--enable-log-daemon-helpers=file'
'--enable-url-rewrite-helpers=fake'
'--enable-storeid-rewrite-helpers=file' '--prefix=/usr/local'
'--mandir=/usr/local/man' '--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd10.1'
'build_alias=amd64-portbld-freebsd10.1'
'CC=cc' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -fstack-protector
-fno-strict-aliasing ' 'CPP=cpp' --enable-ltdl-convenience
According to these options, intercept is enabled ... Then I don't
understand why it doesn't work ...
--
Greetings,
C. L. Martinez
_______________________________________________
https://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "
C. L. Martinez
2016-06-29 13:55:30 UTC
Permalink
Thanks Krad. And the answer to your questions is: yes. I have restarted the FreeBSD hosts after the devfs change, my squid config uses ssl-bump (it is the same squid.conf file that I use on another OpenBSD host that works as an intercept proxy without problems)... My laptop has squid's cert installed and ACLs are configured ...

But nothing: it doesn't work.
Post by krad
Also make sure you have opened the squid ACL to your local network.
Post by krad
Oh, also, if you are redirecting https you will need to set up squid to do
ssl bump and install certs on all your clients. As you haven't supplied your
squid.conf it's difficult to know if that's correct.
Post by krad
You need to, as squid needs read/write access to /dev/pf to work in
intercept mode. As long as you don't have any other users in the squid group
you are good. Did you restart devfs or reboot?
Post by C. L. Martinez
Yep. Is it not too dangerous to assign 0770 to /dev/pf?
Anyway, I have tried, but with the same error: traffic is denied by squid ...
Post by krad
Have you got these lines in your /etc/devfs.conf file?
own pf root:squid
perm pf 0770
You also need lines like this in the squid.conf:
http_port 192.168.1.1:3128 intercept
--
Greetings,
C. L. Martinez
krad
2016-06-29 14:00:39 UTC
Permalink
The setup does fundamentally work, as I'm using it, so you must be missing
something, probably in your squid config.
Post by C. L. Martinez
Thanks Krad. And the answer to your questions is: yes. I have restarted
the FreeBSD hosts after the devfs change, my squid config uses ssl-bump (it is the
same squid.conf file that I use on another OpenBSD host that works as an
intercept proxy without problems)... My laptop has squid's cert installed
and ACLs are configured ...
But nothing: it doesn't work.
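krad's reply points at the squid config rather than pf, and the thread has already named the three things that must line up: the rdr target port, an http_port/https_port line with intercept (plus ssl-bump for https), and /dev/pf being readable and writable by squid. As an added example, not code from the thread, pf or Squid, here is a checker that reads those three files and reports mismatches; the pf.conf, squid.conf and devfs.conf snippets, the 127.0.0.1 bind addresses and the cert path are constructed, and a /dev/pf that devfs.conf does not mention is assumed to be root-only.

```python
# Added example (not code from the thread, pf or Squid): cross-check pf redirect rules
# against Squid's listeners and /dev/pf permissions. All three config snippets are constructed.
import re
PF_CONF = """
rdr pass on $vpnif proto tcp from $int_network to any port http -> lo0 port 5144
rdr pass on $vpnif proto tcp from $int_network to any port https -> lo0 port 5145
"""
SQUID_CONF = """
http_port 127.0.0.1:5144 intercept
https_port 127.0.0.1:5145 intercept ssl-bump cert=/path/to/squid.pem
"""
DEVFS_CONF = "own pf root:squid\nperm pf 0770\n"

# FreeBSD 'rdr ... -> host port N' and OpenBSD 'pass ... divert-to host port N'.
REDIR_RE = re.compile(r"^(?:rdr|pass)\b.*\bport\s+(\S+)\s+(?:->|divert-to)\s+(\S+)\s+port\s+(\d+)")
PORT_RE = re.compile(r"^(https?_port)\s+(?:(\[[^\]]*\]|[^\s:]+):)?(\d+)(?:\s+(.*))?$")

def parse_redirects(pf_conf):
    """(service, target host, target port) for each redirect rule."""
    hits = (REDIR_RE.match(ln.strip()) for ln in pf_conf.splitlines())
    return [(m.group(1), m.group(2), int(m.group(3))) for m in hits if m]

def parse_listeners(squid_conf):
    """port -> (directive, bind address, option set) per http(s)_port line."""
    hits = (PORT_RE.match(ln.strip()) for ln in squid_conf.splitlines())
    return {int(m.group(3)): (m.group(1), m.group(2) or "0.0.0.0", set((m.group(4) or "").split()))
            for m in hits if m}

def check(pf_conf, squid_conf, devfs_conf):
    """Return mismatches between the three configs; an empty list means they agree."""
    problems, listeners = [], parse_listeners(squid_conf)
    for service, host, port in parse_redirects(pf_conf):
        want = "https_port" if service in ("https", "443") else "http_port"
        if port not in listeners:
            problems.append(f"no Squid listener on port {port} for the {service} redirect")
            continue
        directive, bind, opts = listeners[port]
        if directive != want:
            problems.append(f"port {port}: {service} traffic needs {want}, found {directive}")
        if "intercept" not in opts:
            problems.append(f"port {port}: listener is not in intercept mode")
        if want == "https_port" and "ssl-bump" not in opts:
            problems.append(f"port {port}: https intercept without ssl-bump")
        if host in ("lo0", "127.0.0.1") and bind not in ("127.0.0.1", "0.0.0.0", "::"):
            problems.append(f"port {port}: redirect targets loopback but Squid binds {bind}")
    # Squid built --with-nat-devpf (like the pkg above) reads /dev/pf to recover the original
    # destination, so its user needs rw access; a device absent from devfs.conf is assumed root-only.
    devfs = {p[0]: p[2] for p in map(str.split, devfs_conf.splitlines()) if len(p) == 3 and p[1] == "pf"}
    user, _, group = devfs.get("own", "root:wheel").partition(":")
    mode = devfs.get("perm", "0600")
    if not ((user == "squid" and int(mode[-3]) & 6 == 6) or (group == "squid" and int(mode[-2]) & 6 == 6)):
        problems.append(f"/dev/pf is {user}:{group} mode {mode}: squid cannot query pf NAT state")
    return problems

print(check(PF_CONF, SQUID_CONF, DEVFS_CONF) or "pf.conf, squid.conf and devfs.conf agree")
```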