DaemonForums  

#1
Old 25th August 2011
silverstream
New User
 
Join Date: Aug 2011
Posts: 1
pf routing to proxy

I've run into an odd problem trying to get pf to route properly to a proxy box. The setup we have is: individual testing PC, pf (OpenBSD 4.7), proxy (CentOS 5.2, Apache 2.2).

Code:
                                          Internet
                                            /     \
                                           /       \
                                          /         \
                                 proxy -------- firewall
                                                         |
                                                         |
                                                     test box
We're trying to get packets bound for any:80 from the test box to go to the proxy, then out to the Internet, then back through the proxy to the test box.

The rules for this are:
Code:
pass out quick on $ext_if proto tcp from $test_box to any port 80 rdr-to $proxy port 8080

(Test box and proxy IPs are obscured here, but they're spelled out in the actual rule.)

On the test box, the proxy works fine if it's set directly in Firefox. Otherwise, connections hang and no data is returned. Running tcpdump on the proxy, I can see the traffic coming in from the test box at first, but it never responds to any ack packets going back out from the proxy. On the firewall, tcpdump and pf -ss show the packets going from the test box to the proxy, but they're getting lost.

The proxy and test box are on two different private networks, but the proxy has a static route to use the firewall as its router when trying to reach the test box network.

Can anyone think of what the problem could be?

TIA.

Last edited by phoenix; 25th August 2011 at 06:43 PM.
#2
Old 25th August 2011
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

Without more information, such as the rest of your ruleset (including any NAT rules), I can only recommend the following:

1. Add logging to every rule, whether pass or block. Your desired packets may be matching an earlier "quick", or not matching this rule for some reason.
2. Use tcpdump(8) with pflog(4) on the firewall, to see what rules are used with the packets of interest. You want to determine if they are being lost due to a block rule, or a pass rule that is not redirecting packets.
#3
Old 25th August 2011
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975

The more I think about your topology, the more I think this is an addressing issue. I wonder if your test box sends http to address a.a.a.a, and is not acknowledging unanticipated responses from address b.b.b.b.

Last edited by jggimi; 26th August 2011 at 05:49 PM.
#4
Old 26th August 2011
jggimi
More noise than signal

Join Date: May 2008
Location: USA
Posts: 7,975
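As an added example (not code from the thread or from its participants), a small sh/awk helper that carries out jggimi's second suggestion in post #2 and also watches for the proxy's replies he speculates about in post #3: it reads tcpdump output from pflog0 and tallies which rule, action, direction and interface handled each packet from the test box to port 80 and each reply from the proxy's port 8080. The addresses 10.1.1.5 (test box), 10.2.2.9 (proxy), the interface names and the log lines are constructed placeholders.

```shell
#!/bin/sh
# Added helper (not from the thread): tally which pf rule handled the packets of
# interest in tcpdump output from pflog0, so a block rule or an unexpected
# earlier "quick" match shows up at a glance.  Rule numbers correspond to the
# @N prefixes printed by "pfctl -vvs rules".
#
# Two flows are tallied: "request" = test box -> any port 80, and
# "reply" = proxy port 8080 -> test box (the b.b.b.b responses from post #3).
#
# usage: tcpdump -n -e -ttt -i pflog0 | summarize_pflog <test-box-ip> <proxy-ip>
summarize_pflog() {
    awk -v tb="$1" -v px="$2" '
    /rule [0-9]+\/[^ ]*\(match\)/ {
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        split($(i + 1), r, "/")              # "5/(match)" -> rule number 5
        act = $(i + 2); dir = $(i + 3)       # pass|block, in|out
        ifc = $(i + 5); sub(/:$/, "", ifc)   # "em0:" -> em0
        src = $(i + 6); dst = $(i + 8); sub(/:$/, "", dst)
        n = split(src, s, "."); sip = s[1] "." s[2] "." s[3] "." s[4]; sport = s[n]
        n = split(dst, d, "."); dip = d[1] "." d[2] "." d[3] "." d[4]; dport = d[n]
        kind = ""
        if (sip == tb && dport == "80") kind = "request"
        else if (sip == px && sport == "8080" && dip == tb) kind = "reply"
        if (kind != "") seen[kind " rule " r[1] " " act " " dir " on " ifc]++
    }
    END { for (k in seen) print k ": " seen[k] }' | sort
}

# Constructed sample in the shape of "tcpdump -n -e -ttt -i pflog0" output;
# 10.1.1.5 (test box), 10.2.2.9 (proxy) and em0/em1 are placeholders.
SAMPLE='Aug 25 14:02:11.100000 rule 2/(match) block in on em1: 10.1.1.5.49152 > 203.0.113.7.80: S 1:1(0) win 16384
Aug 25 14:02:11.200000 rule 5/(match) pass out on em0: 10.1.1.5.49153 > 203.0.113.7.80: S 2:2(0) win 16384
Aug 25 14:02:14.100000 rule 2/(match) block in on em1: 10.1.1.5.49152 > 203.0.113.7.80: S 1:1(0) win 16384
Aug 25 14:02:15.300000 rule 5/(match) pass out on em0: 10.1.1.5.49154 > 198.51.100.3.443: S 3:3(0) win 16384
Aug 25 14:02:16.000000 rule 9/(match) pass in on em0: 10.2.2.9.8080 > 10.1.1.5.49153: S 4:4(0) ack 3 win 16384'

demo() {
    printf '%s\n' "$SAMPLE" | summarize_pflog 10.1.1.5 10.2.2.9
}

demo
```

On the sample, two of the three port-80 SYNs were caught by block rule 2 on the inside interface before the redirecting pass rule ever saw them, which is exactly the kind of earlier match post #2 tells you to look for.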

Gah. I hate auto-correcting text editors. I just repaired the previous post. It said "teddy" -- now it says "test".

Swype. Can't live without it, but sometimes .... it really is a pain.