[FUG-BR] [Off-topic] pf não redireciona com route-to
Fabricio Lima
listas em fabriciolima.com.br
Quarta Novembro 5 14:27:17 BRST 2014
Um tiro no escuro... Mas não uso regras assim com any any em proxy
transparente...
Sao perigosas...
Vamos travar sua origem da regra q intercepta as requisições pra jogar no
proxy.
Faz algo tipo:
Pass from $lan_NET to any 80
Tenta fazer isso no outro redirect tb. Ou vê se um só resolve.
Tenta migrar pra ipfw e vê se o bug se apresenta
Vou ler seu tcpdump antes de falar o proximo teste
Fabricio
Em quarta-feira, 5 de novembro de 2014, spiderslack <
spiderslack em yahoo.com.br> escreveu:
> Ola pessoal.
>
> Se o assunto for off-topic me desculpe. Por nao se tratar especificamente
> de FreeBSD. Mas axo já tentei de tudo. Estou tentando fazer um
> redirecionamento de porta 80 para um proxy. Tenho um FreeBSD com 3
> interfaces.
>
> 1 re0 - wan
> 2 re1 - lan
> 3 alc0 - rede do proxy
>
> Todas as interfaces são ips válidos não tenho nat nesse FreeBSD. O
> endereço IP do proxy é 200.1.1.1(IP exemplo)
>
> pass in quick on re1 route-to (alc0 200.1.1.1) proto tcp from any to any
> port 80
> pass in quick on re0 route-to (alc0 200.1.1.1) proto tcp from any port 80
> to any
>
> A ida e volta porem notei via tcpdump a volta nao é redirecionada (fiz
> testes tentando acessar o site da Cisco: 23.216.160.170):
> *
> **captura na re1**- LAN*
>
> 14:02:31.529558 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.59297 > 23.216.160.170.80: Flags [S], seq
> 2881852864, win 14600, options [mss 1460,sackOK,TS val 8945318 ecr
> 0,nop,wscale 7], length 0
> 14:02:31.529733 00:1a:3f:b1:51:05 > 00:22:57:64:08:c5, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.59297: Flags [S.], seq
> 2813051021, ack 2881852865, win 28960, options [mss 1460,sackOK,TS val
> 50571790 ecr 8945318,nop,wscale 7], length 0
> 14:02:31.533785 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [.], ack 1,
> win 115, options [nop,nop,TS val 8945322 ecr 50571790], length 0
>
> *Three way handshake feito*
>
> 14:02:32.181023 00:1a:3f:b1:51:05 > 00:22:57:64:08:c5, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 1894693316, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2263835919 ecr 50571844,nop,wscale 5], length 0
> 14:02:32.182614 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 60: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
> *
> **Quando o site da cisco responde com SYN/ACK o cliente responde com um
> Reset, ou seja não esta encaminhando a volta para o proxy minha regra de
> volta não esta funcionando**. O que não entendo porque o cliente envia o
> RST. Sera que ele considera uma nova conexão? e como nao tem three way
> handshake feito ele reseta? E o processo ocorre algumas vezes enquanto o
> cliente tenta*.
>
> 14:02:33.324284 00:1a:3f:b1:51:05 > 00:22:57:64:08:c5, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 1910248059, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2263836914 ecr 50571944,nop,wscale 5], length 0
> 14:02:33.325800 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 60: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
> 14:02:35.215487 00:1a:3f:b1:51:05 > 00:22:57:64:08:c5, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 28856710, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2227668864 ecr 50572144,nop,wscale 5], length 0
> 14:02:35.216626 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 60: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
> 14:02:35.668511 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [F.], seq
> 112, ack 1, win 115, options [nop,nop,TS val 8949456 ecr 50571790], length 0
> 14:02:35.668802 00:1a:3f:b1:51:05 > 00:22:57:64:08:c5, ethertype IPv4
> (0x0800), length 66: 23.216.160.170.80 > 200.2.2.2.59297: Flags [F.], seq
> 1, ack 113, win 227, options [nop,nop,TS val 50572204 ecr 8949456], length 0
> 14:02:35.709774 00:22:57:64:08:c5 > 00:00:5e:00:01:0c, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [.], ack 2,
> win 115, options [nop,nop,TS val 8949498 ecr 50572204], length 0
>
>
> *captura na alc0**- Interface onde o proxy esta conectado
> *
> 14:02:31.529573 00:1a:3f:b1:51:05 > 40:f2:e9:db:6b:23, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.59297 > 23.216.160.170.80: Flags [S], seq
> 2881852864, win 14600, options [mss 1460,sackOK,TS val 8945318 ecr
> 0,nop,wscale 7], length 0
> 14:02:31.529726 40:f2:e9:db:6b:23 > 00:00:5e:00:01:0f, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.59297: Flags [S.], seq
> 2813051021, ack 2881852865, win 28960, options [mss 1460,sackOK,TS val
> 50571790 ecr 8945318,nop,wscale 7], length 0
> 14:02:31.533789 00:1a:3f:b1:51:05 > 40:f2:e9:db:6b:23, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [.], ack 1,
> win 115, options [nop,nop,TS val 8945322 ecr 50571790], length 0
>
> *Three way handshake feito**
> **Aqui noto que o proxy tenta sair creio que ele abre 2 conexão uma para o
> cliente outra para o server tipo como o modulo tproxy do linux/squid faz.**
> *
> 14:02:32.070663 40:f2:e9:db:6b:23 > 00:00:5e:00:01:0f, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50571844 ecr
> 0,nop,wscale 7], length 0
> 14:02:33.066233 40:f2:e9:db:6b:23 > 00:00:5e:00:01:0f, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50571944 ecr
> 0,nop,wscale 7], length 0
> 14:02:35.066212 40:f2:e9:db:6b:23 > 00:00:5e:00:01:0f, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50572144 ecr
> 0,nop,wscale 7], length 0
>
> *varios SYNs**e o FIN do cliente.
> *
> 14:02:35.668516 00:1a:3f:b1:51:05 > 40:f2:e9:db:6b:23, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [F.], seq
> 112, ack 1, win 115, options [nop,nop,TS val 8949456 ecr 50571790], length 0
> 14:02:35.668795 40:f2:e9:db:6b:23 > 00:00:5e:00:01:0f, ethertype IPv4
> (0x0800), length 66: 23.216.160.170.80 > 200.2.2.2.59297: Flags [F.], seq
> 1, ack 113, win 227, options [nop,nop,TS val 50572204 ecr 8949456], length 0
> 14:02:35.709782 00:1a:3f:b1:51:05 > 40:f2:e9:db:6b:23, ethertype IPv4
> (0x0800), length 66: 200.2.2.2.59297 > 23.216.160.170.80: Flags [.], ack 2,
> win 115, options [nop,nop,TS val 8949498 ecr 50572204], length 0
>
> *Captura na re0**- WAN
> *
> 14:02:32.070684 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50571844 ecr
> 0,nop,wscale 7], length 0
> 14:02:32.181013 f8:72:ea:74:a1:b0 > 00:00:5e:00:01:01, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 1894693316, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2263835919 ecr 50571844,nop,wscale 5], length 0
> *
> **O three way handshake ocorre pela metade. So tenho o SYN e SYN/ACK. Ai o
> cliente manda o R(reset).**
> *
> 14:02:32.182622 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 54: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
> *
> **E o processo ocorre novamente varias vezes
>
> *14:02:33.066251 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50571944 ecr
> 0,nop,wscale 7], length 0
> 14:02:33.324277 f8:72:ea:74:a1:b0 > 00:00:5e:00:01:01, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 1910248059, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2263836914 ecr 50571944,nop,wscale 5], length 0
> 14:02:33.325807 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 54: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
> 14:02:35.066237 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 74: 200.2.2.2.24450 > 23.216.160.170.80: Flags [S], seq
> 299551137, win 29200, options [mss 1460,sackOK,TS val 50572144 ecr
> 0,nop,wscale 7], length 0
> 14:02:35.215480 f8:72:ea:74:a1:b0 > 00:00:5e:00:01:01, ethertype IPv4
> (0x0800), length 74: 23.216.160.170.80 > 200.2.2.2.24450: Flags [S.], seq
> 28856710, ack 299551138, win 14480, options [mss 1460,sackOK,TS val
> 2227668864 ecr 50572144,nop,wscale 5], length 0
> 14:02:35.216632 00:1a:3f:b1:58:0c > f8:72:ea:74:a1:b0, ethertype IPv4
> (0x0800), length 54: 200.2.2.2.24450 > 23.216.160.170.80: Flags [R], seq
> 299551138, win 0, length 0
>
> Desculpe pelo e-mail longo. Mas ja tentei de tudo. Tentei ao invés de
> route-to o reply-to sem sucesso tentei o divert-to tentei o rdr tambem sem
> sucesso o problema do RDR ele manda direto com destino ao proxy na verdade
> o destino e o site da cisco.
>
> Se alguem já passou por isso. Algum palpite que possa me ajuda desde já
> agradeço.
>
> Att.
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
--
[ ]'s
Fabricio Lima
When your hammer is C++, everything begins to look like a thumb.
Mais detalhes sobre a lista de discussão freebsd