Order of rule application for redirects
I have a thread, "pfSense 2.2: Squid 3.4.10_2 pkg 0.2.6 redirection not working in transparent mode", addressing a specific issue I'm having with transparent Squid, but I think it's boiling down to a redirection issue, so I thought I'd ask more detailed questions in this forum.
Squid, when run in transparent mode, creates a redirect and corresponding firewall rule.
    rdr on msk2 proto tcp from any to !(msk2) port 80 -> 127.0.0.1 port 3128
    pass in quick on msk2 proto tcp from any to !(msk2) port {80,3128} flags S/SA keep state
The rule ends up getting evaluated after a default "block all" rule I've added; however, I have a suitable equivalent defined in my ruleset, thus:
    pass in log quick on $LAN inet proto tcp from any to $pfSense port $SquidProxy tracker 1422139913 flags S/SA keep state label "USER_RULE: Squid Proxy"
    pass in log quick on $LAN inet proto tcp from any to 127.0.0.1 port $SquidProxy tracker 1422382055 flags S/SA keep state label "USER_RULE: Squid Proxy loopback"
With these rules active, if I try to access a website outside of my LAN (which is on msk2), I see an entry in my firewall log showing that a packet has been passed from my laptop to 127.0.0.1:3128, thus.
One might assume that this packet would be delivered, but no.
If I kill Squid, the above rules are still active. If, on the pfSense console, I then run
    nc -vl 3128
it will accept a connection if I telnet to 10.5.1.1 (the pfSense address on the LAN), port 3128. However, if I try to access a website outside of the LAN, I see the packet redirected and passed by the firewall, but nc never sees it.
Am I correct in thinking that the flow of the packet would be source->gateway(pfSense)->redirect->firewall->destination? If so, given that I see passage through the firewall logged, where might the packet be getting lost?
Thanks,
Steve