Why can't I use localhost as an interface in the firewall?



  • I've been looking at this thread: http://forum.pfsense.org/index.php/topic,38882.0.html and it felt a bit strange to create a rule to change the gateway so late in the chain (outgoing WAN-interface)…

    I was more thinking of a rule that redirects traffic coming from the localhost (squid) going to port 80 and not going to any of the local interfaces and redirect that to the loadbalancing gateway.

    Maybe it's because I'm "thinking iptables" and don't know anything about pfilter.

    The reason why I don't want to do it like in that thread is because I don't want to implement the transparent proxy on all LAN-interfaces yet. The day I experimented with squid I had a lot of complaints concerning the performance.....



  • Just go on firewall -> rules and create a rule on floating rules.

    This howto explains how to apply rules to squid running on localhost

    http://securite-ti.com/pfSense_Web_Proxy_with_multi-WAN_links.pdf



  • Yes, I read that post….

    But my question wasn't about following the wiki to install squid with loadbalancing....
    I followed it and it was working....
    Someone also pointed out that I don't need to choose all WAN-interfaces, but only the interface that holds the default gateway

    But I don't want to implement the transparent proxy on all interfaces.
    I'm not sure it will leave alone the packets that are coming directly from the LAN-interfaces.

    Even if that wiki is correct for my implementation as well, my question remains.... Why can't I choose 'lo0' in interfaces?
    All the other interfaces are there.
    In "iptables" the localhost is handled using the "INPUT" and "OUTPUT" chain, as opposed to the "FORWARD" chain.
    If pfilter works in a similar manner, I understand that rules involving the local interface need special handling.
    Is it just something that could be implemented in the GUI, but just hasn't been done (yet)?

    Again... I'm not familiar with pfilter and always used netfilter (iptables) in Linux.



  • If you choose no interface on the floating rule and define the source address as 127.0.0.1, could that do the job?



  • @marcelloc:

    If you choose no interface on the floating rule and define the source address as 127.0.0.1, could that do the job?

    Ah…
    Didn't know that.
    Thanks

    But you are sure it works?
    In iptables it would need to go in another chain (not the FORWARD)...
    But as I said earlier... I don't even know how the packetflow is in BSD....

    I created a rule that all TCP packets going to port 80 coming from 127.0.0.0/8 should be logged and then did a "telnet www.google.nl 80" from the console....
    Nothing entered the log....



  • What direction did you configure on this rule?



  • @marcelloc:

    What direction did you configure on this rule?

    Out

    pfctl -sr | grep 127
    block drop in log quick on dc0_vlan10 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    pass out log inet proto tcp from 127.0.0.0/8 to any port = http flags S/SA keep state label "USER_RULE"
    
    

    Maybe the test I'm doing is not good?



  • pass out log inet proto tcp from 127.0.0.0/8 to any port = http flags S/SA keep state label "USER_RULE"
    

    This rule looks fine to me.

    Did you include in squid.conf the tcp_outgoing_address 127.0.0.1 directive?



  • @marcelloc:

    Did you include in squid.conf the tcp_outgoing_address 127.0.0.1 directive?

    Yes I did… 
    But I'm not using squid (yet)...
    The pfsense is currently being used extensively....

    I just want to test this rule if it is working by enabling log and then doing a telnet.

    BTW..  this has been bothering me a while. I'm using "putty" in its default config and I can't use stuff like "tail" to check filter.log because it somehow gets weird characters. How can I fix this?



  • @frater:

    BTW..  this has been bothering me a while. I'm using "putty" in its default config and I can't use stuff like "tail" to check filter.log because it somehow gets weird characters. How can I fix this?

    The logs are sent to the GUI every 5 seconds I guess and cleaned from the filesystem.

    Use clog -f /var/log/system.log to read logs.



  • I just chose block and it does seem to block the traffic coming from squid…
    It doesn't log it however....

    I expected I could now choose the loadbalancing gateway so it could loadbalance, but all traffic still goes out over the default gateway....
    I think I need to know more about pf, before I can do these kind of things...

    Is it strange to try and do it this way?

    pfctl -sr | grep 127
    block drop in log quick on dc0_vlan10 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    pass out log quick inet proto tcp from 127.0.0.0/8 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass out log quick route-to { (pppoe0 217.16.40.239), (dc0_vlan13 89.250.180.1), (dc0_vlan10 89.250.179.1) } round-robin inet proto tcp from 127.0.0.0/8 to any port = http flags S/SA keep state label "USER_RULE"
    


  • I now have it working, although I thought that setting the marker and reading the marker were reversed...
    I'm still not sure if everything is as it should be, but in plain English I want to do this:

    I want to mark all TCP-packets going to port 80 coming from 127.0.0.0/8 (the localhost IF)
    These packets would arrive on the default gateway.
    On that interface I want to read that marker and then choose the loadbalancing gateway....

    I still don't understand what that 2nd rule is doing?

    pfctl -sr | grep fmh
    pass out quick inet proto tcp from 127.0.0.0/8 to any port = http flags S/SA keep state label "USER_RULE" tagged fmh
    pass out log on dc0_vlan10 proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination" tag fmh
    pass out log on dc0_vlan10 route-to { (pppoe0 217.16.40.239), (dc0_vlan13 89.250.180.1), (dc0_vlan10 89.250.179.1) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: For Squid" tag fmh
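Added example, not from any poster in this thread: a small Python evaluator that reads `pfctl -sr` lines like the ones quoted above and reports which rule wins for one outbound packet. It replays the pf semantics that matter for the tag/tagged question: rules are walked top to bottom and the last match wins unless a matching rule is `quick`; `tagged fmh` only matches a packet that an earlier rule has already tagged `fmh`; `tag fmh` is sticky and is applied even when the rule is not the final match. Locally generated traffic (Squid on 127.0.0.1) is filtered as `out` on the egress interface, not on lo0, so that is the direction and interface the evaluator is fed. The contents of the `<negate_networks>` table and the sample packets are constructed assumptions; the four rule lines are the final ruleset quoted in the thread.

```python
# Added example: replay pf rule evaluation over `pfctl -sr` output for one packet.
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the final ruleset quoted in the thread.
SAMPLE_RULES = """\
block drop in log quick on dc0_vlan10 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
pass out quick inet proto tcp from 127.0.0.0/8 to any port = http flags S/SA keep state label "USER_RULE" tagged fmh
pass out log on dc0_vlan10 proto tcp from any to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination" tag fmh
pass out log on dc0_vlan10 route-to { (pppoe0 217.16.40.239), (dc0_vlan13 89.250.180.1), (dc0_vlan10 89.250.179.1) } round-robin inet proto tcp from any to any port = http flags S/SA keep state label "USER_RULE: For Squid" tag fmh
"""
# Assumed <negate_networks> contents; pfSense fills the table per installation.
SAMPLE_TABLES = {"negate_networks": ["192.168.0.0/16", "10.0.0.0/8"]}
PORT_NAMES = {"http": 80, "https": 443}
KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "tag": "tag", "tagged": "tagged"}


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool = False
    iface: Optional[str] = None          # None: floating rule (any interface)
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    route_to: list = field(default_factory=list)   # [(iface, gateway), ...]
    tag: Optional[str] = None            # tag applied by this rule
    tagged: Optional[str] = None         # tag the packet must already carry
    label: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one pfctl -sr line; keywords not needed here are skipped."""
    label, route_to = "", []
    if m := re.search(r'label "([^"]*)"', line):
        label, line = m.group(1), line[:m.start()] + line[m.end():]
    if m := re.search(r"route-to \{ (.*?) \}(?: round-robin)?", line):
        route_to = re.findall(r"\((\S+) (\S+)\)", m.group(1))
        line = line[:m.start()] + line[m.end():]
    toks = line.split()
    i = 2 if toks[1] == "drop" else 1    # "block drop" shows the block policy
    rule = Rule(action=toks[0], direction=toks[i], route_to=route_to, label=label)
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            rule.quick = True
            i += 1
        elif t in KEYWORDS:
            setattr(rule, KEYWORDS[t], toks[i + 1])
            i += 2
        elif t == "port":                # printed as "port = http"
            rule.dport = int(PORT_NAMES.get(toks[i + 2], toks[i + 2]))
            i += 3
        else:                            # log, inet, flags S/SA, keep state ...
            i += 1
    return rule


def parse_rules(text: str) -> list:
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip()]


def addr_match(spec: str, ip: str, tables: dict) -> bool:
    """'any', a host/CIDR, or a <table> reference, tested against one address."""
    if spec == "any":
        return True
    nets = tables.get(spec[1:-1], []) if spec.startswith("<") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, direction, iface, proto, src, dst, dport, tables=None):
    """Return (winning rule or None, final tag) for one packet: last match wins
    unless quick; `tagged X` needs a packet already tagged X; `tag X` is sticky.
    Locally generated traffic is filtered 'out' on the egress interface."""
    tables, tag, winner = tables or {}, None, None
    for r in rules:
        if r.direction != direction or (r.iface and r.iface != iface):
            continue
        if (r.proto and r.proto != proto) or (r.dport is not None and r.dport != dport):
            continue
        if not (addr_match(r.src, src, tables) and addr_match(r.dst, dst, tables)):
            continue
        if r.tagged is not None and r.tagged != tag:
            continue                     # requires a tag no earlier rule applied
        if r.tag is not None:
            tag = r.tag                  # sticky: set even if not the last match
        winner = r
        if r.quick:
            break
    return winner, tag


if __name__ == "__main__":
    win, tag = evaluate(parse_rules(SAMPLE_RULES), "out", "dc0_vlan10", "tcp", "127.0.0.1", "8.8.8.8", 80, SAMPLE_TABLES)
    print(win.label, tag, win.route_to)
```

Run on the final ruleset above, a port-80 connection from 127.0.0.1 leaving on dc0_vlan10 skips the floating `tagged fmh` rule (nothing earlier in the ruleset has tagged the packet) and ends up on the `route-to ... round-robin` rule, which is what spreads the traffic; that rule matches port-80 connections from any source on that interface, not only from 127.0.0.0/8. Because the `NEGATE_ROUTE` rule in this ruleset has no `quick` (the earlier ruleset in the thread had it), a destination inside `<negate_networks>` is also carried to the later route-to rule under last-match-wins.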
    
