[root@SRAID-Server ~]# /home/squid/sbin/squid -v
Squid Cache: Version 2.7.STABLE4
configure options: '--prefix=/home/squid' '--enable-dlmalloc' '--with-pthreads' '--enable-poll' '--disable-internal-dns' '--enable-stacktrace' '--enable-removal-policies=heap,lru' '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'

2008-12-17

thematice

From: Leslie Jensen
Sent: 2008-12-17 15:33:56
To: Amos Jeffries; Chris Robertson; squid-users
Cc:
Subject: Re: clientNatLookup: PF open failed: (13) Permission denied

Amos Jeffries wrote:
> Chris Robertson wrote:
>> Leslie Jensen wrote:
>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>
>>> I've noticed that in cache.log are a lot of entries as the one below
>>>
>>> clientNatLookup: PF open failed: (13) Permission denied
>>>
>>> I've found some information on the problem via Google.
>>>
>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>> that is sorted.
>>>
>>> There is a concern about rights on /dev/pf
>>>
>>> Finally there's some advice
>>>
>>> ---- snip----
>>> If you are performing any kind of transparent interception with squid
>>> you will need one of the --*-transparent options. Without it squid will
>>> fail to correctly spoof the clients IP.
>>> ----- snip ----
>>>
>>> I do not fully understand where the "--*-transparent options" are to
>>> be found. And if it's the solution to the problem.
>>>
>>> Will someone Please enlighten me?
>>
>> First, I don't know if it is the solution to the problem, but it's an
>> easy thing to check...
>>
>> Run "/path/to/squid -v". That will show what options squid was
>> compiled with. For example:
>>
>> -bash-3.00$ /home/squid2/bin/squid -v
>> Squid Cache: Version 2.6.STABLE3
>> configure options: '--bindir=/home/squid2/bin'
>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>> '--disable-ident-lookups' '--disable-useragent-log'
>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>> -bash-3.00$
>>
>> If you don't see --enable-pf-transparent in that list, you are going
>> to need to recompile.
>>
>
> I believe the option is present. The line "PF open failed" should never
> occur without it.
>
> The rc.conf may not necessarily be correct. Bug 2396 about PF
> permissions, has only been fixed since 3.0.STABLE8.
>
> Amos

Yes, it's there!

Squid is working from what I can see but the error messages are of concern to me.

Mine is Squid Cache: Version 3.0.STABLE10

/Leslie

-------------- snip ---------------
:/usr/local/sbin/squid -v
Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid' '--enable-removal-policies=lru heap' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP' '--enable-digest-auth-helpers=password' '--enable-external-acl-helpers=ip_user session unix_group wbinfo_group' '--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs diskd null' '--enable-delay-pools' '--disable-ident-lookups' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue' '--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech Danish Dutch English Estonian Finnish French German Greek Hebrew Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish Swedish Traditional_Chinese Turkish Ukrainian-1251 Ukrainian-koi8-u Ukrainian-utf8' '--enable-default-err-language=templates' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.0' 'build_alias=i386-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O2 -fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'
-------------- snip ---------------
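
The checks discussed in this thread, as an added example that is not part of any message above and is not Squid's own code: it reads `squid -v` text, looks for the exact `--enable-pf-transparent` build option, and compares the version with 3.0.STABLE8, the release the thread names for Bug 2396. The function names are hypothetical and the two samples are constructed by abbreviating the outputs quoted in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): triage `squid -v` output for the
# "clientNatLookup: PF open failed: (13) Permission denied" case in this thread.

# Constructed samples, abbreviated from the `squid -v` outputs quoted above.
SAMPLE_PF="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"
SAMPLE_NOPF="Squid Cache: Version 2.7.STABLE4
configure options: '--prefix=/home/squid' '--enable-dlmalloc' '--enable-delay-pools'"

# Print the version token, e.g. 3.0.STABLE10.
squid_version() {
    printf '%s\n' "$1" | sed -n 's/^Squid Cache: Version \([^ ]*\).*/\1/p'
}

# Succeed only if the exact quoted configure option is present.
has_option() {
    printf '%s\n' "$1" | grep -F -q -- "'$2'"
}

# Split X.Y.STABLEn into "X Y n"; prints nothing for any other format.
split_version() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9]*\)\.\([0-9]*\)\.STABLE\([0-9]*\)$/\1 \2 \3/p'
}

# Return 0 if version $1 is at or after $2, 1 if older, 2 if unparseable.
version_at_least() {
    a=$(split_version "$1"); b=$(split_version "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    set -- $a $b
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -gt "$5" ]; return; fi
    [ "$3" -ge "$6" ]
}

# Map `squid -v` text to the next step suggested in the thread.
triage() {
    ver=$(squid_version "$1")
    has_option "$1" --enable-pf-transparent ||
        { echo "rebuild: $ver was built without --enable-pf-transparent"; return 0; }
    version_at_least "$ver" 3.0.STABLE8 && rc=0 || rc=$?
    case $rc in
        0) echo "check-devpf: $ver is at or after 3.0.STABLE8; inspect rights on /dev/pf" ;;
        1) echo "upgrade: $ver predates 3.0.STABLE8 (Bug 2396, PF permissions)" ;;
        *) echo "unknown: cannot compare version '$ver' with 3.0.STABLE8" ;;
    esac
}

triage "$SAMPLE_PF"
triage "$SAMPLE_NOPF"
# On the proxy host itself: triage "$(/usr/local/sbin/squid -v)"; ls -l /dev/pf
```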