> [root@SRAID-Server ~]# /home/squid/sbin/squid -v
> Squid Cache: Version 2.7.STABLE4
> configure options: '--prefix=/home/squid' '--enable-dlmalloc'
> '--with-pthreads' '--enable-poll' '--disable-internal-dns'
> '--enable-stacktrace' '--enable-removal-policies=heap,lru'
> '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'
>
> 2008-12-17
>
> thematice
>
> From: Leslie Jensen
> Sent: 2008-12-17 15:33:56
> To: Amos Jeffries; Chris Robertson; squid-users
> Cc:
> Subject: Re: clientNatLookup: PF open failed: (13) Permission denied
>
> Amos Jeffries wrote:
>> Chris Robertson wrote:
>>> Leslie Jensen wrote:
>>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>>
>>>> I've noticed that in cache.log are a lot of entries as the one below
>>>>
>>>> clientNatLookup: PF open failed: (13) Permission denied
>>>>
>>>> I've found some information on the problem via Google.
>>>>
>>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>>> that is sorted.
>>>>
>>>> There is a concern about rights on /dev/pf
>>>>
>>>> Finally there's some advice
>>>>
>>>> ---- snip----
>>>> If you are performing any kind of transparent interception with squid
>>>> you will need one of the --*-transparent options. Without it squid
>>>> will
>>>> fail to correctly spoof the clients IP.
>>>> ----- snip ----
>>>>
>>>> I do not fully understand where the "--*-transparent options" are to
>>>> be found. And if it's the solution to the problem.
>>>>
>>>> Will someone Please enlighten me?
>>>
>>> First, I don't know if it is the solution to the problem, but it's an
>>> easy thing to check...
>>>
>>> Run "/path/to/squid -v". That will show what options squid was
>>> compiled with. For example:
>>>
>>> -bash-3.00$ /home/squid2/bin/squid -v
>>> Squid Cache: Version 2.6.STABLE3
>>> configure options: '--bindir=/home/squid2/bin'
>>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>>> '--disable-ident-lookups' '--disable-useragent-log'
>>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>>> -bash-3.00$
>>>
>>> If you don't see --enable-pf-transparent in that list, you are going
>>> to need to recompile.
>>>
>>
>> I believe the option is present. The line "PF open failed" should never
>> occur without it.
>>
>> The rc.conf may not necessarily be correct. Bug 2396, about PF
>> permissions, has only been fixed since 3.0.STABLE8.
>>
>> Amos
> Yes, it's there! Squid is working from what I can see but the error
> messages are of concern to me.

Yes, the NAT/FW table is not accessible to squid, so some of the controls will be failing.

> Mine is Squid Cache: Version 3.0.STABLE10
> /Leslie
> -------------- snip ---------------
> :/usr/local/sbin/squid -v
> Squid Cache: Version 3.0.STABLE10
> configure options: '--with-default-user=squid' <snip>
> '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'

Did you check the rc.conf actions? I see squid is also built with-default-user, that's the username your proxy will set itself to run as by default after the startup root stuff is finished.

Can we also have a look at the /dev/pf permissions and the group membership of the squid user. (don't change any of that yet, I just think it might be useful to know).

Amos
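
The checks requested in this thread (build option, /dev/pf permissions, group membership of the run-as user) can be collected in one read-only pass. The following shell sketch is an added example, not code from the thread or from the Squid project. Assumptions: the function names are hypothetical, the device modes in the test inputs are constructed, and the permission test models only the classic owner/group/other read bits (no ACLs or MAC policy).

```shell
#!/bin/sh
# Added example; sample values are constructed or copied from the thread.

# `squid -v` output as posted in the thread (the <snip> part left out).
SAMPLE_V="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"

# has_configure_option "<squid -v output>" "<option>"
# Matches the option only as a whole quoted word.
has_configure_option() {
    case "$1" in
        *"'$2'"*) return 0 ;;
        *) return 1 ;;
    esac
}

# can_read_node MODE OWNER GROUP USER "GROUPS OF USER"
# MODE is the first column of `ls -l`, e.g. crw-------.
# Classic Unix rule: the first matching class (owner, group, other) decides.
# Assumption: read access is what matters; ACLs and MAC policy are ignored.
can_read_node() {
    mode=$1 owner=$2 group=$3 user=$4 member_of=$5
    [ "$user" = "root" ] && return 0
    if [ "$user" = "$owner" ]; then
        bit=$(printf '%s' "$mode" | cut -c2)
    elif printf ' %s ' "$member_of" | grep -qF -- " $group "; then
        bit=$(printf '%s' "$mode" | cut -c5)
    else
        bit=$(printf '%s' "$mode" | cut -c8)
    fi
    [ "$bit" = "r" ]
}

# diagnose [SQUID_BINARY] [RUN_AS_USER]: run the live checks on the proxy host.
diagnose() {
    squid_bin=${1:-/usr/local/sbin/squid}
    run_as=${2:-squid}   # the --with-default-user value
    if has_configure_option "$("$squid_bin" -v)" --enable-pf-transparent; then
        echo "build: --enable-pf-transparent present"
    else
        echo "build: --enable-pf-transparent MISSING"
    fi
    set -- $(ls -l /dev/pf | awk '{print $1, $3, $4}')
    if can_read_node "$1" "$2" "$3" "$run_as" "$(id -Gn "$run_as")"; then
        echo "/dev/pf $1 $2:$3 readable by $run_as"
    else
        echo "/dev/pf $1 $2:$3 NOT readable by $run_as"
    fi
}
```

Calling `diagnose` on the proxy host prints the live values without changing anything; the two helper functions can be exercised offline with pasted `squid -v` and `ls -l` output.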