Amos Jeffries skrev:
Chris Robertson wrote:
Leslie Jensen wrote:
I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
I've noticed that in cache.log are a lot of entries as the one below
clientNatLookup: PF open failed: (13) Permission denied
I've found some information on the problem via Google.
One is "start Squid as root". Squid is started via rc.conf so I think
that is sorted.
There is a concern about rights on /dev/pf
Finally there's some advice
---- snip----
If you are performing any kind of transparent interception with squid
you will need one of the --*-transparent options. Without it squid
will
fail to correctly spoof the clients IP.
----- snip ----
I do not fully understand where the "--*-transparent options" are to
be found. And if it's the solution to the problem.
Will someone Please enlighten me?
First, I don't know if it is the solution to the problem, but it's an
easy thing to check...
Run "/path/to/squid -v". That will show what options squid was
compiled with. For example:
-bash-3.00$ /home/squid2/bin/squid -v
Squid Cache: Version 2.6.STABLE3
configure options: '--bindir=/home/squid2/bin'
'--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
'--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
'--localstatedir=/home/squid2' '--mandir=/usr/man'
'--enable-err-languages=English' '--enable-snmp' '--with-large-files'
'--disable-ident-lookups' '--disable-useragent-log'
'--disable-referer-log' '--enable-async-io' '--enable-epoll'
-bash-3.00$
If you don't see --enable-pf-transparent in that list, you are going
to need to recompile.
I believe the option is present. The line "PF open failed" should never
occur without it.
The rc.conf may not necessarily be correct. Bug 2396 bout PF
permissions, has only been fixed since 3.0.STABLE8.
Amos
Yes, it's there! Squid is working from what I can see but the error
messages are of concern to me.
Yes, the NAT/FW table is not accessible to squid, so some of the controls
will be failing.
Mine is Squid Cache: Version 3.0.STABLE10
/Leslie
-------------- snip ---------------
:/usr/local/sbin/squid -v
Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid'
<snip>
'--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
Did you check the rc.conf actions?
I see squid is also built with-default-user, thats the username your proxy
will set itself to run as by default after the startup root stuff is
finished.
Can we also have a look at the /dev/pf permissions and the group
membership of the squid user. (don't change any of that yet, I just think
it might be useful to know).
Amos
What do you mean with rc.conf actions?
I have squid_enable="YES"
ll /dev/pf
crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf
Do I need to give squid rights to read and write /dev/pf ?
squid user is member of squid group only
/Leslie
