Amos Jeffries wrote:
Leslie Jensen wrote:
Amos Jeffries skrev:
Chris Robertson wrote:
Leslie Jensen wrote:
I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
I've noticed that in cache.log are a lot of entries as the one below
clientNatLookup: PF open failed: (13) Permission denied
I've found some information on the problem via Google.
One is "start Squid as root". Squid is started via rc.conf so I think that is sorted.
There is a concern about rights on /dev/pf
Finally there's some advice
---- snip----
If you are performing any kind of transparent interception with squid you will need one of the --*-transparent options. Without it squid will fail to correctly spoof the client's IP.
----- snip ----
I do not fully understand where the "--*-transparent options" are to
be found. And if it's the solution to the problem.
Will someone Please enlighten me?
First, I don't know if it is the solution to the problem, but it's an
easy thing to check...
Run "/path/to/squid -v". That will show what options squid was
compiled with. For example:
-bash-3.00$ /home/squid2/bin/squid -v
Squid Cache: Version 2.6.STABLE3
configure options: '--bindir=/home/squid2/bin'
'--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
'--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
'--localstatedir=/home/squid2' '--mandir=/usr/man'
'--enable-err-languages=English' '--enable-snmp' '--with-large-files'
'--disable-ident-lookups' '--disable-useragent-log'
'--disable-referer-log' '--enable-async-io' '--enable-epoll'
-bash-3.00$
If you don't see --enable-pf-transparent in that list, you are going
to need to recompile.
I believe the option is present. The line "PF open failed" should never occur without it.
The rc.conf may not necessarily be correct. Bug 2396 about PF permissions has only been fixed since 3.0.STABLE8.
Amos
Yes, it's there! Squid is working from what I can see but the error
messages are of concern to me.
Yes, the NAT/FW table is not accessible to squid, so some of the controls will be failing.
Mine is Squid Cache: Version 3.0.STABLE10
/Leslie
-------------- snip ---------------
:/usr/local/sbin/squid -v
Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid'
<snip>
'--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
Did you check the rc.conf actions?
I see squid is also built with --with-default-user; that's the username your proxy will set itself to run as by default after the startup root stuff is finished.
Can we also have a look at the /dev/pf permissions and the group membership of the squid user? (Don't change any of that yet, I just think it might be useful to know.)
Amos
What do you mean with rc.conf actions?
I have squid_enable="YES"
Okay. I don't know Solaris at all. The other OSes I know have an init script called rc.something that starts squid with certain parameters and points it at the config file.
ll /dev/pf
crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf
Do I need to give squid rights to read and write /dev/pf ?
Um, I'll leave this for someone who knows PF and Solaris privileges better (anyone??)
One way or another squid needs read-only privilege. I would have thought that device would be crw-r--r-, but as I don't know Solaris, don't quote me on that.
Ah Fooey. Don't know quite what I was saying either ;)
Sorry about the OS mixup.
If we ignore that, the rest still makes sense and the point.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
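The thread boils down to two checks: is squid built with a --enable-*-transparent option, and can the user squid drops to (the --with-default-user value) read /dev/pf? The script below is an added example, not code from the thread or the Squid project. It runs offline on a constructed `squid -v` output and a constructed `ls -l /dev/pf` line assembled from the values quoted above; the assumption that squid falls back to the user "nobody" when --with-default-user is absent is mine, as is the choice to treat a device as readable only when the standard owner/group/other read bits allow it.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): check whether squid was
# built with PF transparent support and whether its unprivileged user can
# read /dev/pf. Sample inputs are constructed from the thread so this runs
# offline; on a real host feed it "$(squid -v)" and "$(ls -l /dev/pf)".

# Constructed: the configure line quoted in the thread, joined onto one line.
SQUID_V_OUTPUT="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"

# Constructed: the ls -l line quoted in the thread.
PF_LS_LINE="crw-------  1 root  wheel    0,  90 Dec 18 09:44 /dev/pf"

# has_configure_option OUTPUT OPTION -> 0 if squid -v lists OPTION, 1 otherwise
has_configure_option() {
    printf '%s\n' "$1" | grep -q -- "'$2'"
}

# configured_default_user OUTPUT -> the --with-default-user value, or
# "nobody" (assumed squid default) when the option is absent
configured_default_user() {
    u=$(printf '%s\n' "$1" | sed -n "s/.*'--with-default-user=\([^']*\)'.*/\1/p")
    printf '%s\n' "${u:-nobody}"
}

# device_readable_by LS_LINE USER GROUPS -> 0 if USER (a member of the
# space-separated GROUPS) may read the node described by LS_LINE.
# Classic Unix rule: owner bits apply if USER owns it, else group bits if
# USER is in the owning group, else the "other" bits.
device_readable_by() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    if [ "$owner" = "$2" ]; then
        [ "$(printf '%s' "$mode" | cut -c2)" = r ]; return
    fi
    for g in $3; do
        if [ "$g" = "$group" ]; then
            [ "$(printf '%s' "$mode" | cut -c5)" = r ]; return
        fi
    done
    [ "$(printf '%s' "$mode" | cut -c8)" = r ]
}

# check_pf_transparent_setup SQUID_V_OUTPUT LS_LINE GROUPS
# Returns 1 if the transparent option is missing (rebuild needed),
# 2 if the device is not readable by squid's user, 0 if both look fine.
check_pf_transparent_setup() {
    if ! has_configure_option "$1" '--enable-pf-transparent'; then
        echo "squid was not built with --enable-pf-transparent; recompile"
        return 1
    fi
    user=$(configured_default_user "$1")
    if ! device_readable_by "$2" "$user" "$3"; then
        echo "/dev/pf is not readable by user '$user' (groups: $3)"
        echo "expect 'clientNatLookup: PF open failed: (13) Permission denied'"
        return 2
    fi
    echo "build and /dev/pf permissions look consistent for user '$user'"
    return 0
}

# Stand-alone run on the constructed inputs; "squid squid" is a constructed
# guess at the group list you would get from `id -Gn squid`.
check_pf_transparent_setup "$SQUID_V_OUTPUT" "$PF_LS_LINE" "squid"
```

On the thread's own values the script reports the second failure: the build is fine, but crw------- owned by root:wheel leaves the squid user with no read access, which is exactly the (13) Permission denied seen in cache.log. The device line can then be re-run with a candidate mode and group list before anything on the box is changed.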