Search squid archive

Re: OpenBSD + PF + Squid: forwarding loop

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Instead of your ugly:
pass quick on lo0
use:
skip lo0
which is better :)

You must redirect trafic on your lan interface directed to any remote 80
to your lan IP:3129 and also allow tcp 3129 on pf

pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
pass in quick on $lan_if proto tcp to $lan_ip port 3129

You mustn't redirecto to localhost iface it's bad.

For normal and transparent you are correct. Have you compiled squid with
--enable-pf-transparent option ? (/usr/local/squid/sbin/squid -v show
you)

-- 
Best regards,
Loïc BLOT, 
UNIX systems, security and network expert
http://www.unix-experience.fr



Le vendredi 31 mai 2013 à 15:19 -0700, Rob Sheldon a écrit :
> On 2013-05-31 5:27, Marko Cupać wrote:
> > 
> > Try setting squid to listen on loopback address:
> > 
> > http_port 127.0.0.1:3128 intercept
> > 
> > Redirect web traffic to loopback address in pf:
> > pass in quick on $if_int inet proto tcp from 192.168.0.209 to any \
> > 	port { www https } rdr-to 127.0.0.1 port 3128
> 
> No joy.
> 
> I'm pretty sure that I've just ruled out that it's anything at all to 
> do with pf or routing, other than maaaaybe the pooled outbound 
> connections (which only leaves me even more stumped). I enabled all 
> traffic in and out of loopback:
> 
> pass quick on lo0 proto tcp from any to any
> 
> ...and I commented out the rdr rule(s) for anything Squid-related. Just 
> for extra measure I also commented out all other rdr rules, still no 
> change.
> 
> I set up the following http_port config in Squid:
> 
> http_port 127.0.0.1:3128
> http_port 127.0.0.1:3139 intercept
> 
> ...so Squid should be doing normal proxying on localhost 3128 and 
> interception proxying on 3139, yes?
> 
> To test it, on the firewall I, "telnet localhost 3128", and "GET 
> http://www.google.com/ HTTP/1.0", and this works as expected. BUT, 
> "telnet localhost 3139", and "GET / HTTP/1.0" followed by "Host: 
> www.google.com", and the forwarding loop error occurs.
> 
> This is driving me batty.
> 
> I also tcpdump'd lo0 while testing both 3128 and 3139, and I'm not 
> seeing any traffic outbound to 80 from that interface ... so I think 
> Squid must be attaching to another interface for outbound requests? 
> There doesn't seem to be a configuration option for that, it's possible 
> Squid's getting stuck in the pooled outbound interfaces somehow ... (I 
> did also try a site that wouldn't be cached by Squid, just to be sure.)
> 
> How can I troubleshoot this further? Is there a good way to look inside 
> of what Squid's doing when receiving and sending out requests?
> 
> - R.
> 

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux