Instead of your ugly:

    pass quick on lo0

use:

    skip lo0

which is better :)

You must redirect traffic on your LAN interface directed to any remote 80 to your LAN IP:3129 and also allow tcp 3129 on pf:

    pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
    pass in quick on $lan_if proto tcp to $lan_ip port 3129

You mustn't redirect to the localhost iface; it's bad. For normal and transparent you are correct.

Have you compiled squid with the --enable-pf-transparent option? (/usr/local/squid/sbin/squid -v shows you.)

-- 
Best regards,
Loïc BLOT, UNIX systems, security and network expert
http://www.unix-experience.fr

On Friday, 31 May 2013 at 15:19 -0700, Rob Sheldon wrote:
> On 2013-05-31 5:27, Marko Cupać wrote:
> 
> > Try setting squid to listen on loopback address:
> > 
> > http_port 127.0.0.1:3128 intercept
> > 
> > Redirect web traffic to loopback address in pf:
> > pass in quick on $if_int inet proto tcp from 192.168.0.209 to any \
> > port { www https } rdr-to 127.0.0.1 port 3128
> 
> No joy.
> 
> I'm pretty sure that I've just ruled out that it's anything at all to
> do with pf or routing, other than maaaaybe the pooled outbound
> connections (which only leaves me even more stumped). I enabled all
> traffic in and out of loopback:
> 
> pass quick on lo0 proto tcp from any to any
> 
> ...and I commented out the rdr rule(s) for anything Squid-related. Just
> for extra measure I also commented out all other rdr rules, still no
> change.
> 
> I set up the following http_port config in Squid:
> 
> http_port 127.0.0.1:3128
> http_port 127.0.0.1:3139 intercept
> 
> ...so Squid should be doing normal proxying on localhost 3128 and
> interception proxying on 3139, yes?
> 
> To test it, on the firewall I "telnet localhost 3128", and "GET
> http://www.google.com/ HTTP/1.0", and this works as expected. BUT,
> "telnet localhost 3139", and "GET / HTTP/1.0" followed by "Host:
> www.google.com", and the forwarding loop error occurs.
> 
> This is driving me batty.
> 
> I also tcpdump'd lo0 while testing both 3128 and 3139, and I'm not
> seeing any traffic outbound to 80 from that interface ... so I think
> Squid must be attaching to another interface for outbound requests?
> There doesn't seem to be a configuration option for that, it's possible
> Squid's getting stuck in the pooled outbound interfaces somehow ... (I
> did also try a site that wouldn't be cached by Squid, just to be sure.)
> 
> How can I troubleshoot this further? Is there a good way to look inside
> of what Squid's doing when receiving and sending out requests?
> 
> - R.
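A complete pf.conf fragment for the layout Loïc describes (redirect on the LAN interface to the firewall's own LAN address, never to lo0), written here as an added example and not taken from anyone's post in the thread. It assumes the LAN interface is em1 with address 192.168.0.1 on 192.168.0.0/24, Squid listening on 3128 (explicit) and 3129 (intercept), and uses OpenBSD's "egress" interface group for the default-route interface.

```pf
# Added example, not from the thread. Assumed values:
#   LAN interface em1, firewall LAN address 192.168.0.1, LAN net 192.168.0.0/24.
# Squid must have been built with --enable-pf-transparent; check with:
#   /usr/local/squid/sbin/squid -v | grep enable-pf-transparent
lan_if  = "em1"
lan_ip  = "192.168.0.1"
lan_net = "192.168.0.0/24"

# Do not filter loopback at all; nothing is redirected there.
set skip on lo0

# LAN clients heading for any remote port 80 are sent to the firewall's own
# LAN address on Squid's intercept port (OpenBSD 4.7+ rdr-to syntax).
# Matching "in on $lan_if from $lan_net" keeps the firewall's own outbound
# port-80 connections (Squid's fetches included) out of the redirect, so
# Squid never receives its own traffic back.
pass in quick on $lan_if inet proto tcp from $lan_net to any port 80 \
    rdr-to $lan_ip port 3129

# Let the redirected connections reach Squid's intercept port, and let
# clients that are configured explicitly reach the normal proxy port.
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port { 3128, 3129 }

# Squid's outbound connections leave through the external interface as usual.
pass out quick on egress inet proto tcp to any port 80
```

The matching squid.conf lines are "http_port 3128" for the explicit proxy and "http_port 192.168.0.1:3129 intercept" for the redirected connections, so the intercept listener sits on the same address the rdr-to rule targets.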