Re: OpenBSD + PF + Squid: forwarding loop


 



On 2013-05-31 16:07, Loïc BLOT wrote:
> Instead of your ugly:
> pass quick on lo0
> use:
> skip lo0
> which is better :)

Thanks, I forgot about skip.

> You must redirect traffic on your lan interface directed to any remote 80
> to your lan IP:3129 and also allow tcp 3129 on pf
>
> pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
> pass in quick on $lan_if proto tcp to $lan_ip port 3129
>
> You mustn't redirect to localhost iface, it's bad.

I'd rather not futz around with pf anymore for now, since I don't think that's where the problem is. (Unless Squid for some reason requires "http_port...intercept" to be passed through an rdr rule...?) I'd rather just get the most basic test case working first before involving any pf rules which might further complicate troubleshooting.

> For normal and transparent you are correct. Have you compiled squid with
> --enable-pf-transparent option ? (/usr/local/squid/sbin/squid -v shows
> you)

I've got Squid 3.2.7. Here's the output from -v:

configure options: '--enable-shared' '--datadir=/usr/local/share/squid' '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' '--enable-arp-acl' '--enable-auth' '--enable-auth-basic=NCSA SMB NIS radius LDAP' '--enable-auth-digest=file LDAP' '--enable-auth-negotiate=kerberos' '--enable-auth-ntlm=fake smb_lm' '--enable-delay-pools' '--enable-external-acl-helpers=file_userip session unix_group wbinfo_group LDAP_group' '--enable-follow-x-forwarded-for' '--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' '--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl' '--enable-stacktraces' '--enable-storeio=aufs ufs diskd ' '--with-default-user=_squid' '--with-filedescriptors=8192' '--with-pidfile=/var/run/squid.pid' '--with-pthreads' '--with-swapdir=/var/squid/cache' '--disable-pf-transparent' '--enable-ipfw-transparent' '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

...it looks correct for that version: according to http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#NAT_Interception_proxy, --enable-pf-transparent doesn't work until Squid 3.4, and "--disable-pf-transparent --enable-ipfw-transparent" is the recommended way for 3.3 and 3.2.

Thanks,

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
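
Added example, not part of the original message: a shell check that compares the interception build options in `squid -v` output against the version guidance quoted above from the Squid wiki. The names `has_opt`, `check_intercept_build` and `SAMPLE_327` are hypothetical, the sample text is constructed from the options in the message, and the "Squid Cache: Version" banner line is an assumption about the output format.

```shell
#!/bin/sh
# Added example, not from the thread. Encodes only what the message reports
# from the Squid wiki: on 3.2/3.3 build with --disable-pf-transparent
# --enable-ipfw-transparent; --enable-pf-transparent needs 3.4 or later.

# has_opt TEXT OPTION: true if the quoted configure option appears in TEXT.
has_opt() {
    case "$1" in *"'$2'"*) return 0 ;; *) return 1 ;; esac
}

# check_intercept_build TEXT: TEXT is the output of `squid -v`.
# Prints ok | mismatch | unverified and returns 0 | 1 | 2.
check_intercept_build() {
    out=$1
    # Assumption: the banner line reads "Squid Cache: Version X.Y.Z".
    ver=$(printf '%s\n' "$out" |
        sed -n 's/^Squid Cache: Version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    if [ -z "$ver" ]; then echo unverified; return 2; fi
    major=${ver% *}
    minor=${ver#* }
    # 3.2 and 3.3: both options from the wiki recommendation must be present.
    if [ "$major" -eq 3 ] && { [ "$minor" -eq 2 ] || [ "$minor" -eq 3 ]; }; then
        if has_opt "$out" --disable-pf-transparent &&
           has_opt "$out" --enable-ipfw-transparent; then
            echo ok; return 0
        fi
        echo mismatch; return 1
    fi
    # 3.4 and later: --enable-pf-transparent is reported to work.
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 4 ]; }; then
        if has_opt "$out" --enable-pf-transparent; then echo ok; return 0; fi
    fi
    # Anything else is outside what the message covers.
    echo unverified; return 2
}

# Constructed sample: version from the message, options abbreviated from it.
SAMPLE_327="Squid Cache: Version 3.2.7
configure options: '--enable-ssl' '--disable-pf-transparent' '--enable-ipfw-transparent' '--prefix=/usr/local'"

# On a live host: check_intercept_build "$(squid -v)"
check_intercept_build "$SAMPLE_327"
```
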



