Re: OpenBSD + PF + Squid: forwarding loop

On 2013-06-01 5:03, Amos Jeffries wrote:
> On 1/06/2013 11:20 p.m., Rob Sheldon wrote:
>
>> So I just turned on host_verify_strict and now I'm getting the 409 error described in the docs.
>>
>> It looks to me like the problem is the destination rewrite in rdr-to, but that still doesn't really make sense; surely someone else would've bumped into this by now.
>
> It would seem not. IIRC the documentation on recent OpenBSD
> installations indicated to use divert instead of rdr-to.

OK. This has gotten me a step closer; I thought there was another routing option, but couldn't remember what it was (nor find it last night). divert-to is exactly it.

However, there's a bit of a catch-22 here: since divert-to doesn't rewrite the destination address, internal interfaces don't want to accept the traffic (unless I change their broadcast address to 0.0.0.0, which seems ugly and prone to failure). pf doesn't allow me to divert-to on outbound traffic, and I can't trap the traffic inbound on the external interfaces.

This has gotten really wickedly tricky.

I'm going to start a thread over on OpenBSD-Misc and ask the pf wizards there for advice. I'm thinking at this point I may need to set up a virtual interface or something, but that could really mess with outbound NAT, especially since I've got multipath routing over more than one external interface.

Assuming I can get this all working somehow, I'll do a solid write-up of it on our company site. Was the security check added in a sort-of recent version of Squid? I still find it hard to believe that this has been broken for other people and gone unreported or that I'm the first person recently to try to get Squid working on OpenBSD ... I'm still expecting to find that I'm doing something wrong.

Thanks for your kind help.

- R.

--
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
