On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>
> Once more. You CANNOT have either a web server or any other service
> with listening port 80 on the same host as a transparent Squid proxy.
> This is the one and only reason you have looping.
>

That is not correct. It can be done, but depends on how the firewall operates and what ruleset is used. One has to intercept traffic transiting the machine, but ignore traffic destined *to* or *from* the local machine's running processes.

> Look. On my transparent 3.4.11 (which was earlier 2.7) IPFilter
> redirects port 80 to the proxy. My web server on the same host listens
> only on ports 8080, 8088 and 8888. No service except NAT is using
> port 80.
>
> And finally I have had no looping for 4 years.
>
> Obvious, is it?
>

Maybe there was, maybe there wasn't. Squid-2.7 ignored a lot of NAT-related errors and even silently did some Very Bad Things(tm) - none of which Squid-3.2+ will allow to happen anymore.

Odhiambo: I suspect it might be related to your use of "rdr" firewall rules. In OpenBSD PF at least, rdr rules do not work properly and divert-to rules need to be used instead (divert-to can be used for either TPROXY or NAT Squid listening ports on BSD).

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
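
The scoping point made in the reply above (intercept traffic transiting the machine, ignore traffic to or from local processes), as an added example that is not part of the original thread. It is a simplified packet model, not any real firewall's rule engine; the interface name, addresses and rule functions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Constructed values: the proxy host's own addresses and its LAN-facing interface.
LOCAL_ADDRS = {"127.0.0.1", "10.0.0.1", "192.0.2.1"}
LAN_IF = "lan0"
MAX_PASSES = 8  # passes through Squid before we call it a forwarding loop


@dataclass(frozen=True)
class Packet:
    in_iface: Optional[str]  # None = generated by a process on the proxy host
    src: str
    dst: str
    dport: int


def broad_rule(p: Packet) -> bool:
    """Hypothetical over-wide rule: redirect every port-80 packet to Squid."""
    return p.dport == 80


def scoped_rule(p: Packet) -> bool:
    """Redirect only transit traffic: arrived on the LAN, not addressed to this host."""
    return p.dport == 80 and p.in_iface == LAN_IF and p.dst not in LOCAL_ADDRS


def deliver(p: Packet, intercept: Callable[[Packet], bool]) -> Tuple[str, int]:
    """Follow one request; return (where it ended up, passes through Squid)."""
    for passes in range(MAX_PASSES):
        if not intercept(p):
            return ("local-httpd" if p.dst in LOCAL_ADDRS else "origin", passes)
        # Squid accepted the connection and opens its own connection to the
        # original destination; that new packet is locally generated.
        p = Packet(in_iface=None, src="192.0.2.1", dst=p.dst, dport=p.dport)
    return ("loop", MAX_PASSES)


# Constructed sample traffic from one LAN client.
TO_ORIGIN = Packet(LAN_IF, "10.0.0.50", "198.51.100.7", 80)
TO_LOCAL_HTTPD = Packet(LAN_IF, "10.0.0.50", "10.0.0.1", 80)

if __name__ == "__main__":
    for name, rule in (("broad", broad_rule), ("scoped", scoped_rule)):
        print(name, deliver(TO_ORIGIN, rule), deliver(TO_LOCAL_HTTPD, rule))
```

With the scoped rule, a web server on port 80 of the proxy host is reached directly and Squid's own outbound fetch is never re-intercepted; the over-wide rule catches Squid's own request each time and loops.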