On 23 January 2015 at 16:07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>
> Once more. You CANNOT have either a web server or any other service
> listening on port 80 on the same host as a transparent Squid proxy.
> This is the one and only reason you have looping.
>
That is not correct. It can be done, but it depends on how the firewall
operates and what ruleset is used.
One has to intercept traffic transiting the machine, but ignore
traffic destined *to* or *from* the local machine's running processes.
> Look. On my transparent 3.4.11 (which was earlier 2.7) IPFilter
> redirects port 80 to the proxy. My web server on the same host listens
> only on ports 8080, 8088 and 8888. No service except NAT is using
> port 80.
>
> And finally I have had no looping for 4 years.
>
> Obvious, is it?
>
Maybe there was, maybe there wasn't.
Squid-2.7 ignored a lot of NAT related errors and even silently did
some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
happen anymore.
Odhiambo:
I suspect it might be related to your use of "rdr" firewall rules. In
OpenBSD PF, at least, rdr rules do not work properly and divert-to rules
need to be used instead (divert-to can be used for either TPROXY or
NAT Squid listening ports on BSD).
Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
And my IPFilter rules are here: http://pastebin.com/JQ77X01H
I need to figure out why squid is DENYing all access ..
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users