On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:40, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 16:07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>>>
>>>>> Once more. You CANNOT have either a web server or any other
>>>>> service listening on port 80 on the same host as a
>>>>> transparent Squid proxy. This is the one and only reason you
>>>>> have looping.
>>>>>
>>>>
>>>> That is not correct. It can be done, but it depends on how the
>>>> firewall operates and what ruleset is used.
>>>>
>>>> One has to intercept traffic transiting the machine, but
>>>> ignore traffic destined *to* or *from* the local machine's
>>>> running processes.
>>>>
>>>>> Look. On my transparent 3.4.11 (which was early 2.7)
>>>>> IPFilter redirects port 80 to the proxy. My web server on the
>>>>> same host listens only on ports 8080, 8088 and 8888. No
>>>>> service except NAT is using port 80.
>>>>>
>>>>> And finally I have had no looping for 4 years.
>>>>>
>>>>> Obvious, is it?
>>>>>
>>>>
>>>> Maybe there was, maybe there wasn't.
>>>>
>>>> Squid-2.7 ignored a lot of NAT related errors and even
>>>> silently did some Very Bad Things(tm) - none of which
>>>> Squid-3.2+ will allow to happen anymore.
>>>>
>>>>
>>>> Odhiambo: I suspect it might be related to your use of "rdr"
>>>> firewall rules. In OpenBSD PF at least rdr rules do not work
>>>> properly and divert-to rules need to be used instead
>>>> (divert-to can be used for either TPROXY or NAT Squid
>>>> listening ports on BSD).
>>>>
>>>
>>>
>>> I am thinking Squid-3.2+ is evil :-)
>>>
>>> Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
>>> And my IPFilter rules are here: http://pastebin.com/JQ77X01H
>>>
>>> I need to figure out why squid is DENYing all access ..
>>>
>>
>> Can you update me on what the squid -v output is from the Squid
>> build you are having issues with please?
>>
>> Amos
>>
>
> root@mail:/usr/src # /opt/squid35/sbin/squid -v
> Squid Cache: Version 3.5.1-20150120-r13736
> Service Name: squid
> configure options:  '--prefix=/opt/squid35' '--enable-removal-policies=lru heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads' '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' --enable-ltdl-convenience
>

Okay. Can you explicitly add --disable-ipf-transparent
--disable-ipfw-transparent and see if that helps.

Also in squid.conf adding debug_options ALL,1 89,9 will show just
the NAT lookup results where things are going wrong.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
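As an added illustration of the ruleset shape Amos describes (OpenBSD PF with divert-to rather than rdr, intercepting only traffic that transits the host and leaving traffic to or from the host's own processes alone), the fragment below is example configuration written for this page; it is not from the thread, not from Odhiambo's pastebins, and not Squid project documentation. The interface name `em1`, the LAN range `192.0.2.0/24`, the intercept port 3129 and the local web-server ports are all assumed or constructed values; the `debug_options` line is the one Amos recommends in his reply.

```pf
# Example pf.conf fragment (constructed; adapt names and ranges).
# Squid side, assumed in squid.conf:
#   http_port 127.0.0.1:3129 intercept
#   debug_options ALL,1 89,9      # NAT lookup trace, as suggested in the reply
int_if = "em1"                    # LAN-facing interface (assumed)
squid_port = "3129"               # Squid intercept port (assumed)
table <lan> { 192.0.2.0/24 }      # constructed LAN range (TEST-NET-1)

# Squid's own upstream fetches leave this host as outbound traffic.
# divert-to only matches inbound rules, so they are never re-captured;
# this rule just makes that path explicit and keeps state for it.
pass out quick on egress proto tcp from self to any port 80

# Traffic addressed to services on this host (a local web server on
# 8080/8088/8888, or Squid's own ports) is delivered normally.
# "self" expands to every address of the local machine.
# With "quick", this wins before the divert rule below can match it.
pass in quick on $int_if proto tcp from <lan> to self

# Only port-80 traffic transiting the host from LAN clients to remote
# servers is handed to Squid. Because the previous rule already took
# host-bound traffic, a request from a LAN client to a service on this
# host never reaches Squid and cannot loop back into the intercept port.
pass in quick on $int_if proto tcp from <lan> to any port 80 \
    divert-to 127.0.0.1 port $squid_port
```

Rule order carries the whole guarantee: both `pass in` rules are `quick`, so the first match ends evaluation, and the host-bound rule sits above the divert rule. If the two were swapped, a LAN request for a service on the proxy host would be diverted into Squid, Squid would connect to that same address, and the NAT lookup trace from `debug_options ALL,1 89,9` would show the forwarding loop Squid-3.2+ refuses to service.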