On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:53, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>
>> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 16:40, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>
>>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>>>>> On 23 January 2015 at 16:07, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
>>>>>
>>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>>>>>
>>>>>>> Once more. You CANNOT have either a web server or any other service
>>>>>>> listening on port 80 on the same host as a transparent Squid proxy.
>>>>>>> This is the one and only reason you have looping.
>>>>>>>
>>>>>>
>>>>>> That is not correct. It can be done, but depends on how the firewall
>>>>>> operates and what ruleset is used.
>>>>>>
>>>>>> One has to intercept traffic transiting the machine, but ignore traffic
>>>>>> destined *to* or *from* the local machine's running processes.
>>>>>>
>>>>>>> Look. On my transparent 3.4.11 (which was early 2.7) IPFilter
>>>>>>> redirects port 80 to the proxy. My web server on the same host listens
>>>>>>> only on ports 8080, 8088 and 8888. No service except NAT is using
>>>>>>> port 80.
>>>>>>>
>>>>>>> And finally, I have had no looping for 4 years.
>>>>>>>
>>>>>>> Obvious, isn't it?
>>>>>>>
>>>>>>
>>>>>> Maybe there was, maybe there wasn't.
>>>>>>
>>>>>> Squid-2.7 ignored a lot of NAT related errors and even silently did
>>>>>> some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
>>>>>> happen anymore.
>>>>>>
>>>>>>
>>>>>> Odhiambo: I suspect it might be related to your use of "rdr" firewall
>>>>>> rules. In OpenBSD PF at least, rdr rules do not work properly and
>>>>>> divert-to rules need to be used instead (divert-to can be used for
>>>>>> either TPROXY or NAT Squid listening ports on BSD).
>>>>>>
>>>>>
>>>>>
>>>>> I am thinking Squid-3.2+ is evil :-)
>>>>>
>>>>> Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
>>>>> And my IPFilter rules are here: http://pastebin.com/JQ77X01H
>>>>>
>>>>> I need to figure out why squid is DENYing all access ..
>>>>>
>>>>
>>>> Can you update me on what the squid -v output is from the Squid build
>>>> you are having issues with please?
>>>>
>>>> Amos
>>>>
>>>
>>> root@mail:/usr/src # /opt/squid35/sbin/squid -v
>>> Squid Cache: Version 3.5.1-20150120-r13736
>>> Service Name: squid
>>> configure options: '--prefix=/opt/squid35'
>>> '--enable-removal-policies=lru heap' '--disable-epoll'
>>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
>>> '--enable-external-acl-helpers=session unix_group file_userip'
>>> '--enable-auth-negotiate=kerberos' '--with-pthreads'
>>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
>>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
>>> '--enable-cache-digests' '--enable-wccpv2'
>>> '--enable-follow-x-forwarded-for' '--with-large-files'
>>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
>>> '--enable-icap-client' '--enable-kill-parent-hack'
>>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
>>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
>>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
>>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
>>> --enable-ltdl-convenience
>>>
>>
>> Okay. Can you explicitly add --disable-ipf-transparent
>> --disable-ipfw-transparent and see if that helps.
>>
>> Also in squid.conf adding debug_options ALL,1 89,9 will show
>> just the NAT lookup results where things are going wrong.
>>
>
> So, before I recompile, we can look at the debug output:
>
> 2015/01/23 17:07:45| storeLateRelease: released 0 objects
> 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
> 2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33

Arggg.. Add --with-nat-devpf to your build options in FreeBSD.

http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
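A small script for reading the 89,9 debug output quoted in the thread; this is an added example, not code from the thread or from Squid. It assumes (my reading of the output, not stated by the thread) that the `local=` address printed by PfInterception after the NAT lookup is the destination Squid will forward to, so an interception whose `local=` is one of Squid's own listening sockets means the client's real destination was not recovered and the request would loop back into the proxy; the sample log is constructed from the thread's two Intercept.cc lines plus one constructed healthy interception.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample of "debug_options ALL,1 89,9" output: the two Intercept.cc
# lines quoted in the thread, plus a constructed healthy interception (FD 15)
# whose original destination (a TEST-NET-2 address) was recovered by the lookup.
SAMPLE_LOG = """\
2015/01/23 17:07:45| storeLateRelease: released 0 objects
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 17:07:47.101| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.116:41022
2015/01/23 17:07:47.101| Intercept.cc(293) PfInterception: address NAT divert-to: local=198.51.100.10:80 remote=192.168.2.116:41022 FD 15 flags=33
"""

# Assumption: after the NAT lookup Squid prints the connection as
# local=<original destination> remote=<client>, so local= is what it connects to.
NAT_LINE = re.compile(
    r"Intercept\.cc\(\d+\) \w+: address NAT [\w-]+: local=(\S+) remote=(\S+) FD (\d+)"
)

@dataclass(frozen=True)
class Interception:
    fd: int
    client: str       # remote= : the intercepted client socket
    destination: str  # local=  : where Squid will connect on the client's behalf

def parse_interceptions(log: str) -> List[Interception]:
    """Extract every completed NAT lookup from a cache.log excerpt."""
    found = []
    for line in log.splitlines():
        m = NAT_LINE.search(line)
        if m:
            found.append(Interception(int(m.group(3)), m.group(2), m.group(1)))
    return found

def find_unrecovered(log: str, proxy_listeners: Iterable[str]) -> List[Interception]:
    """Interceptions whose destination is one of Squid's own listening sockets.
    The firewall redirected the client but Squid could not recover the client's
    real target (e.g. PF rdr without the /dev/pf lookup that --with-nat-devpf
    enables), so it would forward the request to itself: the looping and
    access-denied symptom discussed in the thread.
    """
    listeners = set(proxy_listeners)
    return [i for i in parse_interceptions(log) if i.destination in listeners]

if __name__ == "__main__":
    for bad in find_unrecovered(SAMPLE_LOG, ["192.168.2.254:13128"]):
        print(f"FD {bad.fd}: client {bad.client} -> destination not recovered ({bad.destination})")
```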