Good. I don't see any port 80 listening. This is the root of the problem. PF does not work.

On 05.03.15 23:59, Monah Baki wrote:
> On 10.0.0.24
>
> root@ISN-PHC-CACHE:/home/support # netstat -an
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> tcp4       0     52  10.0.0.24.22           96.255.8.226.50911     ESTABLISHED
> tcp4       0      0  *.3129                 *.*                    LISTEN
> tcp4       0      0  *.3128                 *.*                    LISTEN
> tcp4       0      0  *.81                   *.*                    LISTEN
> tcp6       0      0  *.81                   *.*                    LISTEN
> tcp4       0      0  *.22                   *.*                    LISTEN
> tcp6       0      0  *.22                   *.*                    LISTEN
> tcp6       0      0  ::1.562                ::1.40066              ESTABLISHED
> tcp6       0      0  ::1.40066              ::1.562                ESTABLISHED
> tcp6       0      0  *.561                  *.*                    LISTEN
> tcp6       0      0  *.562                  *.*                    LISTEN
> tcp4       0      0  *.199                  *.*                    LISTEN
> tcp4       0      0  *.10000                *.*                    LISTEN
> udp4       0      0  *.3401                 *.*
> udp4       0      0  *.34985                *.*
> udp4       0      0  *.*                    *.*
> udp4       0      0  *.161                  *.*
> udp4       0      0  *.162                  *.*
> udp4       0      0  *.10000                *.*
> udp4       0      0  127.0.0.1.123          *.*
> udp6       0      0  fe80::1%lo0.123        *.*
> udp6       0      0  ::1.123                *.*
> udp4       0      0  10.0.0.24.123          *.*
> udp6       0      0  *.123                  *.*
> udp4       0      0  *.123                  *.*
> udp4       0      0  *.514                  *.*
> udp6       0      0  *.514                  *.*
>
> On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>> From your PC run telnet 10.0.0.24 80. You'll see if the TCP socket opens.
>>
>> On 05.03.15 23:10, Monah Baki wrote:
>>> How can I confirm? I have access only to the BSD box.
>>>
>>> Thanks
>>>
>>> On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>> Does port 80 listen outside the BSD box?
>>>>
>>>> On 05.03.15 21:25, Monah Baki wrote:
>>>>> root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e -ttt -i pflog0
>>>>> tcpdump: WARNING: pflog0: no IPv4 address assigned
>>>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>>>> listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 65535 bytes
>>>>> capability mode sandbox enabled
>>>>> 00:00:00.000000 rule 0..16777216/0(match): pass in on bge0: 10.0.0.106.5678 > 255.255.255.255.5678: UDP, length 88
>>>>> 00:00:08.342860 rule 0..16777216/0(match): pass in on bge0: 10.0.0.14.54264 > 10.0.0.24.22: Flags [S], seq 3823043622, win 8192, options [mss 1460,nop,wscale 2,nop,nop,sackOK], length 0
>>>>>
>>>>> On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>> Hm. No.
>>>>>>
>>>>>> The only thing we have not checked is the OS.
>>>>>>
>>>>>> Does your BSD really load the PF module?
>>>>>>
>>>>>> On 05.03.15 21:16, Monah Baki wrote:
>>>>>>> Not sure why the client is running old hardware/software; could it be because of the hardware? Is FreeBSD an issue, should I switch to Linux?
>>>>>>>
>>>>>>> On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>> Wow, 7600!
>>>>>>>>
>>>>>>>> But why such an antique IOS?! Current is 15.4
>>>>>>>>
>>>>>>>> On 05.03.15 21:09, Monah Baki wrote:
>>>>>>>>> PORT   STATE SERVICE VERSION
>>>>>>>>> 23/tcp open  telnet  Cisco IOS telnetd
>>>>>>>>> MAC Address: 88:5A:92:63:77:81 (Cisco)
>>>>>>>>> Device type: router
>>>>>>>>> Running: Cisco IOS 12.X
>>>>>>>>> OS CPE: cpe:/h:cisco:7600_router cpe:/o:cisco:ios:12.2
>>>>>>>>> OS details: Cisco 7600 router (IOS 12.2)
>>>>>>>>> Network Distance: 1 hop
>>>>>>>>> TCP Sequence Prediction: Difficulty=258 (Good luck!)
>>>>>>>>> IP ID Sequence Generation: Randomized
>>>>>>>>> Service Info: OS: IOS; Device: switch; CPE: cpe:/o:cisco:ios
>>>>>>>>>
>>>>>>>>> On Thu, Mar 5, 2015 at 9:31 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>> What is the Cisco model and IOS version?
>>>>>>>>>>
>>>>>>>>>> On 05.03.15 20:25, Monah Baki wrote:
>>>>>>>>>>> Yes, correct
>>>>>>>>>>>
>>>>>>>>>>> On Thu, Mar 5, 2015 at 9:23 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>>>> 10.0.0.23 is your host? And 10.0.0.24 is the proxy box?
>>>>>>>>>>>>
>>>>>>>>>>>> On 05.03.15 20:15, Monah Baki wrote:
>>>>>>>>>>>>> '--prefix=/cache/squid' '--enable-follow-x-forwarded-for'
>>>>>>>>>>>>> '--with-large-files' '--enable-ssl' '--disable-ipv6' '--enable-esi'
>>>>>>>>>>>>> '--enable-kill-parent-hack' '--enable-snmp' '--with-pthreads'
>>>>>>>>>>>>> '--with-filedescriptors=65535' '--enable-cachemgr-hostname=hostname'
>>>>>>>>>>>>> '--enable-storeio=ufs,aufs,diskd,rock' '--enable-ipfw-transparent'
>>>>>>>>>>>>> '--enable-pf-transparent' '--with-nat-devpf' --enable-ltdl-convenience
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Thu, Mar 5, 2015 at 9:14 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>>>>>> This looks good too.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Stupid question:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> With which interception option was squid built?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I.e., squid -v?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 05.03.15 18:19, Monah Baki wrote:
>>>>>>>>>>>>>>> Hi all, can anyone verify if this is correct? I need to make sure that users will be able to access the internet via the squid.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Running FreeBSD with a single interface with Squid-3.5.2
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Policy based routing on Cisco with the following:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> interface GigabitEthernet0/0/1.1
>>>>>>>>>>>>>>>  encapsulation dot1Q 1 native
>>>>>>>>>>>>>>>  ip address 10.0.0.9 255.255.255.0
>>>>>>>>>>>>>>>  no ip redirects
>>>>>>>>>>>>>>>  no ip unreachables
>>>>>>>>>>>>>>>  ip nat inside
>>>>>>>>>>>>>>>  standby 1 ip 10.0.0.10
>>>>>>>>>>>>>>>  standby 1 priority 120
>>>>>>>>>>>>>>>  standby 1 preempt
>>>>>>>>>>>>>>>  standby 1 name HSRP
>>>>>>>>>>>>>>>  ip policy route-map CFLOW
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ip access-list extended REDIRECT
>>>>>>>>>>>>>>>  deny tcp host 10.0.0.24 any eq www
>>>>>>>>>>>>>>>  permit tcp host 10.0.0.23 any eq www
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> route-map CFLOW permit 10
>>>>>>>>>>>>>>>  match ip address REDIRECT
>>>>>>>>>>>>>>>  set ip next-hop 10.0.0.24
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> In my /etc/pf.conf:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> # block in
>>>>>>>>>>>>>>> pass in log quick on bge0
>>>>>>>>>>>>>>> pass out log quick on bge0
>>>>>>>>>>>>>>> pass out keep state
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> and finally in my squid.conf:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> http_port 3128
>>>>>>>>>>>>>>> http_port 3129 intercept
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> And for testing purposes from the squid server:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ./squidclient -h 10.0.0.24 -p 3128 http://www.freebsd.org/
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If I replace -p 3128 with -p 80, I get an access denied, and if I omit the -p 3128 completely, I can access the websites.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> tcpdump with (-p 3128):
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> 13:15:02.681106 IP ISN-PHC-CACHE.44017 > wfe0.ysv.freebsd.org.http: Flags [.], ack 17377, win 1018, options [nop,nop,TS val 985588797 ecr 1054387720], length 0
>>>>>>>>>>>>>>> 13:15:02.681421 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 17377:18825, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>>>>>>>>> 13:15:02.681575 IP wfe0.ysv.freebsd.org.http > ISN-PHC-CACHE.44017: Flags [.], seq 18825:20273, ack 289, win 1040, options [nop,nop,TS val 1054387720 ecr 985588501], length 1448
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Did I miss anything?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Thanks
>>>>>>>>>>>>>>> Monah

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
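The interception path this thread's configuration depends on, traced end to end as an added example (this is not code from the thread, nor from Squid, FreeBSD or Cisco): a client packet is policy-routed by the router's ACL REDIRECT and route-map CFLOW to 10.0.0.24, the pf rdr rule rewrites its destination to port 3129 as it enters the proxy, and the squid intercept http_port receives it. Only the posted ACL, route-map target, rdr line and squid ports are taken from the page; everything else is an assumption: the ACE and rdr parsers handle only the syntax shapes used here, 203.0.113.10 is a made-up web server, and real IOS and pf matching have many more cases than this model.

```python
"""Trace a client TCP flow through the thread's PBR + pf rdr + squid design.
Added example, not thread/Squid/FreeBSD/Cisco code. Assumptions: only
'permit|deny tcp host A any eq PORT' ACEs are parsed; rdr syntax is limited to
'rdr [pass] [on IF] [inet] proto P from SRC to DST port N -> IP port M';
203.0.113.10 is an invented web server."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# --- 1. Router: extended ACL evaluated by 'match ip address' in the route-map
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\w+)\s+host\s+(\S+)\s+any\s+eq\s+(\w+)\s*$")
NAMED_PORTS = {"www": "80"}  # IOS keyword used in the posted ACL


def parse_acl(text):
    """Ordered (action, proto, host, port) entries; non-ACE lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            action, proto, host, port = m.groups()
            entries.append((action, proto, host, int(NAMED_PORTS.get(port, port))))
    return entries


def acl_permits(entries, flow):
    """First matching ACE wins; no match is an implicit deny (IOS semantics)."""
    for action, proto, host, port in entries:
        if proto == flow.proto and host == flow.src and port == flow.dport:
            return action == "permit"
    return False


def pbr_next_hop(entries, next_hop, flow):
    """route-map CFLOW permit 10: matched flows get 'set ip next-hop'."""
    return next_hop if acl_permits(entries, flow) else None


# --- 2. Proxy: pf rdr, applied only to packets entering the box
RDR_RE = re.compile(
    r"^\s*rdr(?:\s+pass)?\s+(?:on\s+(\S+)\s+)?(?:inet\s+)?proto\s+(\w+)\s+"
    r"from\s+(\S+)\s+to\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)\s*$")


def _net(s):
    return None if s == "any" else ipaddress.ip_network(s, strict=False)


def parse_rdr(line):
    m = RDR_RE.match(line)
    if not m:
        raise ValueError("unsupported rdr syntax: " + line)
    iface, proto, src, dst, dport, target, tport = m.groups()
    return {"if": iface, "proto": proto, "src": _net(src), "dst": _net(dst),
            "dport": int(dport), "target": target, "tport": int(tport)}


def pf_redirect(rule, flow, in_iface):
    """(new_dst, new_dport) if an inbound packet matches the rdr, else None.
    rdr never sees locally generated traffic, so squid's own fetches are not looped."""
    if rule["if"] and rule["if"] != in_iface:
        return None
    if rule["proto"] != flow.proto or rule["dport"] != flow.dport:
        return None
    if rule["src"] and ipaddress.ip_address(flow.src) not in rule["src"]:
        return None
    if rule["dst"] and ipaddress.ip_address(flow.dst) not in rule["dst"]:
        return None
    return rule["target"], rule["tport"]


# --- 3. Squid listeners, from the thread's squid.conf
SQUID_PORTS = {3128: "forward", 3129: "intercept"}


def trace(flow, acl_entries, next_hop, rdr_rule, in_iface="bge0"):
    """Follow one client flow from the router to the socket that receives it."""
    hop = pbr_next_hop(acl_entries, next_hop, flow)
    if hop is None:
        return {"pbr": "normal routing", "pf": None, "socket": None}
    hit = pf_redirect(rdr_rule, flow, in_iface)
    if hit is None:  # reached the proxy box but no rdr matched: squid never sees it
        return {"pbr": hop, "pf": "no rdr match", "socket": None}
    ip, port = hit
    return {"pbr": hop, "pf": "rdr -> %s:%d" % (ip, port),
            "socket": "%s:%d (%s)" % (ip, port, SQUID_PORTS.get(port, "nothing listening"))}


# Constructed from the router ACL and the pf.conf line posted in the thread.
REDIRECT_ACL = """ip access-list extended REDIRECT
 deny tcp host 10.0.0.24 any eq www
 permit tcp host 10.0.0.23 any eq www
"""
RDR_RULE = "rdr pass inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129"
PROXY_IP = "10.0.0.24"
ACL_ENTRIES = parse_acl(REDIRECT_ACL)
RDR = parse_rdr(RDR_RULE)

if __name__ == "__main__":
    for f in (Flow("10.0.0.23", "203.0.113.10", 80),   # client web request: intercepted
              Flow("10.0.0.24", "203.0.113.10", 80),   # squid's own upstream fetch: no loop
              Flow("10.0.0.23", "203.0.113.10", 443),  # HTTPS: not in the ACL, not proxied
              Flow("10.0.0.14", "10.0.0.24", 22)):     # the SSH seen in pflog: untouched
        print(f, trace(f, ACL_ENTRIES, PROXY_IP, RDR))
```

Running it prints four traces: the client's port 80 request is policy-routed to 10.0.0.24 and rewritten to 10.0.0.24:3129, where the intercept http_port listens; the proxy's own upstream fetch is stopped by the `deny tcp host 10.0.0.24 any eq www` line, which is what keeps the router from handing squid's traffic back to squid; HTTPS and SSH are left alone. Two checks this suggests on the real box: `pfctl -s nat` shows whether the rdr rule is loaded at all (an empty list means pf is disabled or pf.conf was never loaded; `pf_enable="YES"` in rc.conf and `pfctl -f /etc/pf.conf`), and `pfctl -s state` while a client browses shows the translated state with the original port 80 destination in parentheses. Because rdr rewrites the destination port before the socket lookup, no `*.80` listener is expected in `netstat -an` on the proxy; the `*.3129` listener in the posted output is the one that matters. The same netstat output also shows SNMP (161/162), port 10000 and syslog 514 bound to every address on a box that now sits in the client path; once interception works, the commented-out `block in`, together with explicit `pass in` rules for 3128/3129 and management, is the place to close those.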