Search squid archive

Re: More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 17/01/2016 2:16 a.m., Egerváry Gergely wrote:
> Hi,
> 
> I'm running on:
> - NetBSD 7.0_STABLE (checked out today)
> - Squid 3.5.12 from NetBSD pkgsrc 2015Q4
> - IP Filter: v5.1.2 (536)
> 
> Configured with "--enable-ipf-transparent":
> 
>   $ ./configure --sysconfdir=/usr/pkg/etc/squid
> --localstatedir=/var/squid --datarootdir=/usr/pkg/share/squid
> --disable-strict-e
> rror-checking --enable-auth --enable-cachemgr-hostname=localhost
> --enable-delay-pools --enable-icap-client --enable-icmp --enabl
> e-poll --enable-removal-policies=lru,heap --enable-storeio=ufs diskd
> --with-aio --with-default-user=squid --with-pidfile=/var/ru
> n/squid.pid --disable-arch-native --enable-ipf-transparent --enable-carp
> --without-mit-krb5 --without-heimdal-krb5 --enable-snmp
>  --enable-ssl --with-openssl=/usr --enable-auth-basic=NCSA getpwnam PAM
> --enable-auth-digest=file --disable-auth-negotiate --ena
> ble-auth-ntlm=fake smb_lm --enable-external-acl-helpers=file_userip
> unix_group --prefix=/usr/pkg --build=x86_64--netbsd --host=x
> 86_64--netbsd --mandir=/usr/pkg/man
> 
> For testing, I flushed ALL ipfilter and ipnat rules, except one:
> 
> rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp
> 
> wm1 is the LAN interface, 172.28.0.20 is the squid IP.
> 
> $ egrep -v '(^$|^#)' squid.conf
> 
> acl Safe_ports port 80          # http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:80 intercept
> http_port 127.0.0.1:8080
> http_port 172.28.0.20:80 intercept
> http_port 172.28.0.20:8080
> coredump_dir /var/squid/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> ... and I get the famous message:
> 
> 2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local=172.28.0.20:80 remote=172.28.0.20:6536
> 3 FD 19 flags=33
> 
> Do I miss something?
> 

You missed out saying how you tested it. That matters.

For example, from the Squid log line it appears you made a connection
directly to the intercept port without going through the NAT system. Of
course the NAT system would have no record of it under those circumstances.

Amos


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux