On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington <odhiambo@xxxxxxxxx> wrote:
Hello Amos, All noted. Lemme consult with some FreeBSD guys on these.
As a FreeBSD user, here's my two cents.
You should be using the www/squid port.
If the port doesn't compile with the options you wish, open a problem report with FreeBSD and/or ask on the FreeBSD ports mailing list. The maintainer of the www/squid port is pretty responsive and helpful.
I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.
--
On 15 April 2016 at 18:13, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
>
> With luck, I have managed to get squid to compile successfully (after
> upgrading a few components here and there). I used:
Yay!
>
> I have it running now (redirecting using IPFilter/IPNAT), but once in a
> while I see this error about NAT:
>
<snip>
> 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
> on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
These are the kernel NAT system telling Squid the connection being
looked up has no record there.
It could be TCP connections being made straight to the intercept port.
If so you need to update the firewall config to prevent them, even from
localhost.
In Linux we use a mangle table rule, since that is the filter pre-NAT
that can do it. I'm not sure how FreeBSD would do that. It has to be
done on the packet's first arrival pre-NAT. Any filter that is applied after
the NAT action will get it wrong due to the NAT changes.
It could be the NAT system's table of connections filling up and
overflowing. If so there should be a kernel sysctl somewhere to increase
that table size.
>
> In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> It's the inception stage so I haven't delved deep into ssl-bump
> configurations...
>
HTH
Amos
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
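
A way to triage the two causes named in the reply above from cache.log, as an added example that is not part of the original thread or of Squid itself. Failures that repeat from a few remotes, or from the proxy's own address, suggest direct connections to the intercept port, while many failures in the same minute are more consistent with NAT table pressure; the function name `triage`, the `burst_threshold` value, the IPv4-only pattern and every sample line after the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Matches the error quoted in the thread; \s+ tolerates the mail-wrapped line break.
# Assumption: IPv4 addresses only.
PATTERN = re.compile(
    r"(?P<minute>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}\| ERROR: NAT/TPROXY lookup "
    r"failed to locate original IPs\s+on local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)

def triage(log_text, burst_threshold=3):
    """Summarise NAT lookup failures; burst_threshold is an assumed cut-off."""
    per_remote, per_minute, self_origin = Counter(), Counter(), set()
    for m in PATTERN.finditer(log_text):
        per_remote[m["rip"]] += 1
        per_minute[m["minute"]] += 1
        # A remote equal to the listening address, or loopback, is the
        # "even from localhost" case: likely a direct connection, not NAT.
        if m["rip"] == m["lip"] or m["rip"].startswith("127."):
            self_origin.add(m["rip"])
    return {
        "total": sum(per_remote.values()),
        "per_remote": dict(per_remote),
        "self_origin": sorted(self_origin),
        # Minutes with many failures at once hint at NAT table pressure.
        "bursts": {k: v for k, v in per_minute.items() if v >= burst_threshold},
    }

# Constructed sample: the first entry is the one quoted in the thread,
# the rest are made up in the same format.
SAMPLE = """\
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:17:40| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57730 FD 31 flags=33
2016/04/15 16:17:55| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.254:40112 FD 33 flags=33
2016/04/15 16:20:02| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=127.0.0.1:13128 remote=127.0.0.1:40200 FD 12 flags=33
2016/04/15 16:20:05| (unrelated log line)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```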