On 08/02/18 12:44, setuid wrote:
> On 2/7/18 6:36 PM, Yuri wrote:
>> Did you use ipfw NAT configuration on same box with squid?
>
> Yes, my ipfw configuration is:
>
> $cmd 00700 deny ip from any to any dst-port 3128 via em0
> $cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
> $cmd 00820 allow ip from any to any dst-port 3128 dst-ip 192.168.1.25
> src-ip 192.168.1.1
> $cmd add 60000 permit ip from any to any

Earlier you wrote:
> My Squid configuration is 100% default, identical to the generic config,
> with the exception of the following lines:
>
> ======================
> http_port 3128
> http_port 3129 intercept
> tcp_outgoing_address 192.168.1.25
> debug_options ALL,9
> ======================

Your IPFW rules are sending intercepted traffic to port 3128.

HTTP traffic comes in multiple flavours/types. Squid-3+ enforces that the
port "mode" matches the type of traffic arriving, to maintain traffic
integrity in the face of security vulnerabilities relevant (or not) to
each traffic type.

This adds some natural limitations which were not previously visible in
Squid-2 which was broken, just not informing you of the problem(s).

These are:

* you MUST configure NAT on the same device / machine / VM that Squid is
  running on. Squid requires access directly to the kernel NAT tables.

* you MUST only send traffic of a given type to the port with matching
  "mode" flag.
  - explicit/forward proxy is implied when *no* more specific mode is
    supplied,
  - NAT traffic requires "intercept" flag,
  - TPROXY traffic requires "tproxy" flag, and
  - interception of HTTPS traffic requires "ssl-bump" flag (which can be
    combined with the others)

Also, were the build options displayed earlier the same ones you used
for testing *BSD and Linux systems?

The Linux Netfilter and *BSD PF NAT systems will never work if you
disable them and permit *only* IPFW-transparent in the Squid build.
Amos
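The port/mode mismatch described in the message above can be checked mechanically. The following is an added example, not part of the original message or of Squid: it cross-checks the quoted `http_port` lines against the quoted `ipfw fwd` rules. The function names are hypothetical, and it assumes ipfw-redirected traffic must land on a port flagged `intercept`.

```python
import re

# Constructed sample input, copied from the configuration quoted in the message.
SQUID_CONF = """\
http_port 3128
http_port 3129 intercept
tcp_outgoing_address 192.168.1.25
"""
IPFW_RULES = """\
$cmd 00700 deny ip from any to any dst-port 3128 via em0
$cmd 00800 fwd 3128 tcp from 192.168.1.25 to any dst-port 80 via em0
"""
MODE_FLAGS = {"intercept", "tproxy"}  # no flag means explicit/forward proxy


def port_modes(squid_conf):
    """Map each http_port/https_port number to its mode."""
    modes = {}
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("http_port", "https_port"):
            continue
        # The listening spec may be "3129" or "addr:3129"; keep the port only.
        port = int(fields[1].rsplit(":", 1)[-1])
        flags = MODE_FLAGS.intersection(fields[2:])
        modes[port] = flags.pop() if flags else "forward"
    return modes


def fwd_targets(ipfw_rules):
    """Yield (rule, port) for each fwd rule: "fwd 3128" or "fwd addr,port"."""
    for line in ipfw_rules.splitlines():
        m = re.search(r"\bfwd\s+(?:[^\s,]+,)?(\d+)(?=\s|$)", line)
        if m:
            yield line.strip(), int(m.group(1))


def check(squid_conf, ipfw_rules):
    """Return (port, mode, rule) for fwd rules landing on a non-intercept port."""
    modes = port_modes(squid_conf)
    findings = []
    for rule, port in fwd_targets(ipfw_rules):
        mode = modes.get(port, "not a Squid listening port")
        if mode != "intercept":
            findings.append((port, mode, rule))
    return findings


if __name__ == "__main__":
    for port, mode, rule in check(SQUID_CONF, IPFW_RULES):
        print(f"port {port} is {mode!r}, expected 'intercept': {rule}")
```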