[squid-users] Squid versions and FreeBSD-10.1 headache

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 23 13:07:34 UTC 2015



On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> 
> Once more. You CANNOT have either a web server or any other service
> listening on port 80 on the same host as a transparent Squid proxy.
> This is the one and only reason you have looping.
> 

That is not correct. It can be done, but depends on how the firewall
operates and what ruleset is used.

One has to intercept traffic transiting the machine, but ignore
traffic destined *to* or *from* the local machine's own processes.

> Look. On my transparent 3.4.11 (which was early 2.7) IPFilter
> redirects port 80 to the proxy. My web server on the same host listens
> only on ports 8080, 8088 and 8888. No service except NAT is using
> port 80.
> 
> And finally I have had no looping for 4 years.
> 
> Obvious, is it?
> 

Maybe there was, maybe there wasn't.

Squid-2.7 ignored a lot of NAT related errors and even silently did
some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
happen anymore.


Odhiambo:
I suspect it might be related to your use of "rdr" firewall rules. In
OpenBSD PF at least, rdr rules do not work properly and divert-to rules
need to be used instead (divert-to can be used for either TPROXY or
NAT Squid listening ports on BSD).

Amos
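An added example, not from this thread or the Squid project: an OpenBSD-style pf.conf fragment showing the loop-prone redirect beside the divert-to rules that only intercept traffic transiting the box, as described above. The interface names, LAN subnet and the Squid intercept port 3129 are assumptions.

```pf
# Assumed layout: clients behind $int_if, upstream via $ext_if, Squid on
# this host with "http_port 3129 intercept" in squid.conf.  A web server
# on the same host listening on port 80 is fine, because the intercept
# rule below never matches packets this host originates or is addressed to.
int_if     = "em1"
ext_if     = "em0"
squid_port = "3129"

# 1. Loop-prone form (do NOT use).  No interface and no destination
#    restriction: a request Squid itself makes to the local web server
#    arrives "in" on lo0 with dst port 80, matches, and is redirected
#    straight back to Squid.  Amos also notes rdr itself misbehaves for
#    this purpose on OpenBSD PF.
# match in proto tcp to port 80 rdr-to 127.0.0.1 port $squid_port

# 2. Intercept only *transit* traffic: inbound on the LAN interface, from
#    the LAN subnet, bound for an address that is not one of this host's
#    own ("self" expands to every address assigned to this machine).
pass in quick on $int_if inet proto tcp from $int_if:network to !self port 80 \
    divert-to 127.0.0.1 port $squid_port

# 3. Requests from the LAN to this host's own port 80 reach the local web
#    server directly, and Squid's upstream connections leave on $ext_if,
#    so neither can ever re-enter rule 2.
pass in  quick on $int_if inet proto tcp from $int_if:network to self port 80
pass out quick on $ext_if inet proto tcp from ($ext_if) to any port 80
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`.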

