[squid-users] Squid versions and FreeBSD-10.1 headache

Odhiambo Washington odhiambo at gmail.com
Fri Jan 23 13:20:59 UTC 2015


On 23 January 2015 at 16:07, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >
> > Once more. You CANNOT have either a web server or any other service
> > with listening port 80 on the same host as a transparent Squid proxy.
> > This is the one and only reason you have looping.
> >
>
> That is not correct. It can be done, but depends on how the firewall
> operates and what ruleset is used.
>
> One has to intercept traffic transiting the machine, but ignore
> traffic destined *to* or *from* the local machine's running processes.
>
> > Look. On my transparent 3.4.11 (which was earlier 2.7) IPFilter
> > redirects port 80 to the proxy. My web server on the same host listens
> > only on ports 8080, 8088 and 8888. No service except NAT is using
> > port 80.
> >
> > And finally I have had no looping for 4 years.
> >
> > Obvious, is it?
> >
>
> Maybe there was, maybe there wasn't.
>
> Squid-2.7 ignored a lot of NAT related errors and even silently did
> some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
> happen anymore.
>
>
> Odhiambo:
> I suspect it might be related to your use of "rdr" firewall rules. In
> OpenBSD PF at least, rdr rules do not work properly and divert-to rules
> need to be used instead (divert-to can be used for either TPROXY or
> NAT Squid listening ports on BSD).
>


I am thinking Squid-3.2+ is evil :-)

Anyway, my PF rules are here: http://pastebin.com/pKv1jN2v
And my IPFilter rules are here: http://pastebin.com/JQ77X01H

I need to figure out why Squid is DENYing all access...


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."