[squid-users] Squid versions and FreeBSD-10.1 headache

Odhiambo Washington odhiambo at gmail.com
Fri Jan 23 15:57:11 UTC 2015 

On 23 January 2015 at 18:29, Odhiambo Washington <odhiambo at gmail.com> wrote:

>
>
> On 23 January 2015 at 17:33, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:
>> > On 23 January 2015 at 16:53, Amos Jeffries <squid3 at treenet.co.nz>
>> > wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> >>
>> >> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:
>> >>> On 23 January 2015 at 16:40, Amos Jeffries
>> >>> <squid3 at treenet.co.nz> wrote:
>> >>>
>> >>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> >>>>
>> >>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
>> >>>>> On 23 January 2015 at 16:07, Amos Jeffries
>> >>>>> <squid3 at treenet.co.nz> wrote:
>> >>>>>
>> >>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> >>>>>>
>> >>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>> >>>>>>>
>> >>>>>>> Once more. You CANNOT have neither web-server nor
>> >>>>>>> other service with listening port 80 on the same host
>> >>>>>>> as transparent Squid proxy. This is one and only reason
>> >>>>>>> you have looping.
>> >>>>>>>
>> >>>>>>
>> >>>>>> That is not correct. It can be done, but depends on how
>> >>>>>> the firewall operates and what ruleset is used.
>> >>>>>>
>> >>>>>> One has to intercept traffic transiting the machine, but
>> >>>>>> ignore traffic destined *to* or *from* the local
>> >>>>>> machines running processes.
>> >>>>>>
>> >>>>>>> Look. On my transparent 3.4.11 (which was early 2.7)
>> >>>>>>> IPFilter redirects 80 port to proxy. My web server on
>> >>>>>>> the same host listens only 8080, 8088 and 8888 ports.
>> >>>>>>> No one service except NAT is using 80 port.
>> >>>>>>>
>> >>>>>>> And finally I have no looping 4 years.
>> >>>>>>>
>> >>>>>>> Obvious, is it?
>> >>>>>>>
>> >>>>>>
>> >>>>>> Maybe there was, maybe there wasn't.
>> >>>>>>
>> >>>>>> Squid-2.7 ignored a lot of NAT related errors and even
>> >>>>>> silently did some Very Bad Things(tm) - none of which
>> >>>>>> Squid-3.2+ will allow to happen anymore.
>> >>>>>>
>> >>>>>>
>> >>>>>> Odhiambo: I suspect it might be related to your use of
>> >>>>>> "rdr" firewall rules. In OpenBSD PF at least rdr rules do
>> >>>>>> not work properly and divert-to rules needs to be used
>> >>>>>> instead (divert-to can be used for either TPROXY or NAT
>> >>>>>> Squid listening ports on BSD).
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>> I am thinking Squid-3.2+ is evil :-)
>> >>>>>
>> >>>>> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
>> >>>>> And my IPFilter rules are here:
>> >>>>> http://pastebin.com/JQ77X01H
>> >>>>>
>> >>>>> I need to figure out why squid is DENYing all access ..
>> >>>>>
>> >>>>
>> >>>> Can you update me on what the squid -v output is from the
>> >>>> Squid build you are having issues with pleae?
>> >>>>
>> >>>> Amos
>> >>>>
>> >>>
>> >>> root at mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache:
>> >>> Version 3.5.1-20150120-r13736 Service Name: squid configure
>> >>> options:  '--prefix=/opt/squid35'
>> >>> '--enable-removal-policies=lru heap' '--disable-epoll'
>> >>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'
>> >>> '--enable-external-acl-helpers=session unix_group file_userip'
>> >>> '--enable-auth-negotiate=kerberos' '--with-pthreads'
>> >>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'
>> >>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'
>> >>> '--enable-cache-digests' '--enable-wccpv2'
>> >>> '--enable-follow-x-forwarded-for' '--with-large-files'
>> >>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'
>> >>> '--enable-icap-client' '--enable-kill-parent-hack'
>> >>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'
>> >>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'
>> >>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'
>> >>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'
>> >>> --enable-ltdl-convenience
>> >>>
>> >>
>> >> Okay. Can you explicitly add --disable-ipf-transparent -
>> >> --disable-ipfw-transparent and see if that helps.
>> >>
>> >> Also in squid.conf adding debugs_options ALL,1 89,9  will show
>> >> just the NAT lookup results where things are going wrong.
>> >>
>> >
>> > So, before I recompile, we can look at the debug output:
>> >
>> > 2015/01/23 17:07:45| storeLateRelease: released 0 objects
>> > 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN:
>> > me/client= 192.168.2.254:13128, destination/me=
>> > 192.168.2.115:58632 2015/01/23 17:07:46.959| Intercept.cc(293)
>> > PfInterception: address NAT divert-to: local=192.168.2.254:13128
>> > remote=192.168.2.115:58632 FD 14 flag s=33
>>
>>
>> Arggg..   Add --with-nat-devpf to your build options in FreeBSD.
>>
>> http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4
>>
>> Amos
>>
>>
>
> Done that and now, debug shows:
>
> 2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58541
> 2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT:
> local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
> 2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58542
> 2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT:
> local=190.93.244.112:80 remote=192.168.2.2:58542 FD 37 flags=33
> 2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58543
> 2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT:
> local=190.93.244.112:80 remote=192.168.2.2:58543 FD 39 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58544
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT:
> local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33
> 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58545
> 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT:
> local=108.168.145.227:80 remote=192.168.2.2:58545 FD 52 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58546
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT:
> local=108.168.145.227:80 remote=192.168.2.2:58546 FD 53 flags=33
> 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58547
> 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT:
> local=108.168.145.227:80 remote=192.168.2.2:58547 FD 54 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58548
> 2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception: address NAT:
> local=108.168.145.227:80 remote=192.168.2.2:58548 FD 55 flags=33
> 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN:
> me/client= 192.168.2.254:13128, destination/me= 192.168.2.2:58549
>
> And the good news is that squid-3.5.1 is now allowing client PCs to
> browse. Thank you for that.
>
> I still have issues to raise (though my small brain is now so saturated):
>
>
> Here is what I use:
>
> ./configure --prefix=/opt/squid35 \
>         --enable-removal-policies="lru heap" \
>         --disable-epoll \
>         --enable-auth \
>         --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \
>         --enable-external-acl-helpers="session unix_group file_userip" \
>         --enable-auth-negotiate="kerberos" \
>         --with-pthreads \
>         --enable-storeio="ufs diskd rock aufs" \
>         --enable-delay-pools \
>         --enable-snmp  \
>         --with-openssl=/usr \
>         --enable-forw-via-db \
>         --enable-cache-digests \
>         --enable-wccpv2 \
>         --enable-follow-x-forwarded-for \
>         --with-large-files \
>         --enable-large-cache-files \
>         --enable-esi \
>         --enable-kqueue \
>         --enable-icap-client \
>         --enable-kill-parent-hack \
>         --enable-ssl \
>         --enable-leakfinder \
>         --enable-ssl-crtd \
>         --enable-url-rewrite-helpers \
>         --enable-xmalloc-statistics \
>         --enable-stacktraces \
>         --enable-zph-qos \
>         --enable-eui \
>         --with-nat-devpf \
>         --enable-pf-transparent \
>         --enable-ipf-transparent
>
>
> It seems I have to remove --enable-ipf-transparent otherwise the build
> fails. I was thinking I could have both of --enable-ipf-transparent and
>  --enable-ipf-transparent so that I can be able to use either PF or
> IPFilter - whichever I want.
>
>
To simplify:

Suppose  I wanted to use IPFilter as the Firewall with IPNat, what are my
options?




-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20150123/6f9e2fc8/attachment-0001.html>

More information about the squid-users mailing list