[squid-users] Struggling with 3.5.16 on FreeBSD-9.3

Odhiambo Washington odhiambo at gmail.com
Fri Apr 15 15:45:14 UTC 2016


Hello Amos,

All noted.

Lemme consult with some FreeBSD guys on these.

On 15 April 2016 at 18:13, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
> >
> > With luck, I have managed to get squid to compile successfully (after
> > upgrading a few components here and there). I used:
>
> Yay!
>
> >
> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
> > while I see this error about NAT:
> >
> <snip>
> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original
> IPs
> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>
> These are the kernel NAT system telling Squid the connection being
> looked up has no record there.
>
> It could be TCP connections being made straight to the intercept port.
> If so you need to update the firewall config to prevent them, even from
> localhost.
>  In Linux we use a mangle table rule, since that is the filter pre-NAT
> that can do it. I'm not sure how FreeBSD would do that. It has to be
> done on packets first arrival pre-NAT. Any filter that is applied after
> the NAT action will get it wrong due to the NAT changes.
>
>
> It could be the NAT systems table of connections filling up and
> overflowing. If so there should be a kernel sysctl somewhere to increase
> that table size.
>
> >
> > In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> > It's the inception stage so I haven't delved deep into ssl-bump
> > configurations...
> >
>
> HTH
> Amos
>
>


-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
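Since the original poster plans to move the interception rules from IPNAT to PF, here is an added example (not from Amos, not from Odhiambo, and not from the Squid project) of what Amos's "block direct connections to the intercept port, pre-NAT" advice looks like in FreeBSD 9.x PF syntax. PF applies translation (rdr) before filter rules, so the filter sees the already-rewritten destination; the way to tell redirected packets from ones a client opened straight to :13128 is to have the rdr rule tag them and have the filter drop anything untagged. The interface name em1 is an assumption; the 192.168.55.0/24 prefix, the 192.168.55.254 gateway address and port 13128 are taken from the error line quoted in the thread. The NAT-table-overflow possibility Amos also raises is not covered here.

```pf
# Added example: PF rules for a Squid intercept port on FreeBSD 9.x.
# Not part of the mailing-list thread; interface name is an assumption.
int_if     = "em1"                # LAN-facing interface (assumed)
int_net    = "192.168.55.0/24"    # LAN prefix, from the log line in the thread
squid_host = "192.168.55.254"     # address Squid listens on, from the log line
squid_port = "13128"              # http_port ... intercept, from the log line

# --- translation (evaluated before the filter rules) ---------------------
# Redirect LAN web traffic into Squid and tag it, so the filter below can
# tell "arrived here via rdr" from "client dialled :13128 directly".
rdr on $int_if inet proto tcp from $int_net to any port 80 \
    tag SQUID_RDR -> $squid_host port $squid_port

# --- filtering ---------------------------------------------------------
# Connections that reach the intercept port WITHOUT the rdr tag have no
# NAT table entry, which is exactly what Squid reports as
# "NAT/TPROXY lookup failed to locate original IPs". Refuse them,
# including from the box itself on lo0 (a "set skip on lo0" line would
# bypass this, so do not combine the two).
block in log quick on $int_if inet proto tcp to $squid_host port $squid_port ! tagged SQUID_RDR
block in log quick on lo0     inet proto tcp to any        port $squid_port

# Redirected traffic is allowed in and gets a state entry.
pass in quick on $int_if inet proto tcp to $squid_host port $squid_port tagged SQUID_RDR keep state
```

Ordering matters: in pf.conf the translation section must precede the filter section, and because the rdr rule matches on "port 80" while the filter rules match on the post-translation "port $squid_port", a connection that does not go through the rdr never acquires the tag and is dropped by the first `block ... quick` rule before Squid ever sees it. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.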