[squid-users] Stuggling with 3.5.16 on FreeBSD-9.3
Nick Rogers
ncrogers at gmail.com
Mon Apr 18 17:14:37 UTC 2016
On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington <odhiambo at gmail.com>
wrote:
> Hello Amos,
>
> All noted.
>
> Lemme consult with some FreeBSD guys on these .
>
As a FreeBSD user, here's my two cents.
You should be using the www/squid port.
If the port doesn't compile with the options you wish, open a problem
report with FreeBSD and/or ask on the FreeBSD ports mailing list. The
maintainer of the www/squid port is pretty responsive and helpful.
I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.
>
> On 15 April 2016 at 18:13, Amos Jeffries <squid3 at treenet.co.nz> wrote:
>
>> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
>> >
>> > With luck, I have managed to get squid to compile successfully (after
>> > upgrading a few components here and there). I used:
>>
>> Yay!
>>
>> >
>> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
>> > while I see this error about NAT:
>> >
>> <snip>
>> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original
>> IPs
>> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>>
>> These are the kernel NAT system telling Squid the connection being
>> looked up has not record there.
>>
>> It could be TCP connections being made straight to the intercept port.
>> If so you need to update the firewall config to prevent them, even from
>> localhost.
>> In Linux we use a mangle table rule, since that is the filter pre-NAT
>> that can do it. I'm not sure how FreeBSD would do that. It has to be
>> done on packets first arrival pre-NAT. Any filter that is applied after
>> the NAT action will get it wrong due to the NAT changes.
>>
>>
>> It could be the NAT systems table of connections filling up and
>> overflowing. If so there should be a kernel sysctl somewhere to increase
>> that table size.
>>
>> >
>> > In any case, I am planning to rewrite the IPNAT rules into PF and use
>> PF.
>> > It's the inception stage so I haven't delved deep into ssl-bump
>> > configurations...
>> >
>>
>> HTH
>> Amos
>>
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160418/e643d152/attachment.html>
More information about the squid-users
mailing list