[squid-users] Running squid on a machine with only one network interface.

Ataro ataro at protonmail.ch
Tue Jun 28 13:49:46 UTC 2016


Hi and thanks for your help.

As for your request, here's the content of my IPFW rules and my squid configuration:

IPFW rules:

ipfw -f flush
ipfw add 50 pass all from any to any via lo0
ipfw add 100 pass all from any to any proto udp
ipfw add 150 pass icmp from any to any
ipfw add 200 fwd 127.0.0.1,3128 tag 1111 tcp from me to any
ipfw add 250 pass all from 10.0.2.15 to any tagged 1111

squid.conf:

acl my_machine src 10.0.2.15 # this is the ip of my machine.
http_access allow my_machine

acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

http_access deny !Safe_ports

http_access deny CONNECT !SSL_ports


http_access allow localhost manager
http_access deny manager

visible_hostname mynet.mydomain
acl MYSITE dstdomain cnn.com
acl MYSITE dstdomain 10.0.2.15
http_access allow MYSITE

http_access allow localnet
http_access allow localhost

http_access deny all

http_port 127.0.0.1:3128 intercept
http_port 3129

coredump_dir /var/squid/cache

refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320

I'm almost sure that the problem is that, as other people said here, the firewall redirects the traffic originating from the squid server back to squid, hence the forwarding loop.

I've tried to allow the traffic originating from the squid server by using the "tag/tagged" feature in the IPFW rules, but this doesn't work, apparently because squid issues a new connection that is not tagged.
Since squid and the firewall reside on the same machine, I've no idea how to tell the firewall to allow the traffic which squid initiates.

Regards,

Ataro.


-------- Original Message --------
Subject: Re: [squid-users] Running squid on a machine with only one network interface.
Local Time: June 27, 2016 11:56 PM
UTC Time: June 27, 2016 8:56 PM
From: Antony.Stone at squid.open.source.it
To: ataro at protonmail.ch

On Monday 27 June 2016 at 22:45:19, Ataro wrote:

> Hi there,
>
> I've set up a FreeBSD machine inside a VirtualBox machine and used IPFW to
> forward all the requests to the internet through a squid server running on
> the same machine in port 3128 in intercept mode.

Please show us your IPFW rules.

> The problem is that I get 403 http responses on every site I try to access,
> even on the sites that I've explicitly allowed in the squid.conf file.

Maybe show us your squid.conf as well (without comments or blank lines).

> I also get a warning message on the tty that squid is running on (I've run
> squid in no daemon mode) which says: Warning: Forwarding loop detected
> for:.....

So, NAT is not working correctly...

> I guess that this error occurs since the squid server and the IPFW firewall
> are running on the same machine, which has only one network interface.
>
> Am I right?

Not in the sense that "you can't do this with only one interface", no.

However, quite possibly in the sense that you haven't told IPFW how to
distinguish between requests in from your clients, and requests out from your
squid instance.

The former need to go to squid, the latter need to go to the Internet.


Give us a bit more information and we might be able to give you a bit more
help.



Antony.

--
I don't know, maybe if we all waited then cosmic rays would write all our
software for us. Of course it might take a while.

- Ron Minnich, Los Alamos National Laboratory

Please reply to the list;
please *don't* CC me.
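
Added example, not part of the thread and not the posters' own configuration: one way to give IPFW the distinction described above is to allow packets from sockets owned by the Squid account ahead of the fwd rule, using ipfw's uid match. The account name "squid", the rule number 180 and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.
PROXY_USER="squid"             # assumption: account the Squid process runs as
PROXY_LISTEN="127.0.0.1,3128"  # intercept listener from the posted config

# The ruleset as posted (flush omitted): rule 200 is a terminating match for
# every TCP packet from this host, Squid's own upstream connections included.
posted_rules() {
    cat <<EOF
add 50 pass all from any to any via lo0
add 100 pass all from any to any proto udp
add 150 pass icmp from any to any
add 200 fwd ${PROXY_LISTEN} tag 1111 tcp from me to any
add 250 pass all from 10.0.2.15 to any tagged 1111
EOF
}

# Same rules plus one exemption, numbered 20 below the fwd rule, that lets
# packets from sockets owned by PROXY_USER leave without being redirected.
fixed_rules() {
    posted_rules | awk -v u="$PROXY_USER" '
        $3 == "fwd" { print "add " ($2 - 20) " pass tcp from me to any uid " u }
        { print }'
}

# Reads rules on stdin; succeeds only if an allow rule for PROXY_USER's uid
# comes before the first fwd rule (ipfw stops at the first terminating match).
exempt_before_fwd() {
    awk -v u="$PROXY_USER" '
        { n = $2 + 0; act = $3; hit = 0
          for (i = 4; i < NF; i++) if ($i == "uid" && $(i + 1) == u) hit = 1
          if (!ex && hit && act ~ /^(pass|allow|accept|permit)$/) ex = n
          if (!fw && act == "fwd") fw = n }
        END { exit !(fw && ex && ex < fw) }'
}

# Default is a dry run that prints the rules; "apply" loads them (as root).
if [ "${1:-}" = "apply" ]; then
    fixed_rules | exempt_before_fwd || { echo "proxy not exempted" >&2; exit 1; }
    ipfw -q -f flush
    fixed_rules | while read -r rule; do ipfw -q $rule; done
else
    fixed_rules
fi
```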