<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 23 January 2015 at 17:33, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</span><div><div class="h5">On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:<br>
> On 23 January 2015 at 16:53, Amos Jeffries <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>><br>
> wrote:<br>
><br>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1<br>
>><br>
>> On 24/01/2015 2:47 a.m., Odhiambo Washington wrote:<br>
>>> On 23 January 2015 at 16:40, Amos Jeffries<br>
>>> <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br>
>>><br>
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1<br>
>>>><br>
>>>> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:<br>
>>>>> On 23 January 2015 at 16:07, Amos Jeffries<br>
>>>>> <<a href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>> wrote:<br>
>>>>><br>
>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1<br>
>>>>>><br>
>>>>>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:<br>
>>>>>>><br>
>>>>>>> Once more. You CANNOT have neither web-server nor<br>
>>>>>>> other service with listening port 80 on the same host<br>
>>>>>>> as transparent Squid proxy. This is one and only reason<br>
>>>>>>> you have looping.<br>
>>>>>>><br>
>>>>>><br>
>>>>>> That is not correct. It can be done, but depends on how<br>
>>>>>> the firewall operates and what ruleset is used.<br>
>>>>>><br>
>>>>>> One has to intercept traffic transiting the machine, but<br>
>>>>>> ignore traffic destined *to* or *from* the local<br>
>>>>>> machines running processes.<br>
>>>>>><br>
>>>>>>> Look. On my transparent 3.4.11 (which was early 2.7)<br>
>>>>>>> IPFilter redirects 80 port to proxy. My web server on<br>
>>>>>>> the same host listens only 8080, 8088 and 8888 ports.<br>
>>>>>>> No one service except NAT is using 80 port.<br>
>>>>>>><br>
>>>>>>> And finally I have no looping 4 years.<br>
>>>>>>><br>
>>>>>>> Obvious, is it?<br>
>>>>>>><br>
>>>>>><br>
>>>>>> Maybe there was, maybe there wasn't.<br>
>>>>>><br>
>>>>>> Squid-2.7 ignored a lot of NAT related errors and even<br>
>>>>>> silently did some Very Bad Things(tm) - none of which<br>
>>>>>> Squid-3.2+ will allow to happen anymore.<br>
>>>>>><br>
>>>>>><br>
>>>>>> Odhiambo: I suspect it might be related to your use of<br>
>>>>>> "rdr" firewall rules. In OpenBSD PF at least rdr rules do<br>
>>>>>> not work properly and divert-to rules needs to be used<br>
>>>>>> instead (divert-to can be used for either TPROXY or NAT<br>
>>>>>> Squid listening ports on BSD).<br>
>>>>>><br>
>>>>><br>
>>>>><br>
>>>>> I am thinking Squid-3.2+ is evil :-)<br>
>>>>><br>
>>>>> Anyway, my PF rules are here : <a href="http://pastebin.com/pKv1jN2v" target="_blank">http://pastebin.com/pKv1jN2v</a><br>
>>>>> And my IPFilter rules are here:<br>
>>>>> <a href="http://pastebin.com/JQ77X01H" target="_blank">http://pastebin.com/JQ77X01H</a><br>
>>>>><br>
>>>>> I need to figure out why squid is DENYing all access ..<br>
>>>>><br>
>>>><br>
>>>> Can you update me on what the squid -v output is from the<br>
>>>> Squid build you are having issues with pleae?<br>
>>>><br>
>>>> Amos<br>
>>>><br>
>>><br>
>>> root@mail:/usr/src # /opt/squid35/sbin/squid -v Squid Cache:<br>
>>> Version 3.5.1-20150120-r13736 Service Name: squid configure<br>
>>> options: '--prefix=/opt/squid35'<br>
>>> '--enable-removal-policies=lru heap' '--disable-epoll'<br>
>>> '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI'<br>
>>> '--enable-external-acl-helpers=session unix_group file_userip'<br>
>>> '--enable-auth-negotiate=kerberos' '--with-pthreads'<br>
>>> '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools'<br>
>>> '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db'<br>
>>> '--enable-cache-digests' '--enable-wccpv2'<br>
>>> '--enable-follow-x-forwarded-for' '--with-large-files'<br>
>>> '--enable-large-cache-files' '--enable-esi' '--enable-kqueue'<br>
>>> '--enable-icap-client' '--enable-kill-parent-hack'<br>
>>> '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd'<br>
>>> '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics'<br>
>>> '--enable-stacktraces' '--enable-zph-qos' '--enable-eui'<br>
>>> '--enable-pf-transparent' 'CC=clang' 'CXX=clang++'<br>
>>> --enable-ltdl-convenience<br>
>>><br>
>><br>
>> Okay. Can you explicitly add --disable-ipf-transparent -<br>
>> --disable-ipfw-transparent and see if that helps.<br>
>><br>
>> Also in squid.conf adding debugs_options ALL,1 89,9 will show<br>
>> just the NAT lookup results where things are going wrong.<br>
>><br>
><br>
> So, before I recompile, we can look at the debug output:<br>
><br>
> 2015/01/23 17:07:45| storeLateRelease: released 0 objects<br>
> 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN:<br>
> me/client= <a href="http://192.168.2.254:13128" target="_blank">192.168.2.254:13128</a>, destination/me=<br>
> <a href="http://192.168.2.115:58632" target="_blank">192.168.2.115:58632</a> 2015/01/23 17:07:46.959| Intercept.cc(293)<br>
> PfInterception: address NAT divert-to: local=<a href="http://192.168.2.254:13128" target="_blank">192.168.2.254:13128</a><br>
> remote=<a href="http://192.168.2.115:58632" target="_blank">192.168.2.115:58632</a> FD 14 flag s=33<br>
<br>
<br>
</div></div>Arggg.. Add --with-nat-devpf to your build options in FreeBSD.<br>
<br>
<a href="http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4" target="_blank">http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4</a><br>
<span class=""><br>
Amos<br>
</span><br></blockquote><div><br></div><div><br></div><div>Done that and now, debug shows:</div><div><br></div><div><div>2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58541">192.168.2.2:58541</a></div><div>2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://190.93.244.112:80">190.93.244.112:80</a> remote=<a href="http://192.168.2.2:58541">192.168.2.2:58541</a> FD 35 flags=33</div><div>2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58542">192.168.2.2:58542</a></div><div>2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://190.93.244.112:80">190.93.244.112:80</a> remote=<a href="http://192.168.2.2:58542">192.168.2.2:58542</a> FD 37 flags=33</div><div>2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58543">192.168.2.2:58543</a></div><div>2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://190.93.244.112:80">190.93.244.112:80</a> remote=<a href="http://192.168.2.2:58543">192.168.2.2:58543</a> FD 39 flags=33</div><div>2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58544">192.168.2.2:58544</a></div><div>2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://196.0.3.114:80">196.0.3.114:80</a> remote=<a href="http://192.168.2.2:58544">192.168.2.2:58544</a> FD 51 flags=33</div><div>2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58545">192.168.2.2:58545</a></div><div>2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://108.168.145.227:80">108.168.145.227:80</a> remote=<a href="http://192.168.2.2:58545">192.168.2.2:58545</a> FD 52 flags=33</div><div>2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58546">192.168.2.2:58546</a></div><div>2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://108.168.145.227:80">108.168.145.227:80</a> remote=<a href="http://192.168.2.2:58546">192.168.2.2:58546</a> FD 53 flags=33</div><div>2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58547">192.168.2.2:58547</a></div><div>2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://108.168.145.227:80">108.168.145.227:80</a> remote=<a href="http://192.168.2.2:58547">192.168.2.2:58547</a> FD 54 flags=33</div><div>2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58548">192.168.2.2:58548</a></div><div>2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception: address NAT: local=<a href="http://108.168.145.227:80">108.168.145.227:80</a> remote=<a href="http://192.168.2.2:58548">192.168.2.2:58548</a> FD 55 flags=33</div><div>2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address BEGIN: me/client= <a href="http://192.168.2.254:13128">192.168.2.254:13128</a>, destination/me= <a href="http://192.168.2.2:58549">192.168.2.2:58549</a></div></div><div><br></div><div>And the good news is that squid-3.5.1 is now allowing client PCs to browse. Thank you for that.</div><div><br></div><div>I still have issues to raise (though my small brain is now so saturated):</div><div><br></div><div><br></div><div>Here is what I use:</div><div><br></div><div><div>./configure --prefix=/opt/squid35 \</div><div> --enable-removal-policies="lru heap" \</div><div> --disable-epoll \</div><div> --enable-auth \</div><div> --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \</div><div> --enable-external-acl-helpers="session unix_group file_userip" \</div><div> --enable-auth-negotiate="kerberos" \</div><div> --with-pthreads \</div><div> --enable-storeio="ufs diskd rock aufs" \</div><div> --enable-delay-pools \</div><div> --enable-snmp \</div><div> --with-openssl=/usr \</div><div> --enable-forw-via-db \</div><div> --enable-cache-digests \</div><div> --enable-wccpv2 \</div><div> --enable-follow-x-forwarded-for \</div><div> --with-large-files \</div><div> --enable-large-cache-files \</div><div> --enable-esi \</div><div> --enable-kqueue \</div><div> --enable-icap-client \</div><div> --enable-kill-parent-hack \</div><div> --enable-ssl \</div><div> --enable-leakfinder \</div><div> --enable-ssl-crtd \</div><div> --enable-url-rewrite-helpers \</div><div> --enable-xmalloc-statistics \</div><div> --enable-stacktraces \</div><div> --enable-zph-qos \</div><div> --enable-eui \</div><div> --with-nat-devpf \</div><div> --enable-pf-transparent \</div><div> --enable-ipf-transparent</div></div><div><br></div><div><br></div><div>It seems I have to remove --enable-ipf-transparent otherwise the build fails. I was thinking I could have both of --enable-ipf-transparent and --enable-ipf-transparent so that I can be able to use either PF or IPFilter - whichever I want.</div><div><br></div><div><br></div><div>Are those two mutually exclusive? When I have the two, the build fails with:</div><div><br></div><div><div>root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake</div><div>Making all in compat</div><div>gmake[1]: Entering directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'</div><div>depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\</div><div>/bin/sh ../libtool --tag=CXX --mode=compile clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc &&\</div><div>mv -f $depbase.Tpo $depbase.Plo</div><div>libtool: compile: clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include -I/usr/include -I/usr/include -I../libltdl -I/usr/include -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror -Qunused-arguments -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -fPIC -DPIC -o .libs/assert.o</div><div>In file included from assert.cc:9:</div><div>In file included from ../include/squid.h:43:</div><div>../compat/compat.h:49:57: error: expected value in expression</div><div>#if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK</div><div> ^</div><div>1 error generated.</div><div>Makefile:921: recipe for target 'assert.lo' failed</div><div>gmake[1]: *** [assert.lo] Error 1</div><div>gmake[1]: Leaving directory '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'</div><div>Makefile:567: recipe for target 'all-recursive' failed</div><div>gmake: *** [all-recursive] Error 1</div><div>root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736</div></div><div><br></div><div><br></div></div><div><br></div>-- <br><div class="gmail_signature">Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254733744121/+254722743223<br>"I can't hear you -- I'm using the scrambler."<br></div>
</div></div>