<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    -----BEGIN PGP SIGNED MESSAGE----- <br>
    Hash: SHA1 <br>
     <br>
    Yep, they are mutually exclusive.<br>
23.01.2015 21:29, Odhiambo Washington wrote:<br>
    <span style="white-space: pre;">><br>
      ><br>
      > On 23 January 2015 at 17:33, Amos Jeffries
      <<a class="moz-txt-link-abbreviated" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a> <a class="moz-txt-link-rfc2396E" href="mailto:squid3@treenet.co.nz"><mailto:squid3@treenet.co.nz></a>>
      wrote:<br>
      ><br>
      >     -----BEGIN PGP SIGNED MESSAGE-----<br>
      >     Hash: SHA1<br>
      ><br>
      >     On 24/01/2015 3:11 a.m., Odhiambo Washington wrote:<br>
      >     > On 23 January 2015 at 16:53, Amos Jeffries
      <<a class="moz-txt-link-abbreviated" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a> <a class="moz-txt-link-rfc2396E" href="mailto:squid3@treenet.co.nz"><mailto:squid3@treenet.co.nz></a>><br>
      >     > wrote:<br>
      >     ><br>
      >     >> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1<br>
      >     >><br>
      >     >> On 24/01/2015 2:47 a.m., Odhiambo Washington
      wrote:<br>
      >     >>> On 23 January 2015 at 16:40, Amos Jeffries<br>
      >     >>> <<a class="moz-txt-link-abbreviated" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>
      <a class="moz-txt-link-rfc2396E" href="mailto:squid3@treenet.co.nz"><mailto:squid3@treenet.co.nz></a>> wrote:<br>
      >     >>><br>
      >     >>>> -----BEGIN PGP SIGNED MESSAGE----- Hash:
      SHA1<br>
      >     >>>><br>
      >     >>>> On 24/01/2015 2:20 a.m., Odhiambo
      Washington wrote:<br>
      >     >>>>> On 23 January 2015 at 16:07, Amos
      Jeffries<br>
      >     >>>>> <<a class="moz-txt-link-abbreviated" href="mailto:squid3@treenet.co.nz">squid3@treenet.co.nz</a>
      <a class="moz-txt-link-rfc2396E" href="mailto:squid3@treenet.co.nz"><mailto:squid3@treenet.co.nz></a>> wrote:<br>
      >     >>>>><br>
      >     >>>>>> -----BEGIN PGP SIGNED
      MESSAGE----- Hash: SHA1<br>
      >     >>>>>><br>
      >     >>>>>> On 24/01/2015 1:47 a.m., Yuri
      Voinov wrote:<br>
      >     >>>>>>><br>
      >     >>>>>>> Once more. You CANNOT have
      neither web-server nor<br>
      >     >>>>>>> other service with listening
      port 80 on the same host<br>
      >     >>>>>>> as transparent Squid proxy.
      This is one and only reason<br>
      >     >>>>>>> you have looping.<br>
      >     >>>>>>><br>
      >     >>>>>><br>
      >     >>>>>> That is not correct. It can be
      done, but depends on how<br>
      >     >>>>>> the firewall operates and what
      ruleset is used.<br>
      >     >>>>>><br>
      >     >>>>>> One has to intercept traffic
      transiting the machine, but<br>
      >     >>>>>> ignore traffic destined *to* or
      *from* the local<br>
      >     >>>>>> machines running processes.<br>
      >     >>>>>><br>
      >     >>>>>>> Look. On my transparent
      3.4.11 (which was early 2.7)<br>
      >     >>>>>>> IPFilter redirects 80 port
      to proxy. My web server on<br>
      >     >>>>>>> the same host listens only
      8080, 8088 and 8888 ports.<br>
      >     >>>>>>> No one service except NAT is
      using 80 port.<br>
      >     >>>>>>><br>
      >     >>>>>>> And finally I have no
      looping 4 years.<br>
      >     >>>>>>><br>
      >     >>>>>>> Obvious, is it?<br>
      >     >>>>>>><br>
      >     >>>>>><br>
      >     >>>>>> Maybe there was, maybe there
      wasn't.<br>
      >     >>>>>><br>
      >     >>>>>> Squid-2.7 ignored a lot of NAT
      related errors and even<br>
      >     >>>>>> silently did some Very Bad
      Things(tm) - none of which<br>
      >     >>>>>> Squid-3.2+ will allow to happen
      anymore.<br>
      >     >>>>>><br>
      >     >>>>>><br>
      >     >>>>>> Odhiambo: I suspect it might be
      related to your use of<br>
      >     >>>>>> "rdr" firewall rules. In OpenBSD
      PF at least rdr rules do<br>
      >     >>>>>> not work properly and divert-to
      rules needs to be used<br>
      >     >>>>>> instead (divert-to can be used
      for either TPROXY or NAT<br>
      >     >>>>>> Squid listening ports on BSD).<br>
      >     >>>>>><br>
      >     >>>>><br>
      >     >>>>><br>
      >     >>>>> I am thinking Squid-3.2+ is evil :-)<br>
      >     >>>>><br>
      >     >>>>> Anyway, my PF rules are here :
      <a class="moz-txt-link-freetext" href="http://pastebin.com/pKv1jN2v">http://pastebin.com/pKv1jN2v</a><br>
      >     >>>>> And my IPFilter rules are here:<br>
      >     >>>>> <a class="moz-txt-link-freetext" href="http://pastebin.com/JQ77X01H">http://pastebin.com/JQ77X01H</a><br>
      >     >>>>><br>
      >     >>>>> I need to figure out why squid is
      DENYing all access ..<br>
      >     >>>>><br>
      >     >>>><br>
      >     >>>> Can you update me on what the squid -v
      output is from the<br>
      >     >>>> Squid build you are having issues with
please?<br>
      >     >>>><br>
      >     >>>> Amos<br>
      >     >>>><br>
      >     >>><br>
      >     >>> root@mail:/usr/src # /opt/squid35/sbin/squid
      -v Squid Cache:<br>
      >     >>> Version 3.5.1-20150120-r13736 Service Name:
      squid configure<br>
      >     >>> options:  '--prefix=/opt/squid35'<br>
      >     >>> '--enable-removal-policies=lru heap'
      '--disable-epoll'<br>
      >     >>> '--enable-auth' '--enable-auth-basic=DB NCSA
      PAM PAM POP3 SSPI'<br>
      >     >>> '--enable-external-acl-helpers=session
      unix_group file_userip'<br>
      >     >>> '--enable-auth-negotiate=kerberos'
      '--with-pthreads'<br>
      >     >>> '--enable-storeio=ufs diskd rock aufs'
      '--enable-delay-pools'<br>
      >     >>> '--enable-snmp' '--with-openssl=/usr'
      '--enable-forw-via-db'<br>
      >     >>> '--enable-cache-digests' '--enable-wccpv2'<br>
      >     >>> '--enable-follow-x-forwarded-for'
      '--with-large-files'<br>
      >     >>> '--enable-large-cache-files' '--enable-esi'
      '--enable-kqueue'<br>
      >     >>> '--enable-icap-client'
      '--enable-kill-parent-hack'<br>
      >     >>> '--enable-ssl' '--enable-leakfinder'
      '--enable-ssl-crtd'<br>
      >     >>> '--enable-url-rewrite-helpers'
      '--enable-xmalloc-statistics'<br>
      >     >>> '--enable-stacktraces' '--enable-zph-qos'
      '--enable-eui'<br>
      >     >>> '--enable-pf-transparent' 'CC=clang'
      'CXX=clang++'<br>
      >     >>> --enable-ltdl-convenience<br>
      >     >>><br>
      >     >><br>
      >     >> Okay. Can you explicitly add
      --disable-ipf-transparent -<br>
      >     >> --disable-ipfw-transparent and see if that
      helps.<br>
      >     >><br>
      >     >> Also in squid.conf adding debugs_options ALL,1
      89,9  will show<br>
      >     >> just the NAT lookup results where things are
      going wrong.<br>
      >     >><br>
      >     ><br>
      >     > So, before I recompile, we can look at the debug
      output:<br>
      >     ><br>
      >     > 2015/01/23 17:07:45| storeLateRelease: released 0
      objects<br>
      >     > 2015/01/23 17:07:46.959| Intercept.cc(362) Lookup:
      address BEGIN:<br>
      >     > me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=<br>
      >     > 192.168.2.115:58632
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.115:58632"><http://192.168.2.115:58632></a> 2015/01/23 17:07:46.959|
      Intercept.cc(293)<br>
      >     > PfInterception: address NAT divert-to:
      local=192.168.2.254:13128 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a><br>
      >     > remote=192.168.2.115:58632
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.115:58632"><http://192.168.2.115:58632></a> FD 14 flag s=33<br>
      ><br>
      ><br>
      >     Arggg..   Add --with-nat-devpf to your build options in
      FreeBSD.<br>
      ><br>
      >    
      <a class="moz-txt-link-freetext" href="http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4">http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html#ss2.4</a><br>
      ><br>
      >     Amos<br>
      ><br>
      ><br>
      ><br>
      > Done that and now, debug shows:<br>
      ><br>
      > 2015/01/23 18:15:47.498| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58541 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58541"><http://192.168.2.2:58541></a><br>
      > 2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception:
      address NAT: local=190.93.244.112:80
      <a class="moz-txt-link-rfc2396E" href="http://190.93.244.112:80"><http://190.93.244.112:80></a> remote=192.168.2.2:58541
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58541"><http://192.168.2.2:58541></a> FD 35 flags=33<br>
      > 2015/01/23 18:15:47.500| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58542 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58542"><http://192.168.2.2:58542></a><br>
      > 2015/01/23 18:15:47.500| Intercept.cc(337) PfInterception:
      address NAT: local=190.93.244.112:80
      <a class="moz-txt-link-rfc2396E" href="http://190.93.244.112:80"><http://190.93.244.112:80></a> remote=192.168.2.2:58542
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58542"><http://192.168.2.2:58542></a> FD 37 flags=33<br>
      > 2015/01/23 18:15:47.501| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58543 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58543"><http://192.168.2.2:58543></a><br>
      > 2015/01/23 18:15:47.501| Intercept.cc(337) PfInterception:
      address NAT: local=190.93.244.112:80
      <a class="moz-txt-link-rfc2396E" href="http://190.93.244.112:80"><http://190.93.244.112:80></a> remote=192.168.2.2:58543
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58543"><http://192.168.2.2:58543></a> FD 39 flags=33<br>
      > 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58544 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58544"><http://192.168.2.2:58544></a><br>
      > 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception:
      address NAT: local=196.0.3.114:80 <a class="moz-txt-link-rfc2396E" href="http://196.0.3.114:80"><http://196.0.3.114:80></a>
      remote=192.168.2.2:58544 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58544"><http://192.168.2.2:58544></a> FD 51
      flags=33<br>
      > 2015/01/23 18:15:48.033| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58545 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58545"><http://192.168.2.2:58545></a><br>
      > 2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception:
      address NAT: local=108.168.145.227:80
      <a class="moz-txt-link-rfc2396E" href="http://108.168.145.227:80"><http://108.168.145.227:80></a> remote=192.168.2.2:58545
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58545"><http://192.168.2.2:58545></a> FD 52 flags=33<br>
      > 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58546 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58546"><http://192.168.2.2:58546></a><br>
      > 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception:
      address NAT: local=108.168.145.227:80
      <a class="moz-txt-link-rfc2396E" href="http://108.168.145.227:80"><http://108.168.145.227:80></a> remote=192.168.2.2:58546
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58546"><http://192.168.2.2:58546></a> FD 53 flags=33<br>
      > 2015/01/23 18:15:48.034| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58547 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58547"><http://192.168.2.2:58547></a><br>
      > 2015/01/23 18:15:48.034| Intercept.cc(337) PfInterception:
      address NAT: local=108.168.145.227:80
      <a class="moz-txt-link-rfc2396E" href="http://108.168.145.227:80"><http://108.168.145.227:80></a> remote=192.168.2.2:58547
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58547"><http://192.168.2.2:58547></a> FD 54 flags=33<br>
      > 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58548 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58548"><http://192.168.2.2:58548></a><br>
      > 2015/01/23 18:15:48.035| Intercept.cc(337) PfInterception:
      address NAT: local=108.168.145.227:80
      <a class="moz-txt-link-rfc2396E" href="http://108.168.145.227:80"><http://108.168.145.227:80></a> remote=192.168.2.2:58548
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58548"><http://192.168.2.2:58548></a> FD 55 flags=33<br>
      > 2015/01/23 18:15:48.035| Intercept.cc(362) Lookup: address
      BEGIN: me/client= 192.168.2.254:13128
      <a class="moz-txt-link-rfc2396E" href="http://192.168.2.254:13128"><http://192.168.2.254:13128></a>, destination/me=
      192.168.2.2:58549 <a class="moz-txt-link-rfc2396E" href="http://192.168.2.2:58549"><http://192.168.2.2:58549></a><br>
      ><br>
      > And the good news is that squid-3.5.1 is now allowing client
      PCs to browse. Thank you for that.<br>
      ><br>
      > I still have issues to raise (though my small brain is now so
      saturated):<br>
      ><br>
      ><br>
      > Here is what I use:<br>
      ><br>
      > ./configure --prefix=/opt/squid35 \<br>
      >         --enable-removal-policies="lru heap" \<br>
      >         --disable-epoll \<br>
      >         --enable-auth \<br>
      >         --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI" \<br>
      >         --enable-external-acl-helpers="session unix_group
      file_userip" \<br>
      >         --enable-auth-negotiate="kerberos" \<br>
      >         --with-pthreads \<br>
      >         --enable-storeio="ufs diskd rock aufs" \<br>
      >         --enable-delay-pools \<br>
      >         --enable-snmp  \<br>
      >         --with-openssl=/usr \<br>
      >         --enable-forw-via-db \<br>
      >         --enable-cache-digests \<br>
      >         --enable-wccpv2 \<br>
      >         --enable-follow-x-forwarded-for \<br>
      >         --with-large-files \<br>
      >         --enable-large-cache-files \<br>
      >         --enable-esi \<br>
      >         --enable-kqueue \<br>
      >         --enable-icap-client \<br>
      >         --enable-kill-parent-hack \<br>
      >         --enable-ssl \<br>
      >         --enable-leakfinder \<br>
      >         --enable-ssl-crtd \<br>
      >         --enable-url-rewrite-helpers \<br>
      >         --enable-xmalloc-statistics \<br>
      >         --enable-stacktraces \<br>
      >         --enable-zph-qos \<br>
      >         --enable-eui \<br>
      >         --with-nat-devpf \<br>
      >         --enable-pf-transparent \<br>
      >         --enable-ipf-transparent<br>
      ><br>
      ><br>
      > It seems I have to remove --enable-ipf-transparent otherwise
      the build fails. I was thinking I could have both of
--enable-pf-transparent and --enable-ipf-transparent so that I
      can be able to use either PF or IPFilter - whichever I want.<br>
      ><br>
      ><br>
      > Are those two mutually exclusive? When I have the two, the
      build fails with:<br>
      ><br>
      > <a class="moz-txt-link-abbreviated" href="mailto:root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736">root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736</a> # gmake<br>
      > Making all in compat<br>
      > gmake[1]: Entering directory
      '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'<br>
      > depbase=`echo assert.lo | sed
      's|[^/]*$|.deps/&|;s|\.lo$||'`;\<br>
      > /bin/sh ../libtool  --tag=CXX   --mode=compile clang++
      -DHAVE_CONFIG_H   -I.. -I../include -I../lib -I../src
      -I../include  -I/usr/include  -I/usr/include  -I../libltdl
      -I/usr/include -I/usr/local/include/libxml2 
      -I/usr/local/include/libxml2  -Werror -Qunused-arguments 
      -D_REENTRANT -g -O2  -march=native -I/usr/local/include -MT
      assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc
      &&\<br>
      > mv -f $depbase.Tpo $depbase.Plo<br>
      > libtool: compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include
      -I../lib -I../src -I../include -I/usr/include -I/usr/include
      -I../libltdl -I/usr/include -I/usr/local/include/libxml2
      -I/usr/local/include/libxml2 -Werror -Qunused-arguments
      -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT
      assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC -DPIC
      -o .libs/assert.o<br>
      > In file included from assert.cc:9:<br>
      > In file included from ../include/squid.h:43:<br>
      > ../compat/compat.h:49:57: error: expected value in expression<br>
      > #if IPF_TRANSPARENT &&
      USE_SOLARIS_IPFILTER_MINOR_T_HACK<br>
      >                                                         ^<br>
      > 1 error generated.<br>
      > Makefile:921: recipe for target 'assert.lo' failed<br>
      > gmake[1]: *** [assert.lo] Error 1<br>
      > gmake[1]: Leaving directory
      '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'<br>
      > Makefile:567: recipe for target 'all-recursive' failed<br>
      > gmake: *** [all-recursive] Error 1<br>
      > <a class="moz-txt-link-abbreviated" href="mailto:root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736">root@mail:/usr/home/wash/squid-3.5.1-20150120-r13736</a><br>
      ><br>
      ><br>
      ><br>
      > -- <br>
      > Best regards,<br>
      > Odhiambo WASHINGTON,<br>
> Nairobi, KE<br>
      > +254733744121/+254722743223<br>
      > "I can't hear you -- I'm using the scrambler."<br>
      ><br>
      ><br>
      > _______________________________________________<br>
      > squid-users mailing list<br>
      > <a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
      > <a class="moz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a></span><br>
    <br>
    -----BEGIN PGP SIGNATURE-----
<br>
    Version: GnuPG v2
<br>
     <br>
    iQEcBAEBAgAGBQJUwmvoAAoJENNXIZxhPexGJ60IAKh1nJoRU2Q7gHHy6lFt+j0S
<br>
    kA5tlDf4elneoUYzQPvbI5Uofs89ShfSVn94sfOxg4m9w9Wcsl4BODvU2XoNZ6v/
<br>
    J1rh/Lxqz0hu7f3O53GEMI136g/T1Vfff9SQr25E15kj9c47SJdYvbvnuIthECTM
<br>
    orpsPTjgYikgvB6uRKqDpX5ikaTzHcTfB9xMDVf5mDonE3FVUEjcPoMkLXKJO89S
<br>
    wCEsg3PlGLv64zVJVzUaFLM6BvSa+ua4lZ9n6KnCAcWKzVXClIvHUXLe7YL5nKKp
<br>
    e5osUdaeoXmyOWyWkvdnsKPb3Qad6OZ6mezH+uKBVVTd66IMen39+As1oF7EfqM=
<br>
    =UCjZ
<br>
    -----END PGP SIGNATURE-----
<br>
    <br>
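<p>A small audit script for the <code>debug_options ALL,1 89,9</code> output quoted above, added here as an example; it is not code from the thread, from the Squid project, or from any of the participants. It parses the <code>PfInterception</code> lines and separates NAT lookups that recovered the client's real destination (the <code>local=190.93.244.112:80</code> style lines after <code>--with-nat-devpf</code> was added) from lookups that returned the proxy's own listener (<code>local=192.168.2.254:13128</code> in the earlier <code>divert-to</code> output), which is the self-referential result behind the access denials the thread describes. The sample log lines are constructed after the thread's output, and the listener address <code>192.168.2.254:13128</code> is taken from it as an assumption about the deployment.</p>

```python
"""Audit Squid cache.log NAT-lookup debug lines (debug_options 89,9).

Added example, not code from the squid-users thread or the Squid project.
Assumes the line layout seen in the thread:
  <ts>| Intercept.cc(N) PfInterception: address NAT[ divert-to]: \
      local=IP:PORT remote=IP:PORT FD n flags=..
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Addr = Tuple[str, int]

# The proxy's own intercept listener, as printed after "me/client=" in the
# thread. Assumption: substitute your own http_port address when reusing this.
PROXY_LISTENER: Addr = ("192.168.2.254", 13128)

NAT_LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?)\|\s+"
    r"Intercept\.cc\(\d+\)\s+PfInterception:\s+address NAT(?P<divert> divert-to)?:\s+"
    r"local=(?P<lip>\d{1,3}(?:\.\d{1,3}){3}):(?P<lport>\d+)\s+"
    r"remote=(?P<rip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+)\s+"
    r"FD\s+(?P<fd>\d+)"
)


@dataclass(frozen=True)
class NatLookup:
    ts: str
    divert_to: bool  # True when Squid used the divert-to code path
    local: Addr      # what the kernel says the client originally connected to
    remote: Addr     # the intercepted client
    fd: int

    def recovered_destination(self, proxy: Addr = PROXY_LISTENER) -> bool:
        """A healthy lookup names the real origin server, never the proxy.

        When local== the proxy listener, the NAT table gave nothing back and
        Squid would be connecting to itself; 3.2+ refuses such requests rather
        than forwarding them, which users see as access denied.
        """
        return self.local != proxy


def parse_nat_lookup(line: str) -> Optional[NatLookup]:
    """Return a NatLookup for a PfInterception result line, else None."""
    m = NAT_LINE.match(line.strip())
    if not m:
        return None
    return NatLookup(
        ts=m["ts"],
        divert_to=m["divert"] is not None,
        local=(m["lip"], int(m["lport"])),
        remote=(m["rip"], int(m["rport"])),
        fd=int(m["fd"]),
    )


def audit(lines: Iterable[str], proxy: Addr = PROXY_LISTENER) -> Dict[str, List[NatLookup]]:
    """Split NAT lookups into recovered vs. self-referential ones.

    Lines that are not PfInterception results (Lookup BEGIN, store messages)
    are skipped.
    """
    ok: List[NatLookup] = []
    bad: List[NatLookup] = []
    for line in lines:
        rec = parse_nat_lookup(line)
        if rec is None:
            continue
        (ok if rec.recovered_destination(proxy) else bad).append(rec)
    return {"recovered": ok, "self_referential": bad}


# Constructed sample, modelled on the cache.log excerpts quoted in the thread.
SAMPLE_LOG = """\
2015/01/23 17:07:45| storeLateRelease: released 0 objects
2015/01/23 17:07:46.959| Intercept.cc(362) Lookup: address BEGIN: me/client= 192.168.2.254:13128, destination/me= 192.168.2.115:58632
2015/01/23 17:07:46.959| Intercept.cc(293) PfInterception: address NAT divert-to: local=192.168.2.254:13128 remote=192.168.2.115:58632 FD 14 flags=33
2015/01/23 18:15:47.498| Intercept.cc(337) PfInterception: address NAT: local=190.93.244.112:80 remote=192.168.2.2:58541 FD 35 flags=33
2015/01/23 18:15:48.033| Intercept.cc(337) PfInterception: address NAT: local=196.0.3.114:80 remote=192.168.2.2:58544 FD 51 flags=33
"""


def main() -> None:
    report = audit(SAMPLE_LOG.splitlines())
    for rec in report["self_referential"]:
        print(f"{rec.ts} FD {rec.fd}: NAT lookup returned the proxy itself "
              f"(divert-to={rec.divert_to}); check rdr vs divert-to rules "
              f"and the --with-nat-devpf build option")
    print(f"{len(report['recovered'])} lookups recovered a real destination")


if __name__ == "__main__":
    main()
```

<p>Run against a real <code>cache.log</code> with <code>audit(open(path))</code>; a non-empty <code>self_referential</code> list after a rebuild means the PF lookup path is still not matching the ruleset in use.</p>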
  </body>
</html>