<div dir="ltr">Hello Amos,<div><br></div><div>All noted.</div><div><br></div><div>Lemme consult with some FreeBSD guys on these.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 April 2016 at 18:13, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:<br>
><br>
> With luck, I have managed to get squid to compile successfully (after<br>
> upgrading a few components here and there). I used:<br>
<br>
</span>Yay!<br>
<span class=""><br>
><br>
> I have it running now (redirecting using IPFilter/IPNAT), but once in a<br>
> while I see this error about NAT:<br>
><br>
</span><snip><br>
<span class="">> 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs<br>
> on local=<a href="http://192.168.55.254:13128" rel="noreferrer" target="_blank">192.168.55.254:13128</a> remote=<a href="http://192.168.55.62:57724" rel="noreferrer" target="_blank">192.168.55.62:57724</a> FD 29 flags=33<br>
<br>
</span>These are the kernel NAT system telling Squid that the connection being<br>
looked up has no record there.<br>
<br>
It could be TCP connections being made straight to the intercept port.<br>
If so you need to update the firewall config to prevent them, even from<br>
localhost.<br>
In Linux we use a mangle table rule, since that is the filter pre-NAT<br>
that can do it. I'm not sure how FreeBSD would do that. It has to be<br>
done on packets first arrival pre-NAT. Any filter that is applied after<br>
the NAT action will get it wrong due to the NAT changes.<br>
<br>
<br>
It could be the NAT system's table of connections filling up and<br>
overflowing. If so there should be a kernel sysctl somewhere to increase<br>
that table size.<br>
<span class=""><br>
><br>
> In any case, I am planning to rewrite the IPNAT rules into PF and use PF.<br>
> It's the inception stage so I haven't delved deep into ssl-bump<br>
> configurations...<br>
><br>
<br>
</span>HTH<br>
<span class="HOEnZb"><font color="#888888">Amos<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><div>Best regards,<br>Odhiambo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223<br>"<span style="font-size:12.8px">Oh, the cruft.</span><span style="font-size:12.8px">"</span></div></div></div>
</div>
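<p>To tell the two causes Amos lists apart (direct connections to the intercept port versus the NAT table overflowing), it helps to pull the failed lookups out of cache.log and look at who the remote peers are and how the failures cluster in time. The script below is an added example and is not part of the thread or of Squid itself. It parses the exact line format quoted above; the first sample line is the one from the thread, the remaining lines are constructed. The classification rule (a remote host that is loopback or one of the proxy host's own addresses counts as a likely direct connection; everything else is counted separately so a burst across many clients can be read as possible table pressure) is this example's own heuristic, not a Squid rule.</p>

```python
import re
from collections import Counter
from datetime import datetime

# Pattern for the cache.log line quoted in the thread:
# "2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
#  on local=A:p remote=B:q FD n flags=f"
NAT_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| ERROR: NAT/TPROXY lookup failed "
    r"to locate original IPs on local=(?P<lhost>[^:\s]+):(?P<lport>\d+) "
    r"remote=(?P<rhost>[^:\s]+):(?P<rport>\d+) FD (?P<fd>\d+) flags=(?P<flags>\d+)"
)

# Constructed sample input. Line 1 is the line from the thread; the others are
# made up to exercise the classification (a loopback peer, the proxy's own IP,
# a second LAN client, and an unrelated log line that must be ignored).
SAMPLE_LOG = """\
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:17:24| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=127.0.0.1:40012 FD 31 flags=33
2016/04/15 16:17:24| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.254:40013 FD 32 flags=33
2016/04/15 16:18:01| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.70:51000 FD 33 flags=33
2016/04/15 16:18:01| Starting Squid Cache version 3.5 for amd64-portbld-freebsd10.3...
"""


def parse_nat_failures(log_text):
    """Return one dict per NAT/TPROXY lookup failure line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = NAT_FAIL_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y/%m/%d %H:%M:%S"),
            "local": (d["lhost"], int(d["lport"])),
            "remote": (d["rhost"], int(d["rport"])),
            "fd": int(d["fd"]),
            "flags": int(d["flags"]),
        })
    return events


def classify(events, proxy_addrs):
    """Split failures by remote host.

    Heuristic (this example's assumption): a remote host that is loopback or one
    of the proxy's own addresses reached the intercept port without passing
    through NAT, so it is a likely direct connection that the firewall should
    block pre-NAT. All other peers are counted separately.
    """
    direct, other = Counter(), Counter()
    for ev in events:
        rhost = ev["remote"][0]
        if rhost in proxy_addrs or rhost.startswith("127."):
            direct[rhost] += 1
        else:
            other[rhost] += 1
    return direct, other


def failures_per_minute(events):
    """Count failures per minute; a spike across many clients is what table
    overflow would look like, while a steady trickle from one host is not."""
    per_min = Counter(ev["ts"].strftime("%Y/%m/%d %H:%M") for ev in events)
    return dict(per_min)


def summarize(log_text, proxy_addrs):
    events = parse_nat_failures(log_text)
    direct, other = classify(events, proxy_addrs)
    return {
        "total": len(events),
        "direct": dict(direct),
        "other": dict(other),
        "per_minute": failures_per_minute(events),
    }


if __name__ == "__main__":
    # proxy_addrs is the set of IPs the proxy host owns (assumed here from the thread's local= address).
    report = summarize(SAMPLE_LOG, {"192.168.55.254"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

<p>Run it against a real cache.log by replacing SAMPLE_LOG with the file contents and proxy_addrs with the interface addresses of the Squid host. Peers in the "direct" bucket are the connections a pre-NAT filter rule needs to stop; a large "other" count concentrated in a few minutes is the pattern to check against the NAT table size sysctl.</p>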