<div>Hi and thanks for your help.<br></div><div><br></div><div>as for your request, here's the content of my IPFW rules and my squid configuration:<br></div><div><br></div><div>IPFW rules:<br></div><div><br></div><div>ipfw -f flush<br></div><div>ipfw add 50 pass all from any to any via lo0<br></div><div>ipfw add 100 pass all from any to any proto udp<br></div><div>ipfw add 150 pass icmp from any to any<br></div><div>ipfw add 200 fwd 127.0.0.1,3128 tag 1111 tcp from me to any<br></div><div>ipfw add 250 pass all from 10.0.2.15 to any tagged 1111<br></div><div><br></div><div>squid.conf:<br></div><div><br></div><div>acl my_machine src 10.0.2.15 # this is the ip of my machine.<br></div><div>http_access allow my_machine<br></div><div><br></div><div>acl localnet src 10.0.0.0/8 # RFC1918 possible internal network<br></div><div>acl localnet src 172.16.0.0/12 # RFC1918 possible internal network<br></div><div>acl localnet src 192.168.0.0/16 # RFC1918 possible internal network<br></div><div>acl localnet src fc00::/7 # RFC 4193 local private network range<br></div><div>acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines<br></div><div><br></div><div>acl SSL_ports port 443<br></div><div>acl Safe_ports port 80 # http<br></div><div>acl Safe_ports port 21 # ftp<br></div><div>acl Safe_ports port 443 # https<br></div><div>acl Safe_ports port 70 # gopher<br></div><div>acl Safe_ports port 210 # wais<br></div><div>acl Safe_ports port 1025-65535 # unregistered ports<br></div><div>acl Safe_ports port 280 # http-mgmt<br></div><div>acl Safe_ports port 488 # gss-http<br></div><div>acl Safe_ports port 591 # filemaker<br></div><div>acl Safe_ports port 777 # multiling http<br></div><div>acl CONNECT method CONNECT<br></div><div><br></div><div>http_access deny !Safe_ports<br></div><div><br></div><div>http_access deny CONNECT !SSL_ports<br></div><div><br></div><div><br></div><div>http_access allow localhost manager<br></div><div>http_access deny manager<br></div><div><br></div><div>visible_hostname mynet.mydomain<br></div><div>acl MYSITE dstdomain cnn.com<br></div><div>acl MYSITE dstdomain 10.0.2.15<br></div><div>http_access allow MYSITE<br></div><div><br></div><div>http_access allow localnet<br></div><div>http_access allow localhost<br></div><div><br></div><div>http_access deny all<br></div><div><br></div><div>http_port 127.0.0.1:3128 intercept<br></div><div>http_port 3129<br></div><div><br></div><div>coredump_dir /var/squid/cache<br></div><div><br></div><div>refresh_pattern ^ftp: 1440 20% 10080<br></div><div>refresh_pattern ^gopher: 1440 0% 1440<br></div><div>refresh_pattern -i (/cgi-bin/|\?) 0 0% 0<br></div><div>refresh_pattern . 0 20% 4320<br></div><div><br></div><div>I'm almost surely that the problem is that as other people said here, the firewall redirect the traffic originated from the squid server back to squid and hence the forwarding loop.<br></div><div><br></div><div>I've tried to allow the traffic originated from the squid server by using the "tag/tagged" feature in the IPFW rules but this doesn't work, apparently because squid issue a new connection that is not tagged.<br></div><div>since squid and the firewall resides on the same machine I've no idea how to tell the firewall to allow the traffic which squid initiate.<br></div><div><br></div><div>Regards,<br></div><div><br></div><div>Ataro.</div><div><br></div><blockquote class="protonmail_quote" type="cite"><div>-------- Original Message --------<br></div><div>Subject: Re: [squid-users] Running squid on a machine with only one network interface.<br></div><div>Local Time: June 27, 2016 11:56 PM<br></div><div>UTC Time: June 27, 2016 8:56 PM<br></div><div>From: Antony.Stone@squid.open.source.it<br></div><div>To: ataro@protonmail.ch<br></div><div><br></div><div>On Monday 27 June 2016 at 22:45:19, Ataro wrote:<br></div><div>
<br></div><div>
> Hi there,<br></div><div>
> <br></div><div>
> I've set up a FreeBSD machine inside a VirtualBox machine and used IPFW to<br></div><div>
> forward all the requests to the internet through a squid server running on<br></div><div>
> the same machine in port 3128 in intercept mode.<br></div><div>
<br></div><div>
Please show us your IPFW rules.<br></div><div>
<br></div><div>
> The problem is that I get 403 http responses on every site I try to access<br></div><div>
> to, even on the sites that I've explicitly allowed in the squid.conf file.<br></div><div>
<br></div><div>
Maybe show us your squid.conf as well (without comments or blank lines).<br></div><div>
<br></div><div>
> I also get a warning message on the tty that squid is running on (I've run<br></div><div>
> squid in no daemon mode) which says: Warning: Forwarding loop detected<br></div><div>
> for:.....<br></div><div>
<br></div><div>
So, NAT is not working correctly...<br></div><div>
<br></div><div>
> I guess that this error occurs since the squid server and the IPFW firewall<br></div><div>
> are running on the same machine which have only one network interface.<br></div><div>
> <br></div><div>
> Am I right?<br></div><div>
<br></div><div>
Not in the sense that "you can't do this with only one interface", no.<br></div><div>
<br></div><div>
However, quite possibly in the sense that you haven't told IPFW how to <br></div><div>
distinguish between requests in from your clients, and requests out from your <br></div><div>
squid instance.<br></div><div>
<br></div><div>
The former need to go to squid, the latter need to go to the Internet.<br></div><div>
<br></div><div>
<br></div><div>
Give us a bit more information and we might be able to give you a bit more <br></div><div>
help.<br></div><div>
<br></div><div>
<br></div><div>
<br></div><div>
Antony.<br></div><div>
<br></div><div>
-- <br></div><div>
I don't know, maybe if we all waited then cosmic rays would write all our <br></div><div>
software for us. Of course it might take a while.<br></div><div>
<br></div><div>
- Ron Minnich, Los Alamos National Laboratory<br></div><div>
<br></div><div>
Please reply to the list;<br></div><div>
please *don't* CC me.<br></div></blockquote><div><br></div>