[squid-users] Squid versions and FreeBSD-10.1 headache
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 23 13:40:30 UTC 2015
On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:07, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>>
>>> Once more. You CANNOT have either a web server or another
>>> service listening on port 80 on the same host as a transparent
>>> Squid proxy. This is the one and only reason you have looping.
>>>
>>
>> That is not correct. It can be done, but depends on how the
>> firewall operates and what ruleset is used.
>>
>> One has to intercept traffic transiting the machine, but ignore
>> traffic destined *to* or *from* the local machines running
>> processes.
>>
>>> Look. On my transparent 3.4.11 (which was earlier 2.7) IPFilter
>>> redirects port 80 to the proxy. My web server on the same host
>>> listens only on ports 8080, 8088 and 8888. No service except
>>> NAT is using port 80.
>>>
>>> And finally I have had no looping for 4 years.
>>>
>>> Obvious, is it?
>>>
>>
>> Maybe there was, maybe there wasn't.
>>
>> Squid-2.7 ignored a lot of NAT related errors and even silently
>> did some Very Bad Things(tm) - none of which Squid-3.2+ will
>> allow to happen anymore.
>>
>>
>> Odhiambo: I suspect it might be related to your use of "rdr"
>> firewall rules. In OpenBSD PF at least rdr rules do not work
>> properly and divert-to rules need to be used instead (divert-to
>> can be used for either TPROXY or NAT Squid listening ports on
>> BSD).
>>
>
>
> I am thinking Squid-3.2+ is evil :-)
>
> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And my
> IPFilter rules are here: http://pastebin.com/JQ77X01H
>
> I need to figure out why squid is DENYing all access ..
>
Can you update me on what the squid -v output is from the Squid build
you are having issues with, please?
Amos