[squid-users] Squid versions and FreeBSD-10.1 headache

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 23 13:40:30 UTC 2015


On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 16:07, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> 
>> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
>>> 
>>> Once more. You CANNOT have neither web-server nor other
>>> service with listening port 80 on the same host as transparent
>>> Squid proxy. This is one and only reason you have looping.
>>> 
>> 
>> That is not correct. It can be done, but depends on how the
>> firewall operates and what ruleset is used.
>> 
>> One has to intercept traffic transiting the machine, but ignore 
>> traffic destined *to* or *from* the local machines running
>> processes.
>> 
>>> Look. On my transparent 3.4.11 (which was early 2.7) IPFilter 
>>> redirects 80 port to proxy. My web server on the same host
>>> listens only 8080, 8088 and 8888 ports. No one service except
>>> NAT is using 80 port.
>>> 
>>> And finally I have no looping 4 years.
>>> 
>>> Obvious, is it?
>>> 
>> 
>> Maybe there was, maybe there wasn't.
>> 
>> Squid-2.7 ignored a lot of NAT related errors and even silently
>> did some Very Bad Things(tm) - none of which Squid-3.2+ will
>> allow to happen anymore.
>> 
>> 
>> Odhiambo: I suspect it might be related to your use of "rdr"
>> firewall rules. In OpenBSD PF at least rdr rules do not work
>> properly and divert-to rules need to be used instead (divert-to
>> can be used for either TPROXY or NAT Squid listening ports on
>> BSD).
>> 
> 
> 
> I am thinking Squid-3.2+ is evil :-)
> 
> Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And my
> IPFilter rules are here: http://pastebin.com/JQ77X01H
> 
> I need to figure out why squid is DENYing all access ..
> 

Can you update me on what the squid -v output is from the Squid build
you are having issues with, please?

Amos


