Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Chris Robertson <crobertson_at_gci.net>
Date: Tue, 16 Dec 2008 14:13:24 -0900

Leslie Jensen wrote:
> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>
> I've noticed that in cache.log there are a lot of entries like the one below:
>
> clientNatLookup: PF open failed: (13) Permission denied
>
> I've found some information on the problem via Google.
>
> One is "start Squid as root". Squid is started via rc.conf so I think
> that is sorted.
>
> There is a concern about rights on /dev/pf
>
> Finally there's some advice
>
> ---- snip----
> If you are performing any kind of transparent interception with squid
> you will need one of the --*-transparent options. Without it squid will
> fail to correctly spoof the client's IP.
> ----- snip ----
>
> I do not fully understand where the "--*-transparent options" are to
> be found. And if it's the solution to the problem.
>
> Will someone please enlighten me?

First, I don't know if it is the solution to the problem, but it's an
easy thing to check...

Run "/path/to/squid -v". That will show what options squid was compiled
with. For example:

-bash-3.00$ /home/squid2/bin/squid -v
Squid Cache: Version 2.6.STABLE3
configure options: '--bindir=/home/squid2/bin'
'--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
'--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
'--localstatedir=/home/squid2' '--mandir=/usr/man'
'--enable-err-languages=English' '--enable-snmp' '--with-large-files'
'--disable-ident-lookups' '--disable-useragent-log'
'--disable-referer-log' '--enable-async-io' '--enable-epoll'
-bash-3.00$

If you don't see --enable-pf-transparent in that list, you are going to
need to recompile.

> Thank you
> /Leslie

Chris
Received on Tue Dec 16 2008 - 23:13:30 MST
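
Added example (not part of the original message and not Squid project code): a POSIX shell script that performs the check described in the reply above on `squid -v` output, and reports the current user's access to /dev/pf. The function names and both sample outputs are assumptions constructed for illustration.

```sh
# Added example, not from the thread. Sample outputs below are constructed.

# Squid 2.6 output quoted in the reply, shortened: no PF flag.
SAMPLE_NO_PF="Squid Cache: Version 2.6.STABLE3
configure options: '--bindir=/home/squid2/bin'
'--sbindir=/home/squid2/bin' '--enable-snmp' '--with-large-files'
'--enable-async-io' '--enable-epoll'"

# Hypothetical build that carries the flag.
SAMPLE_PF="Squid Cache: Version 3.0.STABLE10
configure options: '--prefix=/usr/local' '--enable-snmp'
'--enable-pf-transparent'"

# One configure option per line. Splitting on the quotes (not on whitespace)
# copes with the wrapped list and with option values that contain spaces.
list_configure_options() {
    printf '%s\n' "$1" | tr "'" '\n' | grep -- '^--'
}

# Exact match, so a longer or --disable-* variant does not count.
has_option() {
    list_configure_options "$1" | grep -qxF -- "$2"
}

# Any enabled option of the "--*-transparent" family mentioned in the question.
transparent_options() {
    list_configure_options "$1" | grep -E -- '^--enable-[a-z]+-transparent$'
}

# Access of the *current* user to the PF device; run as the user Squid runs as.
pf_dev_status() {
    dev=${1:-/dev/pf}
    [ -e "$dev" ] || { echo "missing"; return 0; }
    r=no; w=no
    [ -r "$dev" ] && r=yes
    [ -w "$dev" ] && w=yes
    echo "read=$r write=$w"
}

# Constructed samples; for a real build pass "$(/path/to/squid -v 2>&1)" instead.
for out in "$SAMPLE_NO_PF" "$SAMPLE_PF"; do
    if has_option "$out" --enable-pf-transparent; then
        echo "--enable-pf-transparent present"
    else
        echo "--enable-pf-transparent absent"
    fi
done
echo "/dev/pf: $(pf_dev_status /dev/pf)"
```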
