Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Dec 2008 14:26:08 +1300

Chris Robertson wrote:
> Leslie Jensen wrote:
>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>
>> I've noticed that in cache.log there are a lot of entries like the one below:
>>
>> clientNatLookup: PF open failed: (13) Permission denied
>>
>> I've found some information on the problem via Google.
>>
>> One is "start Squid as root". Squid is started via rc.conf so I think
>> that is sorted.
>>
>> There is a concern about rights on /dev/pf
>>
>> Finally there's some advice
>>
>> ---- snip----
>> If you are performing any kind of transparent interception with squid
>> you will need one of the --*-transparent options. Without it squid will
>> fail to correctly spoof the client's IP.
>> ----- snip ----
>>
>> I do not fully understand where the "--*-transparent options" are to
>> be found. And if it's the solution to the problem.
>>
>> Will someone Please enlighten me?
>
> First, I don't know if it is the solution to the problem, but it's an
> easy thing to check...
>
> Run "/path/to/squid -v". That will show what options squid was compiled
> with. For example:
>
> -bash-3.00$ /home/squid2/bin/squid -v
> Squid Cache: Version 2.6.STABLE3
> configure options: '--bindir=/home/squid2/bin'
> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
> '--localstatedir=/home/squid2' '--mandir=/usr/man'
> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
> '--disable-ident-lookups' '--disable-useragent-log'
> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
> -bash-3.00$
>
> If you don't see --enable-pf-transparent in that list, you are going to
> need to recompile.
>

I believe the option is present. The line "PF open failed" should never
occur without it.

The rc.conf may not necessarily be correct. Bug 2396, about PF
permissions, has only been fixed since 3.0.STABLE8.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
Received on Wed Dec 17 2008 - 01:26:12 MST
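
The build-option check Chris describes, together with a look at the device node, as an added shell example that is not part of the original thread: it parses `squid -v` output for `--*-transparent` options and tests whether the current user can open a device path. The sample outputs are constructed, the function names are hypothetical, and testing read access only is an assumption about how Squid opens `/dev/pf`.

```shell
#!/bin/sh
# Constructed sample input, modelled on the "squid -v" output quoted in the thread.
SAMPLE_NO_PF="Squid Cache: Version 2.6.STABLE3
configure options: '--bindir=/home/squid2/bin'
'--sbindir=/home/squid2/bin' '--enable-snmp' '--with-large-files'
'--disable-ident-lookups' '--enable-async-io' '--enable-epoll'"

SAMPLE_PF="Squid Cache: Version 3.0.STABLE10
configure options: '--prefix=/usr/local' '--enable-snmp'
'--enable-pf-transparent' '--with-large-files'"

# configure_options: read "squid -v" text on stdin, print one option per line.
# The list wraps over several lines and each option is quoted, so drop the
# labels, split on whitespace, then strip the quotes. (Options whose value
# contains spaces would be split; that does not affect the checks below.)
configure_options() {
    sed -e '/^Squid Cache:/d' -e 's/^configure options://' |
        tr -s ' \t' '\n\n' |
        sed -e "s/^'//" -e "s/'\$//" -e '/^$/d'
}

# transparent_options: print any --*-transparent build options found on stdin.
transparent_options() {
    configure_options | grep -E -- '^--[a-z]+-[a-z0-9]+-transparent$'
}

# has_option TEXT OPTION: succeed only on a whole-option match, not a substring.
has_option() {
    printf '%s\n' "$1" | configure_options | grep -Fqx -- "$2"
}

# check_device PATH: print missing, ok or denied for the *current* user.
# Run it as the user Squid runs as, since that is the account that opens PATH.
# Assumption: read access is what matters for the open() that fails with (13).
check_device() {
    if [ ! -e "$1" ]; then echo missing
    elif [ -r "$1" ]; then echo ok
    else echo denied
    fi
}

# Demo on the constructed samples; on a real host use:
#   /path/to/squid -v | transparent_options ; check_device /dev/pf
printf 'sample with PF:    %s\n' "$(printf '%s\n' "$SAMPLE_PF" | transparent_options)"
printf 'sample without PF: %s\n' "$(printf '%s\n' "$SAMPLE_NO_PF" | transparent_options || true)"
```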
