Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Leslie Jensen <leslie_at_eskk.nu>
Date: Wed, 17 Dec 2008 08:29:20 +0100

Amos Jeffries wrote:
> Chris Robertson wrote:
>> Leslie Jensen wrote:
>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>
>>> I've noticed that in cache.log there are a lot of entries like the one below
>>>
>>> clientNatLookup: PF open failed: (13) Permission denied
>>>
>>> I've found some information on the problem via Google.
>>>
>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>> that is sorted.
>>>
>>> There is a concern about rights on /dev/pf
>>>
>>> Finally there's some advice
>>>
>>> ---- snip----
>>> If you are performing any kind of transparent interception with squid
>>> you will need one of the --*-transparent options. Without it squid will
>>> fail to correctly spoof the client's IP.
>>> ----- snip ----
>>>
>>> I do not fully understand where the "--*-transparent options" are to
>>> be found. And if it's the solution to the problem.
>>>
>>> Will someone please enlighten me?
>>
>> First, I don't know if it is the solution to the problem, but it's an
>> easy thing to check...
>>
>> Run "/path/to/squid -v". That will show what options squid was
>> compiled with. For example:
>>
>> -bash-3.00$ /home/squid2/bin/squid -v
>> Squid Cache: Version 2.6.STABLE3
>> configure options: '--bindir=/home/squid2/bin'
>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>> '--disable-ident-lookups' '--disable-useragent-log'
>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>> -bash-3.00$
>>
>> If you don't see --enable-pf-transparent in that list, you are going
>> to need to recompile.
>>
>
> I believe the option is present. The line "PF open failed" should never
> occur without it.
>
> The rc.conf may not necessarily be correct. Bug 2396 about PF
> permissions, has only been fixed since 3.0.STABLE8.
>
> Amos

Yes, it's there! Squid is working from what I can see but the error
messages are of concern to me. Mine is Squid Cache: Version 3.0.STABLE10
/Leslie

-------------- snip ---------------

:/usr/local/sbin/squid -v
Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid'
'--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/usr/local/squid' '--sysconfdir=/usr/local/etc/squid'
'--enable-removal-policies=lru heap' '--disable-linux-netfilter'
'--disable-linux-tproxy' '--disable-epoll' '--enable-auth=basic ntlm
digest' '--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB
squid_radius_auth YP' '--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user session unix_group wbinfo_group'
'--enable-ntlm-auth-helpers=SMB' '--enable-storeio=ufs diskd null'
'--enable-delay-pools' '--disable-ident-lookups'
'--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
'--enable-err-languages=Armenian Azerbaijani Bulgarian Catalan Czech
Danish Dutch English Estonian Finnish French German Greek Hebrew
Hungarian Italian Japanese Korean Lithuanian Polish Portuguese Romanian
Russian-1251 Russian-koi8-r Serbian Simplify_Chinese Slovak Spanish
Swedish Traditional_Chinese Turkish Ukrainian-1251 Ukrainian-koi8-u
Ukrainian-utf8' '--enable-default-err-language=templates'
'--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/info/' '--build=i386-portbld-freebsd7.0'
'build_alias=i386-portbld-freebsd7.0' 'CC=cc' 'CFLAGS=-O2
-fno-strict-aliasing -pipe' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++'
'CXXFLAGS=-O2 -fno-strict-aliasing -pipe'

-------------- snip ---------------
Received on Wed Dec 17 2008 - 07:29:27 MST
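
The checks discussed in this thread, as an added diagnostic example that is not part of any poster's message or of Squid itself: it lists the `--*-transparent` build options in `squid -v` output, counts the `PF open failed` errors in a log, and tests from the mode bits whether an account can read a device such as /dev/pf. The function names are hypothetical, the sample text is constructed, and treating read access as the relevant permission is an assumption.

```sh
#!/bin/sh
# Added example, not from the thread; the sample text below is constructed.

# List the "--*-transparent" options in `squid -v` output read from stdin.
# Option values wrap across lines, so join the lines, then split on quotes.
transparent_opts() {
    tr '\n' ' ' | tr "'" '\n' |
        grep -E '^--(enable|disable)-[a-z0-9]+-transparent$'
}

# Succeed only if the build was configured with --enable-pf-transparent.
has_pf_transparent() {
    transparent_opts | grep -qx -e '--enable-pf-transparent'
}

# Count the cache.log error from the thread in a log read from stdin.
count_pf_open_failures() {
    grep -cF 'clientNatLookup: PF open failed: (13) Permission denied' || true
}

# Succeed if USER may read PATH according to the owner/group/other mode
# bits alone (assumption: ACLs and root's override are deliberately ignored).
dev_readable_by() {
    user=$1 path=$2
    out=$(ls -lnd "$path") || return 2
    read -r mode links fuid fgid rest <<EOF
$out
EOF
    if [ "$(id -u "$user")" = "$fuid" ]; then
        case $mode in ?r*) return 0 ;; *) return 1 ;; esac
    fi
    for g in $(id -G "$user"); do
        if [ "$g" = "$fgid" ]; then
            case $mode in ????r*) return 0 ;; *) return 1 ;; esac
        fi
    done
    case $mode in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: wrapped `squid -v` output like the one in the thread.
sample="configure options: '--enable-auth=basic ntlm
digest' '--enable-ipfw-transparent' '--enable-pf-transparent'"
printf '%s\n' "$sample" | transparent_opts
printf '%s\n' "$sample" | has_pf_transparent && echo "PF interception built in"
```

On the proxy host, feed it real data, for example `squid -v | transparent_opts` and `dev_readable_by squid /dev/pf`, where `squid` is the account named by `--with-default-user`.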
