Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Dec 2008 23:55:16 +1300

Leslie Jensen wrote:
>
>>> Amos Jeffries skrev:
>>>> Chris Robertson wrote:
>>>>> Leslie Jensen wrote:
>>>>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>>>>
>>>>>> I've noticed that in cache.log are a lot of entries as the one below
>>>>>>
>>>>>> clientNatLookup: PF open failed: (13) Permission denied
>>>>>>
>>>>>> I've found some information on the problem via Google.
>>>>>>
>>>>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>>>>> that is sorted.
>>>>>>
>>>>>> There is a concern about rights on /dev/pf
>>>>>>
>>>>>> Finally there's some advice
>>>>>>
>>>>>> ---- snip----
>>>>>> If you are performing any kind of transparent interception with squid
>>>>>> you will need one of the --*-transparent options. Without it squid
>>>>>> will
>>>>>> fail to correctly spoof the clients IP.
>>>>>> ----- snip ----
>>>>>>
>>>>>> I do not fully understand where the "--*-transparent options" are to
>>>>>> be found. And if it's the solution to the problem.
>>>>>>
>>>>>> Will someone Please enlighten me?
>>>>> First, I don't know if it is the solution to the problem, but it's an
>>>>> easy thing to check...
>>>>>
>>>>> Run "/path/to/squid -v". That will show what options squid was
>>>>> compiled with. For example:
>>>>>
>>>>> -bash-3.00$ /home/squid2/bin/squid -v
>>>>> Squid Cache: Version 2.6.STABLE3
>>>>> configure options: '--bindir=/home/squid2/bin'
>>>>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>>>>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>>>>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>>>>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>>>>> '--disable-ident-lookups' '--disable-useragent-log'
>>>>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>>>>> -bash-3.00$
>>>>>
>>>>> If you don't see --enable-pf-transparent in that list, you are going
>>>>> to need to recompile.
>>>>>
>>>> I believe the option is present. The line "PF open failed" should never
>>>> occur without it.
>>>>
>>>> The rc.conf may not necessarily be correct. Bug 2396 about PF
>>>> permissions has only been fixed since 3.0.STABLE8.
>>>>
>>>> Amos
>>> Yes, it's there! Squid is working from what I can see but the error
>>> messages are of concern to me.
>>
>> Yes, the NAT/FW table is not accessible to squid, so some of the controls
>> will be failing.
>>
>>> Mine is Squid Cache: Version 3.0.STABLE10
>>> /Leslie
>>> -------------- snip ---------------
>>> :/usr/local/sbin/squid -v
>>> Squid Cache: Version 3.0.STABLE10
>>> configure options: '--with-default-user=squid'
>> <snip>
>>> '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
>>
>> Did you check the rc.conf actions?
>>
>> I see squid is also built with-default-user, that's the username your
>> proxy
>> will set itself to run as by default after the startup root stuff is
>> finished.
>> Can we also have a look at the /dev/pf permissions and the group
>> membership of the squid user. (don't change any of that yet, I just think
>> it might be useful to know).
>>
>> Amos
>>
>
> What do you mean with rc.conf actions?
> I have squid_enable="YES"

Okay. I don't know Solaris at all. The other OSes I know have an init
script called rc.something that starts squid with certain parameters and
points it at the config file.

>
> ll /dev/pf
> crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf
>
> Do I need to give squid rights to read and write /dev/pf ?

Um, I'll leave this for someone who knows PF and Solaris privileges
better (anyone??)

One way or another squid needs read-only privilege. I would have thought
that device would be crw-r--r-

but as I don't know Solaris, don't quote me on that.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
Received on Thu Dec 18 2008 - 10:55:23 MST
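The two checks this thread turns on (is `--enable-pf-transparent` in the `squid -v` output, and can the unprivileged squid user actually read `/dev/pf` given its mode, owner and group) can be scripted so they do not depend on eyeballing the output. The script below is an added example and not part of the thread or of Squid itself; the `squid -v` and `ls -l /dev/pf` lines it works on are constructed samples copied from what was quoted above, and the function names (`has_configure_option`, `device_readable_by`) are my own. It applies ordinary Unix permission semantics: root always passes, the owner is judged by the owner bits only, a group member by the group bits only, everyone else by the "other" bits.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the two questions
# raised above, run against constructed sample strings instead of a live box.

# Constructed sample of `squid -v` output, assembled from the snippet quoted above.
SAMPLE_SQUID_V="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"

# Constructed sample of `ls -l /dev/pf`, as quoted above (crw------- root:wheel).
SAMPLE_LS_PF="crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf"

# has_configure_option OUTPUT FLAG
# Returns 0 if FLAG appears as one of the quoted configure options in OUTPUT.
# Matching the flag including its surrounding single quotes avoids a prefix
# match such as --enable-pf matching --enable-pf-transparent.
has_configure_option() {
    printf '%s\n' "$1" | grep -qF -- "'$2'"
}

# device_readable_by LS_LINE USER GROUPS
# LS_LINE is one line of `ls -l` output, USER the account squid drops to,
# GROUPS a space-separated list of that account's groups (as from `id -Gn`).
# Prints "yes" or "no" (or "not-a-char-device") and returns 0 when readable.
device_readable_by() {
    ls_line=$1; user=$2; groups=$3
    set -- $ls_line                  # split the ls line into its fields
    mode=$1; owner=$3; group=$4
    case "$mode" in
        c*) ;;
        *) echo "not-a-char-device"; return 2 ;;
    esac
    # Read bits sit at positions 2 (owner), 5 (group) and 8 (other).
    o_r=$(printf '%s' "$mode" | cut -c2)
    g_r=$(printf '%s' "$mode" | cut -c5)
    a_r=$(printf '%s' "$mode" | cut -c8)

    if [ "$user" = root ]; then
        echo yes; return 0
    fi
    if [ "$user" = "$owner" ]; then
        bit=$o_r
    else
        bit=$a_r
        for g in $groups; do
            if [ "$g" = "$group" ]; then bit=$g_r; fi
        done
    fi
    if [ "$bit" = r ]; then
        echo yes; return 0
    fi
    echo no; return 1
}

# Stand-alone run against the constructed samples.
if has_configure_option "$SAMPLE_SQUID_V" --enable-pf-transparent; then
    echo "pf-transparent compiled in: yes"
else
    echo "pf-transparent compiled in: no"
fi
echo "squid user can read /dev/pf: $(device_readable_by "$SAMPLE_LS_PF" squid "squid")"
```

On a real host replace the two sample strings with `"$(/usr/local/sbin/squid -v)"`, `"$(ls -l /dev/pf)"` and `"$(id -Gn squid)"`. With the mode quoted in the thread the second check answers "no" for the squid user, which is consistent with the "(13) Permission denied" entries: the device is readable by root only, and Squid has already dropped to its default user by the time it opens PF. If the device is to be opened by the squid user, granting read access through a group that user belongs to is narrower than making the device world-readable.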
