Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 21 Dec 2008 23:48:43 +1300

Amos Jeffries wrote:
> Leslie Jensen wrote:
>>
>>>> Amos Jeffries skrev:
>>>>> Chris Robertson wrote:
>>>>>> Leslie Jensen wrote:
>>>>>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>>>>>
>>>>>>> I've noticed that in cache.log are a lot of entries as the one below
>>>>>>>
>>>>>>> clientNatLookup: PF open failed: (13) Permission denied
>>>>>>>
>>>>>>> I've found some information on the problem via Google.
>>>>>>>
>>>>>>> One is "start Squid as root". Squid is started via rc.conf so I
>>>>>>> think that is sorted.
>>>>>>>
>>>>>>> There is a concern about rights on /dev/pf
>>>>>>>
>>>>>>> Finally there's some advice
>>>>>>>
>>>>>>> ---- snip----
>>>>>>> If you are performing any kind of transparent interception with
>>>>>>> squid you will need one of the --*-transparent options. Without it
>>>>>>> squid will fail to correctly spoof the client's IP.
>>>>>>> ----- snip ----
>>>>>>>
>>>>>>> I do not fully understand where the "--*-transparent options" are to
>>>>>>> be found. And if it's the solution to the problem.
>>>>>>>
>>>>>>> Will someone Please enlighten me?
>>>>>> First, I don't know if it is the solution to the problem, but it's an
>>>>>> easy thing to check...
>>>>>>
>>>>>> Run "/path/to/squid -v". That will show what options squid was
>>>>>> compiled with. For example:
>>>>>>
>>>>>> -bash-3.00$ /home/squid2/bin/squid -v
>>>>>> Squid Cache: Version 2.6.STABLE3
>>>>>> configure options: '--bindir=/home/squid2/bin'
>>>>>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>>>>>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>>>>>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>>>>>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>>>>>> '--disable-ident-lookups' '--disable-useragent-log'
>>>>>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>>>>>> -bash-3.00$
>>>>>>
>>>>>> If you don't see --enable-pf-transparent in that list, you are going
>>>>>> to need to recompile.
>>>>>>
>>>>> I believe the option is present. The line "PF open failed" should
>>>>> never occur without it.
>>>>>
>>>>> The rc.conf may not necessarily be correct. Bug 2396 about PF
>>>>> permissions has only been fixed since 3.0.STABLE8.
>>>>>
>>>>> Amos
>>>> Yes, it's there! Squid is working from what I can see but the error
>>>> messages are of concern to me.
>>>
>>> Yes, the NAT/FW table is not accessible to squid, so some of the
>>> controls will be failing.
>>>
>>>> Mine is Squid Cache: Version 3.0.STABLE10
>>>> /Leslie
>>>> -------------- snip ---------------
>>>> :/usr/local/sbin/squid -v
>>>> Squid Cache: Version 3.0.STABLE10
>>>> configure options: '--with-default-user=squid'
>>> <snip>
>>>> '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
>>>
>>> Did you check the rc.conf actions?
>>>
>>> I see squid is also built with-default-user, that's the username your
>>> proxy will set itself to run as by default after the startup root stuff
>>> is finished.
>>> Can we also have a look at the /dev/pf permissions and the group
>>> membership of the squid user. (don't change any of that yet, I just
>>> think it might be useful to know).
>>>
>>> Amos
>>>
>>
>> What do you mean by rc.conf actions?
>> I have squid_enable="YES"
>
> Okay. I don't know Solaris at all. The other OSes I know have an init
> script called rc.something that starts squid with certain parameters and
> points it at the config file.
>
>>
>> ll /dev/pf
>> crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf
>>
>> Do I need to give squid rights to read and write /dev/pf ?
>
> Um, I'll leave this for someone who knows PF and Solaris privileges
> better (anyone??)
>
> One way or another squid needs read-only privilege. I would have thought
> that device would be crw-r--r--
>
> but as I don't know Solaris, don't quote me on that.
>

Ah Fooey. Don't know quite what I was saying either ;)
Sorry about the OS mixup.
If we ignore that, the rest still makes sense and makes the point.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
   Current Beta Squid 3.1.0.3 or 3.0.STABLE11-RC1
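Pulling the checks from this thread together, here is an added sh script (not from the thread or from the Squid project) that tests the three things discussed: whether the build lists --enable-pf-transparent, how many "clientNatLookup: PF open failed" lines a cache.log holds, and whether the user squid drops to can read /dev/pf given its mode, owner, group and the user's group list. It assumes the runtime user is named squid (as --with-default-user=squid implies) and runs on constructed sample data.

```shell
#!/bin/sh
# Added diagnostic helper, not code from the thread or from Squid. The
# runtime user name "squid" and the sample data below are assumptions.

# has_pf_transparent: reads "squid -v" output on stdin; succeeds if the
# build lists --enable-pf-transparent among its configure options.
has_pf_transparent() {
    grep -q -- "'--enable-pf-transparent'"
}

# count_pf_errors: reads cache.log on stdin and prints how many lines
# report the PF open failure (grep -c exits 1 on zero matches, so the
# exit status is normalised to keep "set -e" callers happy).
count_pf_errors() {
    grep -c 'clientNatLookup: PF open failed' || :
}

# pf_readable_by MODE OWNER GROUP USER "GROUPS": given the ls -l style
# mode of /dev/pf (e.g. crw-------), its owner and group, the runtime user
# and that user's group list, succeed if the user gets read permission.
# Squid only needs read access, so group read is enough; world read is not.
pf_readable_by() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    if [ "$user" = "$owner" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)    # owner triplet
    elif printf ' %s ' "$groups" | grep -q " $group "; then
        bits=$(printf '%s' "$mode" | cut -c5-7)    # group triplet
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)   # other triplet
    fi
    case $bits in r*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample data mirroring the thread (not real host output).
SAMPLE_V="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-pf-transparent'"
SAMPLE_LOG="2008/12/18 09:45:01| clientNatLookup: PF open failed: (13) Permission denied
2008/12/18 09:45:02| Ready to serve requests.
2008/12/18 09:45:03| clientNatLookup: PF open failed: (13) Permission denied"

# Walk through the diagnosis with the sample data.
printf '%s\n' "$SAMPLE_V" | has_pf_transparent && echo "built with --enable-pf-transparent"
echo "PF open failures in cache.log: $(printf '%s\n' "$SAMPLE_LOG" | count_pf_errors)"
pf_readable_by crw------- root wheel squid "squid" || echo "squid cannot read /dev/pf as shipped"
pf_readable_by crw-r----- root wheel squid "squid wheel" && echo "readable with group r and squid in wheel"
```

On a live FreeBSD host the same functions take real input: pipe in `squid -v` and cache.log, and feed pf_readable_by the output of `stat -f '%Sp %Su %Sg' /dev/pf` together with `id -Gn squid`.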
Received on Mon Dec 22 2008 - 03:54:42 MST