Re: [squid-users] transparent ipfw

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 07 Mar 2009 01:39:19 +1300

Val Powler wrote:
> Hello!
>
> I'm trying to set up transparent squid on freebsd.
> First of all I tried to use it as parent proxy server only (without
> local gateway).
> So my gateway (ipfw, freebsd) forwards packets to this proxy. I have
> already a box with freebsd 6.3 and squid (Version 2.6.STABLE19+ICAP)
> and it works fine - my freebsd gateway 10.11.2.103 forwards packets to
> 10.11.2.129 (ipfw fwd 10.11.2.129,3128 tcp from 10.0.0.0/8 to any
> dst-port 80).
>
> Ok, now about the problem. I'm trying to set up a new proxy server.
> A clean copy of freebsd 7.1, squid30 from ports. I've made a simple
> config file (tried it on freebsd 6.3 old proxy and it works fine):
>
> http_port 3128 transparent
> access_log /var/log/squid/access.log
> cache_log /var/log/squid/cache.log
> cache_store_log /var/log/squid/store.log
> cache_mgr admin_at_everywhere.net
> visible_hostname proxy.on.the.net
> http_access allow all
>
> It doesn't work.
> <tcpdump -i fxp0> shows me that packets are successfully forwarded to the new
> proxy, but squid doesn't respond.
> <telnet google.com 80> from client machines doesn't refuse a
> connection, it only times out.
>
> When configuring browser to work with proxy - everything works like it should.
> But it's not all history :)
> I tried to enable the firewall on the new freebsd. (rc.conf
> firewall_enable="YES" firewall_type="open"). Nothing.
> Then installed a new kernel with
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_DEFAULT_TO_ACCEPT
> options IPFIREWALL_FORWARD
>
> Again nothing.
> Tried the 2.7 version from ports. Tried even squid from sources (3.1
> with intercept). Nothing.
> Tried to set it up with local gateway (local forward) to prove it's not
> a remote box problem and still nothing.
>
> Please help me,
>
> regards, Val Powler

What does /var/log/squid/cache.log tell you?

Also, there is likely to be a second rule in the firewall, permitting
Squid2 access out again without being captured itself.
Check that squid30 has a) the same IP as the old squid, or b) is also allowed
direct access outward through the firewall.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Fri Mar 06 2009 - 12:38:49 MST
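
The check suggested in the reply, as an added example that is not part of the original thread: a first-match walk over a small subset of `ipfw list` output to see whether the proxy's own outbound port-80 traffic hits the fwd rule. Only the fwd rule and the old proxy address come from the thread; the other rules, the new proxy address 10.11.2.130 and the origin address 192.0.2.80 are constructed assumptions.

```python
import ipaddress
import re

# Handled subset of `ipfw list`: NUM ACTION PROTO from SRC to DST [dst-port N]
RULE = re.compile(
    r"(?P<num>\d+) (?P<action>fwd \S+|allow|deny) (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+)(?: dst-port (?P<port>\d+))?"
)

# Constructed rule set: the exemption at 00100 covers only the old proxy.
WITH_EXEMPTION = """\
00100 allow tcp from 10.11.2.129 to any dst-port 80
00200 fwd 10.11.2.129,3128 tcp from 10.0.0.0/8 to any dst-port 80
65535 allow ip from any to any
"""

def _addr_match(spec, ip):
    """True if ip falls inside spec ('any', a single address or a CIDR block)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(ruleset, src_ip, dst_ip, dst_port):
    """Return (rule number, action) of the first rule matching a TCP packet.

    Assumes the lines are already in rule-number order, as `ipfw list` prints them.
    """
    for line in ruleset.strip().splitlines():
        m = RULE.fullmatch(line.strip())
        if not m:
            continue  # rule uses options outside the handled subset
        if m["proto"] not in ("tcp", "ip", "all"):
            continue
        if m["port"] and int(m["port"]) != dst_port:
            continue
        if _addr_match(m["src"], src_ip) and _addr_match(m["dst"], dst_ip):
            return int(m["num"]), m["action"]
    return None

def proxy_is_captured(ruleset, proxy_ip, origin_ip="192.0.2.80"):
    """True if the proxy's own request to an origin server is forwarded again."""
    hit = first_match(ruleset, proxy_ip, origin_ip, 80)
    return hit is not None and hit[1].startswith("fwd")

if __name__ == "__main__":
    for ip in ("10.11.2.129", "10.11.2.130"):
        print(ip, "captured" if proxy_is_captured(WITH_EXEMPTION, ip) else "direct")
```

Rules that use options outside the handled subset are skipped, so read the verdict against the full rule list on the gateway.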
