Re: [squid-users] Problems with transparancy and pf

From: Leslie Jensen <leslie_at_eskk.nu>
Date: Tue, 29 Mar 2011 12:55:31 +0200

On 2011-03-29 12:26, Indunil Jayasooriya wrote:

> On Tue, Mar 29, 2011 at 3:32 PM, Leslie Jensen<leslie_at_eskk.nu> wrote:
>> Hello list.
>>
>> I've used squid together with pf for a while on a FreeBSD 7.2-RELEASE
>> machine.
>>
>>
>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>> config from the 7.2 machine.
>>
>> My problem is that squid is not working with transparency. The browser
>> traffic goes directly to the Internet.
>>
>> Setting proxy in the browser works, so I believe squid is ok.
>>
>> My question is about which build options I must use?
>>
>> I've used the following:
>> SQUID_KERB_AUTH X (ON)
>> SQUID_NIS_AUTH X (ON)
>> SQUID_IPV6 (Default) X (ON)
>>
>> SQUID_DELAY_POOLS X (ON)
>> SQUID_SNMP X (ON)
>> SQUID_HTCP (CARP?) X (ON)
>> SQUID_WCCP X (ON)
>> SQUID_IDENT (OFF)
>> SQUID_IPFW X (ON)
>> SQUID_PF X (ON)
>> SQUID_AUFS (Default) X (ON)
>> SQUID_KQUEUE X (ON)
>>
>> Then I found this
>> https://wiki.andrewmercer.net/index.php/Squid_-_Transparent_Proxy
>>
>> Where he suggests that even
>> SQUID_IPFILTER X (ON)
>>
>> Should be activated.
>>
>> I recompiled Squid3.1 with the above and now I get an error which I can
>> understand because I do not have IPFilter installed/active.
>>
>> ____________________________________
>>
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> 2011/03/29 11:14:44| IpIntercept.cc(250) IpfInterception: NAT open failed:
>> (2) No such file or directory
>> _____________________________________
>>
>> So when only pf is used, must I compile squid with IPFILTER and IPFW?
>>
>> Thanks
>>
>> /Leslie
>>
>
> Please see the URLs below
>
>
> http://forums.freebsd.org/showthread.php?t=16917
>
> http://forums.freebsd.org/showthread.php?t=14889
>
>
> http://forums.freebsd.org/showthread.php?t=10874
>
>

Thank you!

I've seen those links and they suggest compiling with PF and IPFW.

But as I wrote it does not work so I'm wondering if IPFILTER should be
used. If not I'm back on square one.

As you can see below I have used more options and maybe it is too much.

squid -v
Squid Cache: Version 3.1.11
configure options: '--with-default-user=squid'
'--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin'
'--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid'
'--localstatedir=/var/squid' '--sysconfdir=/usr/local/etc/squid'
'--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid'
'--enable-removal-policies=lru heap' '--disable-linux-netfilter'
'--disable-linux-tproxy' '--disable-epoll' '--disable-translation'
'--enable-auth=basic digest negotiate ntlm'
'--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user session unix_group wbinfo_group'
'--enable-ntlm-auth-helpers=smb_lm'
'--enable-negotiate-auth-helpers=squid_kerb_auth' '--enable-storeio=ufs
diskd aufs' '--enable-disk-io=AIO Blocking DiskDaemon DiskThreads'
'--enable-delay-pools' '--enable-ipfw-transparent'
'--enable-pf-transparent' '--enable-ipf-transparent' '--disable-ecap'
'--disable-loadable-modules' '--enable-kqueue' '--prefix=/usr/local'
'--mandir=/usr/local/man' '--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd8.2'
'build_alias=amd64-portbld-freebsd8.2' 'CC=cc' 'CFLAGS=-O2 -pipe
-fno-strict-aliasing' 'LDFLAGS=' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2
-pipe -fno-strict-aliasing' 'CPP=cpp'
--with-squid=/usr/ports/www/squid31/work/squid-3.1.11
--enable-ltdl-convenience

Do you have any suggestions?

/Leslie
Received on Tue Mar 29 2011 - 10:55:32 MDT