[squid-users] OpenBSD + PF + Squid: forwarding loop

From: Rob Sheldon <rob_at_associatedtechs.com>
Date: Thu, 30 May 2013 18:14:52 -0700

Hi,

I'm a Squid newbie. I have an OpenBSD firewall running pf with multiple
outbound interfaces doing some connection pooling. I'm trying to get
Squid/SquidGuard up and running as a transparent proxy; I've been using
this guide: http://www.kernel-panic.it/openbsd/proxy/proxy4.html

I've run into a problem I don't understand and it's driving me bugnuts.
Hoping somebody can help sort me out.

If I set "http_port 3139", do no redirects in pf, and manually
configure my browser to use the firewall LAN side on 3139 as a proxy,
everything works just fine. If I change http_port to "3139 intercept",
turn on rdr in pf for just my test IP address (only!), and turn off my
browser's proxy config, I get "access denied" errors back from Squid,
along with complaints about forwarding loops. There's no goofy proxy
peering, no other redirects in pf ... I can't for the life of me figure
out where the loop is happening.

Here's the pf rule I'm using to activate the redirect for my test IP:

pass in quick on $if_int proto tcp from 192.168.0.209 to any port www rdr-to 192.168.0.1 port 3139

...And here's my squid.conf, sans comments (I've stripped it down a bit
trying to figure this out):

acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT

http_access allow all

http_port 3128
http_port 3139 intercept

visible_hostname firewall.local

...When testing, I'll toggle "intercept" on or off on the second
http_port config along with the rdr in pf.

What I'm seeing when running "squid -d 1 -N" is e.g.,

2013/05/30 17:19:03| WARNING: Forwarding loop detected for:
POST / HTTP/1.1
Host: ocsp.verisign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101
Firefox/10.0.12 Iceweasel/10.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 115
Content-Type: application/ocsp-request
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Cache-Control: max-age=259200
Connection: keep-alive

The only rule I'm changing in pf between the two scenarios is the rdr
rule for my IP only, so I don't think the loop is happening anywhere in
pf. I must have something in squid.conf seriously goofed up, but I
haven't been able to figure it out.

Any help?

Thanks,

- R.

-- 
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
Received on Fri May 31 2013 - 01:14:56 MDT
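Squid emits that warning when an incoming request already carries Squid's own Via entry, "visible_hostname (squid/version)", which is exactly what the dump above contains. As an added example (not part of the original post), the same check reproduced in Python over a constructed copy of that request, so the Via chain and original client can be read off a log excerpt:

```python
# Constructed sample: the request Squid dumped in the warning quoted above.
RAW_REQUEST = """POST / HTTP/1.1
Host: ocsp.verisign.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.12) Gecko/20100101 Firefox/10.0.12
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 115
Content-Type: application/ocsp-request
Via: 1.1 firewall.local (squid/3.2.7)
X-Forwarded-For: 192.168.0.209
Connection: keep-alive
"""


def parse_headers(raw):
    """Split a raw HTTP request dump into (request_line, {lower-name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")  # first colon only ("rv:10.0.12" stays intact)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def via_hops(headers):
    """Return the individual Via entries, one per proxy the request has passed through."""
    hops = []
    for field in headers.get("via", []):
        hops.extend(h.strip() for h in field.split(",") if h.strip())
    return hops


def forwarding_loop(headers, visible_hostname, squid_version):
    """Mirror Squid's check: a loop exists if our own Via entry is already present."""
    own_entry = f"{visible_hostname} (squid/{squid_version})"
    return any(own_entry in hop for hop in via_hops(headers))


def diagnose(raw, visible_hostname, squid_version):
    """Summarise what a loop warning tells you: hops so far and the original client."""
    request_line, headers = parse_headers(raw)
    return {
        "request": request_line,
        "host": headers.get("host", [""])[0],
        "loop": forwarding_loop(headers, visible_hostname, squid_version),
        "hops": via_hops(headers),
        "client": headers.get("x-forwarded-for", [""])[0],
    }
```

A request that reaches the intercept port with the firewall's own Via entry has already been proxied once, so the second pass is the place to look (in pf, or in the path Squid's outbound connections take), not at the client.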
