Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 01 Jun 2013 17:18:37 +1200

On 1/06/2013 11:58 a.m., Rob Sheldon wrote:
> On 2013-05-31 16:07, Loïc BLOT wrote:
>> Instead of your ugly:
>> pass quick on lo0
>> use:
>> skip lo0
>> which is better :)
>
> Thanks, I forgot about skip.
>
>> You must redirect traffic on your lan interface directed to any remote 80
>> to your lan IP:3129 and also allow tcp 3129 on pf
>>
>> pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
>> pass in quick on $lan_if proto tcp to $lan_ip port 3129
>>
>> You mustn't redirect to localhost iface it's bad.
>
> I'd rather not futz around with pf anymore for now, since I don't
> think that's where the problem is. (Unless Squid for some reason
> requires "http_port...intercept" to be passed through an rdr rule...?

Why yes. Squid does.
If you don't you will end up with invalid-URL errors.

FWIW: sending non-intercept traffic to the proxy intercept port will
show up as forwarding loops. But don't read too much into that ...
AFAICT your tests were using the non-intercept port for the directly
configured traffic so that should be a different loop reason than what
you were hitting.

The loop you were hitting did seem to be traffic through Squid and
outbound to somewhere port 80 being redirected a second time into Squid.

> ) I'd rather just get the most basic test case working first before
> involving any pf rules which might further complicate troubleshooting.
>
>> For normal and transparent you are correct. Have you compiled squid with
>> --enable-pf-transparent option ? (/usr/local/squid/sbin/squid -v show
>> you)
>
> I've got Squid 3.2.7. Here's the output from -v:
>
> configure options: '--enable-shared'
> '--datadir=/usr/local/share/squid'
> '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules'
> '--enable-arp-acl' '--enable-auth' '--enable-auth-basic=NCSA SMB NIS
> radius LDAP' '--enable-auth-digest=file LDAP'
> '--enable-auth-negotiate=kerberos' '--enable-auth-ntlm=fake smb_lm'
> '--enable-delay-pools' '--enable-external-acl-helpers=file_userip
> session unix_group wbinfo_group LDAP_group'
> '--enable-follow-x-forwarded-for' '--enable-forw-via-db'
> '--enable-http-violations' '--enable-icap-client' '--enable-ipv6'
> '--enable-referer-log' '--enable-removal-policies=lru heap'
> '--enable-ssl' '--enable-stacktraces' '--enable-storeio=aufs ufs diskd
> ' '--with-default-user=_squid' '--with-filedescriptors=8192'
> '--with-pidfile=/var/run/squid.pid' '--with-pthreads'
> '--with-swapdir=/var/squid/cache' '--disable-pf-transparent'
> '--enable-ipfw-transparent' '--prefix=/usr/local'
> '--sysconfdir=/etc/squid' '--mandir=/usr/local/man'
> '--infodir=/usr/local/info' '--localstatedir=/var/squid'
> '--disable-silent-rules' 'CC=cc' 'CFLAGS=-O2 -pipe'
> 'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++'
> 'CXXFLAGS=-O2 -pipe'
>
> ...it looks correct for that version, according to
> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#NAT_Interception_proxy,
> --enable-pf-transparent doesn't work until Squid 3.4,
> "--disable-pf-transparent --enable-ipfw-transparent" is the
> recommended way for 3.3 and 3.2.
>

Yes that is correct.

Amos
Received on Sat Jun 01 2013 - 05:18:48 MDT
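As an added illustration (not from the thread or the Squid project), here is a pf.conf fragment that applies the points made above: redirect only LAN-client traffic arriving on the LAN interface to the intercept port on the LAN IP (not localhost), allow that port, and keep the proxy's own outbound fetches out of the rdr rule so they are not redirected a second time. Interface names, addresses, and the assumption that origin servers are reached via $ext_if are mine; 3128 is Squid's default non-intercept http_port.

```pf
# Added example, not the original poster's config. Names/addresses are assumed.
lan_if  = "em1"
ext_if  = "em0"
lan_ip  = "192.168.1.1"
lan_net = "192.168.1.0/24"

set skip on lo0

# Redirect only packets that ARRIVE on the LAN interface from LAN clients and
# are headed for some remote port 80. Squid's own fetches leave on $ext_if
# (assumed), so they never match this rule and are not sent back into Squid,
# which is the forwarding loop described in the thread.
pass in quick on $lan_if inet proto tcp from $lan_net to ! $lan_ip port 80 \
    rdr-to $lan_ip port 3129

# Accept the redirected connections on the intercept port.
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port 3129

# Directly configured browsers use the separate non-intercept port; pointing
# them at 3129 would itself show up as a forwarding loop.
pass in quick on $lan_if inet proto tcp from $lan_net to $lan_ip port 3128

# Let the proxy reach origin servers.
pass out quick on $ext_if inet proto tcp to port 80
```

The matching squid.conf lines for this layout would be `http_port 3128` and `http_port 192.168.1.1:3129 intercept`; check the ruleset with `pfctl -nf /etc/pf.conf` before loading it.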