Re: [squid-users] OpenBSD + PF + Squid: forwarding loop

From: Rob Sheldon <rob_at_associatedtechs.com>
Date: Sat, 01 Jun 2013 23:57:59 -0700

On 2013-06-01 5:03, Amos Jeffries wrote:
> On 1/06/2013 11:20 p.m., Rob Sheldon wrote:
>>
>> So I just turned on host_verify_strict and now I'm getting the 409
>> error described in the docs.
>>
>> It looks to me like the problem is the destination rewrite in rdr-to,
>> but that still doesn't really make sense; surely someone else would've
>> bumped into this by now.
>
> It would seem not. IIRC the documentation on recent OpenBSD
> installations indicated to use divert instead of rdr-to.

OK. This has gotten me a step closer; I thought there was another
routing option, but couldn't remember what it was (nor find it last
night). divert-to is exactly it.

However, there's a bit of a catch-22 here: since divert-to doesn't
rewrite the destination address, internal interfaces don't want to
accept the traffic (unless I change their broadcast address to 0.0.0.0,
which seems ugly and prone to failure). pf doesn't allow me to divert-to
on outbound traffic, and I can't trap the traffic inbound on the
external interfaces.

This has gotten really wickedly tricky.

I'm going to start a thread over on OpenBSD-Misc and ask the pf wizards
there for advice. I'm thinking at this point I may need to set up a
virtual interface or something, but that could really mess with outbound
NAT, especially since I've got multipath routing over more than one
external interface.

Assuming I can get this all working somehow, I'll do a solid write-up
of it on our company site. Was the security check added in a sort-of
recent version of Squid? I still find it hard to believe that this has
been broken for other people and gone unreported or that I'm the first
person recently to try to get Squid working on OpenBSD ... I'm still
expecting to find that I'm doing something wrong.

Thanks for your kind help.

- R.

-- 
[__ Robert Sheldon
[__ No Problem
[__ Information technology support and services
[__ (530) 575-0278
Received on Sun Jun 02 2013 - 06:58:02 MDT
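The distinction the thread turns on, rdr-to rewriting the packet's destination versus divert-to preserving it, shown as a pair of configuration fragments. This is an added illustration, not configuration from the poster, from Amos, or from the Squid project; the interface name em1, the internal network 192.168.1.0/24 and the Squid intercept port 3129 are assumed placeholder values.

```pf
# ---- pf.conf fragment ----
int_if  = "em1"
int_net = "192.168.1.0/24"

# Problem form (left commented out): rdr-to rewrites the destination
# address to 127.0.0.1 before the packet reaches Squid.  Squid then no
# longer knows where the client was really going unless it can recover
# the original destination from the pf NAT table; when that recovery
# fails, host_verify_strict cannot confirm that the Host header matches
# the intended destination, answers 409, and an unverified request can be
# sent back through the proxy itself, which is the forwarding loop.
#pass in quick on $int_if inet proto tcp from $int_net to any port 80 \
#    rdr-to 127.0.0.1 port 3129

# Preferred form: divert-to delivers the packet to the local socket
# listening on 127.0.0.1:3129 without touching the destination address,
# so Squid can read the client's real destination IP from the accepted
# connection and compare it against the Host header.
pass in quick on $int_if inet proto tcp from $int_net to any port 80 \
    divert-to 127.0.0.1 port 3129

# ---- squid.conf fragment (same assumed values) ----
# Intercept port for the diverted traffic; keep it separate from the
# port browsers are explicitly configured to use.
http_port 127.0.0.1:3129 intercept
http_port 3128

# Leave the strict check enabled: it refuses requests whose Host header
# does not agree with the original destination IP, which is what stops
# both accidental loops and deliberate Host-header mismatches through
# the interceptor.
host_verify_strict on
```

The divert-to rule has to sit on the interface the client traffic enters (an inbound rule on the internal side), which is why the intercept port only needs to listen on the loopback address; the explicit 3128 port stays reachable for clients that are configured to use the proxy directly.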
