Re: [squid-users] Problems with transparency and pf

On 07/04/11 08:03, Leslie Jensen wrote:
> On 2011-04-06 05:32, Amos Jeffries wrote:
>> Thank you. I've split the wiki examples we have for PF into separate
>> OpenBSD and FreeBSD pages and added a new section for the altered
>> OpenBSD syntax.
>>
>> Would any of you mind reading through and checking the texts? please?
>>
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
>> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>>
>> Amos
>
> For squid31 on FreeBSD there are several options already set. I think
> it would be helpful to mention a little more in the wiki.
>
> The configure options that are available are: (From the Makefile)
>
> OPTIONS= SQUID_KERB_AUTH "Install Kerberos authentication helpers" on \
>          SQUID_LDAP_AUTH "Install LDAP authentication helpers" off \
>          SQUID_NIS_AUTH "Install NIS/YP authentication helpers" on \
>          SQUID_SASL_AUTH "Install SASL authentication helpers" off \
>          SQUID_IPV6 "Enable IPv6 support" on \
>          SQUID_DELAY_POOLS "Enable delay pools" off \
>          SQUID_SNMP "Enable SNMP support" on \
>          SQUID_SSL "Enable SSL support for reverse proxies" off \
>          SQUID_PINGER "Install the icmp helper" off \
>          SQUID_DNS_HELPER "Use the old 'dnsserver' helper" off \
>          SQUID_HTCP "Enable HTCP support" on \
>          SQUID_VIA_DB "Enable forward/via database" off \
>          SQUID_CACHE_DIGESTS "Enable cache digests" off \
>          SQUID_WCCP "Enable Web Cache Coordination Prot. v1" on \
>          SQUID_WCCPV2 "Enable Web Cache Coordination Prot. v2" off \
>          SQUID_STRICT_HTTP "Be strictly HTTP compliant" off \
>          SQUID_IDENT "Enable ident (RFC 931) lookups" on \
>          SQUID_REFERER_LOG "Enable Referer-header logging" off \
>          SQUID_USERAGENT_LOG "Enable User-Agent-header logging" off \
>          SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \
>          SQUID_IPFW "Enable transparent proxying with IPFW" off \
>          SQUID_PF "Enable transparent proxying with PF" off \
>          SQUID_IPFILTER "Enable transp. proxying with IPFilter" off \
>          SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \
>          SQUID_ECAP "En. loadable content adaptation modules" off \
>          SQUID_ICAP "Enable ICAP client functionality" off \
>          SQUID_ESI "Enable ESI support (experimental)" off \
>          SQUID_AUFS "Enable the aufs storage scheme" on \
>          SQUID_COSS "Enable COSS (currently not available)" off \
>          SQUID_KQUEUE "Use kqueue(2) (experimental)" on \
>          SQUID_LARGEFILE "Support log and cache files >2GB" off \
>          SQUID_STACKTRACES "Create backtraces on fatal errors" off \
>          SQUID_DEBUG "Enable debugging options" off

Thank you. I see none of the NAT lookup features are turned on.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.12
  Beta testers wanted for 3.2.0.6
Re: [squid-users] Problems with transparency and pf

On 2011-04-06 05:32, Amos Jeffries wrote:
> Thank you. I've split the wiki examples we have for PF into separate
> OpenBSD and FreeBSD pages and added a new section for the altered
> OpenBSD syntax.
>
> Would any of you mind reading through and checking the texts? please?
>
> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
> http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf
>
> Amos

For squid31 on FreeBSD there are several options already set. I think
it would be helpful to mention a little more in the wiki.

The configure options that are available are: (From the Makefile)

OPTIONS= SQUID_KERB_AUTH "Install Kerberos authentication helpers" on \
         SQUID_LDAP_AUTH "Install LDAP authentication helpers" off \
         SQUID_NIS_AUTH "Install NIS/YP authentication helpers" on \
         SQUID_SASL_AUTH "Install SASL authentication helpers" off \
         SQUID_IPV6 "Enable IPv6 support" on \
         SQUID_DELAY_POOLS "Enable delay pools" off \
         SQUID_SNMP "Enable SNMP support" on \
         SQUID_SSL "Enable SSL support for reverse proxies" off \
         SQUID_PINGER "Install the icmp helper" off \
         SQUID_DNS_HELPER "Use the old 'dnsserver' helper" off \
         SQUID_HTCP "Enable HTCP support" on \
         SQUID_VIA_DB "Enable forward/via database" off \
         SQUID_CACHE_DIGESTS "Enable cache digests" off \
         SQUID_WCCP "Enable Web Cache Coordination Prot. v1" on \
         SQUID_WCCPV2 "Enable Web Cache Coordination Prot. v2" off \
         SQUID_STRICT_HTTP "Be strictly HTTP compliant" off \
         SQUID_IDENT "Enable ident (RFC 931) lookups" on \
         SQUID_REFERER_LOG "Enable Referer-header logging" off \
         SQUID_USERAGENT_LOG "Enable User-Agent-header logging" off \
         SQUID_ARP_ACL "Enable ACLs based on ethernet address" off \
         SQUID_IPFW "Enable transparent proxying with IPFW" off \
         SQUID_PF "Enable transparent proxying with PF" off \
         SQUID_IPFILTER "Enable transp. proxying with IPFilter" off \
         SQUID_FOLLOW_XFF "Follow X-Forwarded-For headers" off \
         SQUID_ECAP "En. loadable content adaptation modules" off \
         SQUID_ICAP "Enable ICAP client functionality" off \
         SQUID_ESI "Enable ESI support (experimental)" off \
         SQUID_AUFS "Enable the aufs storage scheme" on \
         SQUID_COSS "Enable COSS (currently not available)" off \
         SQUID_KQUEUE "Use kqueue(2) (experimental)" on \
         SQUID_LARGEFILE "Support log and cache files >2GB" off \
         SQUID_STACKTRACES "Create backtraces on fatal errors" off \
         SQUID_DEBUG "Enable debugging options" off

/Leslie
Re: [squid-users] Problems with transparency and pf

> Thank you. I've split the wiki examples we have for PF into separate
> OpenBSD and FreeBSD pages and added a new section for the altered
> OpenBSD syntax.
>
> Would any of you mind reading through and checking the texts? please?

yes

> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

OK, Thanks very much.

With Squid Cache: Version 2.7.STABLE9 on OpenBSD 4.8 I have below lines
for transparency with PF

# macros
ext_if=em0
int_if=em1
lan_net=192.168.0.0/24

# Default deny
block in log
block out log

antispoof quick for { lo $int_if $ext_if }

#These 2 are the rules for transparency with PF
pass in log on $int_if proto tcp from $lan_net to any port 80 \
    rdr-to 127.0.0.1 port 3128

pass out log on $ext_if inet proto tcp from $ext_if to any \
    port 80

-- 
Thank you
Indunil Jayasooriya
Re: [squid-users] Problems with transparency and pf

On Wed, Mar 30, 2011 at 01:06, Indunil Jayasooriya <induni...@gmail.com> wrote:

> Some PF syntax has been changed since OpenBSD 4.7. One is rdr. Pls see this
>
> http://www.openbsd.org/faq/upgrade47.html
>
> So, when it comes to FreeBSD 8.2, I do NOT know whether this syntax is
> present. Pls check.

I hate to follow up so late (a week later) but I just got this and
thought it worth commenting.

The FreeBSD 8.x line is still using an extremely dated version of pf,
from circa OpenBSD 4.2. -HEAD has some newer code, from (I think)
OpenBSD 4.5, but nothing recent enough to incorporate the syntax
changes. My understanding is that more recent pf code is more closely
coupled to OpenBSD at the OS level, which makes it more difficult to
port to/import into FreeBSD, so it's highly unlikely any version of pf
that uses the newer syntax will be pulled into the 8.x/9.x lines.

kmw
Re: [squid-users] Problems with transparency and pf

On Tue, 5 Apr 2011 10:49:37 -0400, Kevin Wilcox wrote:
> On Wed, Mar 30, 2011 at 01:06, Indunil Jayasooriya wrote:
>
>> Some PF syntax has been changed since OpenBSD 4.7. One is rdr. Pls see this
>>
>> http://www.openbsd.org/faq/upgrade47.html
>>
>> So, when it comes to FreeBSD 8.2, I do NOT know whether this syntax is
>> present. Pls check.
>
> I hate to follow up so late (a week later) but I just got this and
> thought it worth commenting.
>
> The FreeBSD 8.x line is still using an extremely dated version of pf,
> from circa OpenBSD 4.2. -HEAD has some newer code, from (I think)
> OpenBSD 4.5, but nothing recent enough to incorporate the syntax
> changes. My understanding is that more recent pf code is more closely
> coupled to OpenBSD at the OS level, which makes it more difficult to
> port to/import into FreeBSD, so it's highly unlikely any version of pf
> that uses the newer syntax will be pulled into the 8.x/9.x lines.
>
> kmw

Thank you. I've split the wiki examples we have for PF into separate
OpenBSD and FreeBSD pages and added a new section for the altered
OpenBSD syntax.

Would any of you mind reading through and checking the texts? please?

http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf

Amos
Re: [squid-users] Problems with transparency and pf

Hi List

I found out what was wrong. It was in /etc/pf.conf, the int_if
specified as bfe0 should be bge0

So it was a typo!

Thank you very much for your time and effort. I'm a bit ashamed that I
did not spot the typo earlier.

Everything is now acting as expected :-)

/Leslie
Re: [squid-users] Problems with transparency and pf

Pls see below Urls

http://forums.freebsd.org/showthread.php?t=16917
http://forums.freebsd.org/showthread.php?t=14889
http://forums.freebsd.org/showthread.php?t=10874

On Tue, Mar 29, 2011 at 3:32 PM, Leslie Jensen <les...@eskk.nu> wrote:
> Hello list.
>
> I've used squid together with pf for a while on a FreeBSD 7.2-RELEASE
> machine. I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm
> using my config from the 7.2 machine.
>
> My problem is that squid is not working with transparency. The browser
> traffic goes directly to the Internet. Setting proxy in the browser
> works, so I believe squid is ok.
>
> My question is about which build options I must use?
>
> I've used the following:
>
> SQUID_KERB_AUTH           X (ON)
> SQUID_NIS_AUTH            X (ON)
> SQUID_IPV6 (Default)      X (ON)
> SQUID_DELAY_POOLS         X (ON)
> SQUID_SNMP                X (ON)
> SQUID_HTCP (CARP?)        X (ON)
> SQUID_WCCP                X (ON)
> SQUID_IDENT                 (OFF)
> SQUID_IPFW                X (ON)
> SQUID_PF                  X (ON)
> SQUID_AUFS (Default)      X (ON)
> SQUID_KQUEUE              X (ON)
>
> Then I found this
>
> https://wiki.andrewmercer.net/index.php/Squid_-_Transparent_Proxy
>
> Where he suggests that even
>
> SQUID_IPFILTER            X (ON)
>
> Should be activated.
>
> I recompiled Squid3.1 with the above and now I get an error which I can
> understand because I do not have IPFilter installed/active.
>
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
> 2011/03/29 11:14:44| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>
> So when only pf is used, must I compile squid with IPFILTER and IPFW ?
>
> Thanks
>
> /Leslie

-- 
Thank you
Indunil Jayasooriya
Re: [squid-users] Problems with transparency and pf

On 2011-03-29 12:26, Indunil Jayasooriya wrote:
> On Tue, Mar 29, 2011 at 3:32 PM, Leslie Jensen <les...@eskk.nu> wrote:
>> Hello list.
>>
>> I've used squid together with pf for a while on a FreeBSD 7.2-RELEASE
>> machine. I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm
>> using my config from the 7.2 machine.
>>
>> My problem is that squid is not working with transparency. The browser
>> traffic goes directly to the Internet. Setting proxy in the browser
>> works, so I believe squid is ok.
>>
>> My question is about which build options I must use?
>>
>> I've used the following:
>>
>> SQUID_KERB_AUTH           X (ON)
>> SQUID_NIS_AUTH            X (ON)
>> SQUID_IPV6 (Default)      X (ON)
>> SQUID_DELAY_POOLS         X (ON)
>> SQUID_SNMP                X (ON)
>> SQUID_HTCP (CARP?)        X (ON)
>> SQUID_WCCP                X (ON)
>> SQUID_IDENT                 (OFF)
>> SQUID_IPFW                X (ON)
>> SQUID_PF                  X (ON)
>> SQUID_AUFS (Default)      X (ON)
>> SQUID_KQUEUE              X (ON)
>>
>> Then I found this
>>
>> https://wiki.andrewmercer.net/index.php/Squid_-_Transparent_Proxy
>>
>> Where he suggests that even
>>
>> SQUID_IPFILTER            X (ON)
>>
>> Should be activated.
>>
>> I recompiled Squid3.1 with the above and now I get an error which I can
>> understand because I do not have IPFilter installed/active.
>>
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:43| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>> 2011/03/29 11:14:44| IpIntercept.cc(250) IpfInterception: NAT open failed: (2) No such file or directory
>>
>> So when only pf is used, must I compile squid with IPFILTER and IPFW ?
>>
>> Thanks
>>
>> /Leslie
>
> Pls see below Urls
>
> http://forums.freebsd.org/showthread.php?t=16917
> http://forums.freebsd.org/showthread.php?t=14889
> http://forums.freebsd.org/showthread.php?t=10874

Thank you!

I've seen those links and they suggest compiling with PF and IPFW. But
as I wrote it does not work so I'm wondering if IPFILTER should be used.
If not I'm back on square one.

As you can see below I have used more options and maybe it is too much.

squid -v
Squid Cache: Version 3.1.11
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin'
'--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid'
'--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var/squid'
'--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid'
'--with-pidfile=/var/run/squid/squid.pid'
'--enable-removal-policies=lru heap' '--disable-linux-netfilter'
'--disable-linux-tproxy' '--disable-epoll' '--disable-translation'
'--enable-auth=basic digest negotiate ntlm'
'--enable-basic-auth-helpers=DB NCSA PAM MSNT SMB squid_radius_auth YP'
'--enable-digest-auth-helpers=password'
'--enable-external-acl-helpers=ip_user session unix_group wbinfo_group'
'--enable-ntlm-auth-helpers=smb_lm'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-storeio=ufs diskd aufs'
'--enable-disk-io=AIO Blocking DiskDaemon DiskThreads'
'--enable-delay-pools' '--enable-ipfw-transparent'
'--enable-pf-transparent' '--enable-ipf-transparent' '--disable-ecap'
'--disable-loadable-modules' '--enable-kqueue' '--prefix=/usr/local'
'--mandir=/usr/local/man' '--infodir=/usr/local/info/'
'--build=amd64-portbld-freebsd8.2' 'build_alias=amd64-portbld-freebsd8.2'
'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS=' 'CPPFLAGS='
'CXX=c++' 'CXXFLAGS=-O2 -pipe -fno-strict-aliasing' 'CPP=cpp'
--with-squid=/usr/ports/www/squid31/work/squid-3.1.11 --enable-ltdl-convenience

Do you have any suggestions?

/Leslie
Re: [squid-users] Problems with transparency and pf

> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
> config from the 7.2 machine.
>
> My problem is that squid is not working with transparency. The browser
> traffic goes directly to the Internet.

If u r doing with PF, Can I have your pf rules?

I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.

# filter rules
block in log
pass out log

pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
    rdr-to 127.0.0.1 port 3128

in squid.conf file

http_port 3128 transparent

acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

http_access allow localnet

-- 
Thank you
Indunil Jayasooriya
Re: [squid-users] Problems with transparency and pf

On 30/03/11 00:20, Indunil Jayasooriya wrote:
>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>> config from the 7.2 machine.
>>
>> My problem is that squid is not working with transparency. The browser
>> traffic goes directly to the Internet.
>
> If u r doing with PF, Can I have your pf rules?
>
> I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.
>
> # filter rules
> block in log
> pass out log
>
> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>     rdr-to 127.0.0.1 port 3128
>
> in squid.conf file
>
> http_port 3128 transparent
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> http_access allow localnet

It's worth noting the whole intercept section underwent a code change to
make the NAT lookups run-time selected. At the time care was taken not to
change the lookup sequence, but even so mistakes were found. There were
also outstanding reports that some were badly broken before the change
(doing the lookups completely backward so myip ACL matched the remote
client).

I have not had anyone report either works or fails for IPFW, IPFILTER or
PF on the 3.1.10 or later releases. I believe the other modules work due
to people using them successfully.

FWIW; in theory you should be able to build Squid with them all enabled
and whichever your system provides will be used.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
Re: [squid-users] Problems with transparency and pf

On 2011-03-29 13:20, Indunil Jayasooriya wrote:
>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>> config from the 7.2 machine.
>>
>> My problem is that squid is not working with transparency. The browser
>> traffic goes directly to the Internet.
>
> If u r doing with PF, Can I have your pf rules?
>
> I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.
>
> # filter rules
> block in log
> pass out log
>
> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>     rdr-to 127.0.0.1 port 3128
>
> in squid.conf file
>
> http_port 3128 transparent
>
> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>
> http_access allow localnet

This is my pf.conf that worked on the 7.2 system.

proxy_services = { 21, 80 }
internal_net = 172.17.0.0/16
proxy = 127.0.0.1

rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

block in log on $ext_if all

pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state

pass out

I'm trying to use your example but I get a syntax error when trying to
load. I'm aware of line feeds and have checked that there's none.

pass in log on $int_if proto tcp from $internal_net to any port $proxy_services rdr -> $proxy port 8080

Thanks

/Leslie
Re: [squid-users] Problems with transparency and pf

On 2011-03-29 13:47, Amos Jeffries wrote:
> On 30/03/11 00:20, Indunil Jayasooriya wrote:
>>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>>> config from the 7.2 machine.
>>>
>>> My problem is that squid is not working with transparency. The browser
>>> traffic goes directly to the Internet.
>>
>> If u r doing with PF, Can I have your pf rules?
>>
>> I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.
>>
>> # filter rules
>> block in log
>> pass out log
>>
>> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>>     rdr-to 127.0.0.1 port 3128
>>
>> in squid.conf file
>>
>> http_port 3128 transparent
>>
>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>
>> http_access allow localnet
>
> It's worth noting the whole intercept section underwent a code change to
> make the NAT lookups run-time selected. At the time care was taken not to
> change the lookup sequence, but even so mistakes were found. There were
> also outstanding reports that some were badly broken before the change
> (doing the lookups completely backward so myip ACL matched the remote
> client).
>
> I have not had anyone report either works or fails for IPFW, IPFILTER or
> PF on the 3.1.10 or later releases. I believe the other modules work due
> to people using them successfully.
>
> FWIW; in theory you should be able to build Squid with them all enabled
> and whichever your system provides will be used.
>
> Amos

Thank you Amos.

Would you suggest that I revert to 3.0 or even 2.7?

/Leslie
Re: [squid-users] Problems with transparency and pf

On Tue, Mar 29, 2011 at 07:47, Amos Jeffries <squ...@treenet.co.nz> wrote:

> I have not had anyone report either works or fails for IPFW, IPFILTER or
> PF on the 3.1.10 or later releases. I believe the other modules work due
> to people using them successfully.

I can confirm that PF on 3.1.11, running on FreeBSD 8.2-RELEASE, works
great.

The setup:

Base 8.2-RELEASE install
Rebuilt GENERIC kernel with pf, pfsync, pflog added (literally three
lines added to GENERIC)
portsnap fetch extract
Install portmaster, portaudit
portmaster -t -g -d www/squid31

pf.conf rdr:

rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128

Squid listens on 3128

==

Now that I'm back to wondering about getting YouTube and NetFlix to
cache, I've reverted to 2.7-STABLE9 for storeurl_rewrite.

kmw
Re: [squid-users] Problems with transparency and pf

On 30/03/11 00:58, Leslie Jensen wrote:
> On 2011-03-29 13:47, Amos Jeffries wrote:
>> On 30/03/11 00:20, Indunil Jayasooriya wrote:
>>>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>>>> config from the 7.2 machine.
>>>>
>>>> My problem is that squid is not working with transparency. The browser
>>>> traffic goes directly to the Internet.
>>>
>>> If u r doing with PF, Can I have your pf rules?
>>>
>>> I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.
>>>
>>> # filter rules
>>> block in log
>>> pass out log
>>>
>>> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>>>     rdr-to 127.0.0.1 port 3128
>>>
>>> in squid.conf file
>>>
>>> http_port 3128 transparent
>>>
>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>
>>> http_access allow localnet
>>
>> It's worth noting the whole intercept section underwent a code change to
>> make the NAT lookups run-time selected. At the time care was taken not to
>> change the lookup sequence, but even so mistakes were found. There were
>> also outstanding reports that some were badly broken before the change
>> (doing the lookups completely backward so myip ACL matched the remote
>> client).
>>
>> I have not had anyone report either works or fails for IPFW, IPFILTER or
>> PF on the 3.1.10 or later releases. I believe the other modules work due
>> to people using them successfully.
>>
>> FWIW; in theory you should be able to build Squid with them all enabled
>> and whichever your system provides will be used.
>>
>> Amos
>
> Thank you Amos.
>
> Would you suggest that I revert to 3.0 or even 2.7?

For the immediate result I think you should use 2.7, check that the PF
side of things is fine.

When you have confirmed a PF setup with 2.7 as working, please try 3.1
again. I would like to know the result of that (good or bad are both
useful) and if you are able to help debug any bad results to get 3.1
fixed that would be extra great.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
Re: [squid-users] Problems with transparency and pf

On 30/03/11 02:04, Amos Jeffries wrote:
> On 30/03/11 00:58, Leslie Jensen wrote:
>> On 2011-03-29 13:47, Amos Jeffries wrote:
>>> On 30/03/11 00:20, Indunil Jayasooriya wrote:
>>>>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>>>>> config from the 7.2 machine.
>>>>>
>>>>> My problem is that squid is not working with transparency. The browser
>>>>> traffic goes directly to the Internet.
>>>>
>>>> If u r doing with PF, Can I have your pf rules?
>>>>
>>>> I am doing squid 2.7.9 transparent with OpenBSD 4.8. These are my PF rules.
>>>>
>>>> # filter rules
>>>> block in log
>>>> pass out log
>>>>
>>>> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>>>>     rdr-to 127.0.0.1 port 3128
>>>>
>>>> in squid.conf file
>>>>
>>>> http_port 3128 transparent
>>>>
>>>> acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
>>>> acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
>>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>>
>>>> http_access allow localnet
>>>
>>> It's worth noting the whole intercept section underwent a code change to
>>> make the NAT lookups run-time selected. At the time care was taken not to
>>> change the lookup sequence, but even so mistakes were found. There were
>>> also outstanding reports that some were badly broken before the change
>>> (doing the lookups completely backward so myip ACL matched the remote
>>> client).
>>>
>>> I have not had anyone report either works or fails for IPFW, IPFILTER or
>>> PF on the 3.1.10 or later releases. I believe the other modules work due
>>> to people using them successfully.
>>>
>>> FWIW; in theory you should be able to build Squid with them all enabled
>>> and whichever your system provides will be used.
>>>
>>> Amos
>>
>> Thank you Amos.
>>
>> Would you suggest that I revert to 3.0 or even 2.7?
>
> For the immediate result I think you should use 2.7, check that the PF
> side of things is fine.
>
> When you have confirmed a PF setup with 2.7 as working, please try 3.1
> again. I would like to know the result of that (good or bad are both
> useful) and if you are able to help debug any bad results to get 3.1
> fixed that would be extra great.

Meh, nix this. See Kevin's response. 3.1 works :)

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE9 or 3.1.11
  Beta testers wanted for 3.2.0.5
Re: [squid-users] Problems with transparency and pf

On 2011-03-29 14:52, Kevin Wilcox wrote:
> On Tue, Mar 29, 2011 at 07:47, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
>> I have not had anyone report either works or fails for IPFW, IPFILTER or
>> PF on the 3.1.10 or later releases. I believe the other modules work due
>> to people using them successfully.
>
> I can confirm that PF on 3.1.11, running on FreeBSD 8.2-RELEASE, works
> great.
>
> The setup:
>
> Base 8.2-RELEASE install
> Rebuilt GENERIC kernel with pf, pfsync, pflog added (literally three
> lines added to GENERIC)

I'm using a GENERIC kernel, on the former 7.2 system I didn't rebuild
the kernel either. Do you think I need to do that?

/Leslie

> portsnap fetch extract
> Install portmaster, portaudit
> portmaster -t -g -d www/squid31
>
> pf.conf rdr:
>
> rdr pass on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> Squid listens on 3128
>
> ==
>
> Now that I'm back to wondering about getting YouTube and NetFlix to
> cache, I've reverted to 2.7-STABLE9 for storeurl_rewrite.
>
> kmw
Re: [squid-users] Problems with transparency and pf

On Tue, Mar 29, 2011 at 10:07, Leslie Jensen <les...@eskk.nu> wrote:
> On 2011-03-29 14:52, Kevin Wilcox wrote:
>
>> I can confirm that PF on 3.1.11, running on FreeBSD 8.2-RELEASE, works
>> great.
>>
>> The setup:
>>
>> Base 8.2-RELEASE install
>> Rebuilt GENERIC kernel with pf, pfsync, pflog added (literally three
>> lines added to GENERIC)
>
> I'm using a GENERIC kernel, on the former 7.2 system I didn't rebuild
> the kernel either. Do you think I need to do that?

You shouldn't need to, I just did it because I need access to pflog and
the pfsync device for pulling out NAT/PAT information.

Out of curiosity, if you do a pfctl -s info, do you get something like:

INFO: Status: Enabled for 43 days 05:17:26

=

My options file from /var/db/ports/squid:

++
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for squid-2.7.9
_OPTIONS_READ=squid-2.7.9
WITHOUT_SQUID_KERB_AUTH=true
WITHOUT_SQUID_LDAP_AUTH=true
WITHOUT_SQUID_NIS_AUTH=true
WITHOUT_SQUID_SASL_AUTH=true
WITHOUT_SQUID_DELAY_POOLS=true
WITH_SQUID_SNMP=true
WITHOUT_SQUID_CARP=true
WITHOUT_SQUID_SSL=true
WITHOUT_SQUID_PINGER=true
WITHOUT_SQUID_DNS_HELPER=true
WITHOUT_SQUID_HTCP=true
WITHOUT_SQUID_VIA_DB=true
WITHOUT_SQUID_CACHE_DIGESTS=true
WITHOUT_SQUID_WCCP=true
WITHOUT_SQUID_WCCPV2=true
WITHOUT_SQUID_STRICT_HTTP=true
WITH_SQUID_IDENT=true
WITH_SQUID_REFERER_LOG=true
WITH_SQUID_USERAGENT_LOG=true
WITHOUT_SQUID_ARP_ACL=true
WITH_SQUID_PF=true
WITHOUT_SQUID_IPFILTER=true
WITHOUT_SQUID_FOLLOW_XFF=true
WITHOUT_SQUID_AUFS=true
WITHOUT_SQUID_COSS=true
WITH_SQUID_KQUEUE=true
WITH_SQUID_LARGEFILE=true
WITHOUT_SQUID_STACKTRACES=true
++

This is for the latest stable 2.7 (2.7-STABLE9).

kmw
Re: [squid-users] Problems with transparency and pf

> This is my pf.conf that worked on the 7.2 system.

Some PF syntax has been changed since OpenBSD 4.7. One is rdr. Pls see this

http://www.openbsd.org/faq/upgrade47.html

So, when it comes to FreeBSD 8.2, I do NOT know whether this syntax is
present. Pls check.

> proxy_services = { 21, 80 }
> internal_net = 172.17.0.0/16
> proxy = 127.0.0.1
>
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

since rdr syntax has been changed. this is the new since OpenBSD 4.7

for port 80

pass in log on $int_if proto tcp from $lan_net to any port 80 \
    rdr-to 127.0.0.1 port 8080

for port 21, since ftp-proxy is running on OpenBSD

pass in quick log on $int_if proto tcp from $lan_net to any port 21 \
    rdr-to 127.0.0.1 port 8021

> I'm trying to use your example but I get a syntax error when trying to
> load. I'm aware of line feeds and have checked that there's none.
>
> pass in log on $int_if proto tcp from $internal_net to any port $proxy_services rdr -> $proxy port 8080

Pls replace like this and see.

pass in log on $int_if proto tcp from $internal_net to any port 80 rdr -> $proxy port 8080

-- 
Thank you
Indunil Jayasooriya