On 23 January 2015 at 16:07, Amos Jeffries <squ...@treenet.co.nz> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >
> > Once more. You CANNOT have neither web-server nor other service
> > with listening port 80 on the same host as transparent Squid proxy.
> > This is one and only reason you have looping.
> >
>
> That is not correct. It can be done, but depends on how the firewall
> operates and what ruleset is used.
>
> One has to intercept traffic transiting the machine, but ignore
> traffic destined *to* or *from* the local machines running processes.
>
> > Look. On my transparent 3.4.11 (which was early 2.7) IPFilter
> > redirects 80 port to proxy. My web server on the same host listens
> > only 8080, 8088 and 8888 ports. No one service except NAT is using
> > 80 port.
> >
> > And finally I have no looping 4 years.
> >
> > Obvious, is it?
> >
>
> Maybe there was, maybe there wasn't.
>
> Squid-2.7 ignored a lot of NAT related errors and even silently did
> some Very Bad Things(tm) - none of which Squid-3.2+ will allow to
> happen anymore.
>
>
> Odhiambo:
> I suspect it might be related to your use of "rdr" firewall rules. In
> OpenBSD PF at least rdr rules do not work properly and divert-to rules
> needs to be used instead (divert-to can be used for either TPROXY or
> NAT Squid listening ports on BSD).
>

I am thinking Squid-3.2+ is evil :-)

Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v
And my IPFilter rules are here: http://pastebin.com/JQ77X01H

I need to figure out why squid is DENYing all access ..

-- 
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users