On Fri, Apr 15, 2016 at 8:45 AM, Odhiambo Washington <odhia...@gmail.com> wrote:
> Hello Amos,
>
> All noted.
>
> Lemme consult with some FreeBSD guys on these.
>

As a FreeBSD user, here's my two cents. You should be using the www/squid port. If the port doesn't compile with the options you wish, open a problem report with FreeBSD and/or ask on the FreeBSD ports mailing list. The maintainer of the www/squid port is pretty responsive and helpful. I don't have any issues with www/squid on FreeBSD 10.1-RELEASE.

>
> On 15 April 2016 at 18:13, Amos Jeffries <squ...@treenet.co.nz> wrote:
>
>> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
>> >
>> > With luck, I have managed to get squid to compile successfully (after
>> > upgrading a few components here and there). I used:
>>
>> Yay!
>>
>> >
>> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
>> > while I see this error about NAT:
>> >
>> <snip>
>> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>>
>> These are the kernel NAT system telling Squid the connection being
>> looked up has no record there.
>>
>> It could be TCP connections being made straight to the intercept port.
>> If so you need to update the firewall config to prevent them, even from
>> localhost.
>> In Linux we use a mangle table rule, since that is the filter pre-NAT
>> that can do it. I'm not sure how FreeBSD would do that. It has to be
>> done on packets' first arrival pre-NAT. Any filter that is applied after
>> the NAT action will get it wrong due to the NAT changes.
>>
>>
>> It could be the NAT system's table of connections filling up and
>> overflowing. If so there should be a kernel sysctl somewhere to increase
>> that table size.
>>
>> >
>> > In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
>> > It's the inception stage so I haven't delved deep into ssl-bump
>> > configurations...
>> >
>>
>> HTH
>> Amos
>>
>>
>
>
> --
> Best regards,
> Odhiambo WASHINGTON,
> Nairobi,KE
> +254 7 3200 0004/+254 7 2274 3223
> "Oh, the cruft."
>
> _______________________________________________
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>
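
An added example, not part of the original thread: a Python triage script for the `NAT/TPROXY lookup failed` lines quoted above, grouping them by source address and by minute to help tell the two causes Amos describes apart. Only the first sample line comes from the thread; the rest are constructed, and the heuristics (loopback or repeating sources point to direct connections to the intercept port, many distinct sources in one minute point to a full NAT table) are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Sample cache.log input: first line is from the thread, the others are constructed.
SAMPLE_LOG = """\
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:17:24| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57730 FD 31 flags=33
2016/04/15 16:17:24| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=127.0.0.1:40112 FD 33 flags=33
2016/04/15 16:18:02| Some unrelated cache.log message
2016/04/15 16:18:05| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.71:51200 FD 35 flags=33
"""

# Captures the minute, the intercept listener, and the client address (port split off).
NAT_FAIL = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}):\d{2}\| ERROR: NAT/TPROXY lookup failed "
    r"to locate original IPs on local=(?P<local>\S+) remote=(?P<rip>\S+):(?P<rport>\d+)"
)

def is_loopback(ip):
    """True for 127.0.0.0/8 or ::1 (bracketed IPv6 accepted)."""
    try:
        return ipaddress.ip_address(ip.strip("[]")).is_loopback
    except ValueError:
        return False

def summarize(text, repeat_threshold=2):
    """Count NAT lookup failures per remote IP and per minute."""
    per_remote, per_minute = Counter(), Counter()
    for line in text.splitlines():
        m = NAT_FAIL.match(line)
        if m:
            per_remote[m["rip"]] += 1
            per_minute[m["ts"]] += 1
    return {
        "total": sum(per_remote.values()),
        "per_remote": per_remote,
        "per_minute": per_minute,
        # Assumption: a loopback source can only be a direct connection to the port.
        "loopback": sorted(ip for ip in per_remote if is_loopback(ip)),
        # Assumption: the same source failing repeatedly suggests a misdirected client.
        "repeat": sorted(ip for ip, n in per_remote.items() if n >= repeat_threshold),
    }

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("failures:", report["total"])
    print("by remote:", report["per_remote"].most_common())
    print("by minute:", sorted(report["per_minute"].items()))
    print("loopback sources:", report["loopback"], "repeat sources:", report["repeat"])
```

Run it against the real `cache.log` by passing the file's contents to `summarize()` in place of `SAMPLE_LOG`.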