On 1/06/2013 11:58 a.m., Rob Sheldon wrote:
On 2013-05-31 16:07, Loïc BLOT wrote:
Instead of your ugly:
pass quick on lo0
use:
skip lo0
which is better :)

Thanks, I forgot about skip.

You must redirect traffic on your LAN interface directed to any remote port 80 to your LAN IP:3129, and also allow TCP 3129 in pf:

pass out quick on $lan_if proto tcp to port 80 rdr-to $lan_ip port 3129
pass in quick on $lan_if proto tcp to $lan_ip port 3129

You mustn't redirect to the localhost iface, it's bad.

I'd rather not futz around with pf anymore for now, since I don't think that's where the problem is. (Unless Squid for some reason requires "http_port...intercept" to be passed through an rdr rule...?

Why yes. Squid does.
If you don't, you will end up with invalid-URL errors.

FWIW: sending non-intercept traffic to the proxy intercept port will show up as forwarding loops. But don't read too much into that ... AFAICT your tests were using the non-intercept port for the directly configured traffic so that should be a different loop reason than what you were hitting.

The loop you were hitting did seem to be traffic through Squid and outbound to somewhere port 80 being redirected a second time into Squid.

) I'd rather just get the most basic test case working first before involving any pf rules which might further complicate troubleshooting.

For normal and transparent you are correct. Have you compiled Squid with the --enable-pf-transparent option? (/usr/local/squid/sbin/squid -v shows you.)

I've got Squid 3.2.7. Here's the output from -v:

configure options: '--enable-shared' '--datadir=/usr/local/share/squid' '--libexecdir=/usr/local/libexec/squid' '--disable-loadable-modules' '--enable-arp-acl' '--enable-auth' '--enable-auth-basic=NCSA SMB NIS radius LDAP' '--enable-auth-digest=file LDAP' '--enable-auth-negotiate=kerberos' '--enable-auth-ntlm=fake smb_lm' '--enable-delay-pools' '--enable-external-acl-helpers=file_userip session unix_group wbinfo_group LDAP_group' '--enable-follow-x-forwarded-for' '--enable-forw-via-db' '--enable-http-violations' '--enable-icap-client' '--enable-ipv6' '--enable-referer-log' '--enable-removal-policies=lru heap' '--enable-ssl' '--enable-stacktraces' '--enable-storeio=aufs ufs diskd ' '--with-default-user=_squid' '--with-filedescriptors=8192' '--with-pidfile=/var/run/squid.pid' '--with-pthreads' '--with-swapdir=/var/squid/cache' '--disable-pf-transparent' '--enable-ipfw-transparent' '--prefix=/usr/local' '--sysconfdir=/etc/squid' '--mandir=/usr/local/man' '--infodir=/usr/local/info' '--localstatedir=/var/squid' '--disable-silent-rules' 'CC=cc' 'CFLAGS=-O2 -pipe' 'LDFLAGS=-L/usr/local/lib' 'CPPFLAGS=-I/usr/local/include' 'CXX=c++' 'CXXFLAGS=-O2 -pipe'

...it looks correct for that version. According to http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#NAT_Interception_proxy, --enable-pf-transparent doesn't work until Squid 3.4; "--disable-pf-transparent --enable-ipfw-transparent" is the recommended way for 3.3 and 3.2.


Yes that is correct.

Amos
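A minimal pf.conf fragment for the interception setup discussed in this thread, added here as an illustration; it is not taken from any of the posters and the interface names, addresses and network are assumptions. The point it shows is the one behind the forwarding loop Amos describes: the redirect is scoped to client HTTP arriving in on the LAN interface, so the port-80 connections Squid itself opens, which leave out on the WAN interface, never match the rdr rule and cannot be sent back into the proxy.

```pf
# Added example, not from the thread. Interface names, addresses and the
# LAN network are assumptions; adjust to the real topology.
lan_if  = "em1"
wan_if  = "em0"
lan_ip  = "192.168.1.1"
lan_net = "192.168.1.0/24"

# Do not filter loopback at all (the pf.conf form of "skip lo0").
set skip on lo0

# Intercept only client HTTP that arrives *in* on the LAN interface and is
# not addressed to the router itself. Packets Squid originates go *out* on
# $wan_if, so they never match this rule and are not redirected a second time.
pass in quick on $lan_if proto tcp from $lan_net to ! $lan_ip port 80 \
    rdr-to $lan_ip port 3129

# Let the redirected connections reach Squid's intercept port on the LAN IP
# (not on localhost).
pass in quick on $lan_if proto tcp from $lan_net to $lan_ip port 3129

# Squid's upstream fetches leave unredirected.
pass out quick on $wan_if proto tcp to any port 80
```

This pairs with `http_port 3129 intercept` in squid.conf (the directive already mentioned in the thread) and a Squid built with the transparent-proxy option appropriate for its version. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and confirm that `pfctl -ss` shows client connections rewritten to $lan_ip:3129 while Squid's own outbound connections on $wan_if still show their original destination.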
