Re: [squid-users] Spawning external processes with Squid on FreeBSD

From: Randy Smith <compunut@dont-contact.us>
Date: Thu, 19 Jul 2001 20:36:02 -0700

Colin:

I cannot thank you enough for your help. The problem was somewhere I
never would have thought to look. It was with the ipf firewall
ruleset. Everything else on the system worked great. I didn't think that
Squid would be using IP sockets to communicate with children.

Disabling the rules and doing a simple pass all fixed the problem. For
future reference, here is a summary of the problem and resolution.

I installed Squid on FreeBSD servers. I followed the directions in
<http://www.hacom.nl/~richard/software/smb_auth.html>.

In the squid log, the following error occurs:
   WARNING: Cannot run '/usr/local/squid/bin/smb_auth' process.
Note that the path can change.

On the servers running squid, I was also running IPF firewall rules to
protect the machines. In the rules, I used keepstate extensively. The
keepstate feature has always seemed a bit quirky to me. In this case,
Squid used IP sockets to communicate with spawned smb_auth processes due to
keepstate rules on the loopback address. By removing keepstate (and flags
S) from all loopback address entries of the firewall, the problem went away.

I want to thank Colin Campbell again for all the great help that was given
to me!

Have a great day y'all!

Randy

At 12:07 PM 7/19/2001 +1000, you wrote:
>Hi,
>
>On Wed, 18 Jul 2001, Randy Smith wrote:
>
> > OK. Now this is interesting. So, are the tasks communicating through IP
> > loopback?
>
>It is IP (TCP socket actually) and possibly the loopback address
>(127.0.0.1) but I am not sure and that's why I wanted the squid debug
>options set. So, edit squid.conf and reconfigure. Since you mention the
>firewall stuff, it's possibly that which is breaking things. I believe the
>debug output will display all the socket addresses and explain quite a
>bit.
>
> > I can't tell you how much I appreciate this help. I have learned an
> > incredible amount about *nix from this.
>
>No problem. Just set the squid debug as follows:
>
> debug_options ALL,1 50,9 54,9
>
>Colin

keywords: SMB, smb_auth, domain, domain authentication, squid, proxy, ipf,
ipfilter, keepstate
Received on Thu Jul 19 2001 - 21:33:53 MDT
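
A check for the condition described in the message above, as an added example that is not part of the original thread or of Squid/ipf: it scans an ipf ruleset for loopback rules that use keep state and prints each rule with keep state and flags removed, the change the post reports. The sample ruleset is constructed, lo0 is assumed to be the loopback interface name, and find_stateful_loopback_rules is a hypothetical helper name.

```python
import re

# Constructed sample ruleset (not from the original post). lo0 is assumed
# to be the loopback interface and fxp0 an external interface.
SAMPLE_RULES = """\
# loopback
pass in quick on lo0 proto tcp from any to any flags S keep state
pass out quick on lo0 proto tcp from any to any flags S keep state
pass in quick on lo0 proto udp from any to any
# external interface
pass out quick on fxp0 proto tcp from any to any flags S keep state
block in log on fxp0 all
pass in quick proto tcp from 127.0.0.1/32 to 127.0.0.1/32 port = 3128 keep state
"""

LOOPBACK_IF = re.compile(r"\bon\s+lo\d+\b")
LOOPBACK_ADDR = re.compile(r"\b127\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:/\d{1,2})?\b")
KEEP_STATE = re.compile(r"\bkeep\s+state\b")
FLAGS = re.compile(r"\bflags\s+\S+")


def find_stateful_loopback_rules(text):
    """Return (line_no, rule, suggestion) for loopback rules using keep state."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        rule = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not rule:
            continue
        on_loopback = LOOPBACK_IF.search(rule) or LOOPBACK_ADDR.search(rule)
        if on_loopback and KEEP_STATE.search(rule):
            # Suggested rewrite mirrors the fix in the post:
            # remove keep state and flags from the loopback rule.
            fixed = FLAGS.sub("", KEEP_STATE.sub("", rule))
            findings.append((no, rule, " ".join(fixed.split())))
    return findings


if __name__ == "__main__":
    for no, rule, fixed in find_stateful_loopback_rules(SAMPLE_RULES):
        print(f"line {no}: {rule}\n   suggest: {fixed}")
```

Rules on other interfaces keep their state tracking; only entries bound to the loopback interface or a 127.x.x.x address are reported.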
