Re: [squid-users] clientNatLookup: PF open failed: (13) Permission denied

From: Leslie Jensen <leslie_at_eskk.nu>
Date: Thu, 18 Dec 2008 09:53:59 +0100

>> Amos Jeffries skrev:
>>> Chris Robertson wrote:
>>>> Leslie Jensen wrote:
>>>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>>>
>>>>> I've noticed that in cache.log are a lot of entries as the one below
>>>>>
>>>>> clientNatLookup: PF open failed: (13) Permission denied
>>>>>
>>>>> I've found some information on the problem via Google.
>>>>>
>>>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>>>> that is sorted.
>>>>>
>>>>> There is a concern about rights on /dev/pf
>>>>>
>>>>> Finally there's some advice
>>>>>
>>>>> ---- snip----
>>>>> If you are performing any kind of transparent interception with squid
>>>>> you will need one of the --*-transparent options. Without it squid
>>>>> will
>>>>> fail to correctly spoof the clients IP.
>>>>> ----- snip ----
>>>>>
>>>>> I do not fully understand where the "--*-transparent options" are to
>>>>> be found. And if it's the solution to the problem.
>>>>>
>>>>> Will someone Please enlighten me?
>>>> First, I don't know if it is the solution to the problem, but it's an
>>>> easy thing to check...
>>>>
>>>> Run "/path/to/squid -v". That will show what options squid was
>>>> compiled with. For example:
>>>>
>>>> -bash-3.00$ /home/squid2/bin/squid -v
>>>> Squid Cache: Version 2.6.STABLE3
>>>> configure options: '--bindir=/home/squid2/bin'
>>>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>>>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>>>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>>>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>>>> '--disable-ident-lookups' '--disable-useragent-log'
>>>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>>>> -bash-3.00$
>>>>
>>>> If you don't see --enable-pf-transparent in that list, you are going
>>>> to need to recompile.
>>>>
>>> I believe the option is present. The line "PF open failed" should never
>>> occur without it.
>>>
>>> The rc.conf may not necessarily be correct. Bug 2396, about PF
>>> permissions, has only been fixed since 3.0.STABLE8.
>>>
>>> Amos
>> Yes, it's there! Squid is working from what I can see but the error
>> messages are of concern to me.
>
> Yes, the NAT/FW table is not accessible to squid, so some of the controls
> will be failing.
>
>> Mine is Squid Cache: Version 3.0.STABLE10
>> /Leslie
>> -------------- snip ---------------
>> :/usr/local/sbin/squid -v
>> Squid Cache: Version 3.0.STABLE10
>> configure options: '--with-default-user=squid'
> <snip>
>> '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'
>
> Did you check the rc.conf actions?
>
> I see squid is also built with-default-user; that's the username your proxy
> will set itself to run as by default after the startup root stuff is
> finished.
> Can we also have a look at the /dev/pf permissions and the group
> membership of the squid user. (don't change any of that yet, I just think
> it might be useful to know).
>
> Amos
>

What do you mean by rc.conf actions?
I have squid_enable="YES"

ll /dev/pf
crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf

Do I need to give squid rights to read and write /dev/pf ?

The squid user is a member of the squid group only.

/Leslie
Received on Thu Dec 18 2008 - 08:54:08 MST
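The thread boils down to two checks: does `squid -v` show `--enable-pf-transparent` (and which `--with-default-user` the daemon drops to), and can that user actually open `/dev/pf` given its mode, owner and group? The following POSIX sh script is an added example, not code from the thread or from the Squid project. It runs the two checks against constructed sample input copied from the shapes shown above (a `squid -v` configure line and an `ls -l /dev/pf` line), so it works offline; on a real box you would feed it the live output of `squid -v` and `ls -l /dev/pf` and the squid user's group list from `id -Gn squid`. With the `crw------- root wheel` mode Leslie posted, the squid user gets no access, which matches Amos's remark that the NAT/FW table is not accessible to squid.

```shell
#!/bin/sh
# Added diagnostic for the "PF open failed: (13) Permission denied" case.
# Sample inputs below are constructed to mirror the thread, not captured live.

SAMPLE_SQUID_V="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"

SAMPLE_PF_LS="crw------- 1 root wheel 0, 90 Dec 18 09:44 /dev/pf"

# has_pf_transparent OUTPUT: succeeds if squid was built with PF interception.
has_pf_transparent() {
  printf '%s\n' "$1" | grep -q -- "'--enable-pf-transparent'"
}

# default_user OUTPUT: prints the value of --with-default-user, if any.
default_user() {
  printf '%s\n' "$1" | sed -n "s/.*'--with-default-user=\([^']*\)'.*/\1/p"
}

# pf_access LS_LINE USER "GROUP ..." : prints rw, ro or none, describing the
# access USER (a member of the listed groups) has on the device in LS_LINE.
pf_access() {
  line=$1; user=$2; user_groups=$3
  set -- $line                      # split the ls -l line into fields
  mode=$1; owner=$3; group=$4       # e.g. crw------- root wheel
  if [ "$user" = "$owner" ]; then
    perm=$(printf '%s' "$mode" | cut -c2-4)     # owner triplet
  elif printf '%s\n' "$user_groups" | tr ' ' '\n' | grep -qx "$group"; then
    perm=$(printf '%s' "$mode" | cut -c5-7)     # group triplet
  else
    perm=$(printf '%s' "$mode" | cut -c8-10)    # other triplet
  fi
  case $perm in
    rw*) echo rw ;;
    r-*) echo ro ;;
    *)   echo none ;;
  esac
}

# diagnose SQUID_V_OUTPUT LS_LINE "GROUP ...": one-line verdict for the thread's case.
diagnose() {
  if ! has_pf_transparent "$1"; then
    echo "rebuild: --enable-pf-transparent missing"; return
  fi
  u=$(default_user "$1"); u=${u:-root}
  echo "user=$u pf_access=$(pf_access "$2" "$u" "$3")"
}

# Stand-alone run with the constructed samples (squid user in group squid only).
diagnose "$SAMPLE_SQUID_V" "$SAMPLE_PF_LS" "squid"
```

Running it as-is prints `user=squid pf_access=none`; the same script against a device line whose group triplet grants `rw` to a group the squid user belongs to would print `pf_access=rw`.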