Re: [squid-users] Problems with transparency and pf

From: Leslie Jensen <leslie_at_eskk.nu>
Date: Tue, 29 Mar 2011 13:58:08 +0200

On 2011-03-29 13:47, Amos Jeffries wrote:
> On 30/03/11 00:20, Indunil Jayasooriya wrote:
>>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>>> config from the 7.2 machine.
>>>
>>> My problem is that squid is not working with transparency. The browser
>>> traffic goes directly to the Internet.
>>>
>>
>> If you are doing it with PF, can I have your PF rules?
>>
>> I am doing Squid 2.7.9 transparent with OpenBSD 4.8.
>>
>>
>> These are my PF rules.
>>
>>
>> # filter rules
>> block in log
>> pass out log
>>
>>
>> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>> rdr-to 127.0.0.1 port 3128
>>
>>
>> in squid.conf file
>>
>> http_port 3128 transparent
>>
>>
>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>
>> http_access allow localnet
>>
>
> It's worth noting the whole intercept section underwent a code change to
> make the NAT lookups run-time selected. At the time care was taken not
> to change the lookup sequence, but even so mistakes were found. There
> were also outstanding reports that some were badly broken before the
> change (doing the lookups completely backward so "myip" ACL matched the
> remote client).
>
> I have not had anyone report either "works" or "fails" for IPFW,
> IPFILTER or PF on the 3.1.10 or later releases.
>
> I believe the other modules work due to people using them successfully.
>
> FWIW; in theory you should be able to build Squid
> with them all enabled and whichever your system provides will be used.
>
> Amos

Thank you Amos.

Would you suggest that I revert to 3.0 or even 2.7?

/Leslie
Received on Tue Mar 29 2011 - 11:58:10 MDT
