Re: [squid-users] Problems with transparency and pf

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 30 Mar 2011 02:04:08 +1300

On 30/03/11 00:58, Leslie Jensen wrote:
>
>
> On 2011-03-29 13:47, Amos Jeffries wrote:
>> On 30/03/11 00:20, Indunil Jayasooriya wrote:
>>>> I've now installed FreeBSD 8.2-RELEASE on new hardware and I'm using my
>>>> config from the 7.2 machine.
>>>>
>>>> My problem is that squid is not working with transparency. The browser
>>>> traffic goes directly to the Internet.
>>>>
>>>
>>> If you are doing it with PF, can I have your pf rules?
>>>
>>> I am doing Squid 2.7.9 transparent with OpenBSD 4.8.
>>>
>>>
>>> These are my PF rules.
>>>
>>>
>>> # filter rules
>>> block in log
>>> pass out log
>>>
>>>
>>> pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \
>>> rdr-to 127.0.0.1 port 3128
>>>
>>>
>>> in squid.conf file
>>>
>>> http_port 3128 transparent
>>>
>>>
>>> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
>>> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
>>> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
>>>
>>> http_access allow localnet
>>>
>>
>> It's worth noting the whole intercept section underwent a code change to
>> make the NAT lookups run-time selected. At the time care was taken not
>> to change the lookup sequence, but even so mistakes were found. There
>> were also outstanding reports that some were badly broken before the
>> change (doing the lookups completely backward so "myip" ACL matched the
>> remote client).
>>
>> I have not had anyone report either "works" or "fails" for IPFW,
>> IPFILTER or PF on the 3.1.10 or later releases.
>>
>> I believe the other modules work due to people using them successfully.
>>
>> FWIW; in theory you should be able to build Squid
>> with them all enabled and whichever your system provides will be used.
>>
>> Amos
>
> Thank you Amos.
>
> Would you suggest that I revert to 3.0 or even 2.7?
>

For the immediate result I think you should use 2.7 and check that the PF
side of things is fine.
When you have confirmed a PF setup with 2.7 as working, please try 3.1
again.
I would like to know the result of that (good or bad are both useful)
and if you are able to help debug any bad results to get 3.1 fixed, that
would be extra great.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.11
   Beta testers wanted for 3.2.0.5
Received on Tue Mar 29 2011 - 13:04:13 MDT
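
A static consistency check for the setup quoted in this thread, as an added example that is not part of the original messages or of Squid: it confirms that every port a pf `rdr-to` rule redirects to has a Squid `http_port` flagged `transparent` (or `intercept`, the Squid 3.1 name for the same flag). The sample configs are constructed from the rules quoted above, and all function names are hypothetical.

```python
import re

# Constructed samples modelled on the rules quoted in the thread.
PF_CONF = """\
block in log
pass out log
pass in log on $int_if proto tcp from $lan_net to any port { 80 8080 } \\
    rdr-to 127.0.0.1 port 3128
"""
SQUID_CONF = """\
http_port 3128 transparent
acl localnet src 192.168.0.0/16  # RFC1918 possible internal network
http_access allow localnet
"""

def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def pf_redirect_ports(pf_text):
    """Ports that 'rdr-to <addr> port <n>' rules hand traffic to."""
    return {int(m.group(1)) for line in logical_lines(pf_text)
            for m in re.finditer(r"\brdr-to\s+\S+\s+port\s+(\d+)", line)}

def squid_intercept_ports(squid_text):
    """http_port entries carrying the interception flag."""
    ports = set()
    for line in logical_lines(squid_text):
        fields = line.split()
        if fields[0] == "http_port" and len(fields) >= 3 \
                and {"transparent", "intercept"} & set(fields[2:]):
            ports.add(int(fields[1].rsplit(":", 1)[-1]))  # accepts addr:port too
    return ports

def check(pf_text, squid_text):
    """Return a list of mismatches; an empty list means the files agree."""
    redirected = pf_redirect_ports(pf_text)
    listening = squid_intercept_ports(squid_text)
    problems = [] if redirected else ["pf.conf has no rdr-to rule"]
    for port in sorted(redirected - listening):
        problems.append(f"pf redirects to port {port}, but no Squid "
                        "http_port there is marked transparent/intercept")
    return problems

if __name__ == "__main__":
    print(check(PF_CONF, SQUID_CONF) or "pf.conf and squid.conf agree")
```

The check compares the two files only; it does not show which ruleset pf has loaded or which NAT lookup Squid was built with.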
