Re: Anyone using squid and pf?

2012-12-15 Thread Leslie Jensen



Damien Fleuriot skrev 2012-11-29 00:28:

> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
> port $proxyport tag rdr_proxy
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local
> machine on port 8021
> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
> -> 127.0.0.1 port 8021 tag rdr_ftp
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very
> limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
> 443 } flags S/SAFR




Hello Damien

I'm concentrating on getting the web traffic to work first.
I've changed rule #1 as you can see below but pf returns a syntax error.

# redirect www traffic to proxy
rdr in on $int_if inet proto tcp from !$proxy to any port 
$proxy_services -> $proxy $proxyport tag rdr_proxy


My variables are:
proxy = "172.18.0.1"
proxy_services = "{ 21, 80 }"
proxyport="8080"

Am I supposed to add rule #5 as well or is it a suggestion?

Thanks

/Leslie


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Anyone using squid and pf?

2012-11-30 Thread Damien Fleuriot

On 30 Nov 2012, at 08:30, Leslie Jensen  wrote:

> 
> 
> Damien Fleuriot skrev 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen  wrote:
>>> 
>>> 
>> 
>> 
>> Well, that depends on what you want to do.
>> 
>> If you want FTP traffic to go to ftp-proxy running on the firewall,
>> then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on 
>> $proxy.
>> 
>> 
>> 
>> Let's redo your redirects correctly.
>> I'll expand upon Volodymyr's idea of not confusing normal rules with
>> ones matching a packet that was redirected, through the use of tags.
>> 
>> 
>> 
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
>> port $proxyport tag rdr_proxy
>> 
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local
>> machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
>> -> 127.0.0.1 port 8021 tag rdr_ftp
>> 
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>> 
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>> 
>> # 5/ access rule to allow your proxy to do whatever it wants in a very
>> limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
>> 443 } flags S/SAFR
>> 
>> 
>> 
>> I liked Volodymyr's original intent behind the "rdr pass", the use of
>> tags here allows you to set up actual pass/block rules and still match
>> packets coming from a redirect.
>> This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>> 
>> Well basically it only has advantages.
>> 
>> 
>> Let me know if that helped.
>> 
> 
> Thank you Damien.
> 
> I'll try out your suggestions and report back.
> 
> Thanks :-)
> 
> /Leslie
> 

The rdr rules should read:
rdr in on $int_if from !$proxy to any port 80 tag rdr_proxy -> $proxy port
$proxyport

Notice the packet gets tagged before the "-> destination" syntax.
Otherwise, should be just fine.

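As an added example (not code from the thread or from pf itself), here is a small Python matcher for the "from ... to ... port" part of a pf rdr rule, run over Leslie's original redirect and Damien's replacement with the tag placed before "->". Macro values are the ones posted in the thread; the destination address 203.0.113.10 is a constructed sample, and the matcher only understands this subset of the rdr grammar. It makes visible that `from $internal_net` (172.18.0.0/16) also matches packets whose source is the proxy's own address 172.18.0.1, which `from !$proxy` excludes.

```python
# Added example, not code from the thread: a minimal matcher for the
# "from ... to ... port ..." part of a pf rdr rule. Macro values are the
# ones posted in the thread; the destination 203.0.113.10 is a constructed sample.
import ipaddress
import re

MACROS = {
    "int_if": "bge0",
    "internal_net": "172.18.0.0/16",
    "proxy": "172.18.0.1",
    "proxyport": "8080",
    "proxy_services": "{ 21, 80 }",
}

# Supported subset: rdr [in] on IF inet proto tcp from HOST to HOST port PORTS
#                   [tag NAME] -> HOST port PORT   (the tag sits before "->")
RDR = re.compile(
    r"rdr (?:in )?on (\S+) inet proto tcp from (\S+) to (\S+) port "
    r"(\{[^}]*\}|\S+)(?: tag \S+)? -> (\S+) port (\d+)"
)


def expand(rule, macros=MACROS):
    """Substitute $name macros the way pf.conf macros expand, then normalise whitespace."""
    text = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], rule)
    return " ".join(text.split())


def parse_hosts(spec):
    """'any', '172.18.0.0/16' or '!172.18.0.1' -> (negated, network-or-None)."""
    negated = spec.startswith("!")
    spec = spec.lstrip("!")
    net = None if spec == "any" else ipaddress.ip_network(spec, strict=False)
    return negated, net


def parse_rdr(rule):
    """Return the rule's match fields and its redirect target."""
    m = RDR.fullmatch(expand(rule))
    if m is None:
        raise ValueError("unsupported rdr syntax: " + rule)
    iface, src, dst, ports, rhost, rport = m.groups()
    return {"if": iface, "src": parse_hosts(src), "dst": parse_hosts(dst),
            "ports": {int(p) for p in re.findall(r"\d+", ports)},
            "to": (rhost, int(rport))}


def host_matches(spec, addr):
    negated, net = spec
    hit = net is None or ipaddress.ip_address(addr) in net
    return hit != negated


def redirect(rule, src, dst, dport):
    """(new_dst, new_port) if the rule translates this TCP packet, else None."""
    r = parse_rdr(rule)
    if host_matches(r["src"], src) and host_matches(r["dst"], dst) and dport in r["ports"]:
        return r["to"]
    return None


# Leslie's original redirect and Damien's replacement (tag placed before "->")
ORIGINAL = ("rdr on $int_if inet proto tcp from $internal_net to any port "
            "$proxy_services -> $proxy port 8080")
PROPOSED = ("rdr in on $int_if inet proto tcp from !$proxy to any port 80 "
            "tag rdr_proxy -> $proxy port $proxyport")

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL), ("proposed", PROPOSED)):
        # a LAN client, then the proxy host itself, both talking to port 80
        print(name, redirect(rule, "172.18.0.100", "203.0.113.10", 80),
              redirect(rule, "172.18.0.1", "203.0.113.10", 80))
```

The original rule also sends port 21 to squid on 8080, which the proposed rule leaves to the separate ftp-proxy redirect.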


Re: Anyone using squid and pf?

2012-11-29 Thread Leslie Jensen



Damien Fleuriot skrev 2012-11-29 00:28:

> On 27 November 2012 22:01, Leslie Jensen  wrote:
>
> Well, that depends on what you want to do.
>
> If you want FTP traffic to go to ftp-proxy running on the firewall,
> then redirect to 8021.
> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>
> Let's redo your redirects correctly.
> I'll expand upon Volodymyr's idea of not confusing normal rules with
> ones matching a packet that was redirected, through the use of tags.
>
> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
> port $proxyport tag rdr_proxy
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local
> machine on port 8021
> rdr in on $int_if inet proto tcp from $int_if:network to any port 21
> -> 127.0.0.1 port 8021 tag rdr_ftp
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very
> limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80
> 443 } flags S/SAFR
>
> I liked Volodymyr's original intent behind the "rdr pass", the use of
> tags here allows you to set up actual pass/block rules and still match
> packets coming from a redirect.
> This has many advantages, including:
> - quick keyword
> - flags matching
> - use of labels to keep stats, if you'd like to
>
> Well basically it only has advantages.
>
> Let me know if that helped.


Thank you Damien.

I'll try out your suggestions and report back.

Thanks :-)

/Leslie




Re: Anyone using squid and pf?

2012-11-28 Thread Damien Fleuriot
On 27 November 2012 22:01, Leslie Jensen  wrote:
>
>
> Volodymyr Kostyrko skrev 2012-11-26 21:50:
>>
>> 26.11.2012 20:40, Leslie Jensen:
>>
>>> Rules from pf.conf
>>>
>>> 
>>> # macros
>>> ext_if="xl0"
>>> int_if="bge0"
>>>
>>> tcp_services="{ 22, 993, 5910:5917 }"
>>> tcp_priv_services="{ 389, 443 }"
>>> proxy_services = "{ 21, 80 }"
>>> icmp_types="{ echoreq unreach squench timex }"
>>> internal_net = "172.18.0.0/16"
>>> proxy = "172.18.0.1"
>>> proxyport="8021"
>>>
>>> # tables
>>> table  persist
>>> table  persist
>>>
>>> # options
>>> set block-policy return # ports are closed but can be seen
>>> set loginterface $ext_if
>>>
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www traffic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port
>>> $proxy_services -> $proxy port 8080
>>
>>
>> I could be wrong here but I think you have a loop. You are redirecting
>> from local interface to local interface i.e. the result of redirect is
>> still subject for redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>>
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
>> so port for transparent forwarding is unreachable except when explicitly
>> redirecting to it.
>>
>> Personally I newer allow such ambiguity in my configs.
>>
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule so that's why
> I use port 8021.
>
> Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
>
> /Leslie
>


Well, that depends on what you want to do.

If you want FTP traffic to go to ftp-proxy running on the firewall,
then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on $proxy.



Let's redo your redirects correctly.
I'll expand upon Volodymyr's idea of not confusing normal rules with
ones matching a packet that was redirected, through the use of tags.



# 1/ redirect web traffic to the proxy $proxy on port $proxyport
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy
port $proxyport tag rdr_proxy

# 2/ redirect FTP traffic to the ftp-proxy running on the local
machine on port 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21
-> 127.0.0.1 port 8021 tag rdr_ftp

# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy

# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ access rule to allow your proxy to do whatever it wants in a very
limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80
443 } flags S/SAFR



I liked Volodymyr's original intent behind the "rdr pass", the use of
tags here allows you to set up actual pass/block rules and still match
packets coming from a redirect.
This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to

Well basically it only has advantages.


Let me know if that helped.


Re: Anyone using squid and pf?

2012-11-27 Thread Leslie Jensen



Volodymyr Kostyrko skrev 2012-11-26 21:50:

> 26.11.2012 20:40, Leslie Jensen:
>
>> Rules from pf.conf
>>
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>>
>> # tables
>> table  persist
>> table  persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting
> from local interface to local interface i.e. the result of redirect is
> still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
>
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
> so port for transparent forwarding is unreachable except when explicitly
> redirecting to it.
>
> Personally I never allow such ambiguity in my configs.


#1 gives a syntax error when I try to load it.

#2 My intention is to redirect only ftp traffic with this rule so that's 
why I use port 8021.


Do you mean that I should redirect even ftp traffic to port 8080?

Thanks!

/Leslie


Re: Anyone using squid and pf?

2012-11-27 Thread Leslie Jensen



Doug Sampson skrev 2012-11-27 18:34:

> [...]
>
>> Rules from pf.conf
>>
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>>
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>   ^
> No whitespace here
>
>> # tables
>> table  persist
>> table  persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>>
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>   ^
> Whitespace here. Maybe that's the issue here?
>
>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> [...]



Thanks!

No if you see I have a $proxy and a $proxyport (I shall rename this one. 
It's confusing, I know)


So the whitespace is not the problem.

/Leslie


Re: Anyone using squid and pf?

2012-11-27 Thread Fleuriot Damien

On Nov 27, 2012, at 6:34 PM, Doug Sampson  wrote:

> [...]
> 
>> Rules from pf.conf
>> 
>> 
>> # macros
>> ext_if="xl0"
>> int_if="bge0"
>> 
>> tcp_services="{ 22, 993, 5910:5917 }"
>> tcp_priv_services="{ 389, 443 }"
>> proxy_services = "{ 21, 80 }"
>> icmp_types="{ echoreq unreach squench timex }"
>> internal_net = "172.18.0.0/16"
>> proxy = "172.18.0.1"
>> proxyport="8021"
>   ^
> No whitespace here
> 
>> 
>> # tables
>> table  persist
>> table  persist
>> 
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>> 
>> set skip on lo0
>> 
>> # scrub
>> scrub in
>> 
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>> 
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>   ^
> Whitespace here. Maybe that's the issue here?
> 


Erm, working as intended, Doug.

He's redirecting from his internal net to any port defined as proxiable, to his 
$proxy machine on port 8080.

Looks good to me.




>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> 
> [...]


RE: Anyone using squid and pf?

2012-11-27 Thread Doug Sampson
[...]

> Rules from pf.conf
> 
> 
> # macros
> ext_if="xl0"
> int_if="bge0"
> 
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
   ^
No whitespace here

> 
> # tables
> table  persist
> table  persist
> 
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
> 
> set skip on lo0
> 
> # scrub
> scrub in
> 
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> 
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port
> $proxy_services -> $proxy port 8080
   ^
Whitespace here. Maybe that's the issue here?

> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)

[...]


Re: Anyone using squid and pf?

2012-11-27 Thread Leslie Jensen



Volodymyr Kostyrko skrev 2012-11-26 21:50:

>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port
>> $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting
> from local interface to local interface i.e. the result of redirect is
> still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
>
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way
> so port for transparent forwarding is unreachable except when explicitly
> redirecting to it.
>
> Personally I never allow such ambiguity in my configs.


Thanks!

I'll try it out. I need to wait until tonight, the machine is in use at 
the moment.


#1 I see your point.

#2 this rule is for intended ftp traffic. That's why I'm sending to 
another port number.


/Leslie


Re: Anyone using squid and pf?

2012-11-26 Thread Volodymyr Kostyrko

26.11.2012 20:40, Leslie Jensen:

> Rules from pf.conf
>
> # macros
> ext_if="xl0"
> int_if="bge0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.18.0.0/16"
> proxy = "172.18.0.1"
> proxyport="8021"
>
> # tables
> table  persist
> table  persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port
> $proxy_services -> $proxy port 8080

I could be wrong here but I think you have a loop. You are redirecting 
from local interface to local interface i.e. the result of redirect is 
still subject for redirect. Could you try one of the following:


1. Make this a `rdr in on $int_if`.

2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way 
so port for transparent forwarding is unreachable except when explicitly 
redirecting to it.


Personally I never allow such ambiguity in my configs.

--
Sphinx of black quartz judge my vow.


Re: Anyone using squid and pf?

2012-11-26 Thread Leslie Jensen



Volodymyr Kostyrko skrev 2012-11-26 10:38:

> 24.11.2012 17:39, Leslie Jensen:
>
>> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
>> configuration file now gives me errors in cache.log when one tries to
>> access any site, and of course no access!
>>
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>>
>> Reverting back to 3.1 works.
>>
>> I know there are some changes in 3.2 that do this
>>
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>>
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>>
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
>
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't look
> like your case.
>
> Can you please provide relevant parts of pf.conf and full log output,
> not just the first line?


Just to clarify. I'm running pf and squid on the same machine.

Yes I've also split the listening ports.

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080


Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2)
Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.aftonbladet.se/
Via: 1.1 "FQDN machine name" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Cache-Control: max-age=259200
Connection: keep-alive



Rules from pf.conf


# macros
ext_if="xl0"
int_if="bge0"

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
proxyport="8021"

# tables
table  persist
table  persist

# options
set block-policy return # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port 
$proxy_services -> $proxy port 8080


# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all

block in log quick on $ext_if from  label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 
8080 keep state


pass out log on $ext_if inet proto tcp from $proxy to any port 
$proxy_services keep state


# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#

Thanks

/Leslie



Re: Anyone using squid and pf?

2012-11-26 Thread Volodymyr Kostyrko

24.11.2012 17:39, Leslie Jensen:

> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
> configuration file now gives me errors in cache.log when one tries to
> access any site, and of course no access!
>
> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>
> Reverting back to 3.1 works.
>
> I know there are some changes in 3.2 that do this
>
> + 3.2 intercept port receiving forward-proxy requests will reject them
> due to NAT failure/lies.
>
> + 3.2 Host header validation *will* reject if forward traffic is
> validated as being intercepted.
>
> I would appreciate suggestions for changes to squid.conf so that squid
> will work for me with version 3.2.

When switching to 3.2 I had to split listening ports - one for 
transparency and one for the local machine. However this doesn't look 
like your case.


Can you please provide relevant parts of pf.conf and full log output, 
not just the first line?


--
Sphinx of black quartz, judge my vow.


Anyone using squid and pf?

2012-11-24 Thread Leslie Jensen


I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same 
configuration file now gives me errors in cache.log when one tries to 
access any site, and of course no access!


2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:

Reverting back to 3.1 works.

I know there are some changes in 3.2 that do this

+ 3.2 intercept port receiving forward-proxy requests will reject them 
due to NAT failure/lies.


+ 3.2 Host header validation *will* reject if forward traffic is 
validated as being intercepted.


I would appreciate suggestions for changes to squid.conf so that squid 
will work for me with version 3.2.


Thanks

/Leslie