Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-20 Thread Stuart Henderson
On 2011-04-20, Indunil Jayasooriya  wrote:
> On Tue, Apr 19, 2011 at 12:00 PM, Indunil Jayasooriya
> wrote:
>
>
>> many thanks.  I got it working. I changed from http_port 3129 intercept to
>> http_port 127.0.0.1:3129 intercept in squid.conf file.
>>
>> Here's the rule in pf.conf
>>
>> pass in log on $int_if proto tcp from $lan_net to any port 80 \
>> divert-to 127.0.0.1 port 3129
>>
>
> very sorry. After sending this mail, I checked squid cache.log with
> below command
>
> tail -f /var/squid/logs/cache.log
>
>
>  this below error still appears.
>
> Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied
>
>
> I just wanted to let you know. If this is a trouble, Pls excuse me.
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>
>

Your copy of Squid is built with --enable-pf-transparent, build a new one
from -current ports or remove that line from CONFIGURE_ARGS and reinstall.



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-20 Thread Indunil Jayasooriya
On Tue, Apr 19, 2011 at 12:00 PM, Indunil Jayasooriya
 wrote:


> many thanks.  I got it working. I changed from http_port 3129 intercept to
> http_port 127.0.0.1:3129 intercept in squid.conf file.
>
> Here's the rule in pf.conf
>
> pass in log on $int_if proto tcp from $lan_net to any port 80 \
> divert-to 127.0.0.1 port 3129
>

very sorry. After sending this mail, I checked squid cache.log with
below command

tail -f /var/squid/logs/cache.log


 this below error still appears.

Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied


I just wanted to let you know. If this is a trouble, Pls excuse me.





--
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-19 Thread Indunil Jayasooriya
> The non-obvious thing here is you must bind the listening socket in
> squid to 127.0.0.1 e.g.
>
> http_port 127.0.0.1:3127 transparent
>
> I will talk to the port maintainer about removing --enable-pf-transparent.
>
>
many thanks.  I got it working. I changed from http_port 3129 intercept to
http_port 127.0.0.1:3129 intercept in squid.conf file.

Here's the rule in pf.conf

pass in log on $int_if proto tcp from $lan_net to any port 80 \
divert-to 127.0.0.1 port 3129




-- 
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-15 Thread Indunil Jayasooriya
> The non-obvious thing here is you must bind the listening socket in
> squid to 127.0.0.1 e.g.
>
> http_port 127.0.0.1:3127 transparent
>
> I will talk to the port maintainer about removing --enable-pf-transparent.
>
>
Hi, I think this below link may be useful. (this reply from a squid
developer)

http://www.mail-archive.com/squid-users@squid-cache.org/msg78541.html






-- 
Thank you
Indunil Jayasooriya



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-13 Thread Stuart Henderson
On 2011-04-08, Reyk Floeter  wrote:
> On Fri, Apr 08, 2011 at 03:25:55PM +0530, Indunil Jayasooriya wrote:
>> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
>> transparent mode. I can browse internet. But, I get the below error.
>> 
>
>> # chgrp _squid /dev/pf
>> # chmod g+rw /dev/pf
>> 
>
> scary.  squid should not touch /dev/pf at all.  we have a new method
> in pf that does not require access to /dev/pf: divert-to.  you can try
> the following:
>
> - revert /dev/pf to the old 0600 permissions
> - recompile squid _without_ --enable-pf-transparent (disable it)
> - update your pf.conf to use divert-to instead of rdr-to
>
> divert-to provides the real destination address inline via the
> standard getsockname() call which is done by squid by default if no
> other transparent mode is configured (as far as I understand the code
> in squid's client_side.c).  the `traditional' rdr-to method had to do
> an out-of-band call on /dev/pf to retrieve this information.
>
> reyk
>
>

The non-obvious thing here is you must bind the listening socket in
squid to 127.0.0.1 e.g.

http_port 127.0.0.1:3127 transparent

I will talk to the port maintainer about removing --enable-pf-transparent.
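
The four points from this message and the quoted reply (0600 on /dev/pf, no --enable-pf-transparent in the build, divert-to instead of rdr-to, http_port bound to 127.0.0.1) can be checked mechanically. This is an added example that is not part of the thread; the function names, the sample `ls -l` and `squid -v` lines and the temporary files are constructed for illustration, and port 3129 is the one used in a later message.

```shell
#!/bin/sh
# Added example, not from the thread: audit the four points raised above.
# Checks take text or file paths so they also run on the constructed samples.

check_pf_perms() {     # $1 = one `ls -l /dev/pf` line; expect 0600 root:wheel
    set -- $1
    [ "$1" = "crw-------" ] && [ "$3" = "root" ] && [ "$4" = "wheel" ]
}
check_squid_build() {  # $1 = `squid -v` output; the PF flag must be absent
    ! printf '%s\n' "$1" | grep -q -e '--enable-pf-transparent'
}
check_pf_conf() {      # $1 = pf.conf, $2 = port; want divert-to, no rdr-to
    rules=$(sed 's/#.*//' "$1")     # ignore comments
    printf '%s\n' "$rules" | grep -Eq \
        "divert-to[[:space:]]+127\.0\.0\.1[[:space:]]+port[[:space:]]+$2([^0-9]|\$)" || return 1
    ! printf '%s\n' "$rules" | grep -Eq "rdr-to[[:space:]].*port[[:space:]]+$2([^0-9]|\$)"
}
check_http_port() {    # $1 = squid.conf, $2 = port; listener bound to loopback
    grep -Eq "^[[:space:]]*http_port[[:space:]]+127\.0\.0\.1:$2[[:space:]]+(intercept|transparent)" "$1"
}
audit() {  # args: ls line, squid -v text, pf.conf, squid.conf, port
    rc=0
    check_pf_perms "$1"       || { echo "FAIL /dev/pf is not 0600 root:wheel"; rc=1; }
    check_squid_build "$2"    || { echo "FAIL squid built with --enable-pf-transparent"; rc=1; }
    check_pf_conf "$3" "$5"   || { echo "FAIL pf.conf lacks divert-to or still uses rdr-to"; rc=1; }
    check_http_port "$4" "$5" || { echo "FAIL http_port is not bound to 127.0.0.1"; rc=1; }
    return $rc
}

# Constructed samples: "bad" = state after the chgrp/chmod, "good" = after the fix.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
BAD_LS='crw-rw----  1 root  _squid   73,   0 Dec 17 16:33 /dev/pf'
GOOD_LS='crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf'
BAD_V="configure options:  '--prefix=/usr/local' '--enable-pf-transparent'"
GOOD_V="configure options:  '--prefix=/usr/local'"
cat > "$d/pf.bad" <<'EOF'
pass in quick on $int_if proto tcp from $lan_net to any port 80 \
    rdr-to lo0 port 3129
EOF
cat > "$d/pf.good" <<'EOF'
pass in log on $int_if proto tcp from $lan_net to any port 80 \
    divert-to 127.0.0.1 port 3129
EOF
echo 'http_port 3129 intercept' > "$d/squid.bad"
echo 'http_port 127.0.0.1:3129 intercept' > "$d/squid.good"

audit "$BAD_LS" "$BAD_V" "$d/pf.bad" "$d/squid.bad" 3129 || true
audit "$GOOD_LS" "$GOOD_V" "$d/pf.good" "$d/squid.good" 3129 && echo "PASS"
```

On a live host the inputs would be `"$(ls -l /dev/pf)"`, `"$(squid -v)"`, `/etc/pf.conf` and the squid.conf path in use.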



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-13 Thread Insan Praja SW

Hi,
This link may help:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Thanks,

On Wed, 13 Apr 2011 16:12:51 +0700, Muhammad Muntaza wrote:

> 2011/4/8, Indunil Jayasooriya :
>> Hi list,
>>
>> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
>> transparent mode. I can browse internet. But, I get the below error.
>>
>> 2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>> 2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>> 2011/04/08 17:44:20 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>> 2011/04/08 17:44:53 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>> 2011/04/08 17:44:54 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>> 2011/04/08 17:44:55 kid1| Intercept.cc(305) PfInterception: PF open
>> failed: (13) Permission denied
>>
>> Then, I did below steps. I got it from
>> http://www.benzedrine.cx/transquid.html (PF founder's link)
>>
>> are the below 2 commands okay for OpenBSD 4.8?
>>
>> # chgrp _squid /dev/pf
>> # chmod g+rw /dev/pf
>>
>> but, for squid 2.7.9 on OpenBSD 4.8, I have the default. Pls see. I
>> did NOT change /dev/pf
>>
>> # ls -al /dev/pf
>> crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf
>>
>> any comments?
>>
>> --
>> Thank you
>> Indunil Jayasooriya
>
> my squid and openbsd:
>
> in /etc/pf.conf:
> pass in quick on $int_if proto tcp from $localnet to any port 80
> rdr-to lo0 port 3128
>
> $ ls -l /dev/pf
> crw-------  1 root  wheel   73,   0 Nov 28 12:40 /dev/pf
>
> in /etc/squid/squid.conf
> http_port 127.0.0.1:3128 transparent
>
> Muhammad Muntaza bin Hatta






Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-13 Thread Muhammad Muntaza
2011/4/8, Indunil Jayasooriya :
> Hi list,
>
> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
> transparent mode. I can browse internet. But, I get the below error.
>
>
>
> 2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 17:44:20 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 17:44:53 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 17:44:54 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
> 2011/04/08 17:44:55 kid1| Intercept.cc(305) PfInterception: PF open
> failed: (13) Permission denied
>
>
> Then, I did below steps. I got it from
> http://www.benzedrine.cx/transquid.html (PF founder's link)
>
> are the below 2 commands okay for OpenBSD 4.8?
>
> # chgrp _squid /dev/pf
> # chmod g+rw /dev/pf
>
> but, for squid 2.7.9 on OpenBSD 4.8, I have the default. Pls see. I
> did NOT change /dev/pf
>
> # ls -al /dev/pf
> crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf
>
> any comments?
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>
>
my squid and openbsd:

in /etc/pf.conf:
pass in quick on $int_if proto tcp from $localnet to any port 80
rdr-to lo0 port 3128

$ ls -l /dev/pf
crw-------  1 root  wheel   73,   0 Nov 28 12:40 /dev/pf

in /etc/squid/squid.conf
http_port 127.0.0.1:3128 transparent


Muhammad Muntaza bin Hatta
-- 
Indonesia
http://muntaza.wordpress.com



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-08 Thread Reyk Floeter
On Fri, Apr 08, 2011 at 03:25:55PM +0530, Indunil Jayasooriya wrote:
> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
> transparent mode. I can browse internet. But, I get the below error.
> 

> # chgrp _squid /dev/pf
> # chmod g+rw /dev/pf
> 

scary.  squid should not touch /dev/pf at all.  we have a new method
in pf that does not require access to /dev/pf: divert-to.  you can try
the following:

- revert /dev/pf to the old 0600 permissions
- recompile squid _without_ --enable-pf-transparent (disable it)
- update your pf.conf to use divert-to instead of rdr-to

divert-to provides the real destination address inline via the
standard getsockname() call which is done by squid by default if no
other transparent mode is configured (as far as I understand the code
in squid's client_side.c).  the `traditional' rdr-to method had to do
an out-of-band call on /dev/pf to retrieve this information.

reyk



/dev/pf permission for squid 3.2.0.6 on openbsd 4.8

2011-04-08 Thread Indunil Jayasooriya
Hi list,

I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
transparent mode. I can browse internet. But, I get the below error.



2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:20 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:53 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:54 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:55 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied


Then, I did below steps. I got it from
http://www.benzedrine.cx/transquid.html (PF founder's link)

are the below 2 commands okay for OpenBSD 4.8?

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

but, for squid 2.7.9 on OpenBSD 4.8, I have the default. Pls see. I
did NOT change /dev/pf

# ls -al /dev/pf
crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf

any comments?





-- 
Thank you
Indunil Jayasooriya