On 23 January 2015 at 16:40, Amos Jeffries <squ...@treenet.co.nz> wrote:
> On 24/01/2015 2:20 a.m., Odhiambo Washington wrote:
> > On 23 January 2015 at 16:07, Amos Jeffries <squ...@treenet.co.nz>
> > wrote:
> >
> >> On 24/01/2015 1:47 a.m., Yuri Voinov wrote:
> >>>
> >>> Once more. You CANNOT have either a web server or any other
> >>> service listening on port 80 on the same host as a transparent
> >>> Squid proxy. This is the one and only reason you have looping.
> >>>
> >>
> >> That is not correct. It can be done, but depends on how the
> >> firewall operates and what ruleset is used.
> >>
> >> One has to intercept traffic transiting the machine, but ignore
> >> traffic destined *to* or *from* the local machine's running
> >> processes.
> >>
> >>> Look. On my transparent 3.4.11 (which was earlier 2.7) IPFilter
> >>> redirects port 80 to the proxy. My web server on the same host
> >>> listens only on ports 8080, 8088 and 8888. No service except
> >>> NAT is using port 80.
> >>>
> >>> And finally I have had no looping for 4 years.
> >>>
> >>> Obvious, is it?
> >>>
> >>
> >> Maybe there was, maybe there wasn't.
> >>
> >> Squid-2.7 ignored a lot of NAT related errors and even silently
> >> did some Very Bad Things(tm) - none of which Squid-3.2+ will
> >> allow to happen anymore.
> >>
> >>
> >> Odhiambo: I suspect it might be related to your use of "rdr"
> >> firewall rules. In OpenBSD PF at least rdr rules do not work
> >> properly and divert-to rules need to be used instead (divert-to
> >> can be used for either TPROXY or NAT Squid listening ports on
> >> BSD).
> >>
> >
> >
> > I am thinking Squid-3.2+ is evil :-)
> >
> > Anyway, my PF rules are here : http://pastebin.com/pKv1jN2v And my
> > IPFilter rules are here: http://pastebin.com/JQ77X01H
> >
> > I need to figure out why squid is DENYing all access ..
> >
>
> Can you update me on what the squid -v output is from the Squid build
> you are having issues with please?
>
> Amos
>

root@mail:/usr/src # /opt/squid35/sbin/squid -v
Squid Cache: Version 3.5.1-20150120-r13736
Service Name: squid
configure options: '--prefix=/opt/squid35' '--enable-removal-policies=lru heap' '--disable-epoll' '--enable-auth' '--enable-auth-basic=DB NCSA PAM PAM POP3 SSPI' '--enable-external-acl-helpers=session unix_group file_userip' '--enable-auth-negotiate=kerberos' '--with-pthreads' '--enable-storeio=ufs diskd rock aufs' '--enable-delay-pools' '--enable-snmp' '--with-openssl=/usr' '--enable-forw-via-db' '--enable-cache-digests' '--enable-wccpv2' '--enable-follow-x-forwarded-for' '--with-large-files' '--enable-large-cache-files' '--enable-esi' '--enable-kqueue' '--enable-icap-client' '--enable-kill-parent-hack' '--enable-ssl' '--enable-leakfinder' '--enable-ssl-crtd' '--enable-url-rewrite-helpers' '--enable-xmalloc-statistics' '--enable-stacktraces' '--enable-zph-qos' '--enable-eui' '--enable-pf-transparent' 'CC=clang' 'CXX=clang++' --enable-ltdl-convenience

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."