Hello Amos,

All noted.

Lemme consult with some FreeBSD guys on these.

On 15 April 2016 at 18:13, Amos Jeffries <squ...@treenet.co.nz> wrote:

> On 16/04/2016 1:29 a.m., Odhiambo Washington wrote:
> >
> > With luck, I have managed to get squid to compile successfully (after
> > upgrading a few components here and there). I used:
>
> Yay!
>
> >
> > I have it running now (redirecting using IPFilter/IPNAT), but once in a
> > while I see this error about NAT:
> >
> > <snip>
> > 2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs
> > on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
>
> These are the kernel NAT system telling Squid the connection being
> looked up has no record there.
>
> It could be TCP connections being made straight to the intercept port.
> If so you need to update the firewall config to prevent them, even from
> localhost.
> In Linux we use a mangle table rule, since that is the filter pre-NAT
> that can do it. I'm not sure how FreeBSD would do that. It has to be
> done on packets' first arrival pre-NAT. Any filter that is applied after
> the NAT action will get it wrong due to the NAT changes.
>
>
> It could be the NAT system's table of connections filling up and
> overflowing. If so there should be a kernel sysctl somewhere to increase
> that table size.
>
> >
> > In any case, I am planning to rewrite the IPNAT rules into PF and use PF.
> > It's the inception stage so I haven't delved deep into ssl-bump
> > configurations...
> >
>
> HTH
> Amos
>

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft."
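Amos lists two possible causes for the lookup failure: clients reaching the intercept port directly, or the NAT connection table overflowing. The following is an added diagnostic example, not code from this thread or from Squid itself: it parses the cache.log line format quoted above and tallies failures per remote host and per intercept port, so a few hosts dominating the count can be told apart from failures spread across everyone. The sample log lines are constructed (the 192.168.55.80 host is invented for illustration).

```python
import re
from collections import Counter

# Pattern for the Squid cache.log line quoted in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\| "
    r"ERROR: NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<lip>[^:]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[^:]+):(?P<rport>\d+) "
    r"FD (?P<fd>\d+) flags=(?P<flags>\d+)$"
)


def parse_nat_failures(lines):
    """Return one dict per NAT/TPROXY lookup-failure line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("lport", "rport", "fd"):
                d[key] = int(d[key])
            events.append(d)
    return events


def summarize(events):
    """Count failures per remote host and per intercept port.

    A handful of hosts dominating per_remote points at clients connecting
    straight to the intercept port; counts spread evenly over many hosts
    during busy periods fit the NAT-table-overflow explanation better.
    """
    return {
        "per_remote": Counter(e["rip"] for e in events),
        "per_local_port": Counter(e["lport"] for e in events),
    }


# Constructed sample cache.log excerpt in the format quoted in the thread.
SAMPLE_LOG = """\
2016/04/15 16:17:23| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57724 FD 29 flags=33
2016/04/15 16:17:24| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.62:57730 FD 31 flags=33
2016/04/15 16:18:01| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.55.254:13128 remote=192.168.55.80:40112 FD 35 flags=33
2016/04/15 16:18:05| Some unrelated cache.log line that must be ignored
"""

if __name__ == "__main__":
    stats = summarize(parse_nat_failures(SAMPLE_LOG.splitlines()))
    for host, n in stats["per_remote"].most_common():
        print(f"{host}: {n} failed NAT lookups")
```

Run it against a real cache.log with `parse_nat_failures(open(path))` to see which hosts are hitting the intercept port before adjusting the firewall or the NAT table size.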
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users