From: Monah Baki
Date: Mon, 9 Mar 2015 10:27:12 -0400
Subject: Re: FreeBSD PF question
To: krad
Cc: FreeBSD Questions

Should I do this on the Cisco itself?

On Mon, Mar 9, 2015 at 10:24 AM, krad wrote:

> It sounds like your Cisco isn't letting the squid web traffic out and
> redirecting it back to itself. You need to exclude the squid proxy's
> address from redirection
>
> On 9 March 2015 at 14:03, Monah Baki wrote:
>
>> Hi All,
>>
>> I have a FreeBSD 10.1 server with a single interface (bge0) running squid
>> in intercept mode. There is a Cisco device doing the policy routing.
>>
>> interface GigabitEthernet0/0/1.1
>>  encapsulation dot1Q 1 native
>>  ip address 10.0.0.9 255.255.255.0
>>  no ip redirects
>>  no ip unreachables
>>  ip nat inside
>>  standby 1 ip 10.0.0.10
>>  standby 1 priority 120
>>  standby 1 preempt
>>  standby 1 name HSRP
>>  ip policy route-map CFLOW
>>
>> ip access-list extended REDIRECT
>>  deny tcp host 10.0.0.24 any eq www
>>  permit tcp host 10.0.0.23 any eq www
>>
>> route-map CFLOW permit 10
>>  match ip address REDIRECT
>>  set ip next-hop 10.0.0.24
>>
>> My squid.conf has the following:
>>
>> http_port 3128
>> http_port 3129 intercept
>>
>> My pf.conf has the following:
>>
>> rdr on bge0 inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>> # block in
>> pass in log quick on bge0
>> pass out log quick on bge0
>> pass out keep state
>>
>> User gets an access denied on browsing, and in my cache.log file, I see:
>>
>> WARNING: Forwarding loop detected for:
>>
>> Any help/guidance is appreciated.
>>
>> Thanks