From: Leslie Jensen
Date: Mon, 26 Nov 2012 19:40:08 +0100
To: Volodymyr Kostyrko
Cc: freebsd questions list
Subject: Re: Anyone using squid and pf?
Volodymyr Kostyrko wrote 2012-11-26 10:38:
> 24.11.2012 17:39, Leslie Jensen:
>>
>> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
>> configuration file now gives me errors in cache.log when one tries to
>> access any site, and of course no access!
>>
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>>
>> Reverting back to 3.1 works.
>>
>> I know there are some changes in 3.2 that do this:
>>
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>>
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>>
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
>
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't look
> like your case.
>
> Can you please provide relevant parts of pf.conf and full log output,
> not just the first line?
>

Just to clarify. I'm running pf and squid on the same machine. Yes, I've
also split the listening ports.
http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080

Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.aftonbladet.se/
Via: 1.1 "FQDN machine name" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Cache-Control: max-age=259200
Connection: keep-alive

Rules from pf.conf
--------------------------------------------
# macros
ext_if="xl0"
int_if="bge0"
tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
proxyport="8021"

# tables
table persist
table persist

# options
set block-policy return # ports are closed but can be seen
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all
block in log quick on $ext_if from label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state

# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#

Thanks
/Leslie
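A small triage script for these cache.log warnings, added here as an example and not code from the thread or from Squid: it groups each "Forwarding loop detected" entry with the request headers squid dumps after it, then reports whether the proxy's own name is already in Via (the check that triggers the warning) and whether the first X-Forwarded-For address lies in the internal network. The sample log block, the hostname proxy.example.net and the 172.18.0.0/16 network are constructed to match the thread.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in the cache.log layout shown in the thread;
# "proxy.example.net" stands in for the real (redacted) proxy FQDN.
SAMPLE_LOG = """\
2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
Via: 1.1 "proxy.example.net" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Connection: keep-alive
2012/11/24 14:10:10 kid1| unrelated entry, ends the header dump
"""

WARN_RE = re.compile(r'^(\S+ \S+) kid\d+\| WARNING: Forwarding loop detected for:$')
ENTRY_RE = re.compile(r'^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d kid\d+\|')

def parse_loop_warnings(text):
    """Group each loop warning with the request line and headers squid dumps after it."""
    events, current = [], None
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            current = {"time": m.group(1), "request": None, "headers": {}}
            events.append(current)
        elif current is None or not line.strip() or ENTRY_RE.match(line):
            current = None  # blank line or next log entry ends the dump
        elif current["request"] is None:
            current["request"] = line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return events

def via_hops(via_value):
    """Hop names from a Via header, e.g. '1.1 host (squid/3.2.3), 1.0 other'."""
    hops = [e.split() for e in via_value.split(",")]
    return [p[1].strip('"') for p in hops if len(p) >= 2]

def diagnose(event, local_hostname, internal_net):
    """Squid fires this warning when its own name is already in Via; report that
    and whether the originating client (first X-Forwarded-For) is internal."""
    hops = via_hops(event["headers"].get("via", ""))
    client = event["headers"].get("x-forwarded-for", "").split(",")[0].strip() or None
    return {"time": event["time"], "request": event["request"],
            "host": event["headers"].get("host"), "via_hops": hops,
            "self_hops": hops.count(local_hostname), "client": client,
            "client_is_internal": bool(client) and ip_address(client) in ip_network(internal_net)}
```

Run it over a real cache.log with the proxy's visible_hostname and internal network to list which clients and destinations are hitting the loop.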