From owner-freebsd-pf@FreeBSD.ORG Mon Dec 15 11:06:56 2008
Date: Mon, 15 Dec 2008 11:06:56 GMT
Message-Id: <200812151106.mBFB6uoX004420@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-pf@FreeBSD.org
Subject: Current problem reports assigned to freebsd-pf@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.  Description
--------------------------------------------------------------------------------
o kern/129060  pf     [pf] [tun] pf doesn't forget the old tun IP
o kern/127920  pf     [pf] ipv6 and synproxy don't play well together
o conf/127814  pf     [pf] The flush in pf_reload in /etc/rc.d/pf does not w
o conf/127511  pf     [patch] /usr/sbin/authpf: add authpf folders to BSD.ro
o kern/127439  pf     [pf] deadlock in pf
o kern/127345  pf     [pf] Problem with PF on FreeBSD7.0 [regression]
o kern/127121  pf     [pf] [patch] pf incorrect log priority
o kern/127042  pf     [pf] [patch] pf recursion panic if interface group is
o kern/125467  pf     [pf] pf keep state bug while handling sessions between
s kern/124933  pf     [pf] [ip6] pf does not support (drops) IPv6 fragmented
o kern/124364  pf     [pf] [panic] Kernel panic with pf + bridge
o kern/122773  pf     [pf] pf doesn't log uid or pid when configured to
o kern/122014  pf     [pf] [panic] FreeBSD 6.2 panic in pf
o kern/121704  pf     [pf] PF mangles loopback packets
o kern/120281  pf     [pf] [request] lost returning packets to PF for a rdr
o kern/120057  pf     [pf] [patch] Allow proper settings of ALTQ_HFSC. The c
o bin/118355   pf     [pf] [patch] pfctl(8) help message options order false
o kern/114567  pf     [pf] LOR pf_ioctl.c + if.c
o kern/114095  pf     [carp] carp+pf delay with high state limit
o kern/111220  pf     [pf] repeatable hangs while manipulating pf tables
s conf/110838  pf     [pf] tagged parameter on nat not working on FreeBSD 5.
o kern/93825   pf     [pf] pf reply-to doesn't work
o sparc/93530  pf     [pf] Incorrect checksums when using pf's route-to on s
o kern/92949   pf     [pf] PF + ALTQ problems with latency
o kern/82271   pf     [pf] cbq scheduler cause bad latency

25 problems total.
From owner-freebsd-pf@FreeBSD.ORG Fri Dec 19 13:21:45 2008
Message-ID: <494B9FE5.6070501@eskk.nu>
Date: Fri, 19 Dec 2008 14:21:41 +0100
From: Leslie Jensen
To: freebsd-pf@freebsd.org
Subject: clientNatLookup: PF open failed: (13) Permission denied

I've tried the squid users mail list but I'll try here. I'm aware that this
list is not a squid list, but with it being PF I hope someone has a
suggestion how to fix my problem.

I'm not sure if I want to change the rights on /dev/pf; that's why I'm
asking.

I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.

I've noticed that in cache.log there are a lot of entries like the one below:

clientNatLookup: PF open failed: (13) Permission denied

I've found some information on the problem via Google.

One is "start Squid as root". Squid is started via rc.conf so I think
that is sorted.

There is a concern about rights on /dev/pf.

Finally there's some advice:

---- snip ----
If you are performing any kind of transparent interception with squid
you will need one of the --*-transparent options. Without it squid will
fail to correctly spoof the clients IP.
---- snip ----

I do not fully understand where the "--*-transparent options" are to be
found, and if it's the solution to the problem.

Will someone please enlighten me?

Thank you
/Leslie

From owner-freebsd-pf@FreeBSD.ORG Fri Dec 19 13:48:45 2008
Message-ID: <7731938b0812190548r399e6c2by4ff666ce9fa63481@mail.gmail.com>
Date: Fri, 19 Dec 2008 13:48:41 +0000
From: "Peter Maxwell"
To: freebsd-pf@freebsd.org
In-Reply-To: <494B9FE5.6070501@eskk.nu>
Subject: Re: clientNatLookup: PF open failed: (13) Permission denied

Hi Leslie,

The message you're getting is usually associated with the rule base
blocking an outbound connection - so check that you've opened all the
outbound ports that squid needs in your pf.conf.

Tip: you can use tcpdump to see what's going on; the OpenBSD pf pages at
http://www.openbsd.org/faq/pf/logging.html will give an introduction and
there's lots of info on tcpdump around. Note that tcpdump is great for
testing purposes but don't use tcpdump on a production box (it's not got a
great security record, and if you get the parameters wrong with high load
you can kill the box).

Transparent HTTP proxying is basically where there is a rdr rule in your
pf config so that outbound port 80 connections (or 443 for that matter)
are forwarded to squid's inbound port and, if configured properly, squid
can then handle the request. The reason it's called 'transparent' is
because the user's browser doesn't need configuring, because pf redirects
all HTTP traffic - so to the browser it just looks like a direct connection
to the internet (with a few extra HTTP headers).

There are several implications of this: if squid fails (which it does a
lot) then you don't get web browsing until you fix squid; it forces use of
the proxy; you can use any authentication mechanisms with squid.

Personally, transparent proxying is more trouble than it's worth, but your
mileage may vary.

Best wishes,
Peter

2008/12/19 Leslie Jensen :
> I've tried the squid users mail list but I'll try here. I'm aware that this
> list is not a squid list, but with it being PF I hope someone has a
> suggestion how to fix my problem.
>
> I'm not sure if I want to change the rights on /dev/pf; that's why I'm
> asking.
>
> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>
> I've noticed that in cache.log there are a lot of entries like the one below:
>
> clientNatLookup: PF open failed: (13) Permission denied
>
> I've found some information on the problem via Google.
>
> One is "start Squid as root". Squid is started via rc.conf so I think
> that is sorted.
>
> There is a concern about rights on /dev/pf.
>
> Finally there's some advice:
>
> ---- snip ----
> If you are performing any kind of transparent interception with squid
> you will need one of the --*-transparent options. Without it squid will
> fail to correctly spoof the clients IP.
> ---- snip ----
>
> I do not fully understand where the "--*-transparent options" are to be
> found, and if it's the solution to the problem.
>
> Will someone please enlighten me?
>
> Thank you
> /Leslie
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
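The interception setup Peter describes, written out as an added pf.conf example that comes from neither poster; the interface names, the LAN block and squid's listener address and port are assumptions, and the closing comment addresses Leslie's question about rights on /dev/pf.

```pf
# Added example, not from the thread.  Assumed: em0 faces the internet,
# em1 the LAN, and squid listens on 127.0.0.1:3128 on this same box.
ext_if     = "em0"
int_if     = "em1"
lan        = $int_if:network
squid_addr = "127.0.0.1"
squid_port = "3128"

set skip on lo0

# Transparent interception: LAN clients' outbound port-80 TCP is handed
# to squid before the filter rules run.  'rdr pass' also admits the
# redirected packets, so no separate pass-in rule is needed for them.
rdr pass on $int_if inet proto tcp from $lan to any port www \
    -> $squid_addr port $squid_port

block log all

# LAN clients still resolve names through the box.
pass in on $int_if inet proto { tcp, udp } from $lan to any port domain \
    keep state

# The "outbound ports squid needs": its own connections to origin servers
# and its resolver queries leave via $ext_if from random high source
# ports, so only the destination ports are constrained here.
pass out on $ext_if inet proto tcp from $ext_if to any port { www, https } \
    flags S/SA keep state
pass out on $ext_if inet proto udp from $ext_if to any port domain keep state

# Why cache.log says "PF open failed: (13) Permission denied": squid asks
# pf for an intercepted connection's original destination through /dev/pf
# (the DIOCNATLOOK ioctl).  FreeBSD creates that device mode 0600
# root:wheel, and squid only opens it once it has dropped root, so
# "start squid as root" does not help.  Instead of chmod 0666, give only
# squid's group access, e.g. in /etc/devfs.conf (the group name 'squid'
# and squid opening the device read-write are assumptions):
#   own  pf root:squid
#   perm pf 0660
# The pf flavour of the "--*-transparent" configure options is
# --enable-pf-transparent; squid.conf then needs "transparent" on the
# http_port line that $squid_port points at.
```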