Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Nov 2012 19:40:08 +0100
From:      Leslie Jensen <leslie@eskk.nu>
To:        Volodymyr Kostyrko <c.kworr@gmail.com>
Cc:        freebsd questions list <freebsd-questions@freebsd.org>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <50B3B788.6040801@eskk.nu>
In-Reply-To: <50B338B2.3090600@gmail.com>
References:  <50B0EA28.7060904@eskk.nu> <50B338B2.3090600@gmail.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help


Volodymyr Kostyrko skrev 2012-11-26 10:38:
> 24.11.2012 17:39, Leslie Jensen:
>>
>> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
>> configuration file now gives me errors in cache.log when one tries to
>> access any site, and of course no access!
>>
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>>
>> Reverting back to 3.1 works.
>>
>> I know there are some changes in 3.2 that does this
>>
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>>
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>>
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
>
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't looks
> like your case.
>
> Can you please provide relevant parts of pf.conf and full log output,
> not just the first line?
>


Just to clarify. I'm running pf and squid on the same machine.

Yes I've also split the listening ports.

http_port 172.18.0.1:8080 intercept
http_port 127.0.0.1:8080


Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
Host: www.squid-cache.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2)
Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Referer: http://www.aftonbladet.se/
Via: 1.1 "FQDN machine name" (squid/3.2.3)
X-Forwarded-For: 172.18.0.100
Cache-Control: max-age=259200
Connection: keep-alive



Rules from pf.conf

--------------------------------------------
# macros
ext_if="xl0"
int_if="bge0"

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.18.0.0/16"
proxy = "172.18.0.1"
proxyport="8021"

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return     # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# redirect www trafic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port 
$proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all

block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 
8080 keep state

pass out log on $ext_if inet proto tcp from $proxy to any port 
$proxy_services keep state

# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if
#

Thanks

/Leslie




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?50B3B788.6040801>