Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 26 Nov 2012 19:40:08 +0100
From:      Leslie Jensen <>
To:        Volodymyr Kostyrko <>
Cc:        freebsd questions list <>
Subject:   Re: Anyone using squid and pf?
Message-ID:  <>
In-Reply-To: <>
References:  <> <>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help

Volodymyr Kostyrko skrev 2012-11-26 10:38:
> 24.11.2012 17:39, Leslie Jensen:
>> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same
>> configuration file now gives me errors in cache.log when one tries to
>> access any site, and of course no access!
>> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>> Reverting back to 3.1 works.
>> I know there are some changes in 3.2 that does this
>> + 3.2 intercept port receiving forward-proxy requests will reject them
>> due to NAT failure/lies.
>> + 3.2 Host header validation *will* reject if forward traffic is
>> validated as being intercepted.
>> I would appreciate suggestions for changes to squid.conf so that squid
>> will work for me with version 3.2.
> When switching to 3.2 I had to split listening ports - one for
> transparency and one for the local machine. However this doesn't looks
> like your case.
> Can you please provide relevant parts of pf.conf and full log output,
> not just the first line?

Just to clarify. I'm running pf and squid on the same machine.

Yes I've also split the listening ports.

http_port intercept

Output from cache.log:

2012/11/24 14:10:09 kid1| WARNING: Forwarding loop detected for:
GET /Artwork/SN.png HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:6.0.2)
Gecko/20100101 Firefox/6.0.2
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: sv-se,sv;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Via: 1.1 "FQDN machine name" (squid/3.2.3)
Cache-Control: max-age=259200
Connection: keep-alive

Rules from pf.conf

# macros

tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = ""
proxy = ""

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return     # ports are closed but can be seen
set loginterface $ext_if

set skip on lo0

# scrub
scrub in

rdr pass proto tcp from any to any port ftp -> port 8021

# redirect www trafic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port 
$proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick inet6 all
block drop out log quick inet6 all

block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

# Allow traffic through SQUID
pass in log on $int_if inet proto tcp from $internal_net to $proxy port 
8080 keep state

pass out log on $ext_if inet proto tcp from $proxy to any port 
$proxy_services keep state

# pass out
pass out log

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in log quick on $int_if



Want to link to this message? Use this URL: <>