PF / Squid 3.3 not working

My head is very hot. I'm breaking my brain; could someone help me? Since FreeBSD 8 everything worked very well. But now on FreeBSD 10.0, my pf.conf with Squid 3.3 does not work.
 

My head is very hot. I'm breaking my brain; could someone help me?
Usually it is not necessary to reflect on one's state of health. If you still do, be prepared to get appropriate advice on this, like:
1. Take a cold shower, this is mostly sufficient to cool a hot head.
2. Take a nap. This regenerates human brains.
3. Stop breaking your head immediately. You might damage beyond repair.
If this is not sufficient consult a physician. :)

As you did not post what you tried to debug your problem, here are some hints how to start:

Did you check if Squid is listening on the defined IP and port?
Did you check your PF logfiles?
Did you use tcpdump to look on both interface and pflog0?
Did you check environment variable http_proxy?
Did you check your browser for proxy settings?
 
I understand you're frustrated and losing your cool over troubleshooting. No worries if English isn't your best language. Just stick to the facts. Can you show the on-screen output that shows up when something isn't working?

Based off your configuration shown, I have two observations:
Execute pkg info squid | grep TP_PF
Does this display the following?
Code:
TP_PF          : on

Your /usr/local/etc/squid/squid.conf should say intercept on the listen directive according to the advice of fellow transparent proxy users on here and the pfSense forum.
Code:
http_port 3129 intercept

https://forums.freebsd.org/threads/transparent-proxy-with-squid33-and-pf.48038/
https://forum.pfsense.org/index.php?topic=67443.0

Otherwise, I do want to point out FreeBSD 10.0 is unsupported at the end of February and Squid 3.3 is unsupported by upstream. You should consider switching to FreeBSD 10.0 and Squid 3.4, www/squid, before spending too much time fixing something that will be out of date soon.
 
Thanks, but I have other FreeBSD servers and I've used it since 2006. I have servers with and without transparent proxy. There is a server with 9.3-RELEASE; I did it with the "intercept" code. Now my problem is this: if I use it without the NAT rule (rdr pass on $internal ...), of course all desktop users can connect to all networks because Squid won't apply. No related problems in the logs, all ports are correct in use by pfctl -sa. Running
tail -f /usr/local/etc/squid/logs/access.log | grep -i a.b.c.dIP, I can see attempts to connect to some website by port 3129 but they don't connect. Thanks all.
 
Can you post a few lines from Squid's access.log on what gets logged when outbound connects are made? Feel free to "X" out IPs or change host names to example.com if you need to.
 
jpachersbs: Can you make outbound connections from your proxy server? Like running fetch http://www.google.com/? Just to rule out that the server itself has some problems to connect to the outside world.
 
Well guys, I gave up on version 10 and redid the server with version 8.3, which I used in some other servers. Package installation ISO files, like screen, apache22, the remainder by the ports or pkg_add, always looking for ftp to the FreeBSD version 8.4 is still available.
Here are all the packages installed:
Code:
apache-2.2.22_5     Version 2.2.x of Apache web server with prefork MPM.
apr-ipv6-devrandom-gdbm-db42-1.4.5.1.3.12_1 Apache Portability Library
chpasswd-2.2.4      Allow users to change their Squid or Web password using the
cups-client-1.5.4_1 Common UNIX Printing System: Library cups
darkstat-3.0.715    Network statistics gatherer and reporter
db42-4.2.52_5       The Berkeley DB package, revision 4.2
en-freebsd-doc-20120308 Documentation from the FreeBSD Documentation Project
expat-2.0.1_2       XML 1.0 parser written in C
fontconfig-2.9.0,1  An XML-based font configuration API for X Windows
freetype2-2.4.11    A free and portable TrueType font rendering engine
gd-2.0.35_8,1       A graphics library for fast creation of images
gdbm-1.9.1          The GNU database manager
gettext-0.18.1.1_1  GNU gettext package
isc-dhcp41-server-4.1.e_3,2 The ISC Dynamic Host Configuration Protocol server
jpeg-8_4            IJG's jpeg compression utilities
libexecinfo-1.1_3   A library for inspecting program's backtrace
libiconv-1.13.1_2   A character set conversion library
libsunacl-1.0       Wrapper providing SunOS NFSv4 ACL API
logwatch-7.4.0      A log file analysis program
maradns-1.4.10      DNS server with focus on security and simplicity
muse-0.2            Shows memory usage data
openldap-client-2.4.34_1 Open source LDAP client implementation
openssh-portable-5.8.p2_1,1 The portable version of OpenBSD's OpenSSH
p5-MIME-Base64-3.13 Perl5 module for Base64 and Quoted-Printable encodings
pcre-8.30_1         Perl Compatible Regular Expressions library
perl-5.12.4_4       Practical Extraction and Report Language
pkg-config-0.25_1   A utility to retrieve information about installed libraries
png-1.5.14          Library for manipulating PNG images
popt-1.16           A getopt(3) like library with a number of enhancements, fro
pt-freebsd-doc-20120308 Portuguese translation of the FreeBSD Documentation Project
python27-2.7.2_4    An interpreted object-oriented programming language
samba36-3.6.13      A free SMB and CIFS client and server for UNIX
sarg-2.3.4          Squid log analyzer and HTML report generator
screen-4.0.3_13     A multi-screen window manager
squid-3.1.19        HTTP Caching Proxy
talloc-2.0.7        Hierarchical pool based memory allocator
tdb-1.2.11,1        Trivial Database
Now part of my access.log:
Code:
1421900418.020 119055 192.168.0.252 TCP_MISS/503 0 CONNECT www.facebook.com:443 - DIRECT/- -
1421900438.014 119197 192.168.0.252 TCP_MISS/503 0 CONNECT safebrowsing.google.com:443 - DIRECT/- -
1421900446.016 119969 192.168.0.252 TCP_MISS/503 0 CONNECT 3-edge-chat.facebook.com:443 - DIRECT/- -
1421900448.018 119045 192.168.0.252 TCP_MISS/503 0 CONNECT www.facebook.com:443 - DIRECT/- -
1421900976.659  32805 192.168.0.252 TCP_MISS/000 0 GET http://www.google.com.br/ - DIRECT/www.google.com.br -
1421900976.823  33168 192.168.0.252 TCP_MISS/000 0 GET http://www.gstatic.com/chrome/profile_avatars/avatar_generic.png - DIRECT/www.gstatic.com -
1421901008.426      0 192.168.0.252 TCP_DENIED/403 1635 GET http://www.gstatic.com/chrome/profile_avatars/avatar_generic.png - NONE/- text/html
1421901008.543      0 192.168.0.252 TCP_DENIED/403 1557 GET http://www.google.com.br/ - NONE/- text/html
1421901023.489      0 192.168.0.252 TCP_DENIED/403 1559 GET http://www.msn.com/pt-br/? - NONE/- text/html
1421901028.008      0 192.168.0.252 TCP_DENIED/403 1567 GET http://api.bing.com/qsml.aspx? - NONE/- text/html
1421901028.150      0 192.168.0.252 TCP_DENIED/403 1567 GET http://api.bing.com/qsml.aspx? - NONE/- text/html
1421901028.259      0 192.168.0.252 TCP_DENIED/403 1567 GET http://api.bing.com/qsml.aspx? - NONE/- text/html
All working, squid, transparent proxy, sarg, all rules of pf, so everything...

Thanks for the help and attention, but unfortunately version 10 has not convinced me yet; I will study a little more.
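
Added example, not part of any post in this thread: a small triage of Squid native-format access.log lines like those posted above, separating requests refused by Squid's own access controls (TCP_DENIED) from requests Squid tried to forward and could not complete, which is the distinction the replies were probing. The class labels and the sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample in Squid's native access.log format, modelled on the
# lines posted above (host names replaced with example.com).
SAMPLE = """\
1421900418.020 119055 192.168.0.252 TCP_MISS/503 0 CONNECT www.example.com:443 - DIRECT/- -
1421900976.659  32805 192.168.0.252 TCP_MISS/000 0 GET http://www.example.com/ - DIRECT/www.example.com -
1421901008.543      0 192.168.0.252 TCP_DENIED/403 1557 GET http://www.example.com/ - NONE/- text/html
not a log line
"""

def parse_line(line):
    """Return a dict for one native-format line, or None if it is malformed."""
    f = line.split()
    if len(f) < 10 or "/" not in f[3] or "/" not in f[8]:
        return None
    try:
        elapsed_ms = int(f[1])
    except ValueError:
        return None
    result, status = f[3].split("/", 1)      # e.g. TCP_MISS / 503
    hierarchy, peer = f[8].split("/", 1)     # e.g. DIRECT / -
    return {"client": f[2], "elapsed_ms": elapsed_ms, "result": result,
            "status": status, "method": f[5], "url": f[6],
            "hierarchy": hierarchy, "peer": peer}

def classify(entry):
    """Label an entry; the labels are this example's own, not Squid terms."""
    if entry["result"].startswith("TCP_DENIED"):
        return "denied-by-squid"     # next check: http_access rules in squid.conf
    if entry["status"] == "000":
        return "no-reply-sent"       # no HTTP status was logged for the reply
    if entry["status"].startswith("5") and entry["hierarchy"] != "NONE":
        return "upstream-failure"    # next check: outbound access from the proxy host
    return "ok"

def triage(text):
    """Count log lines per class; unparseable lines are counted, not dropped."""
    counts = Counter()
    for line in text.splitlines():
        if line.strip():
            entry = parse_line(line)
            counts[classify(entry) if entry else "unparsed"] += 1
    return dict(counts)

if __name__ == "__main__":
    for label, n in sorted(triage(SAMPLE).items()):
        print(f"{n:4d}  {label}")
```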
 