PF Transparent Proxy with squid33 and PF

I am trying to deploy a transparent proxy with Squid on a small server with 1 NIC (a computer with one Ethernet interface), but I am facing a really weird problem, and it seems to be a loop?

My /etc/pf.conf
Code:
int_if="em0"
rdr pass inet proto tcp from 192.168.88.0/24 to any port 80 -> 192.168.77.253 port 3128

block in
pass in quick on $int_if
pass out keep state

My www/squid33 version
Code:
root@mumah-cache:/usr/home/alie # squid -v
Squid Cache: Version 3.3.11
configure options:  '--with-default-user=squid' '--bindir=/usr/local/sbin' '--sbindir=/usr/local/sbin' '--datadir=/usr/local/etc/squid' '--libexecdir=/usr/local/libexec/squid' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/squid' '--with-logdir=/var/log/squid' '--with-pidfile=/var/run/squid/squid.pid' '--with-swapdir=/var/squid/cache/squid' '--enable-auth' '--enable-build-info' '--enable-loadable-modules' '--enable-removal-policies=lru heap' '--disable-epoll' '--disable-linux-netfilter' '--disable-linux-tproxy' '--disable-translation' '--enable-auth-basic=DB MSNT MSNT-multi-domain NCSA PAM POP3 RADIUS  fake getpwnam NIS' '--enable-auth-digest=file' '--enable-external-acl-helpers=file_userip time_quota unix_group' '--enable-auth-negotiate=kerberos wrapper' '--enable-auth-ntlm=fake smb_lm' '--enable-storeio=diskd rock ufs aufs' '--enable-disk-io=AIO Blocking DiskDaemon IpcIo Mmapped DiskThreads' '--enable-log-daemon-helpers=file' '--enable-url-rewrite-helpers=fake' '--enable-htcp' '--disable-forw-via-db' '--disable-cache-digests' '--enable-wccp' '--enable-wccpv2' '--disable-eui' '--disable-ipfw-transparent' '--enable-pf-transparent' '--disable-ipf-transparent' '--disable-follow-x-forwarded-for' '--enable-ecap' '--enable-icap-client' '--disable-esi' '--enable-kqueue' '--with-large-files' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd9.3' 'build_alias=amd64-portbld-freebsd9.3' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'LDFLAGS= -pthread -L/usr/local/lib' 'CPPFLAGS=' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf' --enable-ltdl-convenience

Code:
root@mumah-cache:/usr/home/alie # uname -a
FreeBSD mumah-cache 9.3-RELEASE FreeBSD 9.3-RELEASE #0 r268512: Thu Jul 10 23:44:39 UTC 2014     root@snap.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

Log from www/squid33 access.log. I am getting TCP_MISS_ABORTED while browsing any URL. I have been trying to solve this issue for 2 days but could not find any solution to it, please help.
Code:
oot@mumah-cache:/usr/home/alie # tail -f /var/log/squid/access.log 
1410777456.657    992 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -
1410777458.708   3006 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh3.ggpht.com/STkLA3lthJ3mrb1mScEIdKgag30BABVWAz3m-zTnwTeUShZIZz8fAkQR0tgCe4GLSEY=rw-w20-h20 - HIER_DIRECT/192.168.77.253 -
1410777459.668   2995 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -
1410777461.757   3019 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh3.ggpht.com/STkLA3lthJ3mrb1mScEIdKgag30BABVWAz3m-zTnwTeUShZIZz8fAkQR0tgCe4GLSEY=rw-w20-h20 - HIER_DIRECT/192.168.77.253 -
1410777462.687   2998 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -
1410777464.787   3018 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh3.ggpht.com/STkLA3lthJ3mrb1mScEIdKgag30BABVWAz3m-zTnwTeUShZIZz8fAkQR0tgCe4GLSEY=rw-w20-h20 - HIER_DIRECT/192.168.77.253 -
1410777465.707   3000 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -
1410777467.817   3023 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh3.ggpht.com/STkLA3lthJ3mrb1mScEIdKgag30BABVWAz3m-zTnwTeUShZIZz8fAkQR0tgCe4GLSEY=rw-w20-h20 - HIER_DIRECT/192.168.77.253 -
1410777468.721   2998 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -
1410777476.858   9017 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh3.ggpht.com/STkLA3lthJ3mrb1mScEIdKgag30BABVWAz3m-zTnwTeUShZIZz8fAkQR0tgCe4GLSEY=rw-w20-h20 - HIER_DIRECT/192.168.77.253 -
1410777477.778   9000 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://lh6.ggpht.com/xR8CnvQDNJorg76Y0JUWpKppG4TNZf10n8SM6EssuBmafp2L4wfKxpV4umLBziEkjg=rw-w102-h102 - HIER_DIRECT/192.168.77.253 -

From cache.log
Code:
2014/09/15 17:52:44 kid1| Starting Squid Cache version 3.3.11 for amd64-portbld-freebsd9.3...
2014/09/15 17:52:44 kid1| Process ID 2127
2014/09/15 17:52:44 kid1| Process Roles: worker
2014/09/15 17:52:44 kid1| With 109341 file descriptors available
2014/09/15 17:52:44 kid1| Initializing IP Cache...
2014/09/15 17:52:44 kid1| DNS Socket created at [::], FD 7
2014/09/15 17:52:44 kid1| DNS Socket created at 0.0.0.0, FD 8
2014/09/15 17:52:44 kid1| Adding nameserver 192.168.77.1 from /etc/resolv.conf
2014/09/15 17:52:44 kid1| Adding nameserver 8.8.8.8 from /etc/resolv.conf
2014/09/15 17:52:44 kid1| Adding nameserver 221.132.112.8 from /etc/resolv.conf
2014/09/15 17:52:44 kid1| Logfile: opening log daemon:/var/log/squid/access.log
2014/09/15 17:52:44 kid1| Logfile Daemon: opening log /var/log/squid/access.log
2014/09/15 17:52:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/09/15 17:52:44 kid1| WARNING: no_suid: setuid(0): (1) Operation not permitted
2014/09/15 17:52:45 kid1| Unlinkd pipe opened on FD 14
2014/09/15 17:52:45 kid1| Store logging disabled
2014/09/15 17:52:45 kid1| Swap maxSize 83886080 + 65536 KB, estimated 6457816 objects
2014/09/15 17:52:45 kid1| Target number of buckets: 322890
2014/09/15 17:52:45 kid1| Using 524288 Store buckets
2014/09/15 17:52:45 kid1| Max Mem  size: 65536 KB
2014/09/15 17:52:45 kid1| Max Swap size: 83886080 KB
2014/09/15 17:52:45 kid1| Rebuilding storage in /var/squid/cache/squid (clean log)
2014/09/15 17:52:45 kid1| Using Least Load store dir selection
2014/09/15 17:52:45 kid1| Current Directory is /var/squid
2014/09/15 17:52:45 kid1| Loaded Icons.
2014/09/15 17:52:45 kid1| HTCP Disabled.
2014/09/15 17:52:45 kid1| Squid plugin modules loaded: 0
2014/09/15 17:52:45 kid1| Adaptation support is off.
2014/09/15 17:52:45 kid1| Accepting HTTP Socket connections at local=[::]:3129 remote=[::] FD 17 flags=9
2014/09/15 17:52:45 kid1| Accepting NAT intercepted HTTP Socket connections at local=192.168.77.253:3128 remote=[::] FD 18 flags=41
2014/09/15 17:52:45 kid1| Done reading /var/squid/cache/squid swaplog (7 entries)
2014/09/15 17:52:45 kid1| Finished rebuilding storage from disk.
2014/09/15 17:52:45 kid1|         7 Entries scanned
2014/09/15 17:52:45 kid1|         0 Invalid entries.
2014/09/15 17:52:45 kid1|         0 With invalid flags.
2014/09/15 17:52:45 kid1|         7 Objects loaded.
2014/09/15 17:52:45 kid1|         0 Objects expired.
2014/09/15 17:52:45 kid1|         0 Objects cancelled.
2014/09/15 17:52:45 kid1|         0 Duplicate URLs purged.
2014/09/15 17:52:45 kid1|         0 Swapfile clashes avoided.
2014/09/15 17:52:45 kid1|   Took 0.02 seconds (429.05 objects/sec).
2014/09/15 17:52:45 kid1| Beginning Validation Procedure
2014/09/15 17:52:45 kid1|   Completed Validation Procedure
2014/09/15 17:52:45 kid1|   Validated 7 Entries
2014/09/15 17:52:45 kid1|   store_swap_size = 80.00 KB
2014/09/15 17:52:46 kid1| storeLateRelease: released 0 objects

Thanks in advance
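The pattern in the access.log above can be picked out mechanically. This is an added example, not code from the thread: it parses lines in Squid's default "squid" log format and flags requests whose next hop (the HIER_DIRECT/... field) is the proxy's own address, i.e. Squid connecting back to itself, which is what the aborted entries show. The sample lines are constructed; the proxy address 192.168.77.253 is the one from the post.

```python
import re

PROXY_ADDR = "192.168.77.253"  # the proxy's own address, taken from the post

# Constructed sample lines modelled on the ones quoted above (not the real file).
# The third line is a healthy request to a real origin, for contrast.
SAMPLE_LOG = """\
1410777456.657    992 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://example.test/a.png - HIER_DIRECT/192.168.77.253 -
1410777458.708   3006 192.168.88.148 TCP_MISS_ABORTED/000 0 GET http://example.test/b.png - HIER_DIRECT/192.168.77.253 -
1410777460.100     45 192.168.88.148 TCP_MISS/200 5120 GET http://example.test/ok.html - HIER_DIRECT/203.0.113.10 -
"""

# Fields of the default "squid" logformat:
# time elapsed client result/status bytes method url user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[A-Z_]+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

def parse_line(line):
    """Return the fields of one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_self_forwarding(log_text, proxy_addr):
    """Entries where Squid picked itself as the next hop (HIER_DIRECT/<own IP>).
    For intercepted traffic that means the original destination was not
    recovered and the request went back into the intercept socket: a loop."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["hier"] == "HIER_DIRECT" and e["peer"] == proxy_addr:
            hits.append(e)
    return hits

def summarize(log_text, proxy_addr):
    """Count looping requests, how many of them aborted, and which clients hit it."""
    hits = find_self_forwarding(log_text, proxy_addr)
    return {
        "looping_requests": len(hits),
        "aborted": sum(1 for e in hits if e["result"].endswith("_ABORTED")),
        "clients": sorted({e["client"] for e in hits}),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, PROXY_ADDR))
```

Run it against the real file with `summarize(open("/var/log/squid/access.log").read(), PROXY_ADDR)`; a non-zero count with the proxy's own address as peer is the signature to look for before touching the pf rule.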
 
The above configuration works only if I use it through the browser proxy configuration.
Please do let me know if anyone here is able to use Squid 3.4.x or 3.3.x as a transparent proxy under FreeBSD with PF on a machine with 1 or 2 NICs.

Note: I have tried Squid 2.7.9 and it works as a transparent proxy without any pf configuration.
 
I do use Squid and PF just not as a transparent proxy. Since 3.4 is out and is going to be the supported version going forward, taking a look at that is probably the way to go. The Freshports history at www/squid shows that there was a fix a few days ago for working transparently with PF. The commit message references PR 193705 @ https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193705 where it seems like there is some useful discussion on configuring transparent proxy and giving Squid some access to /dev/pf so it gets the extra info it needs.
 
For squid33 you must use the directive "intercept", not "transparent", with e.g. port 3129.
So just replace your line in the /usr/local/etc/squid.conf that reads "http_port transparent 3128" with "http_port intercept 3129".
See http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf for reference.

Your existing pf rule should end with 3129 instead of 3128 like so:
Code:
rdr pass inet proto tcp from 192.168.88.0/24 to any port 80 -> 192.168.77.253 port 3129
 
Somehow intercept is not working for Squid 3.4.x, so I use vhost accel redirect.
 
alie: You can have both lines in your /usr/local/etc/squid.conf:

Code:
# normal connections to squid like from browsers
# with http_proxy set connect to the standard squid
http_port 3128
# intercepted connections point to this port
http_port intercept 3129
So you have two ports active: one for the traffic from well-configured clients/browsers on 3128, and one for the traffic intercepted through PF on 3129. Maybe this changes it. I just realized that only one port is mentioned in your /var/log/squid/cache.log.
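The replies above amount to one consistency rule: the port that the pf rdr rule redirects to must be an http_port that Squid runs in intercept mode. This added checker (not from the thread or the Squid project) parses the old-style pf `rdr` rule and the `http_port` lines and reports any mismatch; the config fragments are constructed from the snippets quoted in the thread and are assumptions, not the poster's real files.

```python
import re

# Constructed fragments: the pf rule from the first post and the two http_port
# lines from the last reply. Together they reproduce the original mismatch.
PF_CONF = """\
int_if="em0"
rdr pass inet proto tcp from 192.168.88.0/24 to any port 80 -> 192.168.77.253 port 3128
block in
pass in quick on $int_if
pass out keep state
"""
SQUID_CONF = """\
http_port 3128
http_port intercept 3129
"""

# Old-style pf 'rdr ... -> addr port N' rule, the syntax used on FreeBSD 9.x.
RDR_RE = re.compile(r"^rdr\b.*?->\s*(?P<addr>\S+)\s+port\s+(?P<port>\d+)")
# A port token in http_port: '3129' or 'addr:3129'.
PORT_TOKEN_RE = re.compile(r"^(?:[\w.\[\]:]*:)?(?P<port>\d+)$")

def parse_rdr_targets(pf_text):
    """(address, port) pairs that pf hands redirected traffic to."""
    out = []
    for line in pf_text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            out.append((m.group("addr"), int(m.group("port"))))
    return out

def parse_http_ports(squid_text):
    """Map each http_port number to 'intercept', 'transparent' or 'forward'.
    Accepts the documented 'http_port 3129 intercept' order as well as the
    keyword-first order quoted in the thread."""
    ports = {}
    for line in squid_text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "http_port":
            continue
        port = next((int(m.group("port")) for m in map(PORT_TOKEN_RE.match, tokens[1:]) if m), None)
        if port is None:
            continue
        ports[port] = ("intercept" if "intercept" in tokens
                       else "transparent" if "transparent" in tokens else "forward")
    return ports

def check(pf_text, squid_text):
    """Return the problems found; an empty list means pf and squid agree."""
    problems = []
    ports = parse_http_ports(squid_text)
    for addr, port in parse_rdr_targets(pf_text):
        mode = ports.get(port)
        if mode is None:
            problems.append(f"pf redirects to {addr}:{port} but squid does not listen there")
        elif mode != "intercept":
            problems.append(f"pf redirects to {addr}:{port} but that port is '{mode}', not 'intercept'")
    return problems
```

With the fragments as written it reports that 3128 is a plain forward-proxy port; changing the rdr target to port 3129 makes it pass.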
 