understood
clamav radomly stops working for me. makes it useless.

There shouldn't be any softlink to that anywhere (and for sure isn't created by adding a dummy target category). As said, it just doesn't make sense.

Ok, I dump some of the traffic and think I find the problem:

Client 1.1.1.1
Server 2.2.2.2

Here is the dump for a listing in passive mode:

17:51:56.209388 IP 1.1.1.1.34966 > 2.2.2.2.58523: Flags [s], seq 367546487, win 29200, options [mss 1460,sackOK,TS val 438097740 ecr 0,nop,wscale 7], length 0 17:51:56.228354 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811246550 ecr 438097740,nop,wscale 3], length 0 17:51:56.228379 IP 1.1.1.1.34966 > 2.2.2.2.38538: Flags [R], seq 367546488, win 0, length 0 17:51:57.207804 IP 1.1.1.1.34966 > 2.2.2.2.58523: Flags [s], seq 367546487, win 29200, options [mss 1460,sackOK,TS val 438097990 ecr 0,nop,wscale 7], length 0 17:51:57.216513 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811246650 ecr 438097740,nop,wscale 3], length 0 17:51:57.216579 IP 1.1.1.1.34966 > 2.2.2.2.38538: Flags [R], seq 367546488, win 0, length 0 17:51:59.211787 IP 1.1.1.1.34966 > 2.2.2.2.58523: Flags [s], seq 367546487, win 29200, options [mss 1460,sackOK,TS val 438098491 ecr 0,nop,wscale 7], length 0 17:51:59.240789 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811246850 ecr 438097740,nop,wscale 3], length 0 17:51:59.240815 IP 1.1.1.1.34966 > 2.2.2.2.38538: Flags [R], seq 367546488, win 0, length 0 17:51:59.812596 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811246910 ecr 438097740,nop,wscale 3], length 0 17:51:59.812651 IP 1.1.1.1.34966 > 2.2.2.2.38538: Flags [R], seq 367546488, win 0, length 0 17:52:03.215791 IP 1.1.1.1.34966 > 2.2.2.2.58523: Flags [s], seq 367546487, win 29200, options [mss 1460,sackOK,TS val 438099492 ecr 0,nop,wscale 7], length 0 17:52:03.224268 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811247251 ecr 438097740,nop,wscale 3], length 0 17:52:03.224288 IP 1.1.1.1.34966 > 2.2.2.2.38538: Flags [R], seq 367546488, win 0, length 0 17:52:05.812505 IP 2.2.2.2.38538 > 1.1.1.1.34966: Flags [S.], seq 3116512794, ack 367546488, win 5792, options [mss 1460,sackOK,TS val 811247510 ecr 438097740,nop,wscale 3], length 0 The client initiates the connection from port 34966 to 58523\. But the answer come from port 38538 and not port 58523\. So the client send a RST and retransmit.. A bug in the package? Any ideas? We really need a working ftp helper implementation for our customers :-/ Thx! [/s][/s][/s][/s]

Thanks, Doktornotor.

the process of removing the package from the web interface is actually removes all or reference files for future installations.

How can I do to remove the package from the command line?

Any help/thoughts/suggestions??

Not possible with just Squid/squidGuard.  If these people have the right to bypass restrictions when they feel like it, why are you restricting them in the first place?

But I do not have all day every day to sit and white list sites that our teaching staff need access to.

Sometimes this is the only way.  I can't believe it's that many sites, nor should they change that much that it would require you to spend a lot of time maintaining a whitelist.  If you use squidGuard with blacklists, you can check the URL against the blacklist to see which category it falls under (if any) and then allow just those users to access that category of sites.

Fix for me too!
Thanks!  8)

You'd be best off using a separate Squid/Dansguardian server running internally than using the PFS for your proxy. That way you can incorporate AD into the proxy's authentication service and your popups will no longer be a problem.

http://www.petespcs.co.uk/2011/10/dans-guardian-and-ntlm-from-active-directory/

Hi Carlo,

I've been playing with it a bit think this might help.
By putting the config setting below in the advanced settings of haproxy would allow socket access to users in the admins group:

stats socket /tmp/haproxy.adminsocket group admins mode 0020 level admin echo "show sess" | socat stdio /tmp/haproxy.adminsocket

That way at least the sudo wouldn't be needed.

Regards
PiBa-NL

Squid 2.7 is dead broken crap. Stop using it. (If some of the developers chimes in here and tells you otherwise, I still am telling you it's dead broken shit that shouldn't be touched with a 10ft pole.)

-Squid General Settings
–- Proxy Interface(s) (LAN, OPT1, OPT2, selected)
--- Allow Users on Interface (unchecked)

-ACLs
---Allowed Subnets (added  LAN, OPT1, OPT2 adresses)

Not sure why you're doing it that way.  Why not just check the Allow Users on Interface box and not bother with the Allowed Subnets?  They are one and the same.

I've been playing around with the squid settings and have been able to get it to work on my setup using the tcp_outgoing_address setting in the custom ACL (before auth) option under Proxy Server: General Settings. This only works provided you have a static address for the VPN interface.

acl vpn_clients src 192.168.1.5 192.168.1.9  192.168.2.14/31 #replace with corresponding ip addresses for you src clients going via VPN tcp_outgoing_address 172.10.10.10 vpn_clients #replace with IP of VPN interface

You will also need to add a firewall rule on your LAN interface to route traffic for these source IP addresses via the VPN so that HTTPS is also routed via the proxy.

Make a config backup (or even a full backup) and try for yourself, perhaps. It should work now without breaking the CP. Did not test, don't have a use case for this. (Plus, obviously the method of patching core system files sucks.) :D

Yeah, when things are screwed in the start, it becomes a giant PITA to fix later. I never got to doing anything but random bugfixes with this package. The code gives me headaches realiably, cannot make myself finish anything there. Getting lost over and over again.

P.S. We have tons of "ridiculous" characters in my language as well (ěščřžýáíéďťňúůó). You just get used to avoid them in places where it might cause trouble. This stuff just causes headaches and lots of additional work with computers. There still are much worse languages though even in Europe, e.g. setting your locale to things like et-EE is a great way to cause tons of unexpected compile issues and cryptic bugs – such as totally unexpected values because of failed regexp matching.

So I managed to get everything working.  It is very doable to get a transparent proxy working without directly routed subnets being on the pfSense.  The issue that was blocking me were some of the rules on my FW, specifically traffic shaping.  It seems like that rule was taking precedence over the transparent proxy settings and because of this, the traffic never reached the "Remote Cache" server.

I'm up and running now.

No, it won't be fixed until 2.3 is out and PBI shit is gone. You have a postinstall note there and instructions in the GUI.

Hi Dok,

Yes, some downloads from Apple.com and others, but mostly browsing traffic as far as I can tell…

Seems to work fine on my end since your fix...

Below here are some screenies from our prod servers. :)

sqstat-01.jpg
sqstat-01.jpg_thumb
sqstat-02.jpg
sqstat-02.jpg_thumb

Nice waste of time.