Squid Returned to Packages *** PLEASE TEST ***

superwutze

coredumps here too

latest snapshot and p10 and only "pid xxxx (squid), uid 0: exited on signal 6 (core dumped)"

pkg uninstalled, used pkg_delete to remove both squid-packages, 'find / -name "squid"' and all deleted and even removed all squid lines from /cf/conf/config.xml but it stays the same.

my pkg_info shows the following:

bsdinstaller-2.0.2006.0728 BSD Installer mega-package
cpdup-1.05          A comprehensive filesystem mirroring program
lighttpd-1.4.13     A secure, fast, compliant, and very flexible Web Server
lua-5.0.2_1         Small, compilable scripting language providing easy access
openldap-client-2.3.24 Open source LDAP client implementation
openldap-client-2.3.30 Open source LDAP client implementation
openntpd-3.7p1,2    OpenBSD's Network Time Protocol daemon
pcre-6.7            Perl Compatible Regular Expressions library
perl-5.8.8          Practical Extraction and Report Language

what packages can safely be removed (dependencies from squid)? maybe there is some old version in there that has to be reinstalled.

AkumaKuruma

any plans to get wildcards working? i.e.  *.blockeddomain.com would block www.blockeddomain.com and ftp.blockeddomain.com

or is this something outside the scope of what the default squid package can do?

as for testing P10, I cant get it to work except for having all fields have an entry in them. I have to have dummy information in the top 3 fields (using 192.168.255.0/24 block since my network isnt). so as far as i can tell, P10 doesnt fix anything and runs identical to P9

mhab12

I know 'wildcards' worked in p9.  I was able to enter google.com in the blacklist and was unable reach any destination at google (i.e. mail.google.com, maps.google.com, etc.)  I tried others that I knew had many subdomains and got the same result.  That said, true wildcards were not working as they used to.  You can not enter an * in the blacklist and only allow the whitelist.  Haven't had a chance to try out p10.

As far as ftp goes, I believe Squid is an HTTP proxy only.  Things like ftp.host.com (i assume you meant the ftp protocol) would circumvent any sort of blacklisting that was actually working.  I too would like something that could block traffic on all protocols (i.e. external proxies, remote desktop, ftp, etc.) but for now I think our only option is Squid or the captive portal (which has other limitations).

databeestje

Then it's not p10 you are running.

I have tested this on 3 different machines, and I have just reinstalled the package from the package screen. And on all of those I see no core dumps and it works with empty fields.

Are you using reinstall xml gui components or reinstall package? Since there are 2 icons to choose from.
I use the former. If you deinstall the package and then install it again that works all the same.
No need to remove packages from the CLI. I have not required it.

With regards to the blacklisting I employ a dstdomain match. so .domain.com would match all subdomains of domain.com. So no * is required. we are using dstdom regex matching for the black and whitelist.

Mikhail:
If the general settings page barks at you that you need to configure a setting. CONFIGURE A SETTING.
It's there for a reason and I really don't care that you think that you don't need it.

jahonix

@databeestje:

If the general settings page barks at you that you need to configure a setting. CONFIGURE A SETTING.

OK, please help me out here.
Which setting is required when the log says:

kernel: pid 93017 (squid), uid 0: exited on signal 6 (core dumped)
squid: No port defined

The only port I can imagine is the proxy port and that one is set to 3128.
Transparent mode is disabled currently since squid doesn't start and this would be quite … unproductive ;-)
What else can I do?

Thanks for your input!

Mikhail

I just installed v.11 - it still does't work… again problems with general settings page :'(

databeestje

And have you put in a log location field?
e.g. /var/squid/log ?

databeestje

If the general settings page complains even after providing all required fields I can troubleshoot this.

I have just committed version p13. Warning, the config format for a number of fields has changed. They should be migrated automatically. If they are not, try reinstalling the package again. When I tested this I needed 2 attempts after which it succesfully migrated the fields.

databeestje

and p14 which might actually migrate the config correctly.

AkumaKuruma

When i did the upgrade to P10, i selected to reinstall the whole package. it ran at first and had automatically deleted entries in the allowed subnets and whitelist field but was blocking pages i told it too. as soon as i deleted the entries in the other fields that were still dummy information, it stopped working. replacing the data had no effect and it went down hill from there. I'll fully delete and install the latest version tonight to see how it does.

I'll say this, when i can get it to read the config file right, it DOES work though so keep up the good work of sorting out the bugs. This is one of the packages that almost everyone is looking forward to be finalized.

the www. and ftp.blockeddomain.com were just example subdomains that jumped to mind. I wasnt refering to handling FTP traffic thru squid

Mikhail

@databeestje:

And have you put in a log location field?
e.g. /var/squid/log ?

Yes. I am using p14. Now one error exists:You can not run squid on the same port as the webgui.
And
Jan 17 18:48:01 kernel: pid 60080 (squid), uid 0: exited on signal 6 (core dumped)
Jan 17 18:48:01 squid: No port defined

in system logs…

AkumaKuruma

move your GUI to a different port. that issue has been around for a while and is pretty easily rectified.

databeestje

I have a hunch. If you enable transparent mode, does it still complain then?

Note: if squid is not running, no filter rules will be installed that redirect the traffic.

bender

woo woo - nice work databeestje - we are getting there  :)

Testing using pfSense 1.0.1-SNAPSHOT-12-28-2006 and squid 2.6.5_1-p14 running in transparent mode - I did a bare metal reinstall of everything just to be sure.

@bender:

…my squid.conf line 17 now unexpectedly reads:

Allow local network(s) on interface(s)

This is fixed  :)

@bender:

2007/01/11 04:01:44| ACL name 'whitelist' not defined!
FATAL: Bungled squid.conf line 65: http_access allow whitelist

This is fixed  :)  Blank entries now work in all sections

Blacklists now work nicely - including wildcards such as "google.com" or "ru" (no offence Russia!)

Hooray  :)

Whitelists don't work for me, but I think that the fix is an easy one:

The following lines always appear in my squid.conf: (near the bottom)

Allow local network(s) on interface(s)

http_access allow localnet

These lines should be there when there is no whitelist, but I suspect that these lines should be deleted when a whitelist exists? Otherwise this rule seems to allow access to any url, even those that haven't been specified in the whitelist. If I manually comment out this line, then whitelists seem to work perfectly - i.e. users can only browse those sites specified in the whitelist as expected.

Sorry for all the smilies, but /me is happy today  ;D

databeestje

Verified. When you do not enable transparent mode it cores ….  ::)

databeestje

When you disable "allow traffic from interface" this alias goes away and would then rely on the whitelist.

At least the last time I tested this.

databeestje

no transparent mode core dump fixed

jahonix

Even with 2.6.5_1-p14 I get:

Jan 17 17:05:02 kernel: pid 2146 (squid), uid 0: exited on signal 6 (core dumped)
Jan 17 17:05:02 squid: No port defined
Jan 17 17:04:47 php: : SQUID is installed but not started. Not installing redirect rules.

The service is marked as stopped.

My WebGUI port ist HTTPs on 445 and squid is set to 3128. Not likely they interfere.
What else can I watch out for?

Mikhail

Squid p15 started!!!

bender

@databeestje:

When you disable "allow traffic from interface" this alias goes away and would then rely on the whitelist.

Okay, when I uncheck: "Allow users on interface" on the General settings tab, the:

Allow local network(s) on interface(s)

http_access allow localnet

entries do get removed from squid.conf as you thought.

At that point however, my whitelists and blacklists stop working altogether for some reason. What .conf files get updated when that setting is unchecked? I have compared squid.conf before and after, and all the other settings seems to be the same.

I also tried adding my subnet info in the: "Allowed subnets" section on the "Access control" tab - acls still don't work