After reboot squit does not block sites
-
Hi
I'm running pfSense on a box with 5 NICs, 3 WAN & 2 LAN.
I've set up the firewall rules with load balancing and everything works as expected.
When I install squid and do a basic configuration as a transparent proxy (just the basic options and a domain in the blacklist) I have a problem.
The blocking works until I restart the box.
Then, until I go to the squid setup page and just click save, squid seems non-existent (no blocking; load balancing working; specific gateways (other than the default) for specific hosts working).
Currently I am running 1.2.3-RC1 built on Mon May 4 16:25:47 EDT 2009, but I had the same problem with 1.2.2.
Is there something that I forgot to do, expected behavior with my setup (so I need to move squid to a different box), or a bug?
Thanks
Stephanos
-
As far as I know, squid does not work in transparent mode in multiple LAN setups; that may be causing your problem.
-
We have a production box that is running squid transparently and blocking sites with two LAN connections. The setup that is not possible is transparent proxy with more than 1 WAN connection…
-
Actually the problem seems to be that on boot the squid rules are not created.
/tmp/rules.debug does not contain any rules for squid.
These are the missing lines from rules.debug:
```
diff rules.debug /root/rules.debug
82,87d81
<
< # Setup Squid proxy redirect
< no rdr on em0 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
< no rdr on em0 proto tcp from { 10.0.0.242, 10.0.0.30 } to any port 80
< rdr on em0 proto tcp from any to !(em0) port 80 -> 127.0.0.1 port 80
<
94,97d87
< # Setup squid pass rules for proxy
< pass in quick on em0 proto tcp from any to !(em0) port 80 flags S/SA keep state
< pass in quick on em0 proto tcp from any to !(em0) port 3128 flags S/SA keep state
<
220d209
< pass in quick on $lan from { 10.0.0.30 } to any keep state label "USER_RULE: VM Testing"
```

After hitting the save button on any page that reruns filter.inc, the rules are created. I have done some testing with a VM image with the basic config (1 LAN, 1 WAN) and the problem exists when snort is also installed.
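A boot-time check for the gap described in this post, added here as an example and not taken from pfSense or from anyone in the thread. It asks pf itself rather than the GUI, because when the rdr line is absent port-80 traffic is simply not redirected: the proxy is bypassed, the blacklist fails open, and nothing in the web interface shows it. It assumes the LAN interface is em0 and squid's transparent port is 127.0.0.1:80, as in the rules.debug excerpt above, and that /etc/rc.filter_configure is the script that reruns filter.inc (an assumption; substitute whatever reruns the filter on your version). The pfctl output embedded in it is constructed for the example, not captured from the box.

```shell
#!/bin/sh
# Added example, not pfSense project code: after boot, verify from pf itself
# that the squid transparent-proxy redirect is loaded. If the rdr is missing,
# port-80 traffic is not proxied at all and the blacklist fails open, and the
# GUI gives no hint of it.
#
# Assumptions (taken from the rules.debug excerpt in this thread):
#   - the LAN interface is em0 and squid's transparent port is 127.0.0.1:80
#   - /etc/rc.filter_configure is the script that reruns filter.inc (assumed)

LAN_IF="${LAN_IF:-em0}"
PROXY_HOST="${PROXY_HOST:-127.0.0.1}"

# squid_rdr_present NAT_RULES_TEXT
# Exit 0 when the output of `pfctl -sn` holds an active rdr on the LAN
# interface whose target is the proxy. The "no rdr" exception lines never
# match because they do not start with "rdr".
squid_rdr_present() {
    printf '%s\n' "$1" |
        grep "^rdr on $LAN_IF " |
        grep -qE -- "-> $PROXY_HOST port (80|http)\$"
}

# squid_pass_present FILTER_RULES_TEXT
# Exit 0 when the output of `pfctl -sr` holds the matching pass rule for
# port 80 on the LAN interface (pfctl prints the port as "http" or "80").
squid_pass_present() {
    printf '%s\n' "$1" |
        grep "^pass in quick on $LAN_IF " |
        grep -qE 'port = (http|80)'
}

# proxy_state NAT_RULES_TEXT FILTER_RULES_TEXT
# Prints one word: ok, no-rdr (redirect absent, proxy bypassed) or no-pass.
proxy_state() {
    if ! squid_rdr_present "$1"; then
        echo "no-rdr"
    elif ! squid_pass_present "$2"; then
        echo "no-pass"
    else
        echo "ok"
    fi
}

# Constructed samples in pfctl's print format (not captured from a real box).
# State after clicking Save in the squid page: redirect and pass rules loaded.
NAT_AFTER_SAVE='no rdr on em0 inet proto tcp from any to 10.0.0.0/8 port = http
no rdr on em0 inet proto tcp from 10.0.0.30 to any port = http
rdr on em0 inet proto tcp from any to ! (em0) port = http -> 127.0.0.1 port 80'
FILTER_AFTER_SAVE='pass in quick on em0 inet proto tcp from any to ! (em0) port = http flags S/SA keep state
pass in quick on em0 inet proto tcp from any to ! (em0) port = 3128 flags S/SA keep state'
# State after the reboot described in the thread: the squid lines are absent.
NAT_AFTER_BOOT='nat on em1 inet from 10.0.0.0/24 to any -> (em1)'
FILTER_AFTER_BOOT='pass in quick on em0 inet from 10.0.0.0/24 to any flags S/SA keep state'

# Live mode runs only when asked for, so the functions can be sourced and
# tested on a machine without pf. Usage on the firewall:
#   sh squid_rdr_check.sh --live            # report only
#   sh squid_rdr_check.sh --live --reload   # rerun the filter if rules are missing
if [ "${1:-}" = "--live" ]; then
    state=$(proxy_state "$(pfctl -sn)" "$(pfctl -sr)")
    echo "squid transparent proxy: $state"
    if [ "$state" != "ok" ] && [ "${2:-}" = "--reload" ]; then
        /etc/rc.filter_configure   # assumed path; same effect as clicking Save
    fi
fi
```

Run it from cron or from a shellcmd entry shortly after boot; the point is that the verdict comes from `pfctl -sn` and `pfctl -sr`, the rules pf is actually enforcing, not from the package's own status page.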
-
I'm not sure whether it's related or not, but I have also noticed that kind of behaviour with squid/lightsquid. Yesterday I uninstalled several packages, in an effort to stabilize my box (which has been plagued with various problems related to some packages), and after that (today) I noticed that the lightsquid report had nothing from this day. All days before were full of logged activity as usual. This happened even though I didn't touch anything in either squid or lightsquid when performing those uninstalls.
What I did then was some kind of weird routine of re-saving on some pages, pressing the 'refresh' button on the lightsquid page and checking the output over and over, and also re-saving stuff (not adding or altering anything) in the squid section. Then all of a sudden it was alive again and I'm not sure what exactly did the trick.
Cheers,
-
Are you also running snort on that box?
To me it seems squid and snort don't play nice together.
-
No, I'm not. I did, however, at one time install snort and then uninstall it. I've seen "snort" mentioned somewhere in XML or something. So I'm not using snort, nor do I have it installed right now.
Cheers,