Squid can't work
-
Please post output of pfctl -vvsr
netstat -aihf link
-
pfctl -vvsr
@0 scrub in on em2 all fragment reassemble [ Evaluations: 253 Packets: 36 Bytes: 200 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@1 scrub in on em0 all fragment reassemble [ Evaluations: 177 Packets: 80 Bytes: 1910 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@2 scrub in on em1 all fragment reassemble [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@0 pass in quick on em0 inet proto tcp from any to 192.168.0.1 port = 8000 flags S/SA keep state (sloppy) [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@1 pass in quick on em0 inet proto tcp from any to 192.168.0.1 port = 8001 flags S/SA keep state (sloppy) [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@2 pass out quick on em0 inet proto tcp from 192.168.0.1 port = 8000 to any flags S/SA keep state (sloppy) [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@3 pass out quick on em0 inet proto tcp from 192.168.0.1 port = 8001 to any flags S/SA keep state (sloppy) [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@4 anchor "relayd/*" all [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@5 block drop in log all label "Default deny rule" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@6 block drop out log all label "Default deny rule" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@7 block drop in quick inet6 all [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@8 block drop out quick inet6 all [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@9 block drop quick proto tcp from any port = 0 to any [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@10 block drop quick proto tcp from any to any port = 0 [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@11 block drop quick proto udp from any port = 0 to any [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@12 block drop quick proto udp from any to any port = 0 [ Evaluations: 7 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@13 block drop quick from <snort2c:0> to any label "Block snort2c hosts" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@14 block drop quick from any to <snort2c:0> label "Block snort2c hosts" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@15 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@16 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = 8080 label "webConfiguratorlockout" [ Evaluations: 3 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@17 block drop in quick from <virusprot:0> to any label "virusprot overload table" [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@18 block drop in on ! em2 inet from 172.17.1.140/30 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@19 block drop in inet from 172.17.1.141 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@20 block drop in on ! em0 inet from 192.168.0.0/23 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@21 block drop in inet from 192.168.0.1 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@22 block drop in on em2 inet6 from fe80::21b:21ff:fe17:2d67 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@23 block drop in on em0 inet6 from fe80::21b:21ff:fe17:2d64 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@24 pass in on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@25 pass in on em0 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@26 pass out on em0 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server" [ Evaluations: 7 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@27 block drop in on ! em1 inet from 172.20.211.0/24 to any [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@28 block drop in inet from 172.20.211.254 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@29 block drop in on em1 inet6 from fe80::21b:21ff:fe08:f738 to any [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@30 pass in on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@31 pass out on lo0 all flags S/SA keep state label "pass loopback" [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@32 pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@33 pass out route-to (em2 172.17.1.142) inet from 172.17.1.141 to ! 172.17.1.140/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself" [ Evaluations: 4 Packets: 8 Bytes: 1510 States: 4 ] [ Inserted: uid 0 pid 46236 ]
@34 pass in quick on em0 proto tcp from any to (em0:2) port = 8080 flags S/SA keep state label "anti-lockout rule" [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@35 pass in quick on em0 proto tcp from any to (em0:2) port = ssh flags S/SA keep state label "anti-lockout rule" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@36 pass in inet all flags S/SA keep state label "NAT REFLECT: Allow traffic to localhost" tagged PFREFLECT [ Evaluations: 10 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@37 pass in log quick on em2 reply-to (em2 172.17.1.142) inet from <safeweb:21> to 192.168.0.0/23 flags S/SA keep state label "USER_RULE: SafeWeb in" [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@38 pass in log quick on em2 reply-to (em2 172.17.1.142) inet from any to <remote:13> flags S/SA keep state label "USER_RULE: any2 remote" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@39 block drop in log quick on em2 reply-to (em2 172.17.1.142) inet from any to <block_lan:4> label "USER_RULE: block any2 block_lan" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@40 pass in log quick on em2 reply-to (em2 172.17.1.142) inet proto tcp from any to <web:1> port = http flags S/SA keep state label "USER_RULE: Web" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@41 pass in log quick on em2 reply-to (em2 172.17.1.142) inet proto tcp from any to 192.168.1.2 port = hosts2-ns flags S/SA keep state label "USER_RULE: NAT " [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@42 block drop in log quick on em2 reply-to (em2 172.17.1.142) inet all label "USER_RULE: block wan 2 any" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@43 pass in log quick on em1 all flags S/SA keep state label "USER_RULE: DMZ-> any" [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@44 pass in log quick on em0 from <remote:13> to any flags S/SA keep state label "USER_RULE: remote 2 any" [ Evaluations: 6 Packets: 19 Bytes: 1535 States: 5 ] [ Inserted: uid 0 pid 46236 ]
@45 block drop in log quick on em0 from <block_lan:4> to any label "USER_RULE: block_lan 2 any" [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@46 block drop in log quick on em0 from any to <block_wan:45> label "USER_RULE: LAN 2 block Web" [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@47 block drop in log quick on em0 from any to <flv_site:29> label "USER_RULE: LAN 2 block flv Web" [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@48 pass in log quick on em0 inet from 192.168.0.0/23 to <safeweb:21> flags S/SA keep state label "USER_RULE: LAN 2 Safe Web" [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@49 pass in log quick on em0 inet proto udp from any to 192.168.0.1 port = domain keep state label "USER_RULE: NAT " [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@50 pass in log quick on em0 inet proto tcp from 192.168.0.0/23 to any port = http flags S/SA keep state label "USER_RULE: HTTP" [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@51 pass in log quick on em0 inet proto tcp from 192.168.0.0/23 to any port = https flags S/SA keep state label "USER_RULE: HTTPS" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@52 pass in log quick on em0 proto tcp from <yey:3> to <yeyoa:1> port = 8008 flags S/SA keep state label "USER_RULE: yey OA" [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@53 block drop in quick on em0 all label "USER_RULE: block LAN 2 any" [ Evaluations: 1 Packets: 1 Bytes: 33 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@54 anchor "tftp-proxy/*" all [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@55 anchor "miniupnpd" all [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@56 pass in quick on em0 proto tcp from any to ! (em0:2) port = http flags S/SA keep state [ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
@57 pass in quick on em0 proto tcp from any to ! (em0:2) port = 3128 flags S/SA keep state [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] [ Inserted: uid 0 pid 46236 ]
netstat -aihf link
Name Mtu Network Address Ipkts Ierrs Idrop Opkts Oerrs Coll
em0 1500 <Link#1> 00:1b:21:17:3e:96 35K 0 0 49K 0 0
  33:33:18:61:20:ce 5231 4
  33:33:00:00:00:01 5231 4
  33:33:ff:17:2d:64 5231 4
  01:00:5e:00:00:01 5231 4
em1 1500 <Link#2> 00:1b:21:48:c7:e8 52K 0 0 32K 0 0
  33:33:18:61:20:ce 135 3
  33:33:00:00:00:01 135 3
  33:33:ff:08:f7:38 135 3
  01:00:5e:00:00:01 135 3
em2 1500 <Link#3> 00:1b:21:47:3e:57 74K 0 0 86K 0 0
  33:33:18:61:20:ce 0 3
  33:33:00:00:00:01 0 3
  33:33:ff:17:2d:67 0 3
  01:00:5e:00:00:01 0 3
pflog0* 33128 <Link#4> 0 0 0 3.9K 0 0
enc0* 1536 <Link#5> 0 0 0 0 0 0
lo0 16384 <Link#6> 97 0 0 97 0 0
pfsync0* 1460 <Link#7> 0 0 0 0 0 0
ipfw0 65536 <Link#8> 0 0 0 0 0 0
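Added example, not part of the thread: a small parser for the `pfctl -vvsr` counters posted above, so you can see which pass rules have actually matched traffic (here the two transparent-proxy pass rules on em0, @56 and @57, show zero packets). It assumes the output shape shown in the post, a rule line followed by a bracketed Evaluations/Packets/Bytes/States block; the sample text below is constructed from those counters, not a live capture.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `pfctl -vvsr` output; the counter values
# mirror four of the rules quoted in the post above.
SAMPLE = """\
@44 pass in log quick on em0 from <remote:13> to any flags S/SA keep state label "USER_RULE: remote 2 any"
  [ Evaluations: 6         Packets: 19        Bytes: 1535        States: 5     ]
  [ Inserted: uid 0 pid 46236 ]
@53 block drop in quick on em0 all label "USER_RULE: block LAN 2 any"
  [ Evaluations: 1         Packets: 1         Bytes: 33          States: 0     ]
  [ Inserted: uid 0 pid 46236 ]
@56 pass in quick on em0 proto tcp from any to ! (em0:2) port = http flags S/SA keep state
  [ Evaluations: 4         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 46236 ]
@57 pass in quick on em0 proto tcp from any to ! (em0:2) port = 3128 flags S/SA keep state
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 46236 ]
"""

# One rule = "@N <rule text>" followed by its counter block. DOTALL lets the
# same pattern work whether the counters sit on their own line or, as in the
# forum paste, everything has been run together on one line.
RULE_RE = re.compile(
    r"@(?P<idx>\d+)\s+(?P<rule>.*?)\s*\[\s*Evaluations:\s*(?P<evals>\d+)\s+"
    r"Packets:\s*(?P<pkts>\d+)\s+Bytes:\s*(?P<bytes>\d+)\s+States:\s*(?P<states>\d+)\s*\]",
    re.DOTALL,
)

def parse_pfctl_rules(text: str) -> List[Dict]:
    """Return one record per rule: index, normalised rule text and counters."""
    rules = []
    for m in RULE_RE.finditer(text):
        rules.append({
            "index": int(m.group("idx")),
            "rule": " ".join(m.group("rule").split()),
            "evaluations": int(m.group("evals")),
            "packets": int(m.group("pkts")),
            "bytes": int(m.group("bytes")),
            "states": int(m.group("states")),
        })
    return rules

def unused_pass_rules(rules: List[Dict], needle: str) -> List[int]:
    """Indices of pass rules containing `needle` that have never matched a packet."""
    return [r["index"] for r in rules
            if r["rule"].startswith("pass") and needle in r["rule"] and r["packets"] == 0]
```

Zero packets on a pass rule only tells you traffic never reached it; in this thread the cause turned out to be a snapshot patch rather than the ruleset, which is why the rule listing alone could not explain the breakage.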
-
Thank you Jimp for confirming this bug.
Would appreciate a note in the forums when it has been squashed as we are stuck on December 6 build.
Confirmed, it is that patch causing the issue:
http://redmine.pfsense.org/issues/1096
I built an amd64 update without that patch and after upgrading my VM to that image, squid+transparent mode works again.
-
If you want to confirm it for yourself, you could try either one of these updates that I built without the patch in question.
amd64 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101212-2328.tgz
i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz
Use at your own risk, YMMV, etc. :-)
-
Did that test with the i386-image:
First updated via the "normal" update to the snap from Dec 14. Enabled squid transparent and tried to surf to a site: nothing except a timeout. Disabled squid transparent, site loads.
ok.
Now installed your snap from post above and enabled squid transparent. Site loads fine. (tested with another site to eliminate caches.)
It's definitely the change which causes that malfunction of squid.
-
I tried to update with the file: i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz
But with squid transparent enabled, browsing cannot run normally,
and with transparent disabled, browsing works well. So, where is the fault?
:o
-
reply #6, page 1 explains the thing…
-
Thank you,
and thank jimp; page 1 says to check "allow interface" :)
-
Just want to let you know:
This fix works for me on snapshot Dec 14 with squid2 transparent mode:
i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz
-
Hi Jimp - confirm the i386 build without the patch works in transparent mode. Upgraded one box from Dec 6 build.
However the broken console display problem is back. :-\
We were using Dec 6 build where everything works fine - still have that version installed on another box.
-
However the broken console display problem is back. :-\
Do you have a separate thread for that? There has never been a "broken" console display problem that I'm aware of. The console menu was redesigned into a two column format but that's the only change. If that's not it, start a new thread with screenshots or some other reproduction of the "corruption" so it can be looked into on its own.
-
O.K. I've gone ahead and opened a new thread for this problem.
-
I disabled the patch in the repo and have a new snapshot building now. The next new snapshot dated after this update should be OK.
-
Tried tonight's build Dec 15 and Squid still broken.
Reverted to your custom build of yesterday:
http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz
Squid works fine.
-
There isn't a "tonight" build of Dec 15 for i386 yet, it hasn't finished. There is one from 7-ish AM this morning, but that wouldn't have had the fix. (The build of mine you quoted is i386, so I presume you weren't using amd64, there is a fixed build up for that now)
It's still working on NanoBSD images, it'll probably be a while yet before it's uploaded, maybe a couple hours.
-
Is this the latest build today, "pfSense-2.0-BETA4-20101215-1831.iso.gz", the one that makes squid work?
Because I want to use it to make a fresh install on a new system.
-
The latest amd64 build is good, I just tested it. Upgraded my VM and installed squid, and I was able to connect from behind it, confirmed it was doing a transparent redirect (caught it in the access log).
-
Sounds good, I am downloading it now; hope this will work fine. This is my first time trying pfSense; from what I read on the website it is a very powerful software router and easy to use.
-
Hi,
just a short question:
I applied this patch on Dec 14 snapshot:
i386 - http://pingle.org/files/pfSense-Full-Update-2.0-BETA4-20101214-1319.tgz
and squid2 works now on my machine.
Today I updated to 2.0-BETA4 (i386) built on Wed Dec 15 20:50:23 EST 2010 and squid2 still works.
Is this because of the patch I applied yesterday, or is this patch included in the new snapshot, or is this patch "universal" to all new snapshots? Thanks.
-
The firmware files that I built had a patch removed, and now that same patch is removed from the "real" snapshot firmware files.
People who upgrade to a current snapshot (even those who never touched the firmware files I posted) should all be working now.