    Squid moaning about /tmp/rules.test.packages syntax error under pfSense 2.2

      Steve Evans last edited by

      I see that a number of people are having problems with squid having updated to 2.2.

      I am seeing the following in the System Log as soon as I try to enable squid 3.4.10_2 pkg 0.2.6 in transparent mode.

      php-fpm[12216]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:134: syntax error'
      
      

      The offending line in /tmp/rules.test.packages is

      pass in quick on  proto tcp from any to !() port {80,3128} flags S/SA keep state
      
      

      I have tried hitting Save from each tab on the squid GUI to no avail.

      If I manually set the proxy settings on a machine to force it to use the proxy, all seems OK. This makes sense as the above error seems to relate to redirection and it proves that there aren't any firewall rules etc in the way.

      Oddly, pfctl seems to think there's a redirect rule in place.

      rdr on msk2 inet proto tcp from any to ! (msk2) port = http -> 127.0.0.1 port 3128
      

      I've uninstalled/reinstalled several times, edited the config.xml to remove all my old config etc, but nothing seems to work.

      What's going on here? Worked fine under 2.1.5.

      Thanks,

      Steve

        marcelloc last edited by

        I'll start another fresh install to simulate this error here.

        Elite Training: http://sys-squad.com

        Help a community developer! ;D

          marcelloc last edited by

          Did a fresh install and all is working together …

          Steps I did

          • fresh 2.2 install

          • Install squid3

          • changed package signature option on system advanced.

          • Installed squidguard-devel

          • check squid tabs, save, fix config options pointed by gui alerts

          • On antivirus tab, save config twice as first time it will load sample files and second check config options.

          • via console wait (repeating ps ax | grep -i freshclam or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

          • enable transparent mode (do not select loopback on any squid option)

          • stop and start squid via gui to force c-icap to restart too after first freshclam.

          • install shalla blacklist on squidguard

          • apply squidguard changes

          I can see both clamav and squidguard denied page for virus (tested with eicar) and blocked sites.

          my tmp rules.debug file shows both intercept rules

          rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
          pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
          
          

            Steve Evans last edited by

            Hi,

            Glad to hear a fresh install works OK, so that's one option.

            I'm using the 4G CF install on Watchguard x750e. Could this be a nanobsd related issue?

            Thanks,

            Steve

              Steve Evans last edited by

              Is the above working in transparent mode? That's where I'm seeing issues.

              Steve

                exograpix last edited by

                Thanks for the guide, you are always helpful

                  exograpix last edited by

                  Still a problem

                  1. I have created a cert.
                  2. Installed squid and icap, updated.
                  3. But after installing getting "icap protocol error" not able to open any page
                  4. Activated transparent proxy and ssl filtering.

                  Please help

                    asterix last edited by

                    @exograpix:

                    Still a problem

                    1. I have created a cert.
                    2. Installed squid and icap, updated.
                    3. But after installing getting "icap protocol error" not able to open any page
                    4. Activated transparent proxy and ssl filtering.

                    Please help

                    I think it has to do with the Certificate.

                      Steve Evans last edited by

                      Well this is damn frustrating.

                      I've installed a fresh 2.2 by writing a new CF card. I've stepped through recreating my configuration and still see the attached.

                      I note that /var/squid/acl/throttle_exts.acl is indeed empty. My config may be relevant here. Rather than using a ramdisk for /var I have it mounted on an HDD in my Watchguard Firebox x750e so I can store squid caches and logs there. Is this my problem?

                      Steve

                      ![Screen Shot 2015-01-26 at 20.43.56.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 20.43.56.png)
                        Steve Evans last edited by

                        OK, so unchecking the Throttle only specific extensions checkbox on the Traffic Mgmt tab has fixed the /var/squid/acl/throttle_exts.acl problem…

                          Steve Evans last edited by

                          The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand why transparency didn't work.

                          So, I guess this thread is dead, but transparency still isn't working. :(

                          Steve

                            marcelloc last edited by

                            @Steve:

                            The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand why transparency didn't work.

                            It is working on 2.2, check your config and do not check loopback on squid interfaces.

                              Steve Evans last edited by

                              I've tried 2.7.9 too and it's no different, which is consistent at least!

                              Where's the loopback option in the GUI?

                              Thanks,

                              Steve

                                Steve Evans last edited by

                                Ah, OK, I understand. I'm just checking LAN.

                                Steve

                                  Steve Evans last edited by

                                  I've also reverted back to using a ram disk /var and no improvement. I figure this must be a configuration issue, but it worked fine with 2.1.5. 😬

                                  Steve

                                    marcelloc last edited by

                                    @Steve:

                                    Is the above working in transparent mode? That's where I'm seeing issues.

                                    Yes.  But I'm not testing nano or cf images.

                                      marcelloc last edited by

                                      @exograpix:

                                      Still a problem

                                      1. I have created a cert.
                                      2. Installed squid and icap, updated.
                                      3. But after installing getting "icap protocol error" not able to open any page
                                      4. Activated transparent proxy and ssl filtering.

                                      Please help

                                      If you do not stop squid and icap after first freshclam,  it will show icap error.

                                        dwood last edited by

                                        Got it working, although not a fresh install..an upgrade.  To add to below (if you're doing an upgrade install from 2.1.5) There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.  I removed all the text present in Integrations box, and then reinstalled Squidguard-dev.  Works great now.

                                        @marcelloc:

                                        Did a fresh install and all is working together …

                                        Steps I did

                                        • fresh 2.2 install

                                        • Install squid3

                                        • changed package signature option on system advanced.

                                        • Installed squidguard-devel

                                        • check squid tabs, save, fix config options pointed by gui alerts

                                        • On antivirus tab, save config twice as first time it will load sample files and second check config options.

                                        • via console wait (repeating ps ax | grep -i freshclam or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

                                        • enable transparent mode (do not select loopback on any squid option)

                                        • stop and start squid via gui to force c-icap to restart too after first freshclam.

                                        • install shalla blacklist on squidguard

                                        • apply squidguard changes

                                        I can see both clamav and squidguard denied page for virus (tested with eicar) and blocked sites.

                                        my tmp rules.debug file shows both intercept rules

                                        rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                                        pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
                                        
                                        
                                          marcelloc last edited by

                                          @dwood:

                                          There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.

                                          That's step 5  :)

                                          • check squid tabs, save, fix config options pointed by gui alerts

                                            exograpix last edited by

                                            What config option should we correct? Please post details. Yet to get squid3 and squidguard working; sometimes it works and on the restart squidguard stops working.

                                              marcelloc last edited by

                                              There is nothing to correct but you need to check your config.

                                              Old package integration as mentioned above is an example.
                                              Setting transparent mode without selecting an interface to intercept is another.

                                              Squidguard as you can see in many threads is called on demand by squid,  so sometimes you will see it stopped.

                                                Gloom last edited by

                                                Just looking for a bit of clarity before I start updating firewalls. The steps say install squid3 and squidguard-devel however the description for squidguard-devel says  "Requires proxy Squid 2.x package." Is this just a case of an outdated description or am I missing something?

                                                Never underestimate the power of human stupidity

                                                  Steve Evans last edited by

                                                  Locking this thread as the original issue is resolved; it was caused by me not associating any interfaces and leaving transparent mode enabled.

                                                  Transparent mode isn't working on i386 and marcelloc has confirmed this is due to a build configuration issue which will be resolved shortly.

                                                  Steve
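
The diagnosis reached in this thread (transparent mode enabled with no bound interface leaves the interface slot of the generated rule empty) and the check of rules.debug for both intercept rules, as an added example that is not part of the original posts or of the pfSense squid package. The function names and the two sample files are constructed for illustration; on a firewall, `check_rules` would be pointed at /tmp/rules.test.packages or the rules.debug file.

```sh
#!/bin/sh
# Added example (not from the thread): lint a pf ruleset dump for the empty
# interface slot that made pfctl -nf fail, and confirm the intercept rule pair.

# Print "LINENO:RULE" where "on" is followed directly by "proto" (no
# interface name) or an empty "()" appears, as in the failing rule above.
find_empty_iface_rules() {
    awk '/^[ \t]*#/ { next }
         { bad = (index($0, "()") > 0)
           for (i = 1; i < NF; i++)
               if ($i == "on" && $(i + 1) == "proto") bad = 1
           if (bad) printf "%d:%s\n", NR, $0 }' "$1"
}

# Print every interface that has both the rdr to 127.0.0.1 port 3128 and the
# matching "pass in quick" rule, i.e. a complete transparent-mode pair.
intercepted_ifaces() {
    awk '$1 == "rdr" && $2 == "on" && $3 != "proto" &&
             /-> 127\.0\.0\.1 port 3128/ { rdr[$3] = 1 }
         $1 == "pass" && $4 == "on" && $5 != "proto" &&
             /3128/ { pass[$5] = 1 }
         END { for (i in rdr) if (i in pass) print i }' "$1" | sort
}

# Summarise one file; returns 1 when a rule with an empty interface is found.
check_rules() {
    bad=$(find_empty_iface_rules "$1")
    if [ -n "$bad" ]; then
        printf 'empty interface (transparent mode, no bound interface?):\n%s\n' "$bad"
        return 1
    fi
    printf 'intercepting on: %s\n' "$(intercepted_ifaces "$1" | tr '\n' ' ')"
}

# Constructed samples: the failing rule from the first post and the working
# pair from the fresh-install post.
BROKEN=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$BROKEN" "$GOOD"' EXIT
cat > "$BROKEN" <<'EOF'
# constructed excerpt of /tmp/rules.test.packages
set skip on lo0
pass in quick on  proto tcp from any to !() port {80,3128} flags S/SA keep state
EOF
cat > "$GOOD" <<'EOF'
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
EOF
check_rules "$BROKEN" || true
check_rules "$GOOD"
```

The line number it reports is the one pfctl names in its "syntax error" message, so the offending rule can be read without opening the file by hand.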
