Squid moaning about /tmp/rules.test.packages syntax error under pfSense 2.2

Steve Evans

I see that a number of people are having problems with squid having updated to 2.2.

I am seeing the following in the System Log as soon as I try to enable squid 3.4.10_2 pkg 0.2.6 in transparent mode.

php-fpm[12216]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:134: syntax error'

The offending line in /tmp/rules.test.packages is

pass in quick on  proto tcp from any to !() port {80,3128} flags S/SA keep state

I have tried hitting Save from each tab on the squid GUI to no avail.

If I manually set the proxy settings on a machine to force it to use the proxy, all seems OK. This makes sense as the above error seems to relate to redirection and it proves that there aren't any firewall rules etc in the way.

Oddly, pfctl seems to think there's a redirect rule in place.

rdr on msk2 inet proto tcp from any to ! (msk2) port = http -> 127.0.0.1 port 3128

I've uninstalled/reinstalled several times, edited the config.xml to remove all my old config etc, but nothing seems to work.

That's going on here. Worked fine under 2.1.5.

Thanks,

Steve

marcelloc

I'll start another fresh install to stimulate this error here.

marcelloc

Did a fresh install and all is working together …

Steps I did

• fresh 2.2 install

• Install squid3

• changed package signature option on system advanced.

• Installed squidguard-devel

• chech squid tabs, save, fix config options pointed by gui alerts

• On antivirus tab, save config twice as first time it will load sample files and second check config options.

• via console wait (repeating ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

• enable transparent mode(do not select loopback on any squid option)

• stop and start squid via gui to force c-icap to restart too after first freshclam.

• install shalla blacklist on squidguard

• apply squidguard changes

I can see both clamav and squidguard denied page for virus(tested with eicar) and blocked sites.

my tmp rules.debug file shows both intercept rules

rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state

Steve Evans

Hi,

Glad to hear a fresh install works OK, so that's one option.

I'm using the 4G CF install on  Watchguard x750e. Could this be a nanobsd related issue?

Thanks,

Steve

Steve Evans

Is the above working in transparent mode? That's where I'm seeing issues.

Steve

exograpix

Thanks for the guide, you are always helpful

exograpix

Still a problem

1. I have created a cert.
2. Installed squid and icap, updated.
3. But after installing getting "icap protocol error" not able to open any page
4. Activated transparent proxy and ssl filtering.

Please help

asterix

@exograpix:

Still a problem

1. I have created a cert.
2. Installed squid and icap, updated.
3. But after installing getting "icap protocol error" not able to open any page
4. Activated transparent proxy and ssl filtering.

Please help

I think it has to do with the Certificate.

Steve Evans

Well this is damn frustrating.

I've installed a fresh 2.2 by writing a new CF card. I've stepped through recreating my configuration and still see the attached.

I note that /var/squid/acl/throttle_exts.acl is indeed empty. My config may be relevant here. Rather than using a ramdisk for /var I have it mounted on an HDD in my Watchguard Firebox x750e so I can store squid caches and logs there. Is this my problem?

Steve


Steve Evans

OK, so unchecking the Throttle only specific extensions checkbox on the Traffic Mgmt tab has fixed the /var/squid/acl/throttle_exts.acl problem…

Steve Evans

The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand whilst transparency didn't work.

So, I guess this thread is dead, but transparency still isn't working. :(

Steve

marcelloc

@Steve:

The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand whilst transparency didn't work.

It is working on 2.2, check your config and do not check loopback on squid interfaces.

Steve Evans

I've tried 2.7.9 too and it's no different, which is consistent at least!

Where's the loopback option in the GUI?

Thanks,

Steve

Steve Evans

Ah, OK, I understand. I'm just checking LAN.

Steve

Steve Evans

I've also reverted back to using a ram disk /var and no improvement. I figure this must be a configuration issue, but it worked fine with 2.1.5.

Steve

marcelloc

@Steve:

Is the above working in transparent mode? That's where I'm seeing issues.

Yes.  But I'm not testing nano or cf images.

marcelloc

@exograpix:

Still a problem

1. I have created a cert.
2. Installed squid and icap, updated.
3. But after installing getting "icap protocol error" not able to open any page
4. Activated transparent proxy and ssl filtering.

Please help

If you do not stop squid and icap after first freshclam,  it will show icap error.

dwood

Got it working, although not a fresh install..an upgrade.  To add to below (if you're doing an upgrade install from 2.1.5) There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.  I removed all the text present in Integrations box, and then reinstalled Squidguard-dev.  Works great now.

@marcelloc:

Did a fresh install and all is working together …

Steps I did

• fresh 2.2 install

• Install squid3

• changed package signature option on system advanced.

• Installed squidguard-devel

• chech squid tabs, save, fix config options pointed by gui alerts

• On antivirus tab, save config twice as first time it will load sample files and second check config options.

• via console wait (repeating ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

• enable transparent mode(do not select loopback on any squid option)

• stop and start squid via gui to force c-icap to restart too after first freshclam.

• install shalla blacklist on squidguard

• apply squidguard changes

I can see both clamav and squidguard denied page for virus(tested with eicar) and blocked sites.

my tmp rules.debug file shows both intercept rules

rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state

marcelloc

@dwood:

There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.

That's step 5  :)

• chech squid tabs, save, fix config options pointed by gui alerts

exograpix

What config option we should correct, please post details. yet to get squid3 and squidguard working, sometime it works and on the restart squidguard stop working.

marcelloc

There is nothing to correct but you need to check your config.

Old package integration as mentioned above is an example.
Setting transparent mode without selecting an interface to intercept is another.

Squidguard as you can see in many threads is called on demand by squid,  so sometimes you will see it stopped.

Gloom

Just looking for a bit of clarity before I start updating firewalls. The steps say install squid3 and squidguard-devel however the description for squidguard-devel says  "Requires proxy Squid 2.x package." Is this just a case of an outdated description or am I missing something?

Steve Evans

Locking this thread as the original issue is resolved; it was caused by me not associating any interfaces and leaving transparent mode enabled.

Transparent mode isn't working on i386 and marcelloc has confirmed this is due to a build configuration issue which will be resolved shortly.

Steve