Squid moaning about /tmp/rules.test.packages syntax error under pfSense 2.2



  • I see that a number of people are having problems with squid having updated to 2.2.

    I am seeing the following in the System Log as soon as I try to enable squid 3.4.10_2 pkg 0.2.6 in transparent mode.

    php-fpm[12216]: /rc.filter_configure_sync: The command '/sbin/pfctl -nf /tmp/rules.test.packages' returned exit code '1', the output was '/tmp/rules.test.packages:134: syntax error'
    
    

    The offending line in /tmp/rules.test.packages is

    pass in quick on  proto tcp from any to !() port {80,3128} flags S/SA keep state
    
    

    I have tried hitting Save from each tab on the squid GUI to no avail.

    If I manually set the proxy settings on a machine to force it to use the proxy, all seems OK. This makes sense as the above error seems to relate to redirection and it proves that there aren't any firewall rules etc in the way.

    Oddly, pfctl seems to think there's a redirect rule in place.

    rdr on msk2 inet proto tcp from any to ! (msk2) port = http -> 127.0.0.1 port 3128
    

    I've uninstalled/reinstalled several times, edited the config.xml to remove all my old config etc, but nothing seems to work.

    That's going on here. Worked fine under 2.1.5.

    Thanks,

    Steve



  • I'll start another fresh install to stimulate this error here.



  • Did a fresh install and all is working together …

    Steps I did

    • fresh 2.2 install

    • Install squid3

    • changed package signature option on system advanced.

    • Installed squidguard-devel

    • chech squid tabs, save, fix config options pointed by gui alerts

    • On antivirus tab, save config twice as first time it will load sample files and second check config options.

    • via console wait (repeating ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

    • enable transparent mode(do not select loopback on any squid option)

    • stop and start squid via gui to force c-icap to restart too after first freshclam.

    • install shalla blacklist on squidguard

    • apply squidguard changes

    I can see both clamav and squidguard denied page for virus(tested with eicar) and blocked sites.

    my tmp rules.debug file shows both intercept rules

    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
    
    


  • Hi,

    Glad to hear a fresh install works OK, so that's one option.

    I'm using the 4G CF install on  Watchguard x750e. Could this be a nanobsd related issue?

    Thanks,

    Steve



  • Is the above working in transparent mode? That's where I'm seeing issues.

    Steve



  • Thanks for the guide, you are always helpful



  • Still a problem

    1. I have created a cert.
    2. Installed squid and icap, updated.
    3. But after installing getting "icap protocol error" not able to open any page
    4. Activated transparent proxy and ssl filtering.

    Please help



  • @exograpix:

    Still a problem

    1. I have created a cert.
    2. Installed squid and icap, updated.
    3. But after installing getting "icap protocol error" not able to open any page
    4. Activated transparent proxy and ssl filtering.

    Please help

    I think it has to do with the Certificate.



  • Well this is damn frustrating.

    I've installed a fresh 2.2 by writing a new CF card. I've stepped through recreating my configuration and still see the attached.

    I note that /var/squid/acl/throttle_exts.acl is indeed empty. My config may be relevant here. Rather than using a ramdisk for /var I have it mounted on an HDD in my Watchguard Firebox x750e so I can store squid caches and logs there. Is this my problem?

    Steve

    ![Screen Shot 2015-01-26 at 20.43.56.png](/public/imported_attachments/1/Screen Shot 2015-01-26 at 20.43.56.png)
    ![Screen Shot 2015-01-26 at 20.43.56.png_thumb](/public/imported_attachments/1/Screen Shot 2015-01-26 at 20.43.56.png_thumb)



  • OK, so unchecking the Throttle only specific extensions checkbox on the Traffic Mgmt tab has fixed the /var/squid/acl/throttle_exts.acl problem…



  • The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand whilst transparency didn't work.

    So, I guess this thread is dead, but transparency still isn't working. :(

    Steve



  • @Steve:

    The reason for the /tmp/rules.test.packages issue is that I had transparency enabled, but no bound interfaces. I got rather sidetracked by this whilst trying to understand whilst transparency didn't work.

    It is working on 2.2, check your config and do not check loopback on squid interfaces.



  • I've tried 2.7.9 too and it's no different, which is consistent at least!

    Where's the loopback option in the GUI?

    Thanks,

    Steve



  • Ah, OK, I understand. I'm just checking LAN.

    Steve



  • I've also reverted back to using a ram disk /var and no improvement. I figure this must be a configuration issue, but it worked fine with 2.1.5. 😬

    Steve



  • @Steve:

    Is the above working in transparent mode? That's where I'm seeing issues.

    Yes.  But I'm not testing nano or cf images.



  • @exograpix:

    Still a problem

    1. I have created a cert.
    2. Installed squid and icap, updated.
    3. But after installing getting "icap protocol error" not able to open any page
    4. Activated transparent proxy and ssl filtering.

    Please help

    If you do not stop squid and icap after first freshclam,  it will show icap error.



  • Got it working, although not a fresh install..an upgrade.  To add to below (if you're doing an upgrade install from 2.1.5) There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.  I removed all the text present in Integrations box, and then reinstalled Squidguard-dev.  Works great now.

    @marcelloc:

    Did a fresh install and all is working together …

    Steps I did

    • fresh 2.2 install

    • Install squid3

    • changed package signature option on system advanced.

    • Installed squidguard-devel

    • chech squid tabs, save, fix config options pointed by gui alerts

    • On antivirus tab, save config twice as first time it will load sample files and second check config options.

    • via console wait (repeating ps ax | grep -i fresclam  or tail -f /var/log/clamav/freshclam.log) clamav database first slow update

    • enable transparent mode(do not select loopback on any squid option)

    • stop and start squid via gui to force c-icap to restart too after first freshclam.

    • install shalla blacklist on squidguard

    • apply squidguard changes

    I can see both clamav and squidguard denied page for virus(tested with eicar) and blocked sites.

    my tmp rules.debug file shows both intercept rules

    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    pass in quick on em1 proto tcp from any to !(em1) port {80,3128} flags S/SA keep state
    
    


  • @dwood:

    There was a reference left over to HAVP under "Proxy Server" General settings tab, Integrations.

    That's step 5  :)

    • chech squid tabs, save, fix config options pointed by gui alerts


  • What config option we should correct, please post details. yet to get squid3 and squidguard working, sometime it works and on the restart squidguard stop working.



  • There is nothing to correct but you need to check your config.

    Old package integration as mentioned above is an example.
    Setting transparent mode without selecting an interface to intercept is another.

    Squidguard as you can see in many threads is called on demand by squid,  so sometimes you will see it stopped.



  • Just looking for a bit of clarity before I start updating firewalls. The steps say install squid3 and squidguard-devel however the description for squidguard-devel says  "Requires proxy Squid 2.x package." Is this just a case of an outdated description or am I missing something?



  • Locking this thread as the original issue is resolved; it was caused by me not associating any interfaces and leaving transparent mode enabled.

    Transparent mode isn't working on i386 and marcelloc has confirmed this is due to a build configuration issue which will be resolved shortly.

    Steve


Locked