/dev/pf permission for squid 3.2.0.6 on openbsd 4.8


/dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Indunil Jayasooriya
Hi list,

I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
transparent mode. I can browse internet. But, I get the below error.



2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:43:11 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:20 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:53 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:54 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied
2011/04/08 17:44:55 kid1| Intercept.cc(305) PfInterception: PF open
failed: (13) Permission denied


Then, I did below steps. I got it from
http://www.benzedrine.cx/transquid.html (PF founder's link)

are the below 2 commands okay for OpenBSD 4.8?

# chgrp _squid /dev/pf
# chmod g+rw /dev/pf

but, for squid 2.7.9 on OpenBSD 4.8, I have the default. Pls see. I
did NOT change /dev/pf

# ls -al /dev/pf
crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf

any comments?





--
Thank you
Indunil Jayasooriya


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Reyk Floeter-2
On Fri, Apr 08, 2011 at 03:25:55PM +0530, Indunil Jayasooriya wrote:
> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
> transparent mode. I can browse internet. But, I get the below error.
>

> # chgrp _squid /dev/pf
> # chmod g+rw /dev/pf
>

scary.  squid should not touch /dev/pf at all.  we have a new method
in pf that does not require access to /dev/pf: divert-to.  you can try
the following:

- revert /dev/pf to the old 0600 permissions
- recompile squid _without_ --enable-pf-transparent (disable it)
- update your pf.conf to use divert-to instead of rdr-to

divert-to provides the real destination address inline via the
standard getsockname() call which is done by squid by default if no
other transparent mode is configured (as far as I understand the code
in squid's client_side.c).  the `traditional' rdr-to method had to do
an out-of-band call on /dev/pf to retrieve this information.

reyk


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Muhammad Muntaza
In reply to this post by Indunil Jayasooriya
2011/4/8, Indunil Jayasooriya <[hidden email]>:

> Hi list,
>
> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
> transparent mode. I can browse internet. But, I get the below error.
>
my squid and openbsd:

in /etc/pf.conf:
pass in quick on $int_if proto tcp from $localnet to any port 80
rdr-to lo0 port 3128

$ ls -l /dev/pf
crw-------  1 root  wheel   73,   0 Nov 28 12:40 /dev/pf

in /etc/squid/squid.conf
http_port 127.0.0.1:3128 transparent


Muhammad Muntaza bin Hatta
--
Indonesia
http://muntaza.wordpress.com


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Insan Praja SW
Hi,
This link may help:
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf

Thanks,

On Wed, 13 Apr 2011 16:12:51 +0700, Muhammad Muntaza  
<[hidden email]> wrote:

> 2011/4/8, Indunil Jayasooriya <[hidden email]>:
>> Hi list,
>>
>> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
>> transparent mode. I can browse internet. But, I get the below error.
>>
> my squid and openbsd:
>
> in /etc/pf.conf:
> pass in quick on $int_if proto tcp from $localnet to any port 80
> rdr-to lo0 port 3128
>
> $ ls -l /dev/pf
> crw-------  1 root  wheel   73,   0 Nov 28 12:40 /dev/pf
>
> in /etc/squid/squid.conf
> http_port 127.0.0.1:3128 transparent
>
>
> Muhammad Muntaza bin Hatta



Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Stuart Henderson
In reply to this post by Reyk Floeter-2
On 2011-04-08, Reyk Floeter <[hidden email]> wrote:

> On Fri, Apr 08, 2011 at 03:25:55PM +0530, Indunil Jayasooriya wrote:
>> I am trying to test squid 3.2.0.6 on OpenBSD 4.8 (amd64) in
>> transparent mode. I can browse internet. But, I get the below error.
>>
>
>> # chgrp _squid /dev/pf
>> # chmod g+rw /dev/pf
>>
>
> scary.  squid should not touch /dev/pf at all.  we have a new method
> in pf that does not require access to /dev/pf: divert-to.  you can try
> the following:
>
> - revert /dev/pf to the old 0600 permissions
> - recompile squid _without_ --enable-pf-transparent (disable it)
> - update your pf.conf to use divert-to instead of rdr-to
>
> divert-to provides the real destination address inline via the
> standard getsockname() call which is done by squid by default if no
> other transparent mode is configured (as far as I understand the code
> in squid's client_side.c).  the `traditional' rdr-to method had to do
> an out-of-band call on /dev/pf to retrieve this information.
>
> reyk
>
>

The non-obvious thing here is you must bind the listening socket in
squid to 127.0.0.1 e.g.

http_port 127.0.0.1:3127 transparent

I will talk to the port maintainer about removing --enable-pf-transparent.


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Indunil Jayasooriya
> The non-obvious thing here is you must bind the listening socket in
> squid to 127.0.0.1 e.g.
>
> http_port 127.0.0.1:3127 transparent
>
> I will talk to the port maintainer about removing --enable-pf-transparent.
>
>
Hi, I think this below link may be useful. (This reply is from a squid
developer.)

http://www.mail-archive.com/squid-users@.../msg78541.html






--
Thank you
Indunil Jayasooriya


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Indunil Jayasooriya
In reply to this post by Stuart Henderson
> The non-obvious thing here is you must bind the listening socket in
> squid to 127.0.0.1 e.g.
>
> http_port 127.0.0.1:3127 transparent
>
> I will talk to the port maintainer about removing --enable-pf-transparent.
>
>
many thanks.  I got it working. I changed from http_port 3129 intercept to
http_port 127.0.0.1:3129 intercept in squid.conf file.

Here's the rule in pf.conf

pass in log on $int_if proto tcp from $lan_net to any port 80 \
    divert-to 127.0.0.1 port 3129




--
Thank you
Indunil Jayasooriya


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Indunil Jayasooriya
On Tue, Apr 19, 2011 at 12:00 PM, Indunil Jayasooriya
<[hidden email]> wrote:


> many thanks.  I got it working. I changed from http_port 3129 intercept to
> http_port 127.0.0.1:3129 intercept in squid.conf file.
>
> Here's the rule in pf.conf
>
> pass in log on $int_if proto tcp from $lan_net to any port 80 \
>     divert-to 127.0.0.1 port 3129
>

very sorry. After sending this mail, I checked squid cache.log with
below command

tail -f /var/squid/logs/cache.log

this below error still appears.

Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied


I just wanted to let you know. If this is a trouble, Pls excuse me.





--
Thank you
Indunil Jayasooriya


Re: /dev/pf permission for squid 3.2.0.6 on openbsd 4.8

Stuart Henderson
On 2011-04-20, Indunil Jayasooriya <[hidden email]> wrote:

> On Tue, Apr 19, 2011 at 12:00 PM, Indunil Jayasooriya
><[hidden email]> wrote:
>
>
>> many thanks.  I got it working. I changed from http_port 3129 intercept to
>> http_port 127.0.0.1:3129 intercept in squid.conf file.
>>
>> Here's the rule in pf.conf
>>
>> pass in log on $int_if proto tcp from $lan_net to any port 80 \
>>     divert-to 127.0.0.1 port 3129
>>
>
> very sorry. After sending this mail, I checked squid cache.log with
> below command
>
> tail -f /var/squid/logs/cache.log
>
>
>  this below error still appears.
>
> Intercept.cc(305) PfInterception: PF open failed: (13) Permission denied
>
>
> I just wanted to let you know. If this is a trouble, Pls excuse me.
>
>
>
>
>
> --
> Thank you
> Indunil Jayasooriya
>
>

Your copy of Squid is built with --enable-pf-transparent, build a new one
from -current ports or remove that line from CONFIGURE_ARGS and reinstall.
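To check a host against the points raised in this thread, here is an added audit script (not from the thread or any of its posters). It assumes `squid -v` prints the configure options, and that pf.conf, squid.conf and `ls -l /dev/pf` output are fed to the functions on stdin; the sample input at the bottom is constructed from the thread's final working setup.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks the four points the
# discussion turns on. Each function reads text on stdin, so on a real host
# it can be fed from e.g. `cat /etc/pf.conf`, `squid -v`, `ls -l /dev/pf`;
# the sample input at the bottom is constructed from the thread.

# 1. rdr-to interception makes squid read /dev/pf; divert-to does not.
check_pf_rules() {
    awk '/rdr-to/ { nrdr++ } /divert-to/ { ndiv++ }
         END {
             if (ndiv)      print "divert-to: no /dev/pf access required"
             else if (nrdr) print "rdr-to: squid needs /dev/pf (pf-transparent)"
             else           print "no interception rule found"
         }'
}

# 2. An intercept/transparent http_port must be bound to 127.0.0.1 when the
#    pf rule diverts to 127.0.0.1 (the "non-obvious" point in the thread).
check_http_port() {
    awk '/^http_port/ && /(intercept|transparent)/ {
             if ($2 ~ /^127\.0\.0\.1:/) print "ok: " $2
             else print "WARN: " $2 " not bound to 127.0.0.1"
         }'
}

# 3. `squid -v` lists configure options; --enable-pf-transparent is the
#    build flag that makes squid open /dev/pf at all.
check_build_flags() {
    if grep -q -- '--enable-pf-transparent'; then
        echo "WARN: built with --enable-pf-transparent; rebuild without it"
    else
        echo "ok: pf-transparent not compiled in"
    fi
}

# 4. `ls -l /dev/pf` should show the default crw------- root; anything wider
#    hands the firewall control device to another uid/gid.
check_dev_pf_mode() {
    awk '$1 == "crw-------" && $3 == "root" { print "ok: /dev/pf is 0600 root"; next }
         { print "WARN: /dev/pf mode is " $1 " " $3 ":" $4 }'
}

# Constructed sample input mirroring the thread's final, working setup.
printf 'pass in log on $int_if proto tcp from $lan_net to any port 80 \\\n    divert-to 127.0.0.1 port 3129\n' | check_pf_rules
printf 'http_port 127.0.0.1:3129 intercept\n' | check_http_port
printf "configure options: '--enable-pf-transparent'\n" | check_build_flags
printf 'crw-------  1 root  wheel   73,   0 Dec 17 16:33 /dev/pf\n' | check_dev_pf_mode
```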