clientNatLookup: PF open failed: (13) Permission denied

Peter Maxwell peter at allicient.co.uk
Fri Dec 19 05:48:45 PST 2008


Hi Leslie,

The message you're getting is usually associated with the rule base
blocking an outbound connection - so check that you've opened all the
outbound ports that squid needs in your pf.conf.  Tip: you can use
tcpdump to see what's going on, the openbsd pf pages at
http://www.openbsd.org/faq/pf/logging.html will give an introduction
and there's lots of info on tcpdump around - note tcpdump is great for
testing purposes but don't use tcpdump on a production box (it's not
got a great security record and if you get the parameters wrong with
high load you can kill the box).

Transparent http proxying is basically where there is a rdr rule in
your pf config so that outbound port 80 connections (or 443 for that
matter) are forwarded to squid's inbound port and, if configured
properly, squid can then handle the request.  The reason it's called
'transparent' is because the user's browser doesn't need configuring
because pf redirects all http traffic - so to the browser it just
looks like a direct connection to the internet (with a few extra HTTP
headers).  There are several implications of this: if squid fails
(which it does a lot) then you don't get web browsing until you fix
squid; it forces use of the proxy; you can use any authentication
mechanisms with squid.  Personally, transparent proxying is more
trouble than it's worth but your mileage may vary.

Best wishes,

Peter





2008/12/19 Leslie Jensen <leslie at eskk.nu>:
> I've tried the squid users mail list but I try here. I'm aware that this
> list is not a squid list, but with it being PF I hope someone has a
> suggestion how to fix my problem.
>
> I'm not sure if I want to change the rights on /dev/pf that's why I'm
> asking.
>
>
>
> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>
> I've noticed that in cache.log are a lot of entries as the one below
>
> clientNatLookup: PF open failed: (13) Permission denied
>
> I've found some information on the problem via Google.
>
> One is "start Squid as root". Squid is started via rc.conf so I think
> that is sorted.
>
> There is a concern about rights on /dev/pf
>
> Finally there's some advice
>
> ---- snip----
> If you are performing any kind of transparent interception with squid
> you will need one of the --*-transparent options. Without it squid will
> fail to correctly spoof the clients IP.
> ----- snip ----
>
> I do not fully understand where the "--*-transparent options" are to be
> found. And if it's the solution to the problem.
>
> Will someone please enlighten me?
>
> Thank you
> /Leslie
>
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
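The rdr-based setup Peter describes, written out as a minimal pf.conf. This is an added illustration, not configuration from either message; the interface names, the squid port 3128 (squid's default) and redirecting to 127.0.0.1 are assumptions:

```pf
# Added example: transparent http proxying with pf and squid.
# Assumptions: $int_if faces the LAN, $ext_if faces upstream, and squid
# listens on 127.0.0.1:3128 with "http_port 3128 transparent" in squid.conf.
ext_if = "em0"
int_if = "em1"
squid_port = "3128"

# Redirect LAN clients' outbound port 80 connections to squid, and pass
# the redirected packets in ("rdr pass" does both in one rule).
# Squid later asks pf, through /dev/pf, for the original destination of
# each redirected connection; that is the lookup clientNatLookup does,
# so squid needs read access to /dev/pf (root-only by default), or the
# "PF open failed: (13) Permission denied" entries appear in cache.log.
rdr pass on $int_if inet proto tcp from $int_if:network to any port 80 \
    -> 127.0.0.1 port $squid_port

# Default deny; "log" lets you inspect dropped packets with tcpdump on
# pflog0 while testing, as Peter suggests.
block log all

# Squid's own fetches to origin servers, plus DNS, leave on $ext_if.
# If these outbound rules are missing the proxy accepts the browser's
# connection but can never reach the site.
pass out on $ext_if inet proto tcp from ($ext_if) to any port { 80, 443 } keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port 53 keep state

# LAN clients may reach the box directly (ssh, dns, etc.) as required.
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port 22 keep state
```

The matching squid side is a build with `--enable-pf-transparent` (the pf member of the `--*-transparent` configure options Leslie quotes) and `http_port 3128 transparent` in squid.conf.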

