FreeBSD PF question

krad kraduk at gmail.com
Mon Mar 9 14:24:59 UTC 2015


It sounds like your Cisco isn't letting the Squid web traffic out and is
redirecting it back to itself. You need to exclude the Squid proxy's
address from redirection.

On 9 March 2015 at 14:03, Monah Baki <monahbaki at gmail.com> wrote:

> Hi All,
>
> I have a freebsd 10.1 server with a single interface (bge0) running squid
> in intercept mode. There is a Cisco device doing the policy routing.
>
> interface GigabitEthernet0/0/1.1
>  encapsulation dot1Q 1 native
>  ip address 10.0.0.9 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  ip nat inside
>  standby 1 ip 10.0.0.10
>  standby 1 priority 120
>  standby 1 preempt
>  standby 1 name HSRP
>  ip policy route-map CFLOW
>
> ip access-list extended REDIRECT
>  deny   tcp host 10.0.0.24 any eq www
>  permit tcp host 10.0.0.23 any eq www
>
> route-map CFLOW permit 10
>  match ip address REDIRECT
>  set ip next-hop 10.0.0.24
>
> My squid.conf has the following:
> http_port 3128
> http_port 3129 intercept
>
>
>
> My pf.conf has the following:
>
> rdr on bge0 inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
> # block in
> pass in log quick on bge0
> pass out log quick on bge0
> pass out keep state
>
>
>
> User gets an access denied on browsing, and in my cache.log file, I see:
> WARNING: Forwarding loop detected for:
>
>
>
> Any help/guidance is appreciated.
>
>
> Thanks
> _______________________________________________
> freebsd-questions at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "
> freebsd-questions-unsubscribe at freebsd.org"
>

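Putting the reply's suggestion into PF terms: the ruleset below is an added example, not code from either poster. It reuses the interface (bge0) and proxy address (10.0.0.24) from the posted config; the macro names and the extra filter line are assumptions for illustration. The posted Cisco ACL already carries a deny for host 10.0.0.24 ahead of the permit, so this covers the PF side, where the posted rdr has no exclusion at all.

```pf
# Added example (not from the original thread): exclude the proxy's own
# port-80 traffic from the intercept rdr so it can never be fed back into
# Squid's intercept port. Interface and proxy address come from the posted
# config; macro names are assumed for this example.
ext_if = "bge0"
proxy  = "10.0.0.24"
lan    = "10.0.0.0/8"

# Translation rules are first-match in pf, so the exclusion must come first.
# Without it, any port-80 packet sourced from the proxy that arrives back on
# bge0 (e.g. a policy-routed fetch) would be rewritten to :3129 and Squid
# would see its own request again ("Forwarding loop detected").
no rdr on $ext_if inet proto tcp from $proxy to any port 80

# Everything else from the LAN destined for port 80 goes to Squid's intercept port.
rdr on $ext_if inet proto tcp from $lan to any port 80 -> $proxy port 3129

# Filter rules. rdr only rewrites the destination; the packet still has to be
# passed in, and it is the state created here that lets replies flow back.
# Logging is kept as in the posted ruleset so pflog shows what was redirected.
pass in log quick on $ext_if inet proto tcp from $lan to $proxy port 3129 keep state
pass in log quick on $ext_if
pass out log quick on $ext_if keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then confirm the rule order with `pfctl -s nat` (the `no rdr` line must print before the `rdr`) and watch `pfctl -s state` while a client browses. Two caveats worth verifying on the box: the Squid process needs read access to /dev/pf for intercept mode to recover the original destination, otherwise it falls back to the Host header; and the forwarding-loop warning is Squid recognising its own hostname in the Via header, so if it persists after the exclusion, check which source address Squid's outbound connections actually use and whether the router still policy-routes that address.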