FreeBSD PF question

Monah Baki monahbaki at gmail.com
Mon Mar 9 14:27:36 UTC 2015


Should I do this on the Cisco itself?

On Mon, Mar 9, 2015 at 10:24 AM, krad <kraduk at gmail.com> wrote:

> It sounds like your Cisco isn't letting the squid web traffic out and
> redirecting it back to itself. You need to exclude the squid proxy's
> address from redirection
>
> On 9 March 2015 at 14:03, Monah Baki <monahbaki at gmail.com> wrote:
>
>> Hi All,
>>
>> I have a freebsd 10.1 server with a single interface (bge0) running squid
>> in intercept mode. There is a Cisco device doing the policy routing.
>>
>> interface GigabitEthernet0/0/1.1
>> encapsulation dot1Q 1 native
>> ip address 10.0.0.9 255.255.255.0
>> no ip redirects
>> no ip unreachables
>> ip nat inside
>> standby 1 ip 10.0.0.10
>> standby 1 priority 120
>> standby 1 preempt
>> standby 1 name HSRP
>> ip policy route-map CFLOW
>>
>> ip access-list extended REDIRECT
>> deny   tcp host 10.0.0.24 any eq www
>> permit tcp host 10.0.0.23 any eq www
>>
>> route-map CFLOW permit 10
>> match ip address REDIRECT
>> set ip next-hop 10.0.0.24
>>
>> My squid.conf has the following:
>> http_port 3128
>> http_port 3129 intercept
>>
>>
>>
>> My pf.conf has the following:
>>
>> rdr on bge0 inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>> # block in
>> pass in log quick on bge0
>> pass out log quick on bge0
>> pass out keep state
>>
>>
>>
>> User gets an access denied on browsing, and in my cache.log file, I see:
>> WARNING: Forwarding loop detected for:
>>
>>
>>
>> Any help/guidance is appreciated.
>>
>>
>> Thanks
>> _______________________________________________
>> freebsd-questions at freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "
>> freebsd-questions-unsubscribe at freebsd.org"
>>
>
>
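The exclusion krad suggests can also be expressed on the FreeBSD side, independently of whatever the router does, so that the proxy's own outbound HTTP can never be redirected back into Squid even if it is policy-routed to bge0 again. The pf.conf fragment below is an added example, not the poster's file; the interface name, addresses and ports are the ones quoted in the thread (bge0, 10.0.0.24, 10.0.0.0/8, 3129).

```pf
# /etc/pf.conf fragment (added example; addresses taken from the thread)
#   bge0       = the proxy's single interface
#   10.0.0.24  = the Squid host itself
#   10.0.0.0/8 = the client range the original rdr rule matched

proxy_if   = "bge0"
proxy_addr = "10.0.0.24"
clients    = "10.0.0.0/8"

# Translation rules are first-match in pf, so this "no rdr" must come
# before the rdr below. It stops the proxy's own port-80 connections from
# being redirected into Squid if the router sends them back to bge0,
# which is what produces "WARNING: Forwarding loop detected".
no rdr on $proxy_if inet proto tcp from $proxy_addr to any port 80

# Intercept everyone else's port-80 traffic into Squid's intercept port.
rdr on $proxy_if inet proto tcp from $clients to any port 80 \
    -> $proxy_addr port 3129

# Filter rules as in the thread (unconditional pass on the interface,
# stateful out).
pass in  log quick on $proxy_if
pass out log quick on $proxy_if
pass out keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load it and confirm with `pfctl -s nat` that the `no rdr` line is listed ahead of the `rdr` line; if the order is reversed the exclusion never fires.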