FreeBSD PF question

krad kraduk at gmail.com
Mon Mar 9 14:46:38 UTC 2015


Yes, the squid box needs to be whitelisted for no redirection.

On 9 March 2015 at 14:27, Monah Baki <monahbaki at gmail.com> wrote:

> Should I do this on the cisco itself?
>
> On Mon, Mar 9, 2015 at 10:24 AM, krad <kraduk at gmail.com> wrote:
>
>> It sounds like your Cisco isn't letting the squid web traffic out and is
>> redirecting it back to itself. You need to exclude the squid proxy's
>> address from redirection.
>>
>> On 9 March 2015 at 14:03, Monah Baki <monahbaki at gmail.com> wrote:
>>
>>> Hi All,
>>>
>>> I have a freebsd 10.1 server with a single interface (bge0) running squid
>>> in intercept mode. There is a Cisco device doing the policy routing.
>>>
>>> interface GigabitEthernet0/0/1.1
>>> encapsulation dot1Q 1 native
>>> ip address 10.0.0.9 255.255.255.0
>>> no ip redirects
>>> no ip unreachables
>>> ip nat inside
>>> standby 1 ip 10.0.0.10
>>> standby 1 priority 120
>>> standby 1 preempt
>>> standby 1 name HSRP
>>> ip policy route-map CFLOW
>>>
>>> ip access-list extended REDIRECT
>>> deny   tcp host 10.0.0.24 any eq www
>>> permit tcp host 10.0.0.23 any eq www
>>>
>>> route-map CFLOW permit 10
>>> match ip address REDIRECT
>>> set ip next-hop 10.0.0.24
>>>
>>> My squid.conf has the following:
>>> http_port 3128
>>> http_port 3129 intercept
>>>
>>> My pf.conf has the following:
>>>
>>> rdr on bge0 inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>> # block in
>>> pass in log quick on bge0
>>> pass out log quick on bge0
>>> pass out keep state
>>>
>>> User gets an access denied on browsing, and in my cache.log file, I see:
>>> WARNING: Forwarding loop detected for:
>>>
>>> Any help/guidance is appreciated.
>>>
>>> Thanks
>>> _______________________________________________
>>> freebsd-questions at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>>>
>>
>>
>
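An added illustration of the point krad makes, not code from the thread: a small Python model of the redirect path built from the addresses posted above. The router's ACL decides whether a packet is policy-routed to the squid host (10.0.0.24), pf's rdr decides whether squid intercepts it, and squid then re-fetches from its own address; with no ACL entry excluding the proxy (LOOPING_ACL below is constructed for contrast) that re-fetch is handed straight back to squid, which is the condition Squid logs as a forwarding loop.

```python
# Added example, not from the thread: models the interception path using the
# addresses posted above (squid 10.0.0.24, client 10.0.0.23, rdr from 10.0.0.0/8).
import ipaddress
SQUID = ipaddress.ip_address("10.0.0.24")      # route-map "set ip next-hop 10.0.0.24"
RDR_NET = ipaddress.ip_network("10.0.0.0/8")   # pf "rdr ... from 10.0.0.0/8 ... port 80"

def parse_acl(text):
    """Parse 'deny|permit tcp host X any eq www' and 'permit tcp any any eq www' lines."""
    rules = []
    for p in (line.split() for line in text.splitlines()):
        if len(p) >= 4 and p[1] == "tcp":          # skips the 'ip access-list' header
            rules.append((p[0], None if p[2] == "any" else ipaddress.ip_address(p[3])))
    return rules

def router_redirects(acl, src):
    """First matching entry wins; no match is the implicit deny (not redirected)."""
    for action, host in acl:
        if host is None or host == src:
            return action == "permit"
    return False

def pf_rdr_matches(src, dport):
    """The rdr rule catches inbound packets on bge0 from 10.0.0.0/8 to port 80."""
    return src in RDR_NET and dport == 80

def trace(acl, client):
    """Follow one client request to TCP/80; returns (hops, loops)."""
    hops, src = [], ipaddress.ip_address(client)
    while True:
        if not router_redirects(acl, src):
            hops.append(f"{src}: not policy-routed, reaches the origin server")
            return hops, False
        if src == SQUID:   # squid's own fetch was handed back to squid
            hops.append(f"{src}: policy-routed back to itself (forwarding loop)")
            return hops, True
        hops.append(f"{src}: policy-routed to next-hop {SQUID}")
        if not pf_rdr_matches(src, 80):
            hops.append(f"{src}: no rdr match on bge0, squid does not intercept")
            return hops, False
        hops.append(f"pf rdr -> {SQUID}:3129; squid re-fetches from {SQUID}")
        src = SQUID

THREAD_ACL = """ip access-list extended REDIRECT
deny   tcp host 10.0.0.24 any eq www
permit tcp host 10.0.0.23 any eq www"""
LOOPING_ACL = "permit tcp any any eq www"      # constructed: proxy not excluded
if __name__ == "__main__":
    for name, acl in (("posted ACL", THREAD_ACL), ("no exclusion", LOOPING_ACL)):
        hops, loops = trace(parse_acl(acl), "10.0.0.23")
        print(f"[{name}] loops={loops}\n  " + "\n  ".join(hops))
```

The same `router_redirects(acl, SQUID)` check is the one to run after any ACL change: if it returns True, the proxy's own fetches will be policy-routed back to it.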

