FreeBSD PF question

Monah Baki monahbaki at gmail.com
Mon Mar 9 14:57:37 UTC 2015


I'm not a Cisco person, but "no ip redirect" shouldn't that take care of
it?


Thanks



On Mon, Mar 9, 2015 at 10:46 AM, krad <kraduk at gmail.com> wrote:

> yes the squid box needs to be whitelisted for no redirection
>
> On 9 March 2015 at 14:27, Monah Baki <monahbaki at gmail.com> wrote:
>
>> Should I do this on the cisco itself?
>>
>> On Mon, Mar 9, 2015 at 10:24 AM, krad <kraduk at gmail.com> wrote:
>>
>>> It sounds like your Cisco isn't letting the squid web traffic out and
>>> redirecting it back to itself. You need to exclude the squid proxy's
>>> address from redirection
>>>
>>> On 9 March 2015 at 14:03, Monah Baki <monahbaki at gmail.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I have a freebsd 10.1 server with a single interface (bge0) running
>>>> squid
>>>> in intercept mode. There is a Cisco device doing the policy routing.
>>>>
>>>> interface GigabitEthernet0/0/1.1
>>>>  encapsulation dot1Q 1 native
>>>>  ip address 10.0.0.9 255.255.255.0
>>>>  no ip redirects
>>>>  no ip unreachables
>>>>  ip nat inside
>>>>  standby 1 ip 10.0.0.10
>>>>  standby 1 priority 120
>>>>  standby 1 preempt
>>>>  standby 1 name HSRP
>>>>  ip policy route-map CFLOW
>>>>
>>>> ip access-list extended REDIRECT
>>>>  deny   tcp host 10.0.0.24 any eq www
>>>>  permit tcp host 10.0.0.23 any eq www
>>>>
>>>> route-map CFLOW permit 10
>>>>  match ip address REDIRECT
>>>>  set ip next-hop 10.0.0.24
>>>>
>>>> My squid.conf has the following:
>>>> http_port 3128
>>>> http_port 3129 intercept
>>>>
>>>>
>>>>
>>>> My pf.conf has the following:
>>>>
>>>> rdr on bge0 inet proto tcp from 10.0.0.0/8 to any port 80 -> 10.0.0.24 port 3129
>>>> # block in
>>>> pass in log quick on bge0
>>>> pass out log quick on bge0
>>>> pass out keep state
>>>>
>>>>
>>>>
>>>> User gets an access denied on browsing, and in my cache.log file, I see:
>>>> WARNING: Forwarding loop detected for:
>>>>
>>>>
>>>>
>>>> Any help/guidance is appreciated.
>>>>
>>>>
>>>> Thanks
>>>
>>>
>>
>
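
The exclusion check discussed in this thread, as an added example that is not part of the original messages: a small Python model of first-match evaluation for the posted REDIRECT ACL and pf rdr rule, reporting whether the proxy's own address (10.0.0.24) is exempt at each stage. The rule tuples are a simplified transcription (source address only, TCP port 80 assumed), and the `no rdr` variant at the end is hypothetical.

```python
import ipaddress

# Rules transcribed from the original post. First match wins in both stages.
# Cisco "REDIRECT" ACL used by route-map CFLOW: (action, source host)
CISCO_ACL = [("deny", "10.0.0.24"), ("permit", "10.0.0.23")]
# pf translation rules: (action, source network); the post has a single rdr.
PF_RULES = [("rdr", "10.0.0.0/8")]
PROXY = "10.0.0.24"  # route-map next-hop and rdr target in the post


def cisco_policy_routes(src, acl=CISCO_ACL):
    """True if a TCP/80 packet from src is policy-routed to the proxy."""
    for action, host in acl:
        if src == host:
            return action == "permit"
    return False  # implicit deny at the end of an IOS ACL: routed normally


def pf_redirects(src, rules=PF_RULES):
    """True if a TCP/80 packet from src arriving on bge0 is sent to port 3129."""
    addr = ipaddress.ip_address(src)
    for action, net in rules:
        if addr in ipaddress.ip_network(net):
            return action == "rdr"  # a matching "no rdr" exempts the packet
    return False


def audit(proxy=PROXY, acl=CISCO_ACL, rules=PF_RULES):
    """Report, per stage, whether the proxy's own traffic is exempt."""
    return {
        "cisco_exempts_proxy": not cisco_policy_routes(proxy, acl),
        "pf_exempts_proxy": not pf_redirects(proxy, rules),
    }


if __name__ == "__main__":
    print(audit())
    # Hypothetical variant: a "no rdr" for the proxy placed before the rdr rule.
    print(audit(rules=[("no rdr", "10.0.0.24/32")] + PF_RULES))
```

The pf stage only matters for packets from the proxy's address that actually arrive inbound on bge0; the model reports what the rule text matches, not what traffic the interface sees.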

