Re: Re: [squid-users] clientNatLookup: PF open failed: (13) Permissiondenied

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 18 Dec 2008 12:30:53 +1300 (NZDT)

> [root_at_SRAID-Server ~]# /home/squid/sbin/squid -v
> Squid Cache: Version 2.7.STABLE4
> configure options: '--prefix=/home/squid' '--enable-dlmalloc'
> '--with-pthreads' '--enable-poll' '--disable-internal-dns'
> '--enable-stacktrace' '--enable-removal-policies=heap,lru'
> '--enable-delay-pools' '--enable-storeio=aufs,coss,diskd,ufs'
>
> 2008-12-17
>
> thematice
>
> From: Leslie Jensen
> Sent: 2008-12-17 15:33:56
> To: Amos Jeffries; Chris Robertson; squid-users
> Cc:
> Subject: Re: [squid-users] clientNatLookup: PF open failed: (13)
> Permission denied
>
> Amos Jeffries skrev:
>> Chris Robertson wrote:
>>> Leslie Jensen wrote:
>>>> I'm running Squid-3.0.10 on FreeBSD 7.0-RELEASE-p4 with PF.
>>>>
>>>> I've noticed that in cache.log are a lot of entries as the one below
>>>>
>>>> clientNatLookup: PF open failed: (13) Permission denied
>>>>
>>>> I've found some information on the problem via Google.
>>>>
>>>> One is "start Squid as root". Squid is started via rc.conf so I think
>>>> that is sorted.
>>>>
>>>> There is a concern about rights on /dev/pf
>>>>
>>>> Finally there's some advice
>>>>
>>>> ---- snip----
>>>> If you are performing any kind of transparent interception with squid
>>>> you will need one of the --*-transparent options. Without it squid
>>>> will
>>>> fail to correctly spoof the clients IP.
>>>> ----- snip ----
>>>>
>>>> I do not fully understand where the "--*-transparent options" are to
>>>> be found. And if it's the solution to the problem.
>>>>
>>>> Will someone Please enlighten me?
>>>
>>> First, I don't know if it is the solution to the problem, but it's an
>>> easy thing to check...
>>>
>>> Run "/path/to/squid -v". That will show what options squid was
>>> compiled with. For example:
>>>
>>> -bash-3.00$ /home/squid2/bin/squid -v
>>> Squid Cache: Version 2.6.STABLE3
>>> configure options: '--bindir=/home/squid2/bin'
>>> '--sbindir=/home/squid2/bin' '--libexecdir=/home/squid2/bin'
>>> '--datadir=/home/squid2/etc' '--sysconfdir=/etc/squid'
>>> '--localstatedir=/home/squid2' '--mandir=/usr/man'
>>> '--enable-err-languages=English' '--enable-snmp' '--with-large-files'
>>> '--disable-ident-lookups' '--disable-useragent-log'
>>> '--disable-referer-log' '--enable-async-io' '--enable-epoll'
>>> -bash-3.00$
>>>
>>> If you don't see --enable-pf-transparent in that list, you are going
>>> to need to recompile.
>>>
>>
>> I believe the option is present. The line "PF open failed" should never
>> occur without it.
>>
>> The rc.conf may not necessarily be correct. Bug 2396, about PF
>> permissions, has only been fixed since 3.0.STABLE8.
>>
>> Amos
> Yes, it's there! Squid is working from what I can see but the error
> messages are of concern to me.

Yes, the NAT/FW table is not accessible to squid, so some of the controls
will be failing.

> Mine is Squid Cache: Version 3.0.STABLE10
> /Leslie
> -------------- snip ---------------
> :/usr/local/sbin/squid -v
> Squid Cache: Version 3.0.STABLE10
> configure options: '--with-default-user=squid'
<snip>
> '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'

Did you check the rc.conf actions?

I see squid is also built with --with-default-user; that's the username your
proxy will set itself to run as by default after the startup root stuff is
finished.
Can we also have a look at the /dev/pf permissions and the group
membership of the squid user? (Don't change any of that yet, I just think
it might be useful to know.)

Amos
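The checks asked for in this reply (configure options, the compiled-in default user, and whether that user can reach /dev/pf through owner, group or other bits) can be scripted. The following POSIX sh diagnostic is an added example, not code from the thread or from the Squid project. It assumes FreeBSD-style `ls -l` and `id` output, and it assumes Squid needs read/write on /dev/pf once it has dropped root; if your build opens the device read-only, pass `r` as the fourth argument to `pf_verdict`. The sample inputs are constructed, modelled on the outputs quoted in the thread; `live_check`, `pf_verdict`, `node_access` and the other function names are this example's own.

```shell
#!/bin/sh
# pf_diag.sh: helpers for diagnosing "clientNatLookup: PF open failed: (13) Permission denied".
# Added example, not code from the thread or from Squid. Assumptions: FreeBSD-style
# `ls -l` and `id` output, and that Squid must open /dev/pf read/write after it has
# dropped root (pass a different NEEDED value to pf_verdict if your build differs).

# Constructed sample inputs, modelled on the outputs quoted in the thread.
SAMPLE_SQUID_V="Squid Cache: Version 3.0.STABLE10
configure options: '--with-default-user=squid' '--enable-ipfw-transparent' '--enable-pf-transparent' '--enable-kqueue'"
SAMPLE_LS_PF="crw-------  1 root  wheel    0, 42 Dec 17 10:00 /dev/pf"
SAMPLE_ID_SQUID="uid=100(squid) gid=100(squid) groups=100(squid)"

# squid_has_option OUTPUT OPTION: true if `squid -v` OUTPUT lists OPTION among the
# configure options. Matches the whole quoted token, so --enable-pf would not be
# mistaken for --enable-pf-transparent.
squid_has_option() {
    printf '%s\n' "$1" | grep -qF -- "'$2'"
}

# squid_default_user OUTPUT: value of --with-default-user, empty if absent.
squid_default_user() {
    printf '%s\n' "$1" | sed -n "s/.*'--with-default-user=\([^']*\)'.*/\1/p"
}

# node_access LS_LINE USER ID_OUTPUT: permission class USER falls into for the node
# described by an `ls -l` line, resolved through owner, then the groups listed in
# USER's `id` output, then "other". Prints rw, r, w or none.
node_access() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    # "groups=100(squid),0(wheel)" -> one group name per line
    groups=$(printf '%s\n' "$3" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/.*(\(.*\))/\1/')
    if [ "$owner" = "$2" ]; then
        bits=$(printf '%s\n' "$mode" | cut -c2-4)
    elif printf '%s\n' "$groups" | grep -qx -- "$group"; then
        bits=$(printf '%s\n' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s\n' "$mode" | cut -c8-10)
    fi
    case "$bits" in
        rw*) echo rw ;;
        r*)  echo r ;;
        -w*) echo w ;;
        *)   echo none ;;
    esac
}

# pf_verdict SQUID_V LS_LINE ID_OUTPUT [NEEDED]: one-line diagnosis; returns 0 when
# the build has PF support and the default user gets NEEDED (default rw) on /dev/pf.
pf_verdict() {
    needed=${4:-rw}
    if ! squid_has_option "$1" --enable-pf-transparent; then
        echo "squid was built without --enable-pf-transparent: rebuild"
        return 1
    fi
    user=$(squid_default_user "$1")
    [ -n "$user" ] || user=nobody   # assumed fallback when no default user was configured
    access=$(node_access "$2" "$user" "$3")
    case "$needed/$access" in
        rw/rw|r/r|r/rw|w/w|w/rw)
            echo "ok: squid drops to '$user', which has $access on /dev/pf"
            return 0 ;;
    esac
    echo "problem: squid drops to '$user', which has '$access' on /dev/pf (needs $needed)"
    echo "         grant it via group ownership/mode on /dev/pf (devfs.rules on FreeBSD), not by keeping squid as root"
    return 1
}

# live_check [SQUID_BINARY]: gather the three inputs from the running host.
live_check() {
    bin=${1:-/usr/local/sbin/squid}
    out=$("$bin" -v 2>&1)
    user=$(squid_default_user "$out")
    [ -n "$user" ] || user=nobody
    pf_verdict "$out" "$(ls -l /dev/pf)" "$(id "$user")"
}

case "${1:-}" in
    --live) live_check "${2:-}" ;;
    --demo) pf_verdict "$SAMPLE_SQUID_V" "$SAMPLE_LS_PF" "$SAMPLE_ID_SQUID" ;;
esac
```

`sh pf_diag.sh --demo` evaluates the constructed inputs (root:wheel 0600 on /dev/pf, squid in no extra group) and prints the "problem" line; `sh pf_diag.sh --live` runs the same logic against the real `squid -v`, `ls -l /dev/pf` and `id` output on the proxy host. Because /dev/pf lives in devfs on FreeBSD, a plain chmod/chgrp is lost at reboot, which is why the verdict points at devfs.rules rather than a one-off mode change.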
Received on Wed Dec 17 2008 - 23:30:57 MST

This archive was generated by hypermail 2.2.0 : Thu Dec 18 2008 - 12:00:03 MST