# FreeBSD 10.1, PF, and Squid



## Sabrtooth (Mar 21, 2015)

Hey all,

So I've been troubleshooting this a bit, and I've gotten some issues squared away, but otherwise, it's been a pain to deal with.

When I first went to set this all up, I used Squid 3.4 and PF. I got this problem in my cache.log:

```
WARNING: Forward Loop Detected
```
Obviously, nothing would work.

After a lot of research and troubleshooting (including downgrading to Squid 3.3.13, where I don't intend to stay), I've gotten that problem to go away, but now I've got the problem that nothing passes through. Every site registers in the access.log as a TCP_MISS/403 and a TCP_DENIED/403 with HIER_DIRECT/192.168.0.1 and HIER_NONE, leaving me with the following msg in the browser:

```
ERROR

The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: http://www.transformers.com/

Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is support@northshoretech.net.


Generated Sat, 21 Mar 2015 04:30:56 GMT by proxy.investrwm.com (squid/3.3.13)
```
Any ideas?

I've attached my conf files with changes. Hope it helps. I'm hoping some sleep will help as well.


----------



## Sabrtooth (Mar 21, 2015)

Hey all --

I backed this up (using ports-mgmt/portdowngrade) to Squid 3.4.9 and it all worked. All I needed was to add rights to squid for /dev/pf in /etc/devfs.conf:

```
# Allow Squid read access to /dev/pf
own pf root:squid
perm pf 0640
```
And from the command line:

```
chgrp squid /dev/pf
chmod 660 /dev/pf
```

My PF filter line that's handling everything fine is:

```
# pf.conf macros are defined without the leading '$' and referenced with it;
# the macro name must match exactly between definition and use
proxy_services = "{ 80, 443, 21 }"
proxy = "127.0.0.1"
proxyport = "3128"
rdr pass inet proto tcp from 192.168.0.0/24 to any port $proxy_services -> $proxy port $proxyport
```
My squid.conf entries of relevance:

```
http_port 192.168.0.1:3128
http_port 127.0.0.1:3128 intercept
```
Hope this helps someone.
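The rdr rule and the two http_port lines above have to agree with each other, and a mismatch between them is exactly what produces the loop warning or the blanket TCP_DENIED/403 responses seen earlier in the thread. The following is an added example (my own script, not code from this thread or from the Squid or FreeBSD projects) that reads pf.conf and squid.conf text and reports three common mistakes: a `$macro` referenced in a rule but never defined (the first version of the rule posted above had `proxyservices` defined but `$proxy_services` referenced), an rdr target that is not an `intercept` listener in squid.conf, and a listener configured both as plain and intercept on the same address:port. The sample configs embedded in it are constructed from the lines in this thread; the helper names and the regular expressions are my own assumptions, not part of either project.

```python
"""Sanity checks for a PF rdr + Squid intercept setup (added example, not
code from the thread or from Squid/FreeBSD). Cross-checks pf.conf macros
and rdr targets against the http_port listeners in squid.conf."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the rdr rule as first posted, with the macro defined
# as 'proxyservices' but referenced as '$proxy_services'.
PF_CONF = """\
proxyservices = "{ 80, 443, 21 }"
proxy = "127.0.0.1"
proxyport = "3128"
rdr pass inet proto tcp from 192.168.0.0/24 to any port $proxy_services -> $proxy port $proxyport
"""

# Constructed sample: the two http_port lines from the thread.
SQUID_CONF = """\
http_port 192.168.0.1:3128
http_port 127.0.0.1:3128 intercept
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"]*)"?\s*$')   # name = "value"
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')                            # $name
RDR_TARGET = re.compile(r'^\s*rdr\b.*->\s*(\S+)\s+port\s+(\S+)')       # -> host port N
HTTP_PORT = re.compile(r'^\s*http_port\s+(\S+)(.*)$')                  # http_port spec [opts]


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0]


def pf_macros(conf: str) -> Dict[str, str]:
    """Collect macro definitions ('name = "value"') from pf.conf text."""
    macros: Dict[str, str] = {}
    for line in conf.splitlines():
        m = MACRO_DEF.match(_strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def pf_macro_problems(conf: str) -> List[str]:
    """Report $name references that have no definition earlier in the file."""
    defined: Set[str] = set()
    problems: List[str] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = _strip_comment(raw)
        m = MACRO_DEF.match(line)
        if m:
            defined.add(m.group(1))
        for ref in MACRO_REF.findall(line):
            if ref not in defined:
                problems.append(f"pf.conf line {lineno}: ${ref} is referenced but never defined")
    return problems


def expand(token: str, macros: Dict[str, str]) -> str:
    """Expand $name references; unknown names are left untouched."""
    return MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), token)


def squid_listeners(conf: str) -> List[Tuple[str, int, bool]]:
    """Return (address, port, is_intercept) for every http_port line."""
    listeners: List[Tuple[str, int, bool]] = []
    for line in conf.splitlines():
        m = HTTP_PORT.match(_strip_comment(line))
        if not m:
            continue
        spec, opts = m.group(1), m.group(2).split()
        if ":" in spec:
            addr, port = spec.rsplit(":", 1)
        else:
            addr, port = "0.0.0.0", spec  # a bare port listens on all addresses
        listeners.append((addr, int(port), "intercept" in opts or "transparent" in opts))
    return listeners


def check_setup(pf_conf: str, squid_conf: str) -> List[str]:
    """Cross-check pf.conf against squid.conf; an empty list means no problems found."""
    problems = pf_macro_problems(pf_conf)
    macros = pf_macros(pf_conf)
    listeners = squid_listeners(squid_conf)
    intercept = {(a, p) for a, p, i in listeners if i}
    plain = {(a, p) for a, p, i in listeners if not i}

    if not intercept:
        problems.append("squid.conf: no http_port carries the 'intercept' flag")
    for addr, port in intercept & plain:
        problems.append(f"squid.conf: {addr}:{port} is both a plain and an intercept listener")

    for lineno, raw in enumerate(pf_conf.splitlines(), 1):
        m = RDR_TARGET.match(_strip_comment(raw))
        if not m:
            continue
        addr, port = expand(m.group(1), macros), expand(m.group(2), macros)
        if not port.isdigit():
            problems.append(f"pf.conf line {lineno}: rdr target port '{port}' is not a number")
            continue
        if (addr, int(port)) not in intercept and ("0.0.0.0", int(port)) not in intercept:
            problems.append(f"pf.conf line {lineno}: rdr sends traffic to {addr}:{port}, "
                            "which is not an intercept http_port in squid.conf")
    return problems


if __name__ == "__main__":
    for p in check_setup(PF_CONF, SQUID_CONF) or ["no problems found"]:
        print(p)
```

Run against the sample as posted, it flags only the undefined `$proxy_services` macro; with the macro name corrected it reports nothing, and removing the `intercept` flag from the 127.0.0.1 listener makes it complain that the rdr target is a plain listener. The rdr check is deliberately strict about the address: PF redirects to a specific address:port, so a listener on 192.168.0.1:3128 does not satisfy a rule that sends traffic to 127.0.0.1:3128.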


----------



## junovitch@ (Mar 21, 2015)

Thanks for the update.  It's a bit confusing reading the Squid examples on this.  The docs for FreeBSD aren't very clear and don't mention anything for /dev/pf access.
http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdPf

For OpenBSD they do mention /dev/pf, but strangely enough they only mention write access.
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf


----------



## Sabrtooth (Mar 21, 2015)

In my car on the way to a party but I am happy to be more clear. Where are you confused?

I think this is the kind of solution that you only discover when you're a day without sleep and determined.

I remember (cannot validate right now) them fixing the pf issue in 3.4.9 in .10. Maybe that broke the pf-transparent/with-devpf in later versions? I didn't test .10.

Either way, it is pretty solid and a lot of people are having problems. Hope this gets to some.


----------



## junovitch@ (Mar 22, 2015)

Thanks, I understand it.  I was just pointing it out for posterity that the Squid examples aren't very clear on this and that doesn't help out someone who has never set it up before.  Thanks for taking the time to document your experience and hopefully it does help someone in the future.


----------

