# Weird Squid + IPFW behavior



## Young (Apr 12, 2013)

Hi,

I'm running Squid with IPFW for Windows Update caching. The system works very well with manual browser proxy configuration and WinHTTP proxy setting. The problem is with the interception of IPFW. If I download something with the browser proxy configurated, the subsequent requests always returns from Squid (HIT) but if I download something with the IPFW forward (intercept) configurated and browser proxy off, after 2~3 downloads the request goes directly (MISS) and after this all requests goes directly (WTF?!). Aparently the browser doesn't know about the packet interception and then send some no-cache packet. Any clues?

access.log

```
1365731269.162   2095 192.168.1.2 TCP_HIT/200 238870715 GET http://download.windowsupdate.com/msdownload/update/driver/drvs/2013/03/20541077_3cdf18b8840f06c4a2ea18a11897a80f1e94500a.cab - HIER_NONE/- application/octet-stream
1365731280.316   2112 192.168.1.2 TCP_HIT/200 238870715 GET http://download.windowsupdate.com/msdownload/update/driver/drvs/2013/03/20541077_3cdf18b8840f06c4a2ea18a11897a80f1e94500a.cab - HIER_NONE/- application/octet-stream
1365731579.867 261156 192.168.1.2 TCP_MISS/200 238870704 GET http://download.windowsupdate.com/msdownload/update/driver/drvs/2013/03/20541077_3cdf18b8840f06c4a2ea18a11897a80f1e94500a.cab - HIER_DIRECT/72.246.94.157 application/octet-stream
```

squid.conf

```
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT

http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

http_access allow localnet
http_access allow localhost
http_access deny all

http_port 3128
http_port 3129 intercept

minimum_object_size 0 KB
maximum_object_size 2048 MB

memory_cache_mode disk

cache_dir ufs /cache 80000 16 256
coredump_dir /cache

range_offset_limit -1
quick_abort_min -1

refresh_pattern -i microsoft.com/.*\.(cab|exe|dll|msi|psf) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|dll|msi|psf) 259200 100% 259200 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-store ignore-must-revalidate ignore-private ignore-auth

refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

visible_hostname cache.local
```


```
# ipfw list
00010 check-state
00020 fwd 127.0.0.1,3129 tcp from any to any dst-port 80 via bge0 setup keep-state
00050 divert 8668 ip4 from any to any via em0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 deny ip from any to ::1
00500 deny ip from ::1 to any
00600 allow ipv6-icmp from :: to ff02::/16
00700 allow ipv6-icmp from fe80::/10 to fe80::/10
00800 allow ipv6-icmp from fe80::/10 to ff02::/16
00900 allow ipv6-icmp from any to any ip6 icmp6types 1
01000 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
65000 allow ip from any to any
65535 deny ip from any to any
```

System used in the tests: Windows 7 Ultimate with Internet Explorer 10

Thanks.


----------

