squid3 and ipfw_transparent macport broke as of Lion?

Michael macosforge.org at nemonik.com
Tue Dec 6 07:05:51 PST 2011

I am x-posting from the user-list.

I'm stuck getting the Squid3 w/ ipfw_transparent port to work as per
https://trac.macports.org/wiki/howto/SetupInterceptionSquid and I have
concerns Lion may have broken the current squid3 w/ ipfw_transparent.

I need an intercepting proxy on my dev box, as I have a problem especially
aggravated by Dev Ops programming: I'm spending a great deal of time
building out virtualized environments with the Vagrant tool;
specifically, in authoring base box definition postinstall shell
scripts. These scripts pull down countless yum packages in order to
build up the base image that I then later further provision with
either Puppet or Chef integration frameworks via scripts written in
Ruby. When things are dorked up, like an apparent dependency problem in
the repo, I'm spending a great deal of time debugging issues,
especially when throttled behind a T1 connection, resulting in mind-numbing
time spent mostly twiddling my thumbs as I sit through
repeated pulls of dependencies to get to where the problem occurs.

The intercept config example for FreeBsdIpfw at wiki.squid-cache.org
led me to a few corrections, but largely the macports wiki article
appears correct:

The article, in "Step 3: Configure Mac OS X firewall", fails to clearly
mention you need to start Lion's Firewall through the System Panel ->
Security & Privacy -> Firewall tab.

And I've tried the following to configure the firewall via the rule:

sudo ipfw add 1013 fwd,3128 tcp from any to any dst-port 80 recv en0

I verified the rule was set via

sudo ipfw list

and it returns:

$ sudo ipfw list
01013 fwd,3128 tcp from any to any dst-port 80 recv en0
65535 allow ip from any to any

and I also restarted the firewall just in case w/ each rule change. No dice.

I've also configured the kernel as per "Step 2: Configure Mac OS X
kernel" as described originally at:

Maybe this portion changed w/ Lion?

Once set up, the firewall never seems to redirect dst-port 80
traffic to Squid to handle, but if I directly configure the Squid
proxy settings (localhost:3128) into, say, Firefox it performs
flawlessly... So, the problem seems to be in ipfw's forwarding of
any dst-port 80 traffic to Squid to handle.

Ideas? Is the problem with Apple's firewall or what?
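A small checker for the rule listing quoted above, written here as an added example (not code from the original post or from the MacPorts wiki). It assumes the `sudo ipfw list` output has been saved to a file and that Squid's intercept port is passed as the second argument; the sample captures it builds are constructed to mirror the rules shown in the post.

```shell
#!/bin/sh
# Hypothetical checker for an ipfw -> Squid interception rule set (added
# example, not from the original post). Reads a saved `sudo ipfw list`
# capture, verifies that a fwd rule for dst-port 80 exists and is numbered
# below the catch-all allow rule, then reports its interface qualifier.

# Usage: check_fwd_rule <listing-file> <squid-port>; exit 0 = rule looks
# reachable, 1 = no matching fwd rule, 2 = fwd rule shadowed by an allow.
check_fwd_rule() {
    listing="$1"
    port="$2"
    # accepts both "fwd,3128" (as in the post) and "fwd 127.0.0.1,3128"
    fwd_num=$(awk -v p="$port" \
        '$0 ~ ("fwd[ ,]([0-9.]+,)?" p "[ \t]") && /dst-port 80([ \t]|$)/ { print $1; exit }' \
        "$listing")
    allow_num=$(awk '/allow ip from any to any/ { print $1; exit }' "$listing")
    if [ -z "$fwd_num" ]; then
        echo "no fwd rule to port $port for dst-port 80"
        return 1
    fi
    # ipfw walks rules in ascending number order; compare in awk so the
    # zero-padded numbers are read as decimal, not octal
    if [ -n "$allow_num" ] && \
       ! awk -v a="$fwd_num" -v b="$allow_num" 'BEGIN { exit (a+0 < b+0) ? 0 : 1 }'; then
        echo "fwd rule $fwd_num is shadowed by allow rule $allow_num"
        return 2
    fi
    # 'recv IF' matches only packets that arrived on IF; traffic the host
    # itself originates is seen on 'xmit IF' (or 'via IF') instead
    qual=$(awk -v n="$fwd_num" '$1 == n { for (i = 1; i <= NF; i++)
        if ($i ~ /^(recv|xmit|via)$/) print $i, $(i + 1) }' "$listing")
    echo "fwd rule $fwd_num found; interface qualifier: ${qual:-none}"
    return 0
}

# Constructed captures: "good" mirrors the post; "shadowed" places the fwd
# rule after an allow-all so it can never fire.
make_sample() {
    f=$(mktemp)
    case "$1" in
        shadowed) printf '%s\n' '00100 allow ip from any to any' \
                      '01013 fwd,3128 tcp from any to any dst-port 80 recv en0' > "$f" ;;
        *)        printf '%s\n' '01013 fwd,3128 tcp from any to any dst-port 80 recv en0' \
                      '65535 allow ip from any to any' > "$f" ;;
    esac
    echo "$f"
}
```

Run it against a real capture with `check_fwd_rule saved-ipfw-list.txt 3128`; the qualifier line tells you whether the matching rule can see traffic the box itself sends or only traffic arriving on that interface.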
