Hello to all.

I am having problems with a transparent proxy with Squid. I have this rule in my rules file:

REDIRECT loc:!172.16.1.177 8080 tcp www

The problem is that the traffic isn't redirected to port 8080 and the clients try to go directly to port 80 using the default gateway.

I'm using Shorewall 4.0.2 and kernel 2.6.22.2-42 (FC6).

Any idea how to solve this?

Thanks,
Stacker

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Stacker Hush wrote:
> I am having problems with a transparent proxy with Squid.
>
> I have this rule in my rules file:
> REDIRECT loc:!172.16.1.177 8080 tcp www
>
> The problem is that the traffic isn't redirected to port 8080 and the clients
> try to go directly to port 80 using the default gateway.

Which default gateway? The firewall's default gateway or their own default gateway (if it isn't through the firewall)?

> I'm using Shorewall 4.0.2 and kernel 2.6.22.2-42 (FC6).
>
> Any idea how to solve this?

Not really -- but if you will follow the instructions at http://www.shorewall.net/support.htm#Guidelines, we'll try to help you.

-Tom
--
Tom Eastep        \ The ultimate result of shielding men from the effects of
Shoreline,         \ folly is to fill the world with fools.
Washington, USA     \ -- Herbert Spencer
------------------------------------------------------------------------
http://www.shorewall.net
Stacker Hush wrote:
> I have attached the status information according to the site you told me about.

There are no REDIRECT rules in this configuration.

-Tom
Hello.

The rule is commented out now to avoid problems. But the rule is:

REDIRECT loc:!172.16.1.177 8080 tcp www

Thanks,
Wilson

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 8 October 2008 14:41
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: transparent proxy

Stacker Hush wrote:
> I have attached the status information according to the site you told me about.

There are no REDIRECT rules in this configuration.

-Tom
Stacker Hush wrote:
> Hello.
>
> The rule is commented out now to avoid problems.

Unbelievable....

-Tom
Try this from the documentation....

REDIRECT loc 8080 tcp www -
ACCEPT fw net tcp 80

On Wed, Oct 8, 2008 at 2:02 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Stacker Hush wrote:
> > Hello.
> >
> > The rule is commented out now to avoid problems.
>
> Unbelievable....
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
This works if Squid and Shorewall are on the same machine; I'm not sure if that is the case.

Fabio

2008/10/8 Andy McGuire <mickwire@gmail.com>
> Try this from the documentation....
>
> REDIRECT loc 8080 tcp www -
> ACCEPT fw net tcp 80
Fabio Correa wrote:
> This works if Squid and Shorewall are on the same machine; I'm not sure if
> that is the case.

We basically don't have enough information here --

a) If Stacker's users are accessing the internet directly now, how does adding the rule disrupt them if, as claimed, the rule does nothing?

b) As Fabio says, we're assuming that Squid is running on the Shorewall box. But even if it isn't, that wouldn't cause the users to "try to go directly to the por (SIC) 80 using the default gateway".

So I suspect that the rule is working and Squid is not. Because:

- In 90% of cases where transparent proxy doesn't work, it is the Squid configuration that is wrong, not Shorewall.

- In 9% of the cases, the user forgot to enable port 80 from fw->net even though that is carefully documented at http://www.shorewall.net/Shorewall_Squid_Usage.html

- In the other 1%, the user is astonished to learn that HTTPS cannot be transparently proxied.

-Tom
Hi,

I am trying to add an extra zone int1. I can connect to the firewall, but can't get any access to the internet. The loc zone has no problems connecting. Below is the setup.

I am running Shorewall 4.0.13

3 Interfaces

eth0 = 192.168.1.2 / 255.255.255.0
eth1 = 10.10.1.1 / 255.255.255.0
eth2 = 10.10.2.1 / 255.255.254.0
ppp0

Interfaces:
net    ppp0  detect  routefilter,norfc1918,tcpflags,blacklist
modem  eth0  detect
loc    eth1  detect  tcpflags,dhcp
int1   eth2  detect  tcpflags,dhcp

masq:
ppp0  eth1
eth0  eth1
eth0  eth2

policy:
loc   net  ACCEPT
int1  net  ACCEPT
net   all  DROP    info
all   all  REJECT  info

routestopped:
eth1  -
eth2  -

zones:
fw     firewall
net    ipv4
loc    ipv4
int1   ipv4
modem  ipv4

rules:
ACCEPT  int1  net  all
P Hennessy wrote:
> Hi,
>
> I am trying to add an extra zone int1.
> I can connect to the firewall, but can't get any access to the internet.
> The loc zone has no problems connecting.
> Below is the setup.
>
> I am running Shorewall 4.0.13
>
> Interfaces:
> net    ppp0  detect  routefilter,norfc1918,tcpflags,blacklist
> modem  eth0  detect
> loc    eth1  detect  tcpflags,dhcp
> int1   eth2  detect  tcpflags,dhcp
>
> masq:
> ppp0  eth1
> eth0  eth1
> eth0  eth2
>

Take a real close look at the above file -- it's missing an important entry.

-Tom
It is commented out because the rule isn't working in my configuration. I have other firewalls running Shorewall with the same configuration and everything works fine.

Thanks,
Stacker

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 8 October 2008 15:02
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: RES: transparent proxy

Stacker Hush wrote:
> Hello.
>
> The rule is commented out now to avoid problems.

Unbelievable....

-Tom
I guess you mean the masq file.

ppp0  eth2

Thank you.

> Date: Wed, 8 Oct 2008 14:14:04 -0700
> From: teastep@shorewall.net
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Adding an extra zone.
>
> P Hennessy wrote:
> > masq:
> > ppp0  eth1
> > eth0  eth1
> > eth0  eth2
> >
>
> Take a real close look at the above file -- it's missing an important entry.
>
> -Tom
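Both threads above come down to the same class of slip: a table file that is syntactically fine but missing the one entry another table implies. Tom's 90/9/1 list for the transparent-proxy case (Squid on the firewall needs fw->net port 80 open; HTTPS cannot be redirected) and the masq file missing `ppp0 eth2` for the new int1 zone are both checkable mechanically. The script below is an added example written for this page, not Shorewall's own code or anything shipped with it. It parses the 4.0-era rules, policy, interfaces and masq tables (whitespace-separated columns, `#` comments) and reports those two conditions. Assumptions, labelled in the code: the firewall zone is named `fw` (or `$FW`), the external zone `net`, the masq SOURCE column is matched by interface name only (subnet sources are not resolved), and the function and constant names are my own. The sample inputs are transcribed from the two configurations posted in the thread.

```python
"""Consistency checks over Shorewall 4.x table files (added example, not
Shorewall's own code).  Assumed: firewall zone 'fw' or '$FW', external zone
'net', Shorewall 4.0 column order; masq SOURCE matched by interface only."""
from typing import Dict, List, Set

HTTP_PORTS = {"80", "www", "http"}
HTTPS_PORTS = {"443", "https"}
ANY_HTTP = HTTP_PORTS | {"any"}


def parse_table(text: str) -> List[List[str]]:
    """Rows of whitespace-separated columns; blank lines and '#' comments dropped."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def action_of(cols: List[str]) -> str:
    """'ACCEPT:info' -> 'ACCEPT' (strip the optional log level)."""
    return cols[0].split(":", 1)[0].upper()


def zone_of(spec: str) -> str:
    """'loc:!172.16.1.177' -> 'loc' (strip host/exclusion qualifiers)."""
    return spec.split(":", 1)[0]


def ports_of(cols: List[str], idx: int) -> Set[str]:
    """DEST PORT column as a set; a missing column or '-' means any port."""
    if len(cols) <= idx or cols[idx] == "-":
        return {"any"}
    return set(cols[idx].lower().split(","))


def check_transparent_proxy(rules: str, policy: str, fw: str = "fw",
                            net: str = "net") -> List[str]:
    findings: List[str] = []
    rule_rows = parse_table(rules)
    fw_names = {fw, "$FW"}
    # rules columns: ACTION SOURCE DEST PROTO DEST_PORT ...  For REDIRECT the
    # DEST column is the local port (8080 in the thread) traffic is sent to.
    redirects = [r for r in rule_rows if action_of(r) == "REDIRECT"]
    for r in redirects:
        if ports_of(r, 4) & HTTPS_PORTS:
            findings.append(f"'{' '.join(r)}': HTTPS cannot be transparently "
                            "proxied by port redirection")
    if not any(ports_of(r, 4) & ANY_HTTP for r in redirects):
        return findings
    # Squid runs on the firewall, so the firewall itself must be allowed to
    # open port 80 towards net, either by policy or by an explicit rule.
    by_policy = any(
        len(p) >= 3 and p[0] in (fw_names | {"all"}) and p[1] in (net, "all")
        and p[2].upper() == "ACCEPT" for p in parse_table(policy))
    by_rule = any(
        len(r) >= 3 and action_of(r) == "ACCEPT"
        and zone_of(r[1]) in fw_names and zone_of(r[2]) == net
        and (len(r) < 4 or r[3].lower() in ("tcp", "all", "-"))
        and ports_of(r, 4) & ANY_HTTP for r in rule_rows)
    if not (by_policy or by_rule):
        findings.append(f"REDIRECT to Squid present but {fw}->{net} tcp 80 is "
                        "not permitted; add 'ACCEPT fw net tcp 80'")
    return findings


def check_masq(interfaces: str, policy: str, rules: str, masq: str,
               fw: str = "fw", net: str = "net") -> List[str]:
    # interfaces columns: ZONE INTERFACE BROADCAST OPTIONS
    zone_ifaces: Dict[str, List[str]] = {}
    for c in parse_table(interfaces):
        if len(c) >= 2:
            zone_ifaces.setdefault(c[0], []).append(c[1])
    # Zones that may originate traffic to net, by policy or by ACCEPT rule.
    internal: Set[str] = set()
    for p in parse_table(policy):
        if len(p) >= 3 and p[1] in (net, "all") and p[2].upper() == "ACCEPT":
            internal |= set(zone_ifaces) if p[0] == "all" else {p[0]}
    for r in parse_table(rules):
        if len(r) >= 3 and action_of(r) == "ACCEPT" and zone_of(r[2]) == net:
            internal |= set(zone_ifaces) if r[1] == "all" else {zone_of(r[1])}
    internal -= {fw, "$FW", "all", net}
    # masq columns: INTERFACE SOURCE ADDRESS ...  (SOURCE assumed to be an
    # interface name here; subnet sources are not resolved)
    have = {(m[0], m[1]) for m in parse_table(masq) if len(m) >= 2}
    findings: List[str] = []
    for zone in sorted(internal):
        for src_if in zone_ifaces.get(zone, []):
            for net_if in zone_ifaces.get(net, []):
                if (net_if, src_if) not in have:
                    findings.append(f"zone {zone} ({src_if}) may reach {net} via "
                                    f"{net_if} but masq has no '{net_if} {src_if}'")
    return findings


# Inputs transcribed from the two configurations posted in the thread.
HENNESSY_INTERFACES = ("net ppp0 detect routefilter,norfc1918,tcpflags,blacklist\n"
                       "modem eth0 detect\nloc eth1 detect tcpflags,dhcp\n"
                       "int1 eth2 detect tcpflags,dhcp\n")
HENNESSY_POLICY = "loc net ACCEPT\nint1 net ACCEPT\nnet all DROP info\nall all REJECT info\n"
HENNESSY_RULES = "ACCEPT int1 net all\n"
HENNESSY_MASQ = "ppp0 eth1\neth0 eth1\neth0 eth2\n"
LOC_POLICY = "loc net ACCEPT\nnet all DROP\nall all REJECT\n"   # constructed
STACKER_RULES = "REDIRECT loc:!172.16.1.177 8080 tcp www\n"
DOCUMENTED_RULES = "REDIRECT loc 8080 tcp www -\nACCEPT fw net tcp 80\n"

if __name__ == "__main__":
    for f in (check_masq(HENNESSY_INTERFACES, HENNESSY_POLICY, HENNESSY_RULES, HENNESSY_MASQ)
              + check_transparent_proxy(STACKER_RULES, LOC_POLICY)
              + check_transparent_proxy(DOCUMENTED_RULES, LOC_POLICY)):
        print(f)
```

Run against Hennessy's tables it reports exactly the entry Tom was hinting at (`ppp0 eth2`); against Stacker's lone REDIRECT with a loc-only policy it reports the missing fw->net port 80 permission, and against Andy's two-line version from the documentation it reports nothing. It is a lint, not a substitute for `shorewall dump`: it will not see the layer-2 problem that turned out to be the real cause later in the thread.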
Hello.

Squid + Shorewall are on the same machine.

Using the REDIRECT rule and blocking access from the local zone to net on tcp port 80, I see in the logs that Shorewall is blocking attempts to access port 80 directly.

The strange thing is that I have this setup on other firewalls and it works fine. If I configure the proxy manually on the machines it works fine using the proxy (confirmed by the proxy log).

Thanks,
Stacker

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 8 October 2008 17:44
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: RES: transparent proxy

Fabio Correa wrote:
> This works if Squid and Shorewall are on the same machine; I'm not
> sure if that is the case.

We basically don't have enough information here --

a) If Stacker's users are accessing the internet directly now, how does adding the rule disrupt them if, as claimed, the rule does nothing?

b) As Fabio says, we're assuming that Squid is running on the Shorewall box. But even if it isn't, that wouldn't cause the users to "try to go directly to the por (SIC) 80 using the default gateway".

So I suspect that the rule is working and Squid is not.

[...]

-Tom
Stacker Hush wrote:
> Hello.
>
> Squid + Shorewall are on the same machine.
>
> Using the REDIRECT rule and blocking access from the local zone to net on tcp
> port 80, I see in the logs that Shorewall is blocking attempts to access port 80
> directly.

We need to see a dump taken when that is happening.

> The strange thing is that I have this setup on other firewalls and it works
> fine.

There is obviously something different.

-Tom
Stacker Hush wrote:
> Here is my firewall configuration:
>
> Now the REDIRECT rule is activated in status.txt
>
> eth0: 192.168.0.254 (wan - connected to ADSL)
> eth1: 172.16.1.254 (lan)
> tap0: 192.168.99.1 openvpn
>
> zones:
> fw   firewall
> net  ipv4
> loc  ipv4
> vpn  ipv4
>
> interfaces:
> net  eth0  detect
> loc  eth1  detect
> vpn  tap0
>
> masq:
> eth0  eth1
> eth1  eth0
>
> Squid is running on port 8080.
>
> In messages I see:
> Oct  8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=20577 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

That is a sign of a very sick configuration. Note that "IN=eth0 OUT=eth0". That means that the packets are arriving on eth0 and being routed back out of eth0.

More troubling from the dump are:

Table main:
192.168.99.0/24 dev tap0  proto kernel  scope link  src 192.168.99.1
172.16.1.0/24 dev eth1  proto kernel  scope link  src 172.16.1.254

ARP
? (172.16.1.200) at 00:1E:0B:79:56:C1 [ether] on eth1
? (192.168.99.3) at 00:FF:E4:C4:C3:DF [ether] on tap0
? (172.16.1.2) at 00:0E:2E:EC:64:17 [ether] on eth1
? (172.16.1.1) at 00:0F:EA:D2:10:DB [ether] on eth1

So 172.16.1.1 should be connected to eth1 yet traffic from that system is arriving on eth0!!! You need to understand why that is happening -- my best guess is that eth0 and eth1 are connected to the same Ethernet segment.

-Tom
Hello.

Using the routeback option in the interfaces file on eth0/eth1 the problem is solved.

Thanks,
Wilson

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, 8 October 2008 21:55
To: Shorewall Users
Subject: Re: [Shorewall-users] RES: RES: RES: transparent proxy

Stacker Hush wrote:
> In messages I see:
> Oct  8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0
> OUT=eth0 SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00
> TTL=127
> ID=20577 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

That is a sign of a very sick configuration. Note that "IN=eth0 OUT=eth0". That means that the packets are arriving on eth0 and being routed back out of eth0.

[...]

So 172.16.1.1 should be connected to eth1 yet traffic from that system is arriving on eth0!!! You need to understand why that is happening -- my best guess is that eth0 and eth1 are connected to the same Ethernet segment.

-Tom
Stacker Hush wrote:
> Hello.
>
> Using the routeback option in the interfaces file on eth0/eth1 the problem is
> solved.

I don't believe that the underlying problem is solved -- I believe you have just swept it under the carpet.

-Tom
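Tom's diagnosis a few messages up is worth turning into a repeatable check, because it is exactly the kind of thing `routeback` hides: that option only tells Shorewall to permit traffic that leaves by the interface it arrived on, so it silences the FORWARD REJECT without explaining why a host from the 172.16.1.0/24 LAN is being heard on the WAN interface. The script below is an added example for this page, not Shorewall's own tooling. It parses Shorewall kernel log lines, the connected routes from `ip route` and the ARP table, and for each logged packet reports three disagreements: IN equals OUT (a hairpin), the source address arrived on an interface other than the one its connected route says it lives on, and the source's MAC was learned by ARP on a different interface. The route and ARP lines and the first log line are the ones quoted from Stacker's dump; the second log line is a constructed healthy counterpart, and the function names are my own.

```python
"""Triage of Shorewall kernel log lines against 'ip route' and ARP output.
Added example for this thread, not Shorewall's own code.  It flags what the
'routeback' option would otherwise hide: packets whose ingress interface
disagrees with the routing table or the ARP table for their source address."""
import ipaddress
import re
from typing import Dict, List, Optional

# Shorewall log prefix is 'Shorewall:<chain>:<disposition>:' followed by the
# kernel's KEY=VALUE fields (bare flags such as DF or SYN carry no value).
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)")
# Connected routes as printed by 'ip route': '<prefix>/<len> dev <iface> ...'
ROUTE_RE = re.compile(r"^(?P<prefix>\S+/\d+)\s+dev\s+(?P<dev>\S+)")
# ARP table as printed by 'arp -a': '? (<ip>) at <mac> [ether] on <iface>'
ARP_RE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>\S+).*? on (?P<dev>\S+)")


def parse_log(line: str) -> Optional[Dict[str, str]]:
    """Chain, disposition and KEY=VALUE fields of one Shorewall log line,
    or None if the line is not a Shorewall log message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"CHAIN": m.group("chain"), "DISP": m.group("disp")}
    for tok in m.group("rest").split():
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def route_dev(src: str, routes: List[str]) -> Optional[str]:
    """Interface of the longest-prefix connected route containing src."""
    addr = ipaddress.ip_address(src)
    best = None
    for r in routes:
        m = ROUTE_RE.match(r.strip())
        if not m:
            continue
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, m.group("dev"))
    return best[1] if best else None


def arp_dev(src: str, arp: List[str]) -> Optional[str]:
    """Interface on which the ARP table learned src, if any."""
    for a in arp:
        m = ARP_RE.search(a)
        if m and m.group("ip") == src:
            return m.group("dev")
    return None


def triage(line: str, routes: List[str], arp: List[str]) -> List[str]:
    """Findings for one log line; an empty list means nothing suspicious."""
    f = parse_log(line)
    if not f or not f.get("SRC"):
        return []
    src, ifin, ifout = f["SRC"], f.get("IN", ""), f.get("OUT", "")
    findings = []
    if ifin and ifin == ifout:
        findings.append(f"hairpin: IN={ifin} OUT={ifout} (routed back out the "
                        "interface it arrived on; 'routeback' would silence this)")
    rdev = route_dev(src, routes)
    if rdev and rdev != ifin:
        findings.append(f"route table puts {src} on {rdev}, but it arrived on {ifin}")
    adev = arp_dev(src, arp)
    if adev and adev != ifin:
        findings.append(f"ARP learned {src} on {adev}, but it arrived on {ifin}")
    return findings


# Route, ARP and SICK_LINE are from the dump quoted in the thread;
# HEALTHY_LINE is a constructed counterpart with the LAN host on eth1.
ROUTES = [
    "192.168.99.0/24 dev tap0  proto kernel  scope link  src 192.168.99.1",
    "172.16.1.0/24 dev eth1  proto kernel  scope link  src 172.16.1.254",
]
ARP = [
    "? (172.16.1.200) at 00:1E:0B:79:56:C1 [ether] on eth1",
    "? (192.168.99.3) at 00:FF:E4:C4:C3:DF [ether] on tap0",
    "? (172.16.1.2) at 00:0E:2E:EC:64:17 [ether] on eth1",
    "? (172.16.1.1) at 00:0F:EA:D2:10:DB [ether] on eth1",
]
SICK_LINE = ("Oct  8 19:48:25 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth0 "
             "OUT=eth0 SRC=172.16.1.1 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 "
             "TTL=127 ID=20577 DF PROTO=TCP SPT=1232 DPT=80 WINDOW=65535 RES=0x00 "
             "SYN URGP=0")
HEALTHY_LINE = ("Oct  8 19:50:01 farroupilha kernel: Shorewall:FORWARD:REJECT:IN=eth1 "
                "OUT=eth0 SRC=172.16.1.2 DST=65.77.157.50 LEN=48 TOS=0x00 PREC=0x00 "
                "TTL=127 ID=20578 DF PROTO=TCP SPT=1233 DPT=80 WINDOW=65535 RES=0x00 "
                "SYN URGP=0")

if __name__ == "__main__":
    for line in (SICK_LINE, HEALTHY_LINE):
        for finding in triage(line, ROUTES, ARP) or ["ok"]:
            print(finding)
```

On the line from the dump it reports all three disagreements; on the constructed line, where the same LAN subnet enters on eth1 as the routes and ARP say it should, it reports nothing. A source that the firewall has ARP-resolved on eth1 yet receives on eth0 can only mean both NICs see the same broadcast domain (Tom's guess), a bridge or switch loop, or a host with a spoofed LAN address on the WAN side, and none of those is fixed by telling Shorewall to accept the hairpin.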