Hi,

I have squid installed on my server.

Squid is listening on port 8080.
My server also runs postfix, courier, mailscanner, web, mysql, samba.
Apache listens on the external nic.

In my logs I see quite often:

(I am not at home right now)

    fw2net DROP TCP=8080

This is my policy:

    loc     net     DROP    info
    fw      net     DROP    info
    fw      loc     DROP    info
    loc     fw      DROP    info
    net     all     DROP    info
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  info

These are my rules:

    AllowWeb    all     all
    AllowDNS    all     all
    AllowFTP    loc     net
    AllowIMAP   loc     fw
    AllowSMTP   fw      net
    AllowSMTP   net     fw
    AllowSMTP   loc     net     # ISP mail with outlook express
    AllowSMB    loc     fw
    AllowSMB    fw      loc
    AllowSSH    loc     fw
    AllowSSH    fw      loc

    ACCEPT      net     fw      tcp     443
    ACCEPT      net     fw      tcp     80
    ACCEPT      loc     fw      tcp     901
    ACCEPT      loc     fw      tcp     8080
    ACCEPT      fw      net     tcp     80

The problem is that when I get the error that squid wants to go to the
internet, surfing the web just freezes.

The version of shorewall that is running is 2.0.6.
This one was installed yesterday evening.

With the older version of shorewall 2.0.5 I didn't have these problems.

> Hi,
>
> I have squid installed on my server.
>
> Squid is listening on port 8080.
> ...
> In my logs I see quite often:
>
> fw2net DROP TCP=8080
> ...
> The problem is that when I get the error that squid wants to go to the
> internet, surfing the web just freezes.
> ...
> With the older version of shorewall 2.0.5 I didn't have these problems.

Take a look at http://www.shorewall.net/Shorewall_Squid_Usage.html

rob@mokkinksystems.com wrote:
> Hi,
>
> I have squid installed on my server.
>
> Squid is listening on port 8080.
> My server also runs postfix, courier, mailscanner, web, mysql, samba.
> Apache listens on the external nic.
>
> In my logs I see quite often:
>
> (I am not at home right now)
>
> fw2net DROP TCP=8080

Sounds like someone using the Proxy is trying to browse a URL of the
form http://www.foo.tld:8080 -- To allow them to do that, you need to

    ACCEPT  fw  net  tcp  8080

Also:

> fw net DROP info

Change that to REJECT if you want things to not bog down when this type
of problem happens.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

Tom Eastep wrote on 20/07/2004 10:21:21:
> rob@mokkinksystems.com wrote:
>
>> In my logs I see quite often:
>>
>> (I am not at home right now)
>>
>> fw2net DROP TCP=8080
>
> Sounds like someone using the Proxy is trying to browse a URL of the
> form http://www.foo.tld:8080 -- To allow them to do that, you need to
>
> ACCEPT fw net tcp 8080

Here I use a custom action to allow the set of safe ports in the default
squid configuration to pass out from the firewall to the internet. The
custom action is called action.AllowWebCST and goes by:

    #TARGET  SOURCE  DEST  PROTO  DEST       SOURCE   RATE   USER/
    #                             PORT       PORT(S)  LIMIT  GROUP
    ACCEPT   -       -     tcp    80,85,443
    ACCEPT   -       -     tcp    8000:8100

Then, in my rules file, I have

    AllowWebCST  fw  net

There are a lot of sites (at least here in Brazil) that use different
ports in the URL. Squid must surf to them.

If you want to make it more safe, you could put your squid user in the
USER/GROUP column to be sure only squid goes out using these ports...

hope it helps,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606

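An added example, not code from this thread, from Shorewall or from Squid: a small Python script that does the two checks Tom's and Eduardo's replies turn on. It counts which destination ports the fw2net chain is dropping (read from Shorewall's kernel log lines), compares them with the ports Squid's Safe_ports ACL lets the proxy attempt, and prints the "ACCEPT fw net tcp ..." rule lines in Tom's form (consecutive ports collapsed to Shorewall's lo:hi range syntax) for the ports Squid would forward but the firewall silently drops. Assumptions: the Safe_ports list is the stock squid.conf default as I remember it, the log lines are constructed and abbreviated, and the original poster's "AllowWeb all all" is taken to open tcp 80 and 443 fw->net.

```python
"""Reconcile Squid Safe_ports with the Shorewall ports opened fw->net, and
summarise fw2net DROPs. Added example; all inputs below are constructed."""
import re
from collections import Counter

# Stock squid.conf Safe_ports ACL (assumption: the default shipped with Squid;
# check it against your own squid.conf).
SQUID_CONF = """\
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
"""

# What the original poster's rules open fw->net: the explicit tcp 80 plus
# 443 (assumption: AllowWeb all all covers 80 and 443).
OP_ALLOWED = "80,443"
# Eduardo's AllowWebCST action, both rows merged into one port spec.
CST_ALLOWED = "80,85,443,8000:8100"

# Constructed, abbreviated Shorewall log lines (RFC 5737 addresses).
SAMPLE_LOG = """\
Jul 20 09:12:01 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41022 DPT=8080 SYN
Jul 20 09:12:04 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=41023 DPT=8080 SYN
Jul 20 09:13:10 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.9 PROTO=TCP SPT=41030 DPT=8081 SYN
Jul 20 09:14:22 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.12 PROTO=TCP SPT=41044 DPT=81 SYN
Jul 20 09:15:02 fw kernel: Shorewall:fw2net:DROP:IN= OUT=eth0 SRC=203.0.113.5 DST=198.51.100.20 PROTO=UDP SPT=123 DPT=123
Jul 20 09:15:40 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=50001 DPT=22 SYN
"""

SAFE_RE = re.compile(r"^\s*acl\s+Safe_ports\s+port\s+(\d+)(?:-(\d+))?", re.MULTILINE)
LOG_RE = re.compile(r"Shorewall:(\w+):(\w+):.*?\bPROTO=(\w+)\b.*?\bDPT=(\d+)")


def parse_port_spec(spec):
    """Expand a Shorewall DEST PORT(S) column such as '80,85,443,8000:8100'."""
    ports = set()
    for item in filter(None, (s.strip() for s in spec.split(","))):
        if ":" in item:
            lo, hi = (int(x) for x in item.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def parse_safe_ports(conf):
    """Collect every port Squid's Safe_ports ACL permits (singletons and ranges)."""
    ports = set()
    for lo, hi in SAFE_RE.findall(conf):
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def count_drops(lines, chain="fw2net"):
    """Count (proto, dport) pairs that the given chain logged as DROP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == chain and m.group(2) == "DROP":
            hits[(m.group(3).lower(), int(m.group(4)))] += 1
    return hits


def compress_ports(ports):
    """Collapse a port set into Shorewall 'lo:hi' ranges and singletons."""
    fmt = lambda run: str(run[0]) if len(run) == 1 else f"{run[0]}:{run[-1]}"
    out, run = [], []
    for p in sorted(ports):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            if run:
                out.append(fmt(run))
            run = [p]
    return out + ([fmt(run)] if run else [])


def reconcile(drops, allowed, safe):
    """Split drops into ports Squid would forward (fix with a rule) and the rest
    (not a Safe_port or not tcp, so the proxy is not the one talking out)."""
    squid_ports, other = set(), []
    for (proto, port), n in sorted(drops.items()):
        if proto == "tcp" and port in safe and port not in allowed:
            squid_ports.add(port)
        else:
            other.append((proto, port, n))
    rules = [f"ACCEPT\tfw\tnet\ttcp\t{spec}" for spec in compress_ports(squid_ports)]
    return {"rules": rules, "other": other,
            "uncovered_safe_ports": len(safe - allowed)}


if __name__ == "__main__":
    drops = count_drops(SAMPLE_LOG.splitlines())
    safe = parse_safe_ports(SQUID_CONF)
    for label, spec in (("OP rules", OP_ALLOWED), ("AllowWebCST", CST_ALLOWED)):
        r = reconcile(drops, parse_port_spec(spec), safe)
        print(f"== {label}: {r['uncovered_safe_ports']} Safe_ports not opened fw->net")
        for rule in r["rules"]:
            print("  add:", rule)
        for proto, port, n in r["other"]:
            print(f"  look at: {proto}/{port} dropped {n}x (not a Squid Safe_port or not tcp)")
```

Run as is, it reports the gap under the original poster's rules (8080 and 8081 get one "8080:8081" rule) and under Eduardo's action (nothing to add, since 8000:8100 already covers them). The "look at" lines are drops that no Safe_ports-derived rule explains, such as tcp/81 or udp/123 here, so they point at some other process on the firewall rather than the proxy. Tom's suggestion to change the fw net policy from DROP to REJECT does not change this report, but it turns the browser's freeze into an immediate error while you decide which ports to open.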
Tom Eastep wrote:
> ...
>> I have squid installed on my server.
>>
>> Squid is listening on port 8080.
>> My server also runs postfix, courier, mailscanner, web, mysql, samba.
>> Apache listens on the external nic.
>> ...
> Sounds like someone using the Proxy is trying to browse a URL of the
> form http://www.foo.tld:8080 -- To allow them to do that, you need to
>
> ACCEPT fw net tcp 8080

A piece of advice: if you are not the only client using the proxy server,
you will find that adding rules for every web server port eventually
becomes onerous. You would be better having a segment of your network
(usually the DMZ) for which all outbound access is allowed by policy
rather than rules.

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College.
Any use for direct sales or marketing purposes is expressly forbidden.
This message does not represent the views of Redlands College.