Beta 1 is now available for testing.

Problems Corrected:

1) Previously, nested conditionals did not work correctly in all cases. In particular:

       ?IF $FALSE
       ?IF $FALSE
       foo
       bar
       ?ENDIF
       baz
       bop
       ?ENDIF

   In this case, the lines 'baz' and 'bop' were incorrectly included when they should have been omitted.

New Features:

1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was incomplete and required additional logic to be added in the 'start' or 'started' extension scripts.

   In this release, the TPROXY implementation has been changed and an additional DIVERT action has been created. Because the new TPROXY has a different set of parameters than the prior one, the tcrules file now supports two formats:

   FORMAT 1 - (default, deprecated)

       The TPROXY action allows three arguments, the first of which ('mark') is required.

   FORMAT 2

       The TPROXY action has two optional arguments:

       port       -- the port on which the proxy is listening. While this argument is optional, it will normally be supplied.

       ip address -- the address on which the proxy is listening.

   The format is specified by a line like this:

       FORMAT {1|2}

   The Sample configurations have been updated to use FORMAT 2.

   The format-2 tcrules file also supports the DIVERT action. The DIVERT action directs matching packets to the local system if there is a transparent socket in the local system that matches the destination of the packet.

   Finally, the providers file supports a new 'tproxy' option. When 'tproxy' is specified:

   - It must be the only OPTION given
   - The MARK, DUPLICATE and GATEWAY columns must be empty.

   The 'tproxy' option causes a reserved mark value to be associated with the provider and for its associated routing rule to have priority 1.

   Here is the TPROXY configuration at shorewall.net:

   tcrules:

       FORMAT 2
       #ACTION                    SOURCE  DEST  PROTO  DEST     SOURCE
       #                                               PORT(S)  PORT(S)
       ...
       DIVERT                     eth1    -     tcp    -        80
       DIVERT                     eth0    -     tcp    -        80
       TPROXY(3129,172.20.1.254)  eth2    -     tcp    80

   Note: eth1 and eth0 are Internet interfaces and eth2 connects to the local LAN.

   providers:

       #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
       ...
       Squid  3       -     -          lo         -        tproxy

   /etc/squid3/squid.conf:

       ...
       http_port 172.20.1.254:3129 tproxy
       ...

Thank you for testing,
-Tom

--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 11/05/12 15:31, Tom Eastep wrote:
> Beta 1 is now available for testing.
> [...]
> Here is the TPROXY configuration at shorewall.net:
>
> tcrules:
>
> FORMAT 2
> #ACTION                    SOURCE  DEST  PROTO  DEST     SOURCE
> #                                               PORT(S)  PORT(S)
> ...
> DIVERT                     eth1    -     tcp    -        80
> DIVERT                     eth0    -     tcp    -        80
> TPROXY(3129,172.20.1.254)  eth2    -     tcp    80
>
> Note: eth1 and eth0 are Internet interfaces and eth2 connects to
> the local LAN.
>
> providers:
>
> #NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
> ...
> Squid  3       -     -          lo         -        tproxy
>
> /etc/squid3/squid.conf:
>
> ...
> http_port 172.20.1.254:3129 tproxy
> ...
>
> Thank you for testing,
> -Tom

Hi all, hi Tom

I am using 2 providers in the same ethernet (realm); in that case, is it ok to set:

tcrules:

    FORMAT 2
    #ACTION                SOURCE                DEST  PROTO  DEST     SOURCE
    #                                                         PORT(S)  PORT(S)
    ...
    DIVERT                 eth4:192.168.150.199  -     tcp    -        80
    DIVERT                 eth4:192.168.150.200  -     tcp    -        80
    DIVERT                 eth6                  -     tcp    -        80
    TPROXY(3129,x.x.x.x)   eth2                  -     tcp    80

/etc/shorewall/providers

    #NAME   NUMBER  MARK  DUPLICATE  INTERFACE             GATEWAY          OPTIONS                            COPY
    cyber2  2       2     main       eth4:192.168.150.99   192.168.150.199  track,loose,balance=10,mtu=1492
    cyber3  3       3     main       eth4:192.168.150.99   192.168.150.200  track,loose,balance=8,mtu=1492
    silica  4       4     main       eth6                  186.0.x.x        track,balance=2,mtu=1500

Thanks for the great work Tom, I got a few nightmare nights with TPROXY before trying to make it work.

Ricardo.
On 5/11/12 3:09 PM, Ricardo Rios wrote:
> On 11/05/12 15:31, Tom Eastep wrote:
>> [...]
> Hi all, hi Tom
>
> I am using 2 providers in the same ethernet (realm); in that case, is it
> ok to set:
>
> tcrules:
>
> FORMAT 2
> #ACTION                SOURCE                DEST  PROTO  DEST     SOURCE
> #                                                         PORT(S)  PORT(S)
> ...
> DIVERT                 eth4:192.168.150.199  -     tcp    -        80
> DIVERT                 eth4:192.168.150.200  -     tcp    -        80

No -- Simply have a single entry for eth4 with no qualifying addresses.

> Thanks for the great work Tom, I got a few nightmare nights with TPROXY
> before trying to make it work.

You're most welcome; I hope it works well for you. It's working fine here.

-Tom
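As an added example (not Shorewall's code and not posted by anyone in this thread), a small Python checker for the constraints the announcement states for FORMAT 2 tcrules and the providers 'tproxy' option, plus Tom's answer above that one interface should have a single unqualified DIVERT entry. The sample files are constructed from the configurations quoted in the thread, with one deliberately bad providers row added.

```python
import re

# Constructed samples (not production configs): Ricardo's two qualified DIVERT
# lines on eth4 plus the shorewall.net TPROXY line, and a bad providers row.
TCRULES = """\
FORMAT 2
#ACTION                    SOURCE                DEST  PROTO  DPORT  SPORT
DIVERT                     eth4:192.168.150.199  -     tcp    -      80
DIVERT                     eth4:192.168.150.200  -     tcp    -      80
DIVERT                     eth6                  -     tcp    -      80
TPROXY(3129,172.20.1.254)  eth2                  -     tcp    80
"""
PROVIDERS = """\
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY  OPTIONS
Squid  3       -     -          lo         -        tproxy
bad    4       4     main       lo         -        tproxy,track
"""

def rows(text):
    # Yield the whitespace-split columns of each non-comment, non-empty line.
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            yield line.split()

def check_tcrules(text):
    findings, divert = [], {}
    entries = list(rows(text))
    if not entries or entries[0] != ['FORMAT', '2']:
        return ['tcrules must start with "FORMAT 2" to use TPROXY(port,ip)/DIVERT']
    for action, source, *_ in entries[1:]:
        m = re.fullmatch(r'TPROXY(?:\((\d+)?(?:,([\d.]+))?\))?', action)
        if m and m.group(1) and not 0 < int(m.group(1)) < 65536:
            findings.append(f'TPROXY port out of range: {action}')
        elif action == 'DIVERT':
            # DIVERT lines match replies (source port 80) on Internet interfaces;
            # group them per interface to spot address-qualified duplicates.
            iface, _, addr = source.partition(':')
            divert.setdefault(iface, []).append(addr)
    for iface, addrs in divert.items():
        if len(addrs) > 1 and any(addrs):
            findings.append(f'DIVERT on {iface}: use a single entry with no qualifying addresses')
    return findings

def check_providers(text):
    # tproxy must be the only OPTION, and MARK/DUPLICATE/GATEWAY must be empty.
    findings = []
    for name, _num, mark, dup, _iface, gw, opts, *_ in rows(text):
        opts = opts.split(',')
        if 'tproxy' in opts and len(opts) != 1:
            findings.append(f'{name}: tproxy must be the only OPTION')
        if 'tproxy' in opts and (mark, dup, gw) != ('-', '-', '-'):
            findings.append(f'{name}: MARK, DUPLICATE and GATEWAY must be empty with tproxy')
    return findings
```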
On 11/05/12 20:25, Tom Eastep wrote:
> On 5/11/12 3:09 PM, Ricardo Rios wrote:
>> [...]
>> DIVERT                 eth4:192.168.150.199  -     tcp    -        80
>> DIVERT                 eth4:192.168.150.200  -     tcp    -        80
> No -- Simply have a single entry for eth4 with no qualifying addresses.
>
>> Thanks for the great work Tom, I got a few nightmare nights with TPROXY
>> before trying to make it work.
> You're most welcome; I hope it works well for you. It's working fine here.
>
> -Tom

Hi all, hi Tom

So I got TPROXY working now, but I have a question: if I check my HTTP headers on any internet website, I keep seeing my squid proxy:

http://pastebin.com/HK3sjinn

I wonder if this is ok or not.

Regards.
Ricardo
On 05/14/2012 02:59 PM, Ricardo Rios wrote:
> Hi all, hi Tom
>
> So I got TPROXY working now, but I have a question: if I check my HTTP
> headers on any internet website, I keep seeing my squid proxy:
>
> http://pastebin.com/HK3sjinn
>
> I wonder if this is ok or not.

Are you masquerading or using SNAT? If so, then you will still see the SOURCE IP as that of your Shorewall box.

-Tom
On 14/05/2012 19:27, Tom Eastep wrote:
> On 05/14/2012 02:59 PM, Ricardo Rios wrote:
>> [...]
>> So I got TPROXY working now, but I have a question: if I check my HTTP
>> headers on any internet website, I keep seeing my squid proxy:
>>
>> http://pastebin.com/HK3sjinn
>>
>> I wonder if this is ok or not.
> Are you masquerading or using SNAT? If so, then you will still see the
> SOURCE IP as that of your Shorewall box.
>
> -Tom

If I understand correctly, Ricardo is talking about the HTTP headers. I think you can turn off those headers with

    forwarded_for off
    via off

in your squid.conf.

Pablo.
On 14/05/12 21:15, Pablo Sebastian Greco wrote:
> On 14/05/2012 19:27, Tom Eastep wrote:
>> [...]
>> Are you masquerading or using SNAT? If so, then you will still see the
>> SOURCE IP as that of your Shorewall box.
>>
>> -Tom
> If I understand correctly, Ricardo is talking about the HTTP headers.
> I think you can turn off those headers with
>     forwarded_for off
>     via off
> in your squid.conf.
>
> Pablo.

Yep, now I don't see anything about the proxy on the HTTP headers, thanks Pablo.

Regards
Ricardo