I have a transparent squid proxy in the DMZ, but would like to also proxy outbound http traffic as well as local zone traffic. I've tried setting this rule,

ACCEPT dmz dmz:192.168.2.42:3128 tcp http - all

I've also got the policy file to allow all traffic from the DMZ to the net zone. Can you portforward/redirect within a zone?

--
Regards,
Chris
-----
Chris Freeze
Email: cfreeze@alumni.clemson.edu
Web: http://www.cfreeze.com
Chris,

On Sunday 06 January 2002 11:02 am, Chris Freeze wrote:
> I have a transparent squid proxy in the DMZ, but would like to also proxy
> outbound http traffic as well as local zone traffic. I've tried setting
> this rule,
>
> ACCEPT dmz dmz:192.168.2.42:3128 tcp http - all
>
> I've also got the policy file to allow all traffic from the DMZ to the net
> zone. Can you portforward/redirect within a zone?

I'm unclear about exactly what you are trying to do. Is it that you have http clients in your DMZ other than your proxy server? If so, you have yet another variant on FAQ 2 (http://www.shorewall.net/FAQ.htm#faq2 and faq2a). You have to be careful though that you don't forward the proxy server's HTTP requests back to itself. Try this:

a) specify 'multi' on the entry for the DMZ's interface in /etc/shorewall/interfaces; and
b) you need to masquerade the DMZ to itself; and
c) You need to amend your rule above:

ACCEPT dmz:!192.168.2.42 dmz:192.168.2.42:3128 tcp http - all

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
On 06-Jan-2002 Tom Eastep wrote:
> I'm unclear about exactly what you are trying to do. Is it that you have http
> clients in your DMZ other than your proxy server? If so, you have yet another
> variant on FAQ 2 (http://www.shorewall.net/FAQ.htm#faq2 and faq2a). You have
> to be careful though that you don't forward the proxy server's HTTP requests
> back to itself.

I have a transparent proxy sitting in my dmz zone. I want the local and dmz zones to use this proxy transparently. My problem has been in trying to get each zone to use it.

> a) specify 'multi' on the entry for the DMZ's interface in
> /etc/shorewall/interfaces; and
> b) you need to masquerade the DMZ to itself; and
> c) You need to amend your rule above:
> ACCEPT dmz:!192.168.2.42 dmz:192.168.2.42:3128 tcp http - all

I've made your modifications as suggested and I'm still not getting anything to go through. Nothing in the logs being rejected so I think it's still looping somewhere. This box also serves as a webserver. I've got the rules for being a webserver above the ones for it being a proxy. I've also put settings in Netscape's advanced settings to use the box as a proxy (avoiding the transparent issue) and things work fine without the above rule. With it, I still have the same problem.

--
Regards,
Chris
-----
Chris Freeze
Email: cfreeze@alumni.clemson.edu
Web: http://www.cfreeze.com
On Sunday 06 January 2002 12:13 pm, Chris Freeze wrote:
> I have a transparent proxy sitting in my dmz zone. I want the local and
> dmz zones to use this proxy transparently.

May I ask why you have http clients in your DMZ? Seems like an odd arrangement.

> My problem has been in trying to get each zone to use it.

Are you saying that your local zone won't use it either?

> > a) specify 'multi' on the entry for the DMZ's interface in
> > /etc/shorewall/interfaces; and
> > b) you need to masquerade the DMZ to itself; and
> > c) You need to amend your rule above:
> > ACCEPT dmz:!192.168.2.42 dmz:192.168.2.42:3128 tcp http - all
>
> I've made your modifications as suggested and I'm still not getting
> anything to go through. Nothing in the logs being rejected so I think it's
> still looping somewhere. This box also serves as a webserver. I've got
> the rules for being a webserver above the ones for it being a proxy.

And your web server rule looks how?

> I've
> also put settings in Netscape's advanced settings to use the box as a proxy
> (avoiding the transparent issue) and things work fine without the above
> rule. With it, I still have the same problem.

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
On 06-Jan-2002 Tom Eastep wrote:
> May I ask why you have http clients in your DMZ? Seems like an odd
> arrangement.

Wireless access point is in the DMZ.

> > My problem has been in trying to get each zone to use it.
>
> Are you saying that your local zone won't use it either?

I'm trying to ram all outbound http requests through the proxy. I haven't been able to get a client in any zone.

> And your web server rule looks how?

ACCEPT net dmz:192.168.2.42 tcp auth,http,https,domain,4000 - xx.xx.xx.xx
ACCEPT net dmz:192.168.2.42 udp auth,http,https,domain,4000 - xx.xx.xx.xx

--
Regards,
Chris
-----
Chris Freeze
Email: cfreeze@alumni.clemson.edu
Web: http://www.cfreeze.com
On Sunday 06 January 2002 12:43 pm, Chris Freeze wrote:
> On 06-Jan-2002 Tom Eastep wrote:
> > May I ask why you have http clients in your DMZ? Seems like an odd
> > arrangement.
>
> Wireless access point is in the DMZ.
>
> > > My problem has been in trying to get each zone to use it.
> >
> > Are you saying that your local zone won't use it either?
>
> I'm trying to ram all outbound http requests through the proxy. I haven't
> been able to get a client in any zone.
>
> > And your web server rule looks how?
>
> ACCEPT net dmz:192.168.2.42 tcp auth,http,https,domain,4000 -
> xx.xx.xx.xx
> ACCEPT net dmz:192.168.2.42 udp auth,http,https,domain,4000 -
> xx.xx.xx.xx

What about your local proxy rule?

-Tom

PS -- you have a number of redundant rules above since auth, http and https NEVER use UDP.

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
On 06-Jan-2002 Tom Eastep wrote:
> What about your local proxy rule?

ACCEPT local dmz:192.168.2.42:3128 tcp http - !xx.xx.xx.xx

> PS -- you have a number of redundant rules above since auth, http and https
> NEVER use UDP.

Cut and pasted when I was making them a while back. Left them in for tunneling through http that I might try one day. Never have, so I guess it's time to go ahead and remove them. Thanks.

--
Regards,
Chris
-----
Chris Freeze
Email: cfreeze@alumni.clemson.edu
Web: http://www.cfreeze.com
On Sunday 06 January 2002 12:53 pm, Chris Freeze wrote:
> On 06-Jan-2002 Tom Eastep wrote:
> > What about your local proxy rule?
>
> ACCEPT local dmz:192.168.2.42:3128 tcp http - !xx.xx.xx.xx

Understanding your problem is a bit like peeling an onion -- I take off one layer and there's still 100s more. So since you don't want us to see what xx.xx.xx.xx is, we have to assume that it's NOT an RFC1918 address in the DMZ. From this I would guess that you must have a rule somewhere that says:

ACCEPT	local	xxx:yy.yy.yy.yy	tcp	http	-	xx.xx.xx.xx

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4
In looking at your rules, one thing you should keep in mind:

a) Any time that you have an entry in the ADDRESS column of the rules file, unless that same address also appears in the SERVER(S) column then DNAT is indicated.
b) DNAT rules are evaluated ahead of all non-DNAT rules.
c) DNAT rules are evaluated in the order in which they appear in the rules file.

You can see all of your NAT rules using the command:

	shorewall show nat

-Tom
--
Tom Eastep \ teastep@shorewall.net
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ Firewalls for Linux 2.4