Greetings,

I have RH 8 running shorewall and squid. I would like to enable access from the local network to the squid proxy running on the shorewall box. How do I open that up? Squid ACL is set to allow clients fine when shorewall is off, so squid is not stopping it. Any suggestions are appreciated.

Thanks
Richard

Richard Tiffen, IT Specialist - Hamden Public Schools
richard.tiffen@hs.hamden.org
203-407-2040 X7575
On Fri, 2003-10-17 at 13:54, Richard Tiffen wrote:
> Greetings,
> I have RH 8 running shorewall and squid. I would like to enable access
> from the local network to the squid proxy running on the shorewall box. How
> do I open that up? Squid ACL is set to allow clients fine when
> shorewall is off, so squid is not stopping it. Any suggestions are
> appreciated.

1) Are you running Squid as a transparent proxy or are you manually configuring your browsers to use the proxy?

2) What port is Squid listening on?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Fri, 2003-10-17 at 14:00, Tom Eastep wrote:
> On Fri, 2003-10-17 at 13:54, Richard Tiffen wrote:
> > Greetings,
> > I have RH 8 running shorewall and squid. I would like to enable access
> > from the local network to the squid proxy running on the shorewall box. How
> > do I open that up? Squid ACL is set to allow clients fine when
> > shorewall is off, so squid is not stopping it. Any suggestions are
> > appreciated.
>
> 1) Are you running Squid as a transparent proxy or are you manually
> configuring your browsers to use the proxy?
>
> 2) What port is Squid listening on?

I've updated http://shorewall.net/Shorewall_Squid_Usage.html to cover manually-configured proxies so your question should be answered there in any event.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
I am using a manual proxy and it is listening on port 800. I read the notes on manual proxy, and used the rules specified.

ACCEPT loc $FW tcp 800
ACCEPT $FW net tcp 80

I am using the sample files for two interfaces from 1.4.7 two-interfaces.tgz

It is still prevented from connecting to the outside. Any suggestions?

Richard Tiffen, IT Specialist - Hamden Public Schools
richard.tiffen@hs.hamden.org
203-407-2040 X7575

>>> teastep@shorewall.net 10/17/2003 5:23:41 PM >>>
On Fri, 2003-10-17 at 14:00, Tom Eastep wrote:
> On Fri, 2003-10-17 at 13:54, Richard Tiffen wrote:
> > Greetings,
> > I have RH 8 running shorewall and squid. I would like to enable access
> > from the local network to the squid proxy running on the shorewall box. How
> > do I open that up? Squid ACL is set to allow clients fine when
> > shorewall is off, so squid is not stopping it. Any suggestions are
> > appreciated.
>
> 1) Are you running Squid as a transparent proxy or are you manually
> configuring your browsers to use the proxy?
>
> 2) What port is Squid listening on?

I've updated http://shorewall.net/Shorewall_Squid_Usage.html to cover manually-configured proxies so your question should be answered there in any event.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-10-22 at 08:01, Richard Tiffen wrote:
> I am using a manual proxy and it is listening on port 800. I read the notes
> on manual proxy, and used the rules specified.
> ACCEPT loc $FW tcp 800
> ACCEPT $FW net tcp 80
>
> I am using the sample files for two interfaces from 1.4.7
> two-interfaces.tgz
>
> It is still prevented from connecting to the outside. Any suggestions?
>

Look at your log.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Outgoing traffic is being rejected. I'm not sure what rule to put in place to let it through. I get:

Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.62.1.5 DST=216.109.118.65 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=35685 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

Richard Tiffen, IT Specialist - Hamden Public Schools
richard.tiffen@hs.hamden.org
203-407-2040 X7575

>>> teastep@shorewall.net 10/22/2003 11:05:23 AM >>>
On Wed, 2003-10-22 at 08:01, Richard Tiffen wrote:
> I am using a manual proxy and it is listening on port 800. I read the notes
> on manual proxy, and used the rules specified.
> ACCEPT loc $FW tcp 800
> ACCEPT $FW net tcp 80
>
> I am using the sample files for two interfaces from 1.4.7
> two-interfaces.tgz
>
> It is still prevented from connecting to the outside. Any suggestions?
>

Look at your log.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-10-23 at 08:14, Richard Tiffen wrote:
> Outgoing traffic is being rejected. I'm not sure what rule to put in place
> to let it through.
> I get:
> Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.62.1.5 DST=216.109.118.65
> LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=35685 DPT=80
> WINDOW=5840 RES=0x00 SYN URGP=0

According to you, the correct rule is already in place:

ACCEPT $FW net tcp 80

What does your /etc/shorewall/interfaces file look like?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Thu, 2003-10-23 at 08:26, Tom Eastep wrote:
> On Thu, 2003-10-23 at 08:14, Richard Tiffen wrote:
> > Outgoing traffic is being rejected. I'm not sure what rule to put in place
> > to let it through.
> > I get:
> > Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.62.1.5 DST=216.109.118.65
> > LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=35685 DPT=80
> > WINDOW=5840 RES=0x00 SYN URGP=0
>
> According to you, the correct rule is already in place:
>
> ACCEPT $FW net tcp 80
>
> What does your /etc/shorewall/interfaces file look like?

Wait a minute -- 10.62.1.5 isn't configured to use the proxy!!! It is trying to connect directly to 216.109.118.65:80!!! It should be trying to connect to port 800 on your firewall!!

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Sat, 2003-10-25 at 10:00, Tom Eastep wrote:
>
> Wait a minute -- 10.62.1.5 isn't configured to use the proxy!!! It is
> trying to connect directly to 216.109.118.65:80!!! It should be trying
> to connect to port 800 on your firewall!!
>

Duh -- please disregard those ravings and rather please tell me if 10.62.1.5 is your external IP address. If so, I take it that another box outboard of the Shorewall one is doing SNAT?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Oops, I found one mistake. The eth0/loc and eth1/net were backwards. Eth1 is my public side. The eth1 address 10.62.1.5 gets NATed out to the Internet further down the line. The eth0 address 172.16.13.8 is on my private side. Now that that is fixed, the log looks like this:

Oct 27 08:47:05 hpsproxy03 kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=172.16.13.8 DST=172.16.9.6 LEN=63 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=32770 DPT=53 LEN=43

I have a DNS server at 172.16.9.6. Seems I need to open traffic to my DNS server on the local network to resolve names.

Thanks

Richard Tiffen, IT Specialist - Hamden Public Schools
richard.tiffen@hs.hamden.org
203-407-2040 X7575

>>> teastep@shorewall.net 10/25/2003 1:10:06 PM >>>
On Sat, 2003-10-25 at 10:00, Tom Eastep wrote:
>
> Wait a minute -- 10.62.1.5 isn't configured to use the proxy!!! It is
> trying to connect directly to 216.109.118.65:80!!! It should be trying
> to connect to port 800 on your firewall!!
>

Duh -- please disregard those ravings and rather please tell me if 10.62.1.5 is your external IP address. If so, I take it that another box outboard of the Shorewall one is doing SNAT?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On Mon, 2003-10-27 at 06:11, Richard Tiffen wrote:
> Oops, I found one mistake. The eth0/loc and eth1/net were backwards.
> Eth1 is my public side. The eth1 address 10.62.1.5 gets NATed out to
> the Internet further down the line. The eth0 address 172.16.13.8 is on my
> private side. Now that that is fixed, the log looks like this:
> Oct 27 08:47:05 hpsproxy03 kernel: Shorewall:all2all:REJECT:IN=
> OUT=eth0 SRC=172.16.13.8 DST=172.16.9.6 LEN=63 TOS=0x00 PREC=0x00 TTL=64
> ID=0 DF PROTO=UDP SPT=32770 DPT=53 LEN=43
> I have a DNS server at 172.16.9.6. Seems I need to open traffic to my
> DNS server on the local network to resolve names.

Looks like it -- see the Two-interface QuickStart Guide section on DNS.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
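A small troubleshooting helper added here to illustrate the reasoning in this thread; it is not Shorewall's code and was not posted to the list. It parses the two REJECT log lines quoted above, reads the empty IN= as "the firewall itself", maps OUT= to a zone through the interface mapping Richard believed he had, and applies Tom's test: if the ACCEPT rule that should have matched is already in the rules file, the problem is the interfaces file, not a missing rule.

```python
import re

# Log lines quoted in the thread, reassembled onto one line each.
LOG_BEFORE_FIX = ("Shorewall:all2all:REJECT:IN= OUT=eth1 SRC=10.62.1.5 "
                  "DST=216.109.118.65 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
                  "PROTO=TCP SPT=35685 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0")
LOG_AFTER_FIX = ("Oct 27 08:47:05 hpsproxy03 kernel: Shorewall:all2all:REJECT:IN= "
                 "OUT=eth0 SRC=172.16.13.8 DST=172.16.9.6 LEN=63 TOS=0x00 PREC=0x00 "
                 "TTL=64 ID=0 DF PROTO=UDP SPT=32770 DPT=53 LEN=43")
# The two rules Richard said were in /etc/shorewall/rules.
RULES = ["ACCEPT loc $FW tcp 800", "ACCEPT $FW net tcp 80"]
# Interface-to-zone mapping as Richard believed it to be (eth1 public, eth0 private).
INTERFACES = {"eth0": "loc", "eth1": "net"}

LOG_RE = re.compile(r"Shorewall:(\w+):(\w+):(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log(line):
    """Split a Shorewall log line into (chain, disposition, {field: value})."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    chain, disposition, rest = m.groups()
    # Bare flags such as DF and SYN carry no '=' and are skipped; an empty
    # IN= or OUT= survives as '' because \S* may match nothing.
    return chain, disposition, dict(FIELD_RE.findall(rest))

def zone_of(iface, interfaces):
    """Map an interface to its zone; an empty interface means the firewall itself."""
    return "$FW" if iface == "" else interfaces.get(iface, "UNKNOWN")

def rule_for(line, interfaces):
    """The ACCEPT rule that would have matched the logged packet under this mapping."""
    _, _, f = parse_log(line)
    src = zone_of(f.get("IN", ""), interfaces)
    dst = zone_of(f.get("OUT", ""), interfaces)
    return "ACCEPT %s %s %s %s" % (src, dst, f["PROTO"].lower(), f["DPT"])

def diagnose(line, interfaces, rules):
    """('add_rule', rule) when the rule is missing; ('check_interfaces', rule) when
    it already exists, because a packet the all2all chain REJECTed cannot have
    matched an ACCEPT rule, so the real interfaces file assigns zones differently."""
    chain, disposition, _ = parse_log(line)
    rule = rule_for(line, interfaces)
    present = {" ".join(r.split()) for r in rules}
    if chain == "all2all" and disposition == "REJECT" and rule in present:
        return "check_interfaces", rule
    return "add_rule", rule

if __name__ == "__main__":
    for entry in (LOG_BEFORE_FIX, LOG_AFTER_FIX):
        print(diagnose(entry, INTERFACES, RULES))
```

The first line yields check_interfaces (the rule for $FW to net port 80 already existed, which is what led Tom to ask for the interfaces file); the second yields the missing $FW to loc udp 53 rule for the internal DNS server.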