I have squid and dansguardian running on the shorewall box. Users on loc can successfully use port 3128 as a squid proxy and port 8080 for dansguardian. When I add the "REDIRECT loc 8080 tcp www - !10.192.0.2" to rules they get a squid cache page back complaining about an invalid url. I have looked around on squid-cache.org, but am not finding a clear solution. Is this a known issue from running a transparent proxy on shorewall that has an easy fix?

Raymond

Raymond Norton wrote:

> I have squid and dansguardian running on the shorewall box. Users on loc can
> successfully use port 3128 as a squid proxy and port 8080 for dansguardian.
> When I add the "REDIRECT loc 8080 tcp www - !10.192.0.2" to
> rules they get a squid cache page back complaining about an invalid url. I
> have looked around on squid-cache.org, but am not finding a clear solution.
> Is this a known issue from running a transparent proxy on shorewall that has
> an easy fix?

Have you configured Squid for transparent operation on port 8080? There's a link from the Shorewall Squid page to the appropriate Squid documentation.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

> Have you configured Squid for transparent operation on port 8080?
> There's a link from the Shorewall Squid page to the appropriate Squid
> documentation.
>
> -Tom

Is there more in the docs than this link for transparent squid on the firewall?

http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall

Raymond Norton wrote:

>> Have you configured Squid for transparent operation on port 8080?
>> There's a link from the Shorewall Squid page to the appropriate Squid
>> documentation.
>>
>> -Tom
>
> Is there more in the docs than this link for transparent squid on the
> firewall?
>
> http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall

This URL is mentioned in the Caution at the top of that page:

http://tldp.org/HOWTO/mini/TransparentProxy.html

-Tom

Tom Eastep wrote:

> This URL is mentioned in the Caution at the top of that page:
>
> http://tldp.org/HOWTO/mini/TransparentProxy.html

I've updated the Shorewall Squid page to make the above reference a link.

-Tom

> > This URL is mentioned in the Caution at the top of that page:
> >
> > http://tldp.org/HOWTO/mini/TransparentProxy.html
>
> I've updated the Shorewall Squid page to make the above reference a link.

Thank you.

I was able to do everything except the PREROUTE command. iptables didn't like it. I think it will be easier just to redirect to another squid box.

Raymond Norton wrote:

>>> This URL is mentioned in the Caution at the top of that page:
>>>
>>> http://tldp.org/HOWTO/mini/TransparentProxy.html
>>
>> I've updated the Shorewall Squid page to make the above reference a link.
>
> Thank you.
>
> I was able to do everything except the PREROUTE command. iptables didn't
> like it. I think it will be easier just to redirect to another squid box.

The only part of the HOWTO that you need to follow is the configuration of Squid as a transparent proxy -- Shorewall does the rest. The whole operation takes two minutes and the Squid configuration part is the same regardless of where you run Squid.

-Tom

> The only part of the HOWTO that you need to follow is the configuration
> of Squid as a transparent proxy -- Shorewall does the rest. The whole
> operation takes two minutes and the Squid configuration part is the same
> regardless of where you run Squid.

I thought it was strange to do this :)

Well, it turns out transparent squid is working. I will take the victory, but of course this was not my goal. I need users to transparently be sent to Dans on port 8080? (without getting a bad url page)

Dans talks to squid on port 3128.

I am doing this for another school, so my access is limited to the firewall for now.

Never mind my last post. It worked once I activated the redirect rule again.

Thanks much for your help!

Spoke too soon. Tell me it's a squid problem and I will subscribe to their mailing list.

If I go to a site that is set in the dans config as a denied site the expected denied page comes up. If I go to a site that is not blocked a squid error page comes back as "while trying to retrieve the URL:/apps/commerce, etc..."

The real URL I went to was http://www.redhat.com/apps/commerce, so it stripped off the first part.

I can only guess the reason the denied page comes up is the box reads the dans config files before going out to the net?

----- Original Message -----
From: "Raymond Norton" <admin@support.lctn.org>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Monday, March 29, 2004 4:33 PM
Subject: Re: [Shorewall-users] transparent proxy from firewall

> never mind my last post. It worked once I activated the redirect rule again.
>
> Thanks much for your help!

Raymond Norton wrote:

> spoke too soon. tell me it's a squid problem and I will subscribe to their
> mailing list.

It's not a Shorewall problem.

-Tom

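Added illustration, not part of the thread and not Squid or DansGuardian code: the error reported above (the proxy seeing only `/apps/commerce`) matches how a browser that is not configured for a proxy formats its request line, which is what arrives after a REDIRECT rule. The sketch shows how an intercepting proxy has to rebuild the absolute URL from the Host header; the function names and the three sample requests are constructed for this example.

```python
# Added example: rebuilding the absolute URL for intercepted requests.
# Function names and sample requests are constructed for illustration.
from urllib.parse import urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_url(raw: bytes, default_scheme: str = "http") -> str:
    """Return the absolute URL a proxy should fetch for this request.

    absolute-form ("GET http://host/path"): sent by a browser configured
    to use a proxy; usable as is.
    origin-form ("GET /path"): sent by a browser that believes it is
    talking to the web server, which is what a REDIRECT delivers; the
    host has to come from the Host header.
    """
    _method, target, headers = parse_request(raw)
    if urlsplit(target).scheme in ("http", "https"):
        return target
    if not target.startswith("/"):
        raise ValueError(f"unsupported request target: {target!r}")
    host = headers.get("host")
    if not host:
        # HTTP/1.0 clients may omit Host; a bare path is not a URL.
        raise ValueError(f"invalid URL: {target} (no Host header)")
    return f"{default_scheme}://{host}{target}"


EXPLICIT = (b"GET http://www.redhat.com/apps/commerce HTTP/1.1\r\n"
            b"Host: www.redhat.com\r\n\r\n")
REDIRECTED = b"GET /apps/commerce HTTP/1.1\r\nHost: www.redhat.com\r\n\r\n"
NO_HOST = b"GET /apps/commerce HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (EXPLICIT, REDIRECTED):
        print(effective_url(sample))
```

Because the Host header is supplied by the client, any filtering decision made on the rebuilt URL is only as trustworthy as that header.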