Having moved from a "cascading LANs" configuration to two independent LANs on eth0 and eth1, I still get some "state INVALID" for which I am not sure what the cause is. Can somebody help me understand its probable origin?

Thanks,
Costantino

[see attachment]
On Sun, 2004-12-05 at 20:16 +0100, Costantino wrote:
> Having moved from a "cascading LANs" configuration to two independent LANs
> on eth0 and eth1, I still get some "state INVALID" for which I am not sure
> what the cause is. Can somebody help me understand its probable origin?

Let's see what they are. As root:

    iptables -I FORWARD 2 -m state --state INVALID -p ! icmp -j LOG \
        --log-prefix "Shorewall:FORWARD:INVALID " --log-level <level>

    iptables -I INPUT 2 -m state --state INVALID -p ! icmp -j LOG \
        --log-prefix "Shorewall:INPUT:INVALID " --log-level <level>

where <level> is your preferred log level.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On Sun, 2004-12-05 at 11:40 -0800, Tom Eastep wrote:
> On Sun, 2004-12-05 at 20:16 +0100, Costantino wrote:
> > Having moved from a "cascading LANs" configuration to two independent LANs
> > on eth0 and eth1, I still get some "state INVALID" for which I am not sure
> > what the cause is. Can somebody help me understand its probable origin?
>
> Let's see what they are. As root:
>
>     iptables -I FORWARD 2 -m state --state INVALID -p ! icmp -j LOG \
>         --log-prefix "Shorewall:FORWARD:INVALID " --log-level <level>
>
>     iptables -I INPUT 2 -m state --state INVALID -p ! icmp -j LOG \
>         --log-prefix "Shorewall:INPUT:INVALID " --log-level <level>
>
> where <level> is your preferred log level.

See any INVALID log messages yet?

-Tom
On Sun, 2004-12-05 at 13:13 -0800, Tom Eastep wrote:
> On Sun, 2004-12-05 at 11:40 -0800, Tom Eastep wrote:
> > On Sun, 2004-12-05 at 20:16 +0100, Costantino wrote:
> > > Having moved from a "cascading LANs" configuration to two independent LANs
> > > on eth0 and eth1, I still get some "state INVALID" for which I am not sure
> > > what the cause is. Can somebody help me understand its probable origin?
> >
> > Let's see what they are. As root:
> >
> >     iptables -I FORWARD 2 -m state --state INVALID -p ! icmp -j LOG \
> >         --log-prefix "Shorewall:FORWARD:INVALID " --log-level <level>
> >
> >     iptables -I INPUT 2 -m state --state INVALID -p ! icmp -j LOG \
> >         --log-prefix "Shorewall:INPUT:INVALID " --log-level <level>
> >
> > where <level> is your preferred log level.
>
> See any INVALID log messages yet?

I suppose I should explain what the above commands do for those of you who don't know iptables. The commands insert a rule between the existing first and second rules in the FORWARD and INPUT chains respectively. The current second rule in these chains silently drops INVALID state packets except for ICMPs. The rules that I'm inserting will log those packets before they are dropped.

-Tom
Results attached,

Costantino.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 05 December 2004 20:40
To: Shorewall Users
Subject: Re: [Shorewall-users] state INVALID

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Mon, 2004-12-06 at 00:48 +0100, Costantino wrote:
> Results attached,

Looks to me like you have asymmetric routing -- your firewall is seeing SYN ACK without a preceding SYN. That suggests that traffic from 212.156.4.201 to 212.110.41.138 is passing through the Shorewall box but traffic from 212.110.41.138 to 212.156.4.201 is not.

-Tom
On Sun, 2004-12-05 at 15:51 -0800, Tom Eastep wrote:
> On Mon, 2004-12-06 at 00:48 +0100, Costantino wrote:
> > Results attached,
>
> Looks to me like you have asymmetric routing -- your firewall is seeing
> SYN ACK without a preceding SYN. That suggests that traffic from
> 212.156.4.201 to 212.110.41.138 is passing through the Shorewall box but
> traffic from 212.110.41.138 to 212.156.4.201 is not.

Wait a minute -- that can't be right. 212.110.41.138 is a firewall address.

Unfortunately, we put the FORWARD chain in the wrong place; rather than a 2 after FORWARD, we needed 1.

I frankly can't explain what is happening with the one message we see in the output of "shorewall status".

-Tom
Tom,

That node has got no business in dealing with our system. I can see that there was an attempt on port 22. What does input invalid mean? Is that a badly formatted packet or what? Is there something I should be concerned about?

Costantino.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 00:51
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
On Mon, 2004-12-06 at 01:05 +0100, Costantino wrote:
> Tom,
>
> That node has got no business in dealing with our system.
> I can see that there was an attempt on port 22. What does input invalid
> mean? Is that a badly formatted packet or what?
> Is there something I should be concerned about?

It means that the firewall is seeing traffic that doesn't make sense -- an example is SYN,ACK without a preceding SYN in the other direction.

If everything seems to be working ok, I wouldn't worry about it; but keep it in mind if you start seeing connection problems.

-Tom
I've changed, but not yet INVALID. I'll send as soon as they appear.

Costantino

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 00:58
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
There are connection problems - from time to time people complain that they can not connect to the mail server, or one site or another site. Then the problem disappears, then is back again.

Could it be the router preceding the FW from the internet side? What else could mess up like that?

Costantino

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 01:16
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
On Mon, 2004-12-06 at 01:26 +0100, Costantino wrote:
> There are connection problems - from time to time people complain
> that they can not connect to the mail server, or one site or another
> site. Then the problem disappears, then is back again.
>
> Could it be the router preceding the FW from the internet side?
> What else could mess up like that?

Two firewall interfaces being cabled to the same switch (or two unrelated switches being accidentally cabled together) can cause these problems.

-Tom
The log is attached,

Costantino

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 00:58
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
They gave me an HP switch, supposedly partitioned in 3 VLANs, one per interface. I don't remember the model.

Costantino.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 01:26
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
On Mon, 2004-12-06 at 01:29 +0100, Costantino wrote:
> The log is attached,

Nothing there is causing connection problems -- those are RSTs where there is no conntrack entry. Have you been rebooting this box? Or reconfiguring the network around it?

-Tom
I've rebooted about 30min ago.

Costantino

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 01:34
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
On Mon, 2004-12-06 at 02:15 +0100, Costantino wrote:
> Tom,
>
> Here is another log. Indeed I see public addresses on the
> FW internal interfaces that have got no business to be there.
> You may be right that there could be a problem of a mis-configured
> switch. Tomorrow I'll ask the net guy to check it thoroughly.
> Do you see any other issue I should be looking at?

No -- I would definitely concentrate on that because it would explain all of your problems.

-Tom
Tom,

Here is another log. Indeed I see public addresses on the FW internal interfaces that have got no business to be there. You may be right that there could be a problem of a mis-configured switch. Tomorrow I'll ask the net guy to check it thoroughly. Do you see any other issue I should be looking at?

Thanks,
Costantino.

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Tom Eastep
Sent: 06 December 2004 01:34
To: Shorewall Users
Subject: RE: [Shorewall-users] state INVALID
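As an added example (not code from the thread or from Shorewall), a small Python classifier that reads the kernel LOG lines produced by the rules Tom inserted and sorts them into the causes named above (SYN/ACK without a preceding SYN, RSTs with no conntrack entry, mid-stream packets with lost state), and flags source addresses that have no business arriving on an internal interface, which is what Costantino saw in his second log. The sample log lines, the eth0/eth1/eth2 layout and the expected LAN prefixes are constructed assumptions; the two public addresses are the ones quoted in the thread.

```python
# Sort 'state INVALID' LOG lines into the causes discussed in the thread.
# Added example, not code from the thread or from Shorewall; the sample log,
# interface layout and expected address ranges are constructed assumptions.
import ipaddress
import re
from collections import Counter

# Assumed layout: eth0 faces the internet, eth1 and eth2 are the two LANs.
# Anything arriving on a LAN interface from outside its prefix is suspect.
EXPECTED_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.168.1.0/24")],
    "eth2": [ipaddress.ip_network("192.168.2.0/24")],
}
TCP_FLAGS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
CHAIN_RE = re.compile(r"Shorewall:(\w+):INVALID")

def parse_log_line(line):
    """KEY=value fields of one LOG line plus CHAIN and TCP flags; None if not INVALID."""
    chain = CHAIN_RE.search(line)
    if chain is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    fields["CHAIN"] = chain.group(1)
    # TCP flags are printed as bare words after PROTO=TCP, e.g. "ACK SYN".
    tail = line.split("PROTO=", 1)[1] if "PROTO=" in line else ""
    fields["FLAGS"] = frozenset(
        f for f in TCP_FLAGS if re.search(rf"\b{f}\b", tail))
    return fields

def classify(fields):
    """Map one INVALID packet to the cause discussed in the thread."""
    if fields.get("PROTO") != "TCP":
        return "non-TCP packet in state INVALID"
    flags = fields["FLAGS"]
    if "RST" in flags:
        return "RST with no conntrack entry (harmless, typical after a reboot)"
    if {"SYN", "ACK"} <= flags:
        return "SYN/ACK without a preceding SYN: suspect asymmetric routing"
    if "SYN" in flags:
        return "bare SYN marked INVALID: malformed or window-tracking issue"
    return "mid-stream packet with no conntrack entry (lost state or strict window tracking)"

def wrong_interface(fields):
    """True when the source address does not belong on the inbound interface."""
    iface, src = fields.get("IN"), fields.get("SRC")
    if iface not in EXPECTED_PREFIXES or not src:
        return False
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in EXPECTED_PREFIXES[iface])

def analyse(lines):
    """Count packets per cause; collect (interface, source) pairs seen where they should not be."""
    summary, misplaced = Counter(), []
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        summary[classify(fields)] += 1
        if wrong_interface(fields):
            misplaced.append((fields["IN"], fields["SRC"]))
    return summary, misplaced

# Constructed sample log in the format the 2.6-era LOG target writes.
SAMPLE_LOG = [
    "Dec  6 00:40:12 fw kernel: Shorewall:INPUT:INVALID IN=eth0 OUT= SRC=212.156.4.201 "
    "DST=212.110.41.138 LEN=44 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=33029 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    "Dec  6 00:40:30 fw kernel: Shorewall:INPUT:INVALID IN=eth0 OUT= SRC=212.156.4.201 "
    "DST=212.110.41.138 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=1066 DPT=22 WINDOW=0 RES=0x00 RST URGP=0",
    "Dec  6 00:41:02 fw kernel: Shorewall:FORWARD:INVALID IN=eth1 OUT=eth0 SRC=192.168.1.20 "
    "DST=203.0.113.5 LEN=52 TTL=127 ID=1234 DF PROTO=TCP SPT=3400 DPT=25 WINDOW=17520 RES=0x00 ACK URGP=0",
    "Dec  6 00:41:10 fw kernel: Shorewall:FORWARD:INVALID IN=eth1 OUT=eth0 SRC=198.51.100.7 "
    "DST=203.0.113.5 LEN=52 TTL=60 ID=77 DF PROTO=TCP SPT=4001 DPT=80 WINDOW=5840 RES=0x00 ACK PSH URGP=0",
    "Dec  6 00:41:15 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 "
    "DST=212.110.41.138 LEN=28 TTL=110 ID=9 PROTO=UDP SPT=1026 DPT=1434 LEN=8",
]

if __name__ == "__main__":
    counts, odd = analyse(SAMPLE_LOG)
    for cause, n in counts.most_common():
        print(f"{n:3d}  {cause}")
    for iface, src in odd:
        print(f"source {src} has no business arriving on {iface}")
```

Feed it the output of `grep INVALID /var/log/messages` (or whatever file your `--log-level` lands in); a steady stream of the mid-stream category right after a reboot is expected, while SYN/ACK entries or misplaced sources point at the cabling or VLAN problem discussed above.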
Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy? Links to a good how-to specific to Shorewall/Dansguardian would be great. I have checked the Shorewall FAQ and tried some of the steps but I'm not having any good success.

Thanks,

Michael Bush
Gary Buckmaster
2004-Dec-06 01:28 UTC
Re: Transparent Proxy with Shorewall/Dansguardian/Squid
Michael,

The company I work for uses a squid-based content filtering agent in conjunction with Shorewall and has found that transparent proxying works wonderfully. Perhaps your configuration is incorrect?

-Gary

On Sun, 5 Dec 2004 19:18:07 -0600 (CST), Michael Bush <mikeb@digitalminds.net> wrote:
> Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy?
> Links to a good how-to specific to Shorewall/Dansguardian would be great.
> I have checked the Shorewall FAQ and tried some of the steps but I'm not
> having any good success.
>
> Thanks,
>
> Michael Bush
On Sun, 2004-12-05 at 19:28 -0600, Gary Buckmaster wrote:
> Michael,
>
> The company I work for uses a squid-based content filtering agent in
> conjunction with Shorewall and have found that transparent proxying
> works wonderfully. Perhaps your configuration is incorrect?

I use it here -- set up according to the Shorewall Squid documentation: http://shorewall.net/Shorewall_Squid_Usage.html

Note: I trust the surfing habits of my Wife and Dog so I run Squid but not dansguardian...

-Tom
I run it here (at loudas.com) with dansguardian. I don't trust what my 12 year old and 8 year old daughter might stumble on :)

as per http://shorewall.net/Shorewall_Squid_Usage.html

Paul.
http://shorewall.net/Shorewall_Squid_Usage.html probably is enough, because DansGuardian is (usually) cascaded inside Squid, not directly as transparent proxy.

[Guilsson]

On Mon, 06 Dec 2004 14:45:09 +1300, Paul <lists@loudas.com> wrote:
> I run it here (at loudas.com) with dansguardian
> I don't trust what my 12 year old and 8 year old daughter might stumble
> on :)
>
> as per http://shorewall.net/Shorewall_Squid_Usage.html
>
> Paul.
Cristian Rodriguez
2004-Dec-06 01:59 UTC
Re: Transparent Proxy with Shorewall/Dansguardian/Squid
Follow the instructions on:

http://shorewall.net/Shorewall_Squid_Usage.html

but replace the port number (3128) with 8080 (dansguardian by default listens on port 8080). (I assume you have dansguardian compiled correctly.)

PS: I configured 1 server with shorewall/squid/dansguardian+antivirus-filter and no problems at all.

On Sun, 5 Dec 2004 19:18:07 -0600 (CST), Michael Bush <mikeb@digitalminds.net> wrote:
> Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy?
> Links to a good how-to specific to Shorewall/Dansguardian would be great.
> I have checked the Shorewall FAQ and tried some of the steps but I'm not
> having any good success.
>
> Thanks,
>
> Michael Bush
Cristian Rodriguez
2004-Dec-06 02:04 UTC
Re: Transparent Proxy with Shorewall/Dansguardian/Squid
    #ACTION    SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
    #                                  PORT(S)   PORT(S)   DEST
    REDIRECT   loc      8080   tcp     www       -
    ACCEPT     fw       net    tcp     www

and read the dansguardian documentation carefully.

On Sun, 5 Dec 2004 19:18:07 -0600 (CST), Michael Bush <mikeb@digitalminds.net> wrote:
> Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy?
> Links to a good how-to specific to Shorewall/Dansguardian would be great.
> I have checked the Shorewall FAQ and tried some of the steps but I'm not
> having any good success.
>
> Thanks,
>
> Michael Bush
Thanks everyone!

Michael Bush

Cristian Rodriguez said:
> Follow the instructions on:
>
> http://shorewall.net/Shorewall_Squid_Usage.html
>
> but replace the port number (3128) with 8080 (dansguardian by default
> listens on port 8080)
> (I assume you have dansguardian compiled correctly)
>
> PS: I configured 1 server with
> shorewall/squid/dansguardian+antivirus-filter and no problems at all.
>
> On Sun, 5 Dec 2004 19:18:07 -0600 (CST), Michael Bush
> <mikeb@digitalminds.net> wrote:
>> Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy?
>> Links to a good how-to specific to Shorewall/Dansguardian would be
>> great.
>> I have checked the Shorewall FAQ and tried some of the steps but I'm not
>> having any good success.
>>
>> Thanks,
>>
>> Michael Bush
Gary Buckmaster
2004-Dec-06 03:48 UTC
Re: Transparent Proxy with Shorewall/Dansguardian/Squid
You may also need to open up 8081 depending on your configuration. We use Samba to do active directory authentication checks for us, but Squid also supports internal authentication, and as a result you'll need 8081 accessible for this purpose. Again, it all depends on how you have things configured.

On Sun, 5 Dec 2004 23:04:55 -0300, Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
>     #ACTION    SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
>     #                                  PORT(S)   PORT(S)   DEST
>     REDIRECT   loc      8080   tcp     www       -
>     ACCEPT     fw       net    tcp     www
>
> and read the dansguardian documentation carefully.
>
> On Sun, 5 Dec 2004 19:18:07 -0600 (CST), Michael Bush
> <mikeb@digitalminds.net> wrote:
> > Has anyone setup Shorewall 2.x with Dansguardian as a transparent proxy?
> > Links to a good how-to specific to Shorewall/Dansguardian would be great.
> > I have checked the Shorewall FAQ and tried some of the steps but I'm not
> > having any good success.
> >
> > Thanks,
> >
> > Michael Bush
On Sun, 2004-12-05 at 17:15 -0800, Tom Eastep wrote:
> On Mon, 2004-12-06 at 02:15 +0100, Costantino wrote:
> > Tom,
> >
> > Here is another log. Indeed I see public addresses on the
> > FW internal interfaces that have got no business to be there.
> > You may be right that there could be a problem of a mis-configured
> > switch. Tomorrow I'll ask the net guy to check it thoroughly.
> > Do you see any other issue I should be looking at?
>
> No -- I would definitely concentrate on that because it would explain
> all of your problems.

I've done some more looking at this (primarily because I installed the INVALID logging rules on my own firewall and they are logging quite a bit of traffic).

In recent 2.6 kernels, the TCP connection tracking code was enhanced to follow TCP window scaling. The effect of this change is very similar to NEWNOTSYN=No. Also, a bug in the new code was just reported on the Netfilter development list.

Your kernel has this code if the file /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal exists. You can disable this "feature" by including this in your /etc/shorewall/init file:

    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

-Tom
On Mon, 2004-12-06 at 07:10 -0800, Tom Eastep wrote:
>
> You can disable this "feature" by including this in
> your /etc/shorewall/init file:
>
>     echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal

You can cause additional information about state INVALID TCP packets to be placed in your system log by:

    echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid

-Tom