Hi all,

is it possible to configure Shorewall in bridge mode and, in the same box, utilize Squid in transparent mode?
I'm trying to do this, but the REDIRECT rule doesn't work.
I've already read http://www.shorewall.net/bridge.html to configure the bridge and it works fine for me, but when I add the rule for transparent proxy (http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall) and test the web it seems that Squid doesn't start.
Can someone say if Bridge+Transparent is possible?

Thanks
Lorenzo
On Sat, 2004-12-18 at 16:19 +0100, Lorenzo Bagni wrote:
>
> Can someone say if Bridge+Transparent is possible?

It *IS* possible -- I ran it here for several months.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> On Sat, 2004-12-18 at 16:19 +0100, Lorenzo Bagni wrote:
> >
> > Can someone say if Bridge+Transparent is possible?
>
> It *IS* possible -- I ran it here for several months.
>
> -Tom

Is there some documentation? Tips?
The Shorewall documentation is great and useful,
but there isn't an example like this. :(

Thanks
Lorenzo
On Sat, 2004-12-18 at 18:58 +0100, Lorenzo Bagni wrote:
> > On Sat, 2004-12-18 at 16:19 +0100, Lorenzo Bagni wrote:
> > >
> > > Can someone say if Bridge+Transparent is possible?
> >
> > It *IS* possible -- I ran it here for several months.
> >
> > -Tom
>
> Is there some documentation? Tips?
> The Shorewall documentation is great and useful,
> but there isn't an example like this. :(

I'm delighted that you are volunteering to write such documentation and
I look forward to seeing it.

Thanks,
-Tom
On Sat, 2004-12-18 at 10:16 -0800, Tom Eastep wrote:
> On Sat, 2004-12-18 at 18:58 +0100, Lorenzo Bagni wrote:
> > > On Sat, 2004-12-18 at 16:19 +0100, Lorenzo Bagni wrote:
> > > >
> > > > Can someone say if Bridge+Transparent is possible?
> > >
> > > It *IS* possible -- I ran it here for several months.
> > >
> > > -Tom
> >
> > Is there some documentation? Tips?
> > The Shorewall documentation is great and useful,
> > but there isn't an example like this. :(
>
> I'm delighted that you are volunteering to write such documentation and
> I look forward to seeing it.

Here is a Docbook copy of the description of one of my old configurations
where I ran Squid on a bridge.

http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi/Shorewall-docs2/myfiles.xml?rev=1.3;content-type=text%2Fplain

You can also get a copy of the graphics corresponding to this version
from CVS.

-Tom
On Sat, 2004-12-18 at 10:21 -0800, Tom Eastep wrote:
>
> Here is a Docbook copy of the description of one of my old configurations
> where I ran Squid on a bridge.
>
> http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi/Shorewall-docs2/myfiles.xml?rev=1.3;content-type=text%2Fplain
>
> You can also get a copy of the graphics corresponding to this version
> from CVS.
>

In your original post, it sounded like Squid wasn't starting -- you DO
have an IP address configured on the bridge, right? And default gateway?

-Tom
> > Here is a Docbook copy of the description of one of my old configurations
> > where I ran Squid on a bridge.
> >
> > http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi/Shorewall-docs2/myfiles.xml?rev=1.3;content-type=text%2Fplain
> >
> > You can also get a copy of the graphics corresponding to this version
> > from CVS.
> >

Thanks, I read it, but the configuration seems similar to mine.
One question: when the bridge is up, must the value of /etc/sys/net/ipv4/ip_forward
be set to 0 or 1?

> In your original post, it sounded like Squid wasn't starting -- you DO
> have an IP address configured on the bridge, right? And default gateway?
>

I have set IP and Gateway, Squid is up and running, but when I use a browser
the packet arrives at the Shorewall box, the redirect rule works, but
Squid doesn't log anything in /var/log/squid/access.log and does nothing.
I set for Squid the parameters of transparent proxy:

    httpd_accel_port 80
    httpd_accel_host virtual
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

Thanks
Lorenzo

> -Tom
On Sun, 2004-12-19 at 12:23 +0100, Lorenzo Bagni wrote:
> > > Here is a Docbook copy of the description of one of my old configurations
> > > where I ran Squid on a bridge.
> > >
> > > http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi/Shorewall-docs2/myfiles.xml?rev=1.3;content-type=text%2Fplain
> > >
> > > You can also get a copy of the graphics corresponding to this version
> > > from CVS.
> > >
>
> Thanks, I read it, but the configuration seems similar to mine.
> One question: when the bridge is up, must the value of /etc/sys/net/ipv4/ip_forward
> be set to 0 or 1?

On a simple bridge, it doesn't matter.

> > In your original post, it sounded like Squid wasn't starting -- you DO
> > have an IP address configured on the bridge, right? And default gateway?
> >
>
> I have set IP and Gateway, Squid is up and running, but when I use a browser
> the packet arrives at the Shorewall box, the redirect rule works, but
> Squid doesn't log anything in /var/log/squid/access.log and does nothing.
> I set for Squid the parameters of transparent proxy:
>
>     httpd_accel_port 80
>     httpd_accel_host virtual
>     httpd_accel_with_proxy on
>     httpd_accel_uses_host_header on

Squid is listening on the port you are redirecting to?

-Tom
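The check Tom is asking for, written out as a small script. This is an added example and not part of the thread or of Shorewall itself: it reads the REDIRECT lines of a Shorewall rules file (the DEST column of a REDIRECT rule is the local port the traffic is sent to, exactly as in the rule discussed here) and reports any target port that has no listening socket. The rules text and the listener table below are constructed sample data; the optional check_host function assumes iproute2's ss is installed and the rules file lives at /etc/shorewall/rules.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check Shorewall REDIRECT rules
# against the TCP ports something on this host is actually listening on.
#
# Shorewall rules columns used here:
#   ACTION  SOURCE  DEST  PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# For a REDIRECT rule the DEST column is the local port packets are sent to.

# Constructed sample rules file; the 3128 line mirrors the rule from the thread,
# the 3129 line is added so the script has something to complain about.
SAMPLE_RULES='#ACTION   SOURCE  DEST   PROTO  DEST_PORT  SOURCE_PORT  ORIG_DEST
ACCEPT    loc     fw     tcp    22
REDIRECT  loc     3128   tcp    80         -            !192.168.100.200
REDIRECT  loc     3129   tcp    443        -            !192.168.100.200'

# Constructed listener table, one "proto local_addr:port" per line
# (the shape the live check below builds from "ss -ltn").
SAMPLE_LISTENERS='tcp 0.0.0.0:22
tcp 0.0.0.0:3128'

# redirect_ports RULES_TEXT  -> prints the REDIRECT target ports, one per line
redirect_ports() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/  { next }       # skip comment lines
        $1 == "REDIRECT"  { print $3 }   # DEST column = local redirect port
    '
}

# listening_on PORT LISTENERS_TEXT  -> exit 0 if some socket listens on PORT
listening_on() {
    printf '%s\n' "$2" | awk -v p="$1" '
        { n = split($2, a, ":"); if (a[n] == p) found = 1 }   # port is last field after ":"
        END { exit found ? 0 : 1 }
    '
}

# missing_listeners RULES_TEXT LISTENERS_TEXT  -> prints redirect ports nobody listens on
missing_listeners() {
    for port in $(redirect_ports "$1"); do
        listening_on "$port" "$2" || printf '%s\n' "$port"
    done
}

# Live check against this host (assumes iproute2 "ss" and /etc/shorewall/rules).
check_host() {
    rules=$(cat /etc/shorewall/rules) || return 1
    listeners=$(ss -ltn | awk 'NR > 1 { print "tcp", $4 }')   # column 4 = Local Address:Port
    missing_listeners "$rules" "$listeners"
}

# Demonstration on the constructed data: 3128 has a listener, 3129 does not.
missing_listeners "$SAMPLE_RULES" "$SAMPLE_LISTENERS"
```

Run it as-is to see the constructed case; call check_host on the firewall itself to compare the real rules against the real listeners. An empty result means every REDIRECT target has a listener; any port printed is one where the redirect fires (as the logged rule in this thread does) but nothing accepts the connection.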
> > > In your original post, it sounded like Squid wasn't starting -- you DO
> > > have an IP address configured on the bridge, right? And default gateway?
> > >
> >
> > I have set IP and Gateway, Squid is up and running, but when I use a browser
> > the packet arrives at the Shorewall box, the redirect rule works, but
> > Squid doesn't log anything in /var/log/squid/access.log and does nothing.
> > I set for Squid the parameters of transparent proxy:
> >
> >     httpd_accel_port 80
> >     httpd_accel_host virtual
> >     httpd_accel_with_proxy on
> >     httpd_accel_uses_host_header on
>
> Squid is listening on the port you are redirecting to?

I set 3128 as the Squid port and the rule

    REDIRECT  loc  3128  tcp  80  -  !192.168.100.200

but I think the problem is the net topology

    [LAN] -------------------
    [SWITCH] --------------[SHOREWALL] --------[ROUTER] ------------[INTERNET]
    192.168.100.254/24
    192.168.100.200/24 192.168.100.254/24
    192.168.1.0/24 192.168.1.254/24
    gw 192.168.1.254 gw 192.168.100.254 gw 192.168.100.254

The Shorewall box is between two routed LANs,
and when I log the REDIRECT rule I see the
packet switch to TCP port 3128, but after that nothing...

Thanks
Lorenzo

> -Tom
On Mon, 2004-12-20 at 21:06 +0100, Lorenzo Bagni wrote:
> > > > In your original post, it sounded like Squid wasn't starting -- you DO
> > > > have an IP address configured on the bridge, right? And default gateway?
> > > >
> > >
> > > I have set IP and Gateway, Squid is up and running, but when I use a browser
> > > the packet arrives at the Shorewall box, the redirect rule works, but
> > > Squid doesn't log anything in /var/log/squid/access.log and does nothing.
> > > I set for Squid the parameters of transparent proxy:
> > >
> > >     httpd_accel_port 80
> > >     httpd_accel_host virtual
> > >     httpd_accel_with_proxy on
> > >     httpd_accel_uses_host_header on
> >
> > Squid is listening on the port you are redirecting to?
>
> I set 3128 as the Squid port and the rule
>
>     REDIRECT  loc  3128  tcp  80  -  !192.168.100.200
>
> but I think the problem is the net topology
>
>     [LAN] -------------------
>     [SWITCH] --------------[SHOREWALL] --------[ROUTER] ------------[INTERNET]
>     192.168.100.254/24
>     192.168.100.200/24 192.168.100.254/24
>     192.168.1.0/24 192.168.1.254/24
>     gw 192.168.1.254 gw 192.168.100.254 gw 192.168.100.254
>
> The Shorewall box is between two routed LANs,
> and when I log the REDIRECT rule I see the
> packet switch to TCP port 3128, but after that nothing...

I don't understand your network at all. First of all, the above ASCII art
is probably folded by your mailer so as to be unreadable. Secondly, if
Shorewall is running on a bridge then there must be ONE AND ONLY ONE
NETWORK INVOLVED unless the Shorewall box is also functioning as a router.
Third, if you want my help you need to send the information I ask for at
http://shorewall.net/support.htm; be sure to read the part that starts
THIS IS IMPORTANT!

-Tom