Shorewall users - Oct 2006 - Re: Tc rules Help with multiISP+ squid& squidguard...

>If you
>
>a) Have the correct REDIRECT rule (which you do); and
>b) Are accepting $FW->Net HTTP traffic (which you are -- at least with
your
>policy); and
>c) DNS works from your firewall (I assume it does since you are wide
open >from $FW->Net); then
>The problem is in your Squid configuration (this is true in %90 of the
>reports on this list where Squid doesn''t work; the other %10 fail
to
allow >either HTTP or DNS from the firewall).

Add in rules:

ACCEPT          $FW     Net        tcp     80,443,53,25,110
ACCEPT          $FW     Net        udp     53

Firewall Resolve and ping
Without Squid, all works
With the Squid, no surf ... connection time out

When I desactivate multiISP :

Firewall resolve and ping
With squid surf is good :)

Please HELP !! ( leloo :) )





-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Joffrey FLEURICE wrote:
>> If you
>>
>> a) Have the correct REDIRECT rule (which you do); and
>> b) Are accepting $FW->Net HTTP traffic (which you are -- at least
with
> your
>> policy); and
>> c) DNS works from your firewall (I assume it does since you are wide
> open >from $FW->Net); then
> 
>> The problem is in your Squid configuration (this is true in %90 of the
>> reports on this list where Squid doesn''t work; the other %10
fail to
> allow >either HTTP or DNS from the firewall).
> 
> Add in rules:
> 
> ACCEPT          $FW     Net        tcp     80,443,53,25,110
> ACCEPT          $FW     Net        udp     53
> 
> Firewall Resolve and ping
> Without Squid, all works
> With the Squid, no surf ... connection time out
One thing I notice -- you do not have the entries in /etc/shorewall/masq
required for net access from the firewall to work correctly (see the example in
the Multi-ISP documentation).

If adding those doesn''t help, you are going to have to debug the
problem with
tcpdump or ethereal (look at port 80 traffic on the external interfaces).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Tom Eastep wrote:
> Joffrey FLEURICE wrote:
>>> If you
>>>
>>> a) Have the correct REDIRECT rule (which you do); and
>>> b) Are accepting $FW->Net HTTP traffic (which you are -- at
least with
>> your
>>> policy); and
>>> c) DNS works from your firewall (I assume it does since you are
wide
>> open >from $FW->Net); then
>>
>>> The problem is in your Squid configuration (this is true in %90 of
the
>>> reports on this list where Squid doesn''t work; the other
%10 fail to
>> allow >either HTTP or DNS from the firewall).
>>
>> Add in rules:
>>
>> ACCEPT          $FW     Net        tcp     80,443,53,25,110
>> ACCEPT          $FW     Net        udp     53
>>
>> Firewall Resolve and ping
>> Without Squid, all works
>> With the Squid, no surf ... connection time out
> 
> One thing I notice -- you do not have the entries in /etc/shorewall/masq
> required for net access from the firewall to work correctly (see the
example in
> the Multi-ISP documentation).
I''m going to stop responding to this thread until I have time to really
look at
your output. I''m in meetings all day today and I''m trying to
help you during
breaks. I''m clearly missing too much since I see that you do have the
appropriate masq rules.

I''ll get to you in the next day or so.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

Joffrey FLEURICE wrote:
>> If you
>>
>> a) Have the correct REDIRECT rule (which you do); and
>> b) Are accepting $FW->Net HTTP traffic (which you are -- at least
with
> your
>> policy); and
>> c) DNS works from your firewall (I assume it does since you are wide
> open >from $FW->Net); then
> 
>> The problem is in your Squid configuration (this is true in %90 of the
>> reports on this list where Squid doesn''t work; the other %10
fail to
> allow >either HTTP or DNS from the firewall).
> 
> Add in rules:
> 
> ACCEPT          $FW     Net        tcp     80,443,53,25,110
> ACCEPT          $FW     Net        udp     53
> 
> Firewall Resolve and ping
> Without Squid, all works
> With the Squid, no surf ... connection time out
> 
> When I desactivate multiISP :
> 
> Firewall resolve and ping
> With squid surf is good :)
> 
> Please HELP !! ( leloo :) )
My meeting got over early so I''ve had a chance to spent some time with
the dump.
Here is what I see:

1) The dump covers approximately 5 minutes

	Shorewall-3.2.3 Dump at PPSI-D - jeu oct 12 16:49:22 CEST 2006

	Counters reset jeu oct 12 16:44:35 CEST 2006

2) 21 New connections were established to Squid

	Chain excl_1 (1 references)
	 pkts bytes target     prot opt in     out     source               destination

	...
	   21  1008 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         redir ports 3128

3) I cannot tell how many new connections were established (if any) from Squid
to remote web servers because there is no separate fw->Net rule for TCP port
80.

4) 71 Packets were sent from the firewall to remote web servers; they were
marked with mark value 0xc9 (201)

	Mangle Table

	...
	Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination

	...
   	71  8938 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
         tcp dpt:80 MARK set 0xc9

5) There are no ESTABLISHED Squid connections from the firewall to the net but
we have several in TIME_WAIT state as shown in this example. Note that the
source IP address indicates that ppp0 is being used (which is correct for mark
201). We have seen responses from the remote server on this connection since the
connection mark has value 201.

	Conntrack Table

	...
	tcp      6 68 TIME_WAIT src=90.1.80.88 dst=84.96.219.201 sport=3323 dport=80
packets=6 bytes=916 src=84.96.219.201 dst=90.1.80.88 sport=80 dport=3323
packets=4 bytes=408 [ASSURED] mark=201 use=1

So I guess that I''m back to my original suggestion -- see what is
happening
using tcpdump or Ethereal.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642