Dear all,

I've set up a firewall and proxy using Shorewall (the latest version available as a deb package) and Squid (2.6 Stable1) on a Kubuntu server. I followed the instructions for the two-interface Shorewall configuration and: http://www.shorewall.net/Shorewall_Squid_Usage.html

Both Shorewall and Squid work fine when I use them separately (Squid works fine when I configure my web browser to use the proxy on port 3128, with Shorewall configured to accept requests from the local network on port 3128). Thus I tried to set up Shorewall to redirect all www requests to port 3128, but in this case, when I try to navigate on the Internet, Squid replies in my browser with the message that it is not possible to forward this request at this time.

Squid is configured with:

    http_port 3128 transparent
    …
    acl my_networks src 10.10.10.0/24
    http_access allow mynetwoks
    …

In the ‘rules’ file of the Shorewall configuration I inserted the following lines (where loc is the local net zone 10.10.10.0/24 and net represents the Internet zone):

    REDIRECT loc 3128 tcp www -
    ACCEPT $FW net tcp www

Can someone help me?

Thanks in advance,
GV

On Mon, Mar 12, 2007 at 10:56:26AM +0100, Gianvito Quarta wrote:
> Thus I tried to set up Shorewall to redirect all www requests to port 3128,
> but in this case, when I try to navigate on the Internet, Squid replies in
> my browser with the message that it is not possible to forward this
> request at this time.

Try accessing Squid from the router. I think it's an ACL problem, but I'm not sure how exactly TCP port redirection works.

-- 
(Not so) Random fortune:
Any sufficiently advanced incompetence is indistinguishable from malice.
    -- Arthur C. Clarke

Gianvito Quarta wrote:
> In the ‘rules’ file of the Shorewall configuration I inserted the following
> lines (where loc is the local net zone 10.10.10.0/24 and net represents the
> Internet zone):
>
> REDIRECT loc 3128 tcp www -
> ACCEPT $FW net tcp www
>
> Can someone help me?

Your Shorewall rules are correct. And given that Squid is receiving the redirected requests, there must be a problem with your Squid configuration.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Hi Tom,

I believed the same thing, but it is strange that Squid works fine when I configure my web browser to use Squid as a proxy and when I configure Shorewall to accept requests on port 3128 from the loc zone …

GV

On 12 Mar 07, at 16:31, Tom Eastep wrote:
> Gianvito Quarta wrote:
>
>> In the ‘rules’ file of the Shorewall configuration I inserted the following
>> lines (where loc is the local net zone 10.10.10.0/24 and net represents the
>> Internet zone):
>>
>> REDIRECT loc 3128 tcp www -
>> ACCEPT $FW net tcp www
>>
>> Can someone help me?
>
> Your Shorewall rules are correct. And given that Squid is receiving the
> redirected requests, there must be a problem with your Squid
> configuration.
>
> -Tom

Gianvito Quarta wrote:
> Hi Tom,
> I believed the same thing, but it is strange that Squid works fine when
> I configure my web browser to use Squid as a proxy and when I configure
> Shorewall to accept requests on port 3128 from the loc zone …

All the more reason to think that Squid isn't configured properly for transparent operation.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> Gianvito Quarta wrote:
>
>> Hi Tom,
>> I believed the same thing, but it is strange that Squid works fine when
>> I configure my web browser to use Squid as a proxy and when I configure
>> Shorewall to accept requests on port 3128 from the loc zone …
>
> All the more reason to think that Squid isn't configured properly for
> transparent operation.
>
> -Tom

In your Squid ACLs you allowed your network but not localhost. But when redirected, the client squid is contacted by is the host shorewall is running on.

Good luck,
Geza
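
Added example (not part of any message in this thread, and not Squid or Shorewall code): a small Python check over the squid.conf fragment quoted in the first message. It reports ACL names that http_access uses but no acl line defines, whether http_port is in interception mode, and what a first-match evaluation of src ACLs decides for a given client address. The function names are hypothetical, only src ACLs in address/mask form are evaluated, and the fragment is a constructed copy of the quoted lines, so a mismatch found there may be a transcription slip in the e-mail rather than in the real file.

```python
import ipaddress

# Constructed sample: the squid.conf lines quoted in the thread, nothing more.
QUOTED = """http_port 3128 transparent
acl my_networks src 10.10.10.0/24
http_access allow mynetwoks
"""

def parse(conf):
    """Return (acls, rules, ports); only 'src' ACLs carry networks."""
    acls, rules, ports = {}, [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "acl":
            nets = acls.setdefault(tok[1], [])
            if tok[2] == "src":
                nets += [ipaddress.ip_network(t, strict=False) for t in tok[3:]]
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1], tok[2:]))
        elif len(tok) >= 2 and tok[0] == "http_port":
            ports.append(tok[1:])
    return acls, rules, ports

def undefined_acls(conf):
    """ACL names used by http_access but never declared with 'acl'."""
    acls, rules, _ = parse(conf)
    used = {n.lstrip("!") for _, names in rules for n in names}
    return sorted(used - set(acls))

def is_interception_port(conf):
    """True if an http_port has 'transparent' ('intercept' in Squid 3.1+)."""
    return any({"transparent", "intercept"} & set(p[1:]) for p in parse(conf)[2])

def decide(conf, client_ip):
    """First matching http_access line wins; names on one line are ANDed."""
    acls, rules, _ = parse(conf)
    if undefined_acls(conf):
        raise ValueError("undefined ACL: %s" % undefined_acls(conf))
    ip = ipaddress.ip_address(client_ip)
    def hit(name):
        matched = any(ip in net for net in acls[name.lstrip("!")])
        return matched != name.startswith("!")
    for action, names in rules:
        if all(hit(n) for n in names):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    if not rules or rules[-1][0] == "allow":
        return "deny"
    return "allow"
```

On the gateway itself, `squid -k parse` checks the complete configuration file.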