Prior to installing Dansguardian, I had a working firewall and web cache solution with shorewall and squid. Subsequently, I have Dansguardian installed and working, but want to avoid setting up proxy servers on any clients connecting to my network.

I want to add a rule(s) (presumably a REDIRECT) so that web page requests automatically are forced through dansguardian --> squid --> web

I've tried a number of rules, but they either end up going nowhere, or to the webserver on the machine.

Mike

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Eduardo Ferreira
2008-Mar-07 20:08 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Mike Purnell wrote on 07/03/2008 16:35:11:

> I want to add a rule(s) (presumably a REDIRECT) so that web page requests
> automatically are forced through dansguardian --> squid --> web

REDIRECT loc 8080 tcp http,https

did the trick here... with no additional configuration on dansguardian.

cheers,

--
Eduardo Ferreira
Icatu Holding S.A.
(21) 3804-8606
Mike Purnell
2008-Mar-07 20:24 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Eduardo Ferreira wrote:
> Mike Purnell wrote on 07/03/2008 16:35:11:
>
>> I want to add a rule(s) (presumably a REDIRECT) so that web page requests
>> automatically are forced through dansguardian --> squid --> web
>
> REDIRECT loc 8080 tcp http,https
>
> did the trick here... with no additional configuration on dansguardian.
>
> cheers,
>
> --
> Eduardo Ferreira
> Icatu Holding S.A.
> (21) 3804-8606

That is equivalent to my rule:

REDIRECT loc 8080 tcp www

But... you still have to go around and configure client browsers to use "IP_ADDRESS_OF_PROXY:8080"

I want to make the proxy transparent, like it was with squid before dansguardian was installed.

--Mike

> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
Jerry Vonau
2008-Mar-07 21:09 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Mike Purnell wrote:
> Eduardo Ferreira wrote:
>> Mike Purnell wrote on 07/03/2008 16:35:11:
>>
>>> I want to add a rule(s) (presumably a REDIRECT) so that web page requests
>>> automatically are forced through dansguardian --> squid --> web
>>
>> REDIRECT loc 8080 tcp http,https
>>
>> did the trick here... with no additional configuration on dansguardian.
<snip>
> That is equivalent to my rule:
> REDIRECT loc 8080 tcp www

Well not quite:

cat /etc/services | grep www
# http://www.iana.org/assignments/port-numbers
http            80/tcp          www www-http    # WorldWideWeb HTTP
http            80/udp          www www-http    # HyperText Transfer Protocol
www-ldap-gw     1760/tcp                        # www-ldap-gw
www-ldap-gw     1760/udp                        # www-ldap-gw
www-dev         2784/tcp                        # world wide web - development
www-dev         2784/udp                        # world wide web - development
flirtmitmir     3840/tcp                        # www.FlirtMitMir.de
flirtmitmir     3840/udp                        # www.FlirtMitMir.de

So when the service "www" is resolved, it may fail, it's an alias in /etc/services, maybe you should use http here.

Jerry
Mike Purnell
2008-Mar-07 22:45 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Jerry Vonau wrote:
> Mike Purnell wrote:
>> Eduardo Ferreira wrote:
>>> Mike Purnell wrote on 07/03/2008 16:35:11:
>>>
>>>> I want to add a rule(s) (presumably a REDIRECT) so that web page requests
>>>> automatically are forced through dansguardian --> squid --> web
>>>
>>> REDIRECT loc 8080 tcp http,https
>>>
>>> did the trick here... with no additional configuration on dansguardian.
> <snip>
>> That is equivalent to my rule:
>> REDIRECT loc 8080 tcp www
>
> Well not quite: cat /etc/services | grep www
> # http://www.iana.org/assignments/port-numbers
> http            80/tcp          www www-http    # WorldWideWeb HTTP
> http            80/udp          www www-http    # HyperText Transfer Protocol
> www-ldap-gw     1760/tcp                        # www-ldap-gw
> www-ldap-gw     1760/udp                        # www-ldap-gw
> www-dev         2784/tcp                        # world wide web - development
> www-dev         2784/udp                        # world wide web - development
> flirtmitmir     3840/tcp                        # www.FlirtMitMir.de
> flirtmitmir     3840/udp                        # www.FlirtMitMir.de
>
> So when the service "www" is resolved, it may fail, it's an alias in
> /etc/services, maybe you should use http here.
>
> Jerry

I tried "http,https" in place of "www" before responding to the list. It made no difference. You still have to set up clients. Again, I'm just trying to set up the rightly coded REDIRECT so that clients transparently receive their web pages from Dansguardian without configuring browsers to access through a proxy.

--Mike
Jerry Vonau
2008-Mar-07 23:13 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Mike Purnell wrote:
> I tried "http,https" in place of "www" before responding to the list.
> It made no difference. You still have to set up clients. Again, I'm just
> trying to set up the rightly coded REDIRECT so that clients transparently
> receive their web pages from Dansguardian without configuring browsers
> to access through a proxy.
>
> --Mike

Just to ensure we are not chasing around in circles, the "dansguardian's box" is the firewall that is running shorewall, and the lan clients are using the "dan's box" as their default gateway?

Maybe I need a dump here...

Jerry
Tom Eastep
2008-Mar-07 23:19 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Jerry Vonau wrote:
> Mike Purnell wrote:
>
>> I tried "http,https" in place of "www" before responding to the list.
>> It made no difference. You still have to set up clients. Again, I'm just
>> trying to set up the rightly coded REDIRECT so that clients transparently
>> receive their web pages from Dansguardian without configuring browsers
>> to access through a proxy.
>>
>> --Mike
>
> Just to ensure we are not chasing around in circles, the "dansguardian's
> box" is the firewall that is running shorewall, and the lan clients
> are using the "dan's box" as their default gateway?
>
> Maybe I need a dump here...

In addition to the dump, the output of 'netstat -tnap' on the firewall would also be enlightening.

One thing -- https CANNOT be transparently proxied. You must manually configure a proxy for HTTPS.

This is described at http://www.shorewall.net/Shorewall_Squid_Usage.htm

-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Mar-08 00:09 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
On Fri, Mar 07, 2008 at 03:19:54PM -0800, Tom Eastep wrote:
> One thing -- https CANNOT be transparently proxied. You must manually
> configure a proxy for HTTPS.

And it's imperfect for HTTP itself. You would be better served by deploying WPAD for automatic proxy configuration. Note that to cover all clients, you must deploy both the DHCP and DNS variants, despite what the spec says. If you are serving DHCP and DNS from a linux-based server, this can be accomplished in about ten minutes with a few lines in the relevant config files.

> This is described at http://www.shorewall.net/Shorewall_Squid_Usage.htm

Or even .html, which actually exists.
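The WPAD approach Andrew recommends hands every browser a Proxy Auto-Config (PAC) script instead of relying on a nat REDIRECT. The wpad.dat below is an added example, not something posted in this thread or shipped with Shorewall, Squid or DansGuardian. It assumes a gateway at 192.168.1.1 running DansGuardian on 8080 and a LAN of 192.168.1.0/24; change those to match your network. Browsers supply isPlainHostName, isInNet and shExpMatch themselves; the stand-ins at the top exist only so the file can be exercised under node, and they do no DNS (isInNet only understands dotted-quad hosts there). Because the browser is told to use a proxy, HTTPS goes to DansGuardian as a CONNECT request, which is exactly the "manually configured proxy for HTTPS" Tom describes, handed out automatically.

```javascript
// wpad.dat: PAC script that sends HTTP and HTTPS through the DansGuardian
// listener on the gateway and keeps LAN and loopback traffic DIRECT.
// Addresses below are assumptions for the example, not values from the thread.
var FILTER_PROXY = "PROXY 192.168.1.1:8080"; // assumed gateway + DansGuardian port
var LAN_NET      = "192.168.1.0";            // assumed LAN
var LAN_MASK     = "255.255.255.0";

// Minimal stand-ins for the PAC helper functions so the file runs under node.
// A real browser defines these itself, and its isInNet() resolves hostnames.
if (typeof globalThis.isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.shExpMatch = function (str, pattern) {
    // Shell-style glob: '*' matches any run, '?' a single character.
    var re = "^" + pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&")
      .replace(/\*/g, ".*")
      .replace(/\?/g, ".") + "$";
    return new RegExp(re).test(str);
  };
  globalThis.isInNet = function (host, net, mask) {
    var toInt = function (ip) {
      if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return -1; // not a dotted quad
      var p = ip.split(".");
      return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
    };
    var h = toInt(host), n = toInt(net), m = toInt(mask);
    if (h < 0 || n < 0 || m < 0) return false; // hostnames would need dnsResolve()
    return (h & m) === (n & m);
  };
}

function FindProxyForURL(url, host) {
  // Intranet short names and loopback never go through the filter.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  // Anything on the LAN itself (including the gateway) is reached directly,
  // so the proxy is never asked to proxy itself.
  if (isInNet(host, LAN_NET, LAN_MASK)) {
    return "DIRECT";
  }
  // HTTP and HTTPS go to DansGuardian (HTTPS as CONNECT through the proxy).
  // Other schemes (ftp:, etc.) are not filtered and stay direct.
  if (shExpMatch(url, "http:*") || shExpMatch(url, "https:*")) {
    return FILTER_PROXY;
  }
  return "DIRECT";
}
```

Serve the file as http://wpad.<your-domain>/wpad.dat with the MIME type application/x-ns-proxy-autoconfig, and publish its URL both ways, as Andrew notes: via DHCP option 252 (dnsmasq: dhcp-option=252,"http://wpad.example.lan/wpad.dat"; ISC dhcpd: option wpad code 252 = text; option wpad "http://wpad.example.lan/wpad.dat";) and via a wpad A record in your DNS zone. The domain name here is an assumption.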
Mike Purnell
2008-Mar-08 00:23 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
>> Just to ensure we are not chasing around in circles, the "dansguardian's
>> box" is the firewall that is running shorewall, and the lan clients
>> are using the "dan's box" as their default gateway?
>>
>> Maybe I need a dump here...
>
> In addition to the dump, the output of 'netstat -tnap' on the firewall would
> also be enlightening.
>
> One thing -- https CANNOT be transparently proxied. You must manually
> configure a proxy for HTTPS.
>
> This is described at http://www.shorewall.net/Shorewall_Squid_Usage.htm
>
> -Tom

Tom, thanks for the bit about https.

Jerry, yes, the gateway is firewall, squid caching server, and dansguardian box.

The beginning of the thread explained that dansguardian was the late addition to a configuration that worked fine as a transparent proxy (via squid). The issue was adding dansguardian and configuring shorewall so that clients on the lan would continue with transparent proxy as:

lan-based_http_request --> dansguardian --> squid --> Internet

*** I was able to think this through and realize how I needed to change my shorewall rules to reflect the new circumstances. I had previously left the rule in place for transparent proxying through squid:

REDIRECT loc 3128 tcp 80

This needed to be changed as follows, in order to redirect dansguardian --> squid:

REDIRECT loc 3128 tcp 8080

Then, I needed to redirect requests on port 80 --> dansguardian:

REDIRECT loc 8080 tcp 80

Everything seems hunky-dory now.

--Mike
Jerry Vonau
2008-Mar-08 01:34 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Mike Purnell wrote:
>>> Just to ensure we are not chasing around in circles, the "dansguardian's
>>> box" is the firewall that is running shorewall, and the lan clients
>>> are using the "dan's box" as their default gateway?
>>>
>>> Maybe I need a dump here...
>>
>> In addition to the dump, the output of 'netstat -tnap' on the firewall would
>> also be enlightening.
>>
>> One thing -- https CANNOT be transparently proxied. You must manually
>> configure a proxy for HTTPS.
>>
>> This is described at http://www.shorewall.net/Shorewall_Squid_Usage.htm
>>
>> -Tom
>
> Tom, thanks for the bit about https.
>
> Jerry, yes, the gateway is firewall, squid caching server, and
> dansguardian box.
>
> The beginning of the thread explained that dansguardian was the late
> addition to a configuration that worked fine as a transparent proxy (via
> squid). The issue was adding dansguardian and configuring shorewall so
> that clients on the lan would continue with transparent proxy as:
> lan-based_http_request --> dansguardian --> squid --> Internet ***
>
> I was able to think this through and realize how I needed to change my
> shorewall rules to reflect the new circumstances. I had previously left
> the rule in place for transparent proxying through squid:
>
> REDIRECT loc 3128 tcp 80

Glad you got it to go. The above appeared before the new dan's rule, correct? First rule match wins in the rules file.

> This needed to be changed as follows, in order to redirect dansguardian
> --> squid:
>
> REDIRECT loc 3128 tcp 8080

This looks a little bogus to me. The dan's -> squid traffic is local to the firewall, is in the zone "fw", and should occur over the loopback interface. This will catch clients trying to use squid directly and force them to use dansguardian, so it's not a bad thing. FWIW, you could bind squid to the loopback only and then none of the lan clients could contact squid directly. Does it work if you leave this redirect out? It should, unless the browser has proxy settings in it.

> Then, I needed to redirect requests on port 80 --> dansguardian:
>
> REDIRECT loc 8080 tcp 80

That one makes sense to me.

> Everything seems hunky-dory now.

Jerry
Mike Purnell
2008-Mar-08 02:10 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
Old rule with squid as transparent proxy:

>> REDIRECT loc 3128 tcp 80
>
> Glad you got it to go. The above appeared before the new dan's rule,
> correct? First rule match wins in the rules file.

Yes, it did.

>> This needed to be changed as follows, in order to redirect dansguardian
>> --> squid:
>>
>> REDIRECT loc 3128 tcp 8080
>
> This looks a little bogus to me. The dan's -> squid traffic is local to
> the firewall, is in the zone "fw", and should occur over the loopback
> interface. This will catch clients trying to use squid directly and
> force them to use dansguardian, so it's not a bad thing. FWIW, you could
> bind squid to the loopback only and then none of the lan clients could
> contact squid directly. Does it work if you leave this redirect out?
> It should, unless the browser has proxy settings in it.

As it turns out, it was redundant, as squid was already bound to loopback only. The important rule was, of course:

>> Then, I needed to redirect requests on port 80 --> dansguardian:
>>
>> REDIRECT loc 8080 tcp 80
>
> That one makes sense to me.
Chuck Kollars
2008-Mar-08 03:09 UTC
Re: Shorewall rule to make Dansguardian transparent proxy
See http://contentfilter.futuragts.com/wiki/index.php?title=Preventing_Skipping_Around (future DansGuardian users might also read http://contentfilter.futuragts.com/wiki/index.php?title=Two_Configuration_Families).

Probably the best way to add DansGuardian to an existing transparent Squid setup is to change the port number on the redirect but _not_ add any new Shorewall rules. Make the connection between DansGuardian and Squid not with additional Shorewall rules but rather by tweaking the Squid configuration to only listen on 127.0.0.1.

IMHO it's all too easy to accidentally use additional rules in Shorewall to produce a system that works ..._but_ allows users to skip the DansGuardian part and connect directly to the Squid part. At first this won't matter. But as you use DansGuardian more and more heavily (and even migrate existing restrictions into it so they're all in one place for easier maintenance), you'll wonder why your filter is enforcing so few restrictions.

Also as someone else has pointed out, it's not possible to filter https: in a transparent-intercept configuration either without or with DansGuardian. Rerouting https: traffic into DansGuardian in a transparent-intercept system will just break things.

thanks!

-Chuck Kollars
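Three points in this thread are easy to get wrong by hand: Jerry's note that the first matching line in /etc/shorewall/rules wins, his observation that "www" is only an alias in /etc/services, and Chuck's warning that extra REDIRECT rules can leave a path around DansGuardian straight into Squid. The script below is an added example, not part of Shorewall or of anything posted here: it parses REDIRECT lines in the rules-file column order (ACTION SOURCE DEST PROTO DEST-PORTS, where for REDIRECT the DEST column is the port on the firewall that traffic is sent to), walks them first-match, and audits the chain client:80 -> DansGuardian -> Squid. The listener map you pass in stands for what 'netstat -tnap' shows on the firewall; the /etc/services subset is constructed inline rather than read from disk, and the DansGuardian (8080) and Squid (3128) ports are the ones used in the thread. Whether an alias such as "www" resolves depends on the system, so the script reports it as a warning rather than an error. Going slightly beyond the thread, it also reports when a rule rewrites connections aimed at the DansGuardian port itself, since that is the "skip around" case for browsers that are configured with a proxy.

```javascript
// Added example (not Shorewall code): first-match simulator for Shorewall
// REDIRECT rules plus an audit of the client -> DansGuardian -> Squid chain.

// Constructed subset of /etc/services (canonical name, port, aliases).
const SERVICES = [
  { name: "http",     port: 80,   proto: "tcp", aliases: ["www", "www-http"] },
  { name: "https",    port: 443,  proto: "tcp", aliases: [] },
  { name: "http-alt", port: 8080, proto: "tcp", aliases: ["webcache"] },
  { name: "www-dev",  port: 2784, proto: "tcp", aliases: [] },
];

// Resolve one entry of the DEST PORT(S) column to a port number.
// Canonical names and numbers resolve cleanly; aliases resolve with a warning;
// anything else throws, which is what a bad rules file would do at compile time.
function resolvePort(spec, proto) {
  if (/^\d+$/.test(spec)) return { port: Number(spec), warning: null };
  const canon = SERVICES.find((s) => s.proto === proto && s.name === spec);
  if (canon) return { port: canon.port, warning: null };
  const viaAlias = SERVICES.find((s) => s.proto === proto && s.aliases.includes(spec));
  if (viaAlias) {
    return {
      port: viaAlias.port,
      warning: { code: "ALIAS", msg: `"${spec}" is only an alias for ${viaAlias.name} in /etc/services; use "${viaAlias.name}" or ${viaAlias.port}` },
    };
  }
  throw new Error(`unknown service "${spec}/${proto}"`);
}

// Parse rules-file lines: ACTION SOURCE DEST PROTO DEST-PORTS. Comments and
// blank lines are dropped; order is preserved because first match wins.
function parseRules(text) {
  const rules = [];
  const warnings = [];
  for (const raw of text.split("\n")) {
    const line = raw.replace(/#.*$/, "").trim();
    if (!line) continue;
    const [action, source, dest, proto = "-", dports = "-"] = line.split(/\s+/);
    const rule = { action, zone: source.split(":")[0], dest, proto: proto.toLowerCase(), dports: [] };
    if (dports !== "-") {
      for (const p of dports.split(",")) {
        const { port, warning } = resolvePort(p, rule.proto);
        rule.dports.push(port);
        if (warning) warnings.push(warning);
      }
    }
    rules.push(rule);
  }
  return { rules, warnings };
}

// Walk the rules in file order; the first REDIRECT that matches decides.
// Returns the firewall port the packet is sent to, or null if none matched.
function redirectTarget(rules, pkt) {
  for (const r of rules) {
    if (r.action !== "REDIRECT") continue;
    if (r.zone !== pkt.zone && r.zone !== "all") continue;
    if (r.proto !== "-" && r.proto !== pkt.proto) continue;
    if (r.dports.length && !r.dports.includes(pkt.dport)) continue;
    return Number(r.dest);
  }
  return null;
}

// Audit the chain. `listeners` maps firewall port -> bind address, i.e. what
// 'netstat -tnap' reports; a missing entry is treated as bound to all addresses.
function auditChain(rulesText, listeners, { dg = 8080, squid = 3128 } = {}) {
  const { rules, warnings } = parseRules(rulesText);
  const findings = [...warnings];
  const pkt = (dport) => ({ zone: "loc", proto: "tcp", dport });

  const web = redirectTarget(rules, pkt(80));
  if (web === squid) {
    findings.push({ code: "PORT80_TO_SQUID", msg: "port 80 is redirected straight to Squid; DansGuardian is bypassed (first matching rule wins, check order)" });
  } else if (web !== dg) {
    findings.push({ code: "PORT80_NOT_FILTERED", msg: `port 80 is not redirected to DansGuardian (got ${web})` });
  }

  const squidBind = listeners[squid] || "0.0.0.0";
  if (redirectTarget(rules, pkt(squid)) !== dg && squidBind !== "127.0.0.1") {
    findings.push({ code: "SQUID_REACHABLE", msg: `LAN clients can reach Squid on ${squid} directly; bind it to 127.0.0.1 (http_port 127.0.0.1:${squid}) or redirect ${squid} to ${dg}` });
  }

  const dgHit = redirectTarget(rules, pkt(dg));
  if (dgHit !== null && dgHit !== dg) {
    findings.push({ code: "DG_PORT_REDIRECTED", msg: `connections to the DansGuardian port ${dg} are rewritten to ${dgHit}; proxy-configured browsers skip the filter` });
  }
  return findings.map((f) => f.code);
}
```

auditChain returns the finding codes so it can be wired into a pre-deploy check; the full messages are built alongside them. Run it against the rules file you are about to `shorewall restart` with, and against the listener addresses you actually see on the firewall, before trusting the filter.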