Hi all

I have a successful installation of shorewall 4.0.6 on Ubuntu 8.04 Hardy.
Two ISP on eth0 and eth1, internal network on eth2.

All the internet traffic is routed through eth1.
openswan ipsec version 2.4.15 running and functioning well.

I want to add squid to the mix, so the internet traffic will still go through eth1 but through the transparent proxy running on the firewall.

We are reserving the fast eth0 provider for inter-branches connectivity via the ipsec.

Attached is my shorewall dump.

Any directions will be appreciated.

Thanks
Ibrahim Hamouda

------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA is the only developer event you need to attend this year. Jumpstart your developing skills, take BlackBerry mobile applications to market and stay ahead of the curve. Join us from November 9 - 12, 2009. Register now! http://p.sf.net/sfu/devconference

Ibrahim Hamouda wrote:
> Hi all
> I have a successful installation of shorewall 4.0.6 on Ubuntu 8.04
> Hardy.
> Two ISP on eth0 and eth1, internal network on eth2.
>
> All the internet traffic is routed through eth1.
> openswan ipsec version 2.4.15 running and functioning well.
>
> I want to add squid to the mix, so the internet traffic will still go
> through eth1 but through the transparent proxy running on the firewall.
>
> We are reserving the fast eth0 provider for inter-branches connectivity
> via the ipsec.
>
> Attached is my shorewall dump.
>
> Any directions will be appreciated.

In squid.conf, set tcp_outgoing_address to 70.75.31.164.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,        \ died peacefully in his sleep. Not screaming like
Washington, USA   \ all of the passengers in his car
http://shorewall.net \________________________________________________

so nothing needs to go in shorewall configuration files AT ALL?

Ibrahim Hamouda wrote:
> so nothing needs to go in shorewall configuration files AT ALL?

I assumed that you would be able to find the Shorewall transparent proxy documentation (http://www.shorewall.net/Shorewall_Squid_Usage.html). Or do you expect me to do your whole job for you?

-Tom

Tom

First of all I appreciate your participation and quick responses in this news group.

I'm a contributor since 1998 in several other news groups and forums, answering questions from newbies in areas that I feel confident enough to give back to the internet community, without making anybody feel that I'm - and I know I'm not - making them a favor, and that's what made the internet great for all of us.

Now to the problem in hand.

Yes I read the document you mentioned, and many others and that's how I got all this working together, I added the line mentioned in the document:

    REDIRECT loc 3128 tcp www -

I didn't need the other one, as you see from my attached file to the previous email I have:

    $FW net ACCEPT

in my policy

After adding the REDIRECT line, the clients behind lost their http access completely.

And that's the reason I'm asking.

So do you have an answer?

Ibrahim Hamouda wrote:
> First of all I appreciate your participation and quick responses in
> this news group.

This is not a news group; this is a mailing list.

> I'm a contributor since 1998 in several other news groups and forums,
> answering questions from newbies in areas that I feel confident
> enough to give back to the internet community, without making anybody
> feel that I'm - and I know I'm not - making them a favor, and that's
> what made the internet great for all of us.

Then you should know how to report a problem so that the person trying to help you has the information that they need to try to help you.

> Now to the problem in hand.
>
> Yes I read the document you mentioned, and many others and that's how
> I got all this working together, I added the line mentioned in the
> document: REDIRECT loc 3128 tcp www -
>
> I didn't need the other one, as you see from my attached file to the
> previous email I have: $FW net ACCEPT in my policy
>
> After adding the REDIRECT line, the clients behind lost their http
> access completely.

Then why didn't you mention that in your original email? You said:

    I want to add squid to the mix, so the internet traffic will still go through eth1 but through the transparent proxy running on the firewall.

    We are reserving the fast eth0 provider for inter-branches connectivity via the ipsec.

    Attached is my shorewall dump.

WHICH HAS NO REDIRECT RULE! What did you expect? I'm not a mind reader.

> So do you have an answer?

No -- But in 99% of these cases, the problem is in the Squid configuration and not in the Shorewall configuration. So please:

a) Look at your Squid access log; do you see access attempts? If you do not, then your Squid config is wrong (assuming that you have managed to add the correct REDIRECT rule).

b) If you post again, please tell us what you see in the web browser when you attempt http access from the local net.

-Tom
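
Added example (not part of the thread, and not Shorewall or Squid project code): a shell version of the triage suggested in the last message, checking squid.conf for the settings this setup depends on and counting access.log requests from the local net. The `transparent`/`intercept` flag on `http_port` comes from Squid's interception setup rather than from this thread; the file paths, the 192.168.1. prefix and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, the 192.168.1. prefix and all
# sample lines are constructed; 70.75.31.164 is the address given in the thread.

# check_squid_conf CONF WANT_ADDR: one finding per line, returns 0 if both pass.
check_squid_conf() {
    conf=$1; want=$2; rc=0
    # Interception flag on http_port: "transparent" (Squid 2.6-3.0) or
    # "intercept" (3.1 and later). Commented-out lines do not count.
    if grep -Eq '^[[:space:]]*http_port[[:space:]].*(transparent|intercept)' "$conf"; then
        echo "http_port: interception flag present"
    else
        echo "http_port: no transparent/intercept flag"; rc=1
    fi
    got=$(awk '$1 == "tcp_outgoing_address" { print $2; exit }' "$conf")
    if [ "$got" = "$want" ]; then
        echo "tcp_outgoing_address: $got"
    else
        echo "tcp_outgoing_address: expected $want, found ${got:-none}"; rc=1
    fi
    return "$rc"
}

# count_client_hits LOG PREFIX: requests whose client address (field 3 of
# Squid's native access.log format) starts with PREFIX.
count_client_hits() {
    awk -v p="$2" 'index($3, p) == 1 { n++ } END { print n + 0 }' "$1"
}

demo() {
    d=$(mktemp -d)
    printf '%s\n' 'http_port 3128' \
        'tcp_outgoing_address 70.75.31.164' > "$d/squid.conf"
    # Only a request from the firewall itself, none from the local net.
    printf '%s\n' '1256515200.123 45 127.0.0.1 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/192.0.2.7 text/html' > "$d/access.log"
    check_squid_conf "$d/squid.conf" 70.75.31.164 || true
    echo "requests from 192.168.1.*: $(count_client_hits "$d/access.log" 192.168.1.)"
    rm -rf "$d"
}
demo
```

A count of zero for the local-net prefix corresponds to step (a) in the message above: no access attempts are reaching Squid's log.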