hi all,

I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a RHEL5 box. I had a few problems running squid in transparent mode so now I am running it in non-transparent mode. Everything like browsing / IM tools is working fine. A major problem that I am facing is that quite a few users in my staff use TFS (Team Foundation Server - A code repository running on port 8080) remotely. After installing squid they are having great difficulty connecting to that server. I am REDIRECTING port 80 traffic from shorewall to squid on the same box. I tried the same approach and REDIRECTED port 8080 traffic to squid as well and made an ACL in squid.conf to allow that particular traffic to that particular server address over port 8080.

When I see the squid access log, traffic shows up there but with HTTP 401 code that means not-authorized request. On the TFS screen users also get "you are not authorized to connect to this server" error. This does not make any sense because without squid they just connect in the first attempt.

I even tried adding a rule in shorewall to process 8080 traffic before I redirect traffic to squid, but that makes things unreliable in the sense that sometimes it works, and at times it does not!

Can anyone help by suggesting any measures to get over this?

Is this squid's normal behaviour to stop shorewall from normal working when installed? Does squid take over control of system ports in use by shorewall?

--
Regards,
Asim Ahmed Khan

Asim Ahmed Khan wrote:
> hi all,
>
> I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a RHEL5
> box. I had a few problems running squid in transparent mode so now I am
> running it in non-transparent mode. Everything like browsing / IM tools
> is working fine. A major problem that I am facing is that quite a few users
> in my staff use TFS (Team Foundation Server - A code repository running
> on port 8080) remotely. After installing squid they are having great
> difficulty connecting to that server. I am REDIRECTING port 80 traffic
> from shorewall to squid on the same box. I tried the same approach and
> REDIRECTED port 8080 traffic to squid as well and made an ACL in
> squid.conf to allow that particular traffic to that particular server
> address over port 8080.
>
> When I see the squid access log, traffic shows up there but with HTTP 401
> code that means not-authorized request. On the TFS screen users also get
> "you are not authorized to connect to this server" error. This does not
> make any sense because without squid they just connect in the first attempt.
>
> I even tried adding a rule in shorewall to process 8080 traffic before I
> redirect traffic to squid, but that makes things unreliable in the sense
> that sometimes it works, and at times it does not!

Please provide the information requested at http://www.shorewall.net/support.htm#Guidelines in the section dealing with "connection problems".

> Can anyone help by suggesting any measures to get over this?
>
> Is this squid's normal behaviour to stop shorewall from normal working
> when installed? Does squid take over control of system ports in use by
> shorewall?

Squid only processes what is sent to it. No more and no less.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

Hi,

Below you'll find information on all 6 questions posted there:

1. shorewall.conf points log files to /var/log/messages and it is working
2. Processing /etc/shorewall/params ...
   Shorewall Counters Reset
3. dump file attached
4. requests originating from 202.142.150.34 and going to 72.166.1.90

On Fri, Dec 11, 2009 at 4:32 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Asim Ahmed Khan wrote:
> > hi all,
> >
> > I am using squid 3.0Stable20-1 along with Shorewall 4.4.4-1 on a RHEL5
> > box. I had a few problems running squid in transparent mode so now I am
> > running it in non-transparent mode. Everything like browsing / IM tools
> > is working fine. A major problem that I am facing is that quite a few users
> > in my staff use TFS (Team Foundation Server - A code repository running
> > on port 8080) remotely. After installing squid they are having great
> > difficulty connecting to that server. I am REDIRECTING port 80 traffic
> > from shorewall to squid on the same box. I tried the same approach and
> > REDIRECTED port 8080 traffic to squid as well and made an ACL in
> > squid.conf to allow that particular traffic to that particular server
> > address over port 8080.
> >
> > When I see the squid access log, traffic shows up there but with HTTP 401
> > code that means not-authorized request. On the TFS screen users also get
> > "you are not authorized to connect to this server" error. This does not
> > make any sense because without squid they just connect in the first attempt.
> >
> > I even tried adding a rule in shorewall to process 8080 traffic before I
> > redirect traffic to squid, but that makes things unreliable in the sense
> > that sometimes it works, and at times it does not!
>
> Please provide the information requested at
> http://www.shorewall.net/support.htm#Guidelines in the section dealing
> with "connection problems".
>
> > Can anyone help by suggesting any measures to get over this?
> >
> > Is this squid's normal behaviour to stop shorewall from normal working
> > when installed? Does squid take over control of system ports in use by
> > shorewall?
>
> Squid only processes what is sent to it. No more and no less.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

--
Regards,
Asim Ahmed Khan

Asim Ahmed Khan wrote:
> Hi,
>
> Below you'll find information on all 6 questions posted there:
> 1. shorewall.conf points log files to /var/log/messages and it is working
> 2. Processing /etc/shorewall/params ...
>    Shorewall Counters Reset
> 3. dump file attached
> 4. requests originating from 202.142.150.34 and going to 72.166.1.90

So the request originated on the firewall itself? And is going to TCP port 8080 on 72.166.1.90? Or was this using Squid as a manually-configured proxy and the real client was a host in 192.168.4.0/24? Or???

-Tom

requests originating from loc zone and coming to FW zone (loc can't talk to net zone directly according to policy file) then FW zone should send them to 72.166.1.90 on port 8080

On Sat, Dec 12, 2009 at 8:37 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Asim Ahmed Khan wrote:
> > Hi,
> >
> > Below you'll find information on all 6 questions posted there:
> > 1. shorewall.conf points log files to /var/log/messages and it is working
> > 2. Processing /etc/shorewall/params ...
> >    Shorewall Counters Reset
> > 3. dump file attached
> > 4. requests originating from 202.142.150.34 and going to 72.166.1.90
>
> So the request originated on the firewall itself? And is going to TCP
> port 8080 on 72.166.1.90? Or was this using Squid as a
> manually-configured proxy and the real client was a host in
> 192.168.4.0/24? Or???
>
> -Tom

--
Regards,
Asim Ahmed Khan

Asim Ahmed Khan wrote:
> requests originating from loc zone and coming to FW zone (loc can't talk
> to net zone directly according to policy file) then FW zone should send
> them to 72.166.1.90 on port 8080

And you are doing that by configuring Squid as a proxy?

-Tom

Tom Eastep wrote:
> Asim Ahmed Khan wrote:
>> requests originating from loc zone and coming to FW zone (loc can't talk
>> to net zone directly according to policy file) then FW zone should send
>> them to 72.166.1.90 on port 8080
>
> And you are doing that by configuring Squid as a proxy?

The reason that I ask is that if you aren't doing it with Squid then you must have a loc->net rule that allows the traffic:

    ACCEPT    loc    net    tcp    8080

You may, of course, limit the SOURCE and DEST by IP address(es).

-Tom

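Added example, not part of the thread or of Shorewall itself: a small Python check of a rules file for a plain ACCEPT from a zone to net whose port is also covered by a REDIRECT from the same zone. REDIRECT rewrites the destination in the nat table before the filter rules are consulted, so such an ACCEPT is never reached. The sample rules, the Squid port 3128 and the function names are assumptions; the addresses are the ones mentioned in the thread, and only numeric ports are compared.

```python
# Added example; the sample rules are constructed, not the poster's configuration.
SAMPLE_RULES = """\
#ACTION   SOURCE              DEST             PROTO  DPORT
REDIRECT  loc                 3128             tcp    80,8080
ACCEPT    loc:192.168.4.0/24  net:72.166.1.90  tcp    8080
ACCEPT    $FW                 net              tcp    80
"""

def parse_rules(text):
    """Yield (action, source, dest, proto, ports, original_dest) per rule line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5:
            continue  # blank line, comment, or a rule without a port column
        fields += ["-"] * (7 - len(fields))  # pad SPORT and ORIGINAL DEST
        action, source, dest, proto, dport, _sport, orig = fields[:7]
        yield (action.split(":")[0], source, dest, proto.lower(),
               set(dport.split(",")), orig)

def zone(field):
    return field.split(":", 1)[0]

def address(field):
    return field.split(":", 1)[1] if ":" in field else None

def shadowed_accepts(text):
    """Return (port, destination, proxy_port) for each plain ACCEPT to net
    whose port is also REDIRECTed from the same source zone."""
    rules = list(parse_rules(text))
    redirects = [r for r in rules if r[0] in ("REDIRECT", "REDIRECT-")]
    findings = []
    for action, source, dest, proto, ports, _ in rules:
        if action != "ACCEPT" or zone(dest) != "net":
            continue  # ACCEPT+ is skipped: it exempts traffic from later REDIRECTs
        for _, r_src, r_port, r_proto, r_ports, r_orig in redirects:
            # An ORIGINAL DEST of "!addr" keeps that address out of the REDIRECT.
            excluded = (r_orig.startswith("!")
                        and address(dest) in r_orig[1:].split(","))
            if zone(r_src) == zone(source) and r_proto == proto and not excluded:
                findings += [(p, address(dest), r_port) for p in sorted(ports & r_ports)]
    return findings

if __name__ == "__main__":
    for port, dest, proxy in shadowed_accepts(SAMPLE_RULES):
        print(f"tcp/{port} to {dest}: REDIRECT to local port {proxy} wins over ACCEPT")
```
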
No, by default shorewall is working as firewall / NAT software. Only port 80 traffic is routed to squid by shorewall.

On Sun, Dec 13, 2009 at 1:33 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Asim Ahmed Khan wrote:
> > requests originating from loc zone and coming to FW zone (loc can't talk
> > to net zone directly according to policy file) then FW zone should send
> > them to 72.166.1.90 on port 8080
>
> And you are doing that by configuring Squid as a proxy?
>
> -Tom

--
Regards,
Asim Ahmed Khan