Hi all, hi Tom:

I am trying to get tproxy working; I follow this:
http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

But when I restart shorewall I get this error: http://pastebin.com/iKK5LjpF

I patched squid 2.7 stable-9 with the Tproxy version 4 patch.

Just in case it is needed:

iptables v1.4.10
kernel 2.6.37.6-0.5

Regards.

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
On Jun 29, 2011, at 5:01 PM, Ricardo Rios - Shorewall List wrote:

> Hi all, hi Tom:
>
> I am trying to get tproxy working; I follow this:
> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>
> But when I restart shorewall I get this error: http://pastebin.com/iKK5LjpF
>
> I patched squid 2.7 stable-9 with the Tproxy version 4 patch.
>
> Just in case it is needed:
>
> iptables v1.4.10
>
> kernel 2.6.37.6-0.
>

Please see http://www1.shorewall.net/troubleshoot.htm#Start

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 29 Jun 2011 18:02:18 -0700, Tom Eastep wrote:

> On Jun 29, 2011, at 5:01 PM, Ricardo Rios - Shorewall List wrote:
>
>> Hi all, hi Tom:
>>
>> I am trying to get tproxy working; I follow this:
>> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>>
>> But when I restart shorewall I get this error: http://pastebin.com/iKK5LjpF
>>
>> I patched squid 2.7 stable-9 with the Tproxy version 4 patch.
>>
>> Just in case it is needed:
>>
>> iptables v1.4.10
>>
>> kernel 2.6.37.6-0.
>
> Please see http://www1.shorewall.net/troubleshoot.htm#Start
>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

Doing a shorewall debug restart I get this:

ERROR: Command "/usr/sbin/iptables -A tcpre -p 6 --dport 80 -i eth5 -j TPROXY--on-port 3128 --tproxy-mark 3" Failed

I'm guessing my iptables is not supporting TPROXY?

Thanks for your time Tom.
On Jun 29, 2011, at 6:20 PM, Ricardo Rios - Shorewall List wrote:

> On Wed, 29 Jun 2011 18:02:18 -0700, Tom Eastep wrote:
>
>> On Jun 29, 2011, at 5:01 PM, Ricardo Rios - Shorewall List wrote:
>>
>>> Hi all, hi Tom:
>>>
>>> I am trying to get tproxy working; I follow this:
>>> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>>>
>>> But when I restart shorewall I get this error: http://pastebin.com/iKK5LjpF
>>>
>>> I patched squid 2.7 stable-9 with the Tproxy version 4 patch.
>>>
>>> Just in case it is needed:
>>>
>>> iptables v1.4.10
>>>
>>> kernel 2.6.37.6-0.
>>>
>>
>> Please see http://www1.shorewall.net/troubleshoot.htm#Start
>>
>> -Tom
>>
>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>> Washington, USA     \ all of the passengers in his car
>> http://shorewall.net \________________________________________________
>>
> Doing a shorewall debug restart I get this:
>
> ERROR: Command "/usr/sbin/iptables -A tcpre -p 6 --dport 80 -i eth5 -j TPROXY--on-port 3128 --tproxy-mark 3" Failed
>
> I'm guessing my iptables is not supporting TPROXY?
>

No -- Your version of Shorewall is generating an invalid rule (note that
there is no whitespace between TPROXY and --on-port). Which version are
you running?

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 29 Jun 2011 18:47:21 -0700, Tom Eastep wrote:

> On Jun 29, 2011, at 6:20 PM, Ricardo Rios - Shorewall List wrote:
>
>> On Wed, 29 Jun 2011 18:02:18 -0700, Tom Eastep wrote:
>>
>>> On Jun 29, 2011, at 5:01 PM, Ricardo Rios - Shorewall List wrote:
>>>
>>>> Hi all, hi Tom:
>>>>
>>>> I am trying to get tproxy working; I follow this:
>>>> http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
>>>>
>>>> But when I restart shorewall I get this error: http://pastebin.com/iKK5LjpF
>>>>
>>>> I patched squid 2.7 stable-9 with the Tproxy version 4 patch.
>>>>
>>>> Just in case it is needed:
>>>>
>>>> iptables v1.4.10
>>>>
>>>> kernel 2.6.37.6-0.
>>>
>>> Please see http://www1.shorewall.net/troubleshoot.htm#Start
>>>
>>> -Tom
>>>
>>> Tom Eastep        \ When I die, I want to go like my Grandfather who
>>> Shoreline,         \ died peacefully in his sleep. Not screaming like
>>> Washington, USA     \ all of the passengers in his car
>>> http://shorewall.net \________________________________________________
>>
>> Doing a shorewall debug restart I get this:
>>
>> ERROR: Command "/usr/sbin/iptables -A tcpre -p 6 --dport 80 -i eth5 -j TPROXY--on-port 3128 --tproxy-mark 3" Failed
>>
>> I'm guessing my iptables is not supporting TPROXY?
>
> No -- Your version of Shorewall is generating an invalid rule (note that
> there is no whitespace between TPROXY and --on-port). Which version are
> you running?
>
> -Tom
>
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

I am using Shorewall-4.4.20.3
Well, I suppose while you're looking forward to 4.4.21 and working on
parsing problems anyway (with reference to the TPROXY), I should get
around to writing up the problem I found. In the masq file, the man page
says that you can add an outgoing port range to use, as ":xxx-yyy"
appended to the ADDRESS field. But when I try using this, I get:

ERROR: The separator for a port range is ':', not '-' (49152-61000) : /etc/shorewall/masq (line 15)

And if I use the colon instead....

ERROR: The separator for a port range is ':', not '-' (49152-61000) : /etc/shorewall/masq (line 15)

So I took a peek at the code, and I see that in Nat.pm, at line 210 (oh,
this is 4.4.17 I'm using, from the Fedora 14-15 RPM), after stripping
off any leading colons, it substitutes a dash for a colon, I suppose in
case someone tried to use a colon anyway. Which is fine, since the
iptables syntax does demand a hyphen, not a colon, like most port
ranges. But then, it sends the output of that substitution to
validate_portpair, defined in IPAddrs.pm, which expects a colon. So of
course, no matter which separator you used in the file, it's a hyphen at
that point, and generates an error.

I suppose the main options for fixing would be to either first
substitute colon for hyphen, then validate_portpair, then substitute
hyphen for colon before generating the iptables line; or, make another
function, something like validate_masq_portpair, which does expect
hyphens, and run it through that instead.

In the meantime, I've fixed it up for my own personal use by just
commenting out the validate_portpair in Nat.pm, and make damn sure I
remember to use a hyphen there. But a real fix would be nice. :)

-- 
J. Randall Owens | http://www.ghiapet.net/
ProofReading Markup Language | http://prml.sourceforge.net/
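The separator mismatch described above, worked through as an added Python example (not Shorewall's own Perl code from Nat.pm or IPAddrs.pm): a colon-expecting validator standing in for validate_portpair, the buggy order that converts ':' to '-' before validating (so both spellings produce the same error), and the fixed order that validates first and converts afterwards. The address and port values are constructed; the function names are assumptions.

```python
import re

class MasqError(ValueError):
    """Configuration error, phrased the way the Shorewall compiler reports it."""

def validate_portpair(pair):
    """Colon-expecting range check standing in for validate_portpair in IPAddrs.pm.
    Returns (low, high) or raises MasqError; a hyphen is rejected outright."""
    if "-" in pair:
        raise MasqError(f"The separator for a port range is ':', not '-' ({pair})")
    m = re.fullmatch(r"(\d{1,5}):(\d{1,5})", pair)
    if not m:
        raise MasqError(f"Invalid port range ({pair})")
    low, high = int(m.group(1)), int(m.group(2))
    if not 1 <= low <= high <= 65535:
        raise MasqError(f"Invalid port range ({pair})")
    return low, high

def masq_portrange_buggy(field):
    """Order described for Nat.pm: strip leading colons, turn ':' into '-' for
    iptables, then validate. The validator therefore always sees a hyphen."""
    rng = field.lstrip(":").replace(":", "-")
    validate_portpair(rng)
    return rng

def masq_portrange_fixed(field):
    """Fixed order: normalise to the colon form, validate, then emit the
    hyphen form that iptables expects in --to-source."""
    rng = field.lstrip(":").replace("-", ":")
    low, high = validate_portpair(rng)
    return f"{low}-{high}"

def masq_to_source(address_field):
    """Turn a masq ADDRESS value such as '203.0.113.5:49152-61000' (constructed)
    into the --to-source argument, with or without a port range."""
    addr, sep, rng = address_field.partition(":")
    return f"{addr}:{masq_portrange_fixed(rng)}" if sep else addr

def error_for(fn, field):
    """Return the MasqError message fn raises for field, or None on success."""
    try:
        fn(field)
    except MasqError as exc:
        return str(exc)
    return None
```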
On Jun 29, 2011, at 6:55 PM, Ricardo Rios - Shorewall List wrote:

> On Wed, 29 Jun 2011 18:47:21 -0700, Tom Eastep wrote:
>
>> No -- Your version of Shorewall is generating an invalid rule (note that
>> there is no whitespace between TPROXY and --on-port). Which version are
>> you running?
>
> I am using Shorewall-4.4.20.3
>

Try the attached patch:

patch /usr/share/shorewall/Shorewall/Tc.pm < TPROXY.patch

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Jun 29, 2011, at 7:26 PM, J. Randall Owens wrote:

> Well, I suppose while you're looking forward to 4.4.21 and working on
> parsing problems anyway (with reference to the TPROXY), I should get
> around to writing up the problem I found. In the masq file, the man page
> says that you can add an outgoing port range to use, as ":xxx-yyy"
> appended to the ADDRESS field. But when I try using this, I get:
>
> ERROR: The separator for a port range is ':', not '-' (49152-61000) :
> /etc/shorewall/masq (line 15)
>

Been fixed for several releases.

-Tom

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On Wed, 29 Jun 2011 19:31:40 -0700, Tom Eastep wrote:

> On Jun 29, 2011, at 6:55 PM, Ricardo Rios - Shorewall List wrote:
>
>> On Wed, 29 Jun 2011 18:47:21 -0700, Tom Eastep wrote:
>>
>>> No -- Your version of Shorewall is generating an invalid rule (note that
>>> there is no whitespace between TPROXY and --on-port). Which version are
>>> you running?
>>
>> I am using Shorewall-4.4.20.3
>
> Try the attached patch:
>
> patch /usr/share/shorewall/Shorewall/Tc.pm < TPROXY.patch
>
> -Tom

Patch working.

shorewall show tc:

57142 2917K TPROXY tcp -- eth5 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3128 mark 0x3/0xffffffff

Thanks Tom.
Thanks, Ricardo

Fix will be in 4.4.21.

-Tom

On Jun 29, 2011, at 7:49 PM, Ricardo Rios - Shorewall List wrote:

> On Wed, 29 Jun 2011 19:31:40 -0700, Tom Eastep wrote:
>
>> On Jun 29, 2011, at 6:55 PM, Ricardo Rios - Shorewall List wrote:
>>
>>> On Wed, 29 Jun 2011 18:47:21 -0700, Tom Eastep wrote:
>>>
>>>> No -- Your version of Shorewall is generating an invalid rule (note that
>>>> there is no whitespace between TPROXY and --on-port). Which version are
>>>> you running?
>>>
>>> I am using Shorewall-4.4.20.3
>>
>> Try the attached patch:
>>
>> patch /usr/share/shorewall/Shorewall/Tc.pm < TPROXY.patch
>>
>> -Tom
>
> Patch working.
>
> shorewall show tc:
>
> 57142 2917K TPROXY tcp -- eth5 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3128 mark 0x3/0xffffffff
>
> Thanks Tom.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________