-------- Original Message --------
SUBJECT: Re: [Shorewall-users] tproxy problem
DATE: Thu, 30 Jun 2011 01:38:46 -0300
FROM: Ricardo Rios - Shorewall List
TO: Shorewall Users

On Wed, 29 Jun 2011 20:02:06 -0700, Tom Eastep wrote:
> Thanks, Ricardo
> Fix will be in 4.4.21.
> -Tom
>
> On Jun 29, 2011, at 7:49 PM, Ricardo Rios - Shorewall List wrote:
>
>> On Wed, 29 Jun 2011 19:31:40 -0700, Tom Eastep wrote:
>>
>>> On Jun 29, 2011, at 6:55 PM, Ricardo Rios - Shorewall List wrote:
>>>> On Wed, 29 Jun 2011 18:47:21 -0700, Tom Eastep wrote:
>>>>
>>>>> No -- Your version of Shorewall is generating an invalid rule
>>>>> (note that there is no whitespace between TPROXY and --on-port).
>>>>> Which version are you running?
>>>>
>>>> I am using Shorewall-4.4.20.3
>>>
>>> Try the attached patch:
>>> patch /usr/share/shorewall/Shorewall/Tc.pm <TPROXY.patch
>>> -Tom
>>
>> Patch working
>>
>> shorewall show tc :
>>
>> 57142 2917K TPROXY tcp -- eth5 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TPROXY redirect 0.0.0.0:3128 mark 0x3/0xffffffff
>>
>> Thanks Tom.
>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2 [1]
>> _______________________________________________
>> Shorewall-users mailing list
>> Shorewall-users@lists.sourceforge.net [2]
>> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
> Tom Eastep        When I die, I want to go like my Grandfather who
> Shoreline,        died peacefully in his sleep. Not screaming like
> Washington, USA   all of the passengers in his car
> http://shorewall.net [3] ________________________________________________

Hi Tom, sorry if I re-open this, I have another issue now, I dunno if it is something of Shorewall or the tproxy support.

After I follow http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY [4] I get a lot of these logs in /var/log/firewall: http://pastebin.com/iLMG7xzM [5], which is weird, because it says "lan2fw" but the destination IP is a public IP?

Shorewall Dump > http://pastebin.com/ktWQBrDH [6]

Thanks for your time Tom.

Links:
------
[1] http://p.sf.net/sfu/splunk-d2d-c2
[2] mailto:Shorewall-users@lists.sourceforge.net
[3] http://shorewall.net
[4] http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY
[5] http://pastebin.com/iLMG7xzM
[6] http://pastebin.com/ktWQBrDH

On Thu, 2011-06-30 at 09:26 -0300, Ricardo Rios - Shorewall List wrote:
> Hi Tom, sorry if I re-open this, I have another issue now, I dunno if
> it is something of Shorewall or the tproxy support.

It's your configuration. You don't have an ACCEPT rule for port 80 from lan to fw.

-Tom

On Thu, 2011-06-30 at 06:05 -0700, Tom Eastep wrote:
> On Thu, 2011-06-30 at 09:26 -0300, Ricardo Rios - Shorewall List wrote:
>
> > Hi Tom, sorry if I re-open this, I have another issue now, I dunno if
> > it is something of Shorewall or the tproxy support.
>
> It's your configuration. You don't have an ACCEPT rule for port 80 from
> lan to fw.

And please let me know if that works so I can update the HOWTO. I didn't have the software to properly test TPROXY support when I developed it, so I could only verify that it was generating the same rules as were recommended in the HOWTO that I followed.

-Tom

On Thu, 30 Jun 2011 06:13:28 -0700, Tom Eastep wrote:
> On Thu, 2011-06-30 at 06:05 -0700, Tom Eastep wrote:
>> On Thu, 2011-06-30 at 09:26 -0300, Ricardo Rios - Shorewall List wrote:
>>
>>> Hi Tom, sorry if I re-open this, I have another issue now, I dunno if
>>> it is something of Shorewall or the tproxy support.
>>
>> It's your configuration. You don't have an ACCEPT rule for port 80 from
>> lan to fw.
>
> And please let me know if that works so I can update the HOWTO. I didn't
> have the software to properly test TPROXY support when I developed it, so
> I could only verify that it was generating the same rules as were
> recommended in the HOWTO that I followed.
>
> -Tom

Well, I set the rule to allow lan to fw port 80, now there is nothing shown in /var/log/firewall.

But navigation is not working, and when I check the squid logs they show: http://pastebin.com/b0j3rjhH [2]

Links:
------
[1] http://shorewall.net
[2] http://pastebin.com/b0j3rjhH

On Thu, 2011-06-30 at 10:40 -0300, Ricardo Rios - Shorewall List wrote:
>
> Well, I set the rule to allow lan to fw port 80, now there is nothing
> shown in /var/log/firewall.
>
> But navigation is not working, and when I check the squid logs
> they show: http://pastebin.com/b0j3rjhH

That's a Squid configuration issue. You need to configure your Squid acls to accept your traffic.

-Tom

On 30/06/11 10:51, Tom Eastep wrote:
> On Thu, 2011-06-30 at 10:40 -0300, Ricardo Rios - Shorewall List wrote:
>
>> Well, I set the rule to allow lan to fw port 80, now there is nothing
>> shown in /var/log/firewall.
>>
>> But navigation is not working, and when I check the squid logs
>> they show: http://pastebin.com/b0j3rjhH
>
> That's a Squid configuration issue. You need to configure your Squid
> acls to accept your traffic.
>
> -Tom

Tom, just to let you know I am trying to fix the problem with squid, because I am sure I have the ACLs right but it is still not working. I will let you know when I get this working using the exact configuration you recommend here: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

Regards

On Jun 30, 2011, at 4:14 PM, Ricardo Rios wrote:
> Tom, just to let you know I am trying to fix the problem with squid,
> because I am sure I have the ACLs right but it is still not working. I
> will let you know when I get this working using the exact configuration
> you recommend here: http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY

What are you seeing now in the Squid logs?

-Tom

> What are you seeing now in the Squid logs?
>
> -Tom

The squid logs keep saying the same. I sent an email to the squid-users list with my squid config, but I am waiting for some response.

The squid-users mail I sent:

Hello people, I am trying to set up squid-2.7.STABLE9 + squid-2.7s9-tproxy-4.patch + COSS cache. The problem is the tproxy, it is not working. I know maybe I am asking in the wrong place, but maybe someone knows what I have wrong.

Error: http://pastebin.com/b0j3rjhH [2]

My squid setup is: http://pastebin.com/imx88CNJ [3]

and I have this:

OpenSuSE 11.4
iptables v1.4.11
kernel 2.6.37.6-0.5
Shorewall-4.4.20.3

Compiled options: --enable-async-io --with-maxfd=16384 --enable-storeio=coss --with-large-files --disable-ssl --enable-coss-aio-ops --enable-linux-tproxy

Links:
------
[1] http://shorewall.net
[2] http://pastebin.com/b0j3rjhH
[3] http://pastebin.com/imx88CNJ