Hi list, I have a proxy behind a router; the router only offers NAT to the proxy. All my LAN is connected to the proxy to get out to the Internet. The proxy works in a transparent way with Shorewall, with one network card. The problem is that it works for me in a transparent way, but I cannot connect to https pages.

This is my rules file:

Ping/ACCEPT     net     $FW
SSH/ACCEPT      net     $FW
ACCEPT          net     $FW     tcp     8080,80,9090,3128,5222,3000,10000,443,69
ACCEPT          $FW     net     tcp     443,53,80
ACCEPT          net     $FW     udp     161,162,69
ACCEPT          $FW     net     udp     161,162,53,69
ACCEPT+         net:172.16.8.49 net
REDIRECT        net     8080    tcp     80      -       -       20/sec:5
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW     net     icmp

If I put the proxy manually in the PC, https works perfectly. The proxy and Shorewall run on the same PC.

Any idea?

regards
--
rickygm

http://gnuforever.homelinux.com

------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
2012/4/16 troxlinux <xserverlinux@gmail.com>:
> Hi list, I have a proxy behind a router; the router only offers NAT to the
> proxy. All my LAN is connected to the proxy to get out to the Internet.
> The proxy works in a transparent way with Shorewall, with one network
> card. The problem is that it works for me in a transparent way, but I
> cannot connect to https pages.
>
> This is my rules file:
>
> Ping/ACCEPT     net     $FW
> SSH/ACCEPT      net     $FW
> ACCEPT          net     $FW     tcp     8080,80,9090,3128,5222,3000,10000,443,69
> ACCEPT          $FW     net     tcp     443,53,80
> ACCEPT          net     $FW     udp     161,162,69
> ACCEPT          $FW     net     udp     161,162,53,69
> ACCEPT+         net:172.16.8.49 net
> REDIRECT        net     8080    tcp     80      -       -       20/sec:5
> # Permit all ICMP traffic FROM the firewall TO the net zone
> ACCEPT          $FW     net     icmp
>
> If I put the proxy manually in the PC, https works perfectly. The proxy and
> Shorewall run on the same PC.

I tried to put in:

interfaces:
net     eth0    detect  blacklist

zones:
fw      firewall
net     ipv4

policy:
$FW     net     ACCEPT
net     $FW     ACCEPT  info
net     all     DROP    info
# The FOLLOWING POLICY MUST BE LAST
all     all     REJECT  info

but https doesn't work for me.

regards
--
rickygm

http://gnuforever.homelinux.com

------------------------------------------------------------------------------
Better than sec? Nothing is better than sec when it comes to
monitoring Big Data applications. Try Boundary one-second
resolution app monitoring today. Free.
http://p.sf.net/sfu/Boundary-dev2dev
On 4/16/12 7:07 PM, troxlinux wrote:
> 2012/4/16 troxlinux <xserverlinux@gmail.com>:
>>
>
> but https doesn't work for me
>

We are not going to be able to help you until you follow the problem reporting guidelines at http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 4/16/12 7:18 PM, Tom Eastep wrote:
> On 4/16/12 7:07 PM, troxlinux wrote:
>> 2012/4/16 troxlinux <xserverlinux@gmail.com>:
>>>
>>
>> but https doesn't work for me
>>
>
> We are not going to be able to help you until you follow the problem
> reporting guidelines at http://www.shorewall.net/support.htm#Guidelines.

Never mind.

You cannot transparently proxy HTTPS -- think about it; would you want to trust your private data to a protocol where a process in the middle could read everything going back and forth on the connection?

The data is encrypted! So a proxy can't understand what URL the client is requesting -- understand?

-Tom
On 4/16/12 9:26 PM, Tom Eastep wrote:
> On 4/16/12 7:18 PM, Tom Eastep wrote:
>> On 4/16/12 7:07 PM, troxlinux wrote:
>>> 2012/4/16 troxlinux <xserverlinux@gmail.com>:
>>>>
>>>
>>> but https doesn't work for me
>>>
>>
>> We are not going to be able to help you until you follow the problem
>> reporting guidelines at http://www.shorewall.net/support.htm#Guidelines.
>
> Never mind.
>
> You cannot transparently proxy HTTPS -- think about it; would you want
> to trust your private data to a protocol where a process in the middle
> could read everything going back and forth on the connection?
>
> The data is encrypted! So a proxy can't understand what URL the client
> is requesting -- understand?

When you manually configure an HTTPS proxy in your browser, the browser knows that it is connecting through a proxy and uses a modified protocol that allows it to work while still maintaining data security.

-Tom
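Tom's two points above, shown in working code as an added example that is not part of the thread and not Shorewall's or any proxy's own code. The script generates a genuine TLS ClientHello with Python's ssl module over a memory BIO (no network access), parses it the way a gateway sitting at 172.16.8.49 could, and builds the request a browser sends to a manually configured proxy. Assumptions: the sample URL, hostname and path are constructed values; the "modified protocol" Tom refers to is taken to be the HTTP CONNECT method, which is what browsers use for HTTPS through an explicit proxy. It also shows one thing beyond Tom's wording: the target hostname is visible in the clear in the ClientHello (SNI extension), which is the only thing an interceptor can filter on, while the URL path never leaves the encrypted tunnel in either mode.

```python
"""Added example (not from the Shorewall list thread): what a transparent
interceptor on the gateway can see of an HTTPS request, versus what a
browser sends to an explicitly configured proxy.

Assumptions (not from the thread): the hostname www.example.com and the
path /private/report are constructed sample values.
"""
import ssl
from urllib.parse import urlsplit

SAMPLE_URL = "https://www.example.com/private/report?id=42"  # constructed


def client_hello_for(url: str) -> bytes:
    """Generate the real TLS ClientHello a client would send first when
    opening url, using a memory BIO so nothing touches the network."""
    host = urlsplit(url).hostname
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # no peer to verify in this demo
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello written, ServerHello never arrives
    return outgoing.read()


def extract_sni(record: bytes):
    """Parse the SNI hostname out of a TLS ClientHello record. Returns None
    when the record is not a ClientHello or has no server_name extension."""
    if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
        return None
    hs = record[5:5 + int.from_bytes(record[3:5], "big")]
    if not hs or hs[0] != 0x01:                   # 0x01 = ClientHello
        return None
    pos = 4 + 2 + 32                              # hs header, version, random
    pos += 1 + hs[pos]                            # session id
    pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher suites
    pos += 1 + hs[pos]                            # compression methods
    if pos + 2 > len(hs):
        return None
    ext_end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= ext_end:
        ext_type = int.from_bytes(hs[pos:pos + 2], "big")
        ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
        body = hs[pos + 4:pos + 4 + ext_len]
        if ext_type == 0:                         # server_name extension
            # list length (2), name type (1), name length (2), name
            name_len = int.from_bytes(body[3:5], "big")
            return body[5:5 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


def explicit_proxy_request(url: str) -> bytes:
    """The request a browser sends to a manually configured proxy before
    TLS starts: an HTTP CONNECT for host:port. The path stays inside the
    tunnel, so the proxy learns the destination but still cannot read it."""
    parts = urlsplit(url)
    target = f"{parts.hostname}:{parts.port or 443}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode()


def what_the_gateway_sees(url: str) -> dict:
    """Summarise both paths for one URL: what is visible on the wire."""
    hello = client_hello_for(url)
    connect = explicit_proxy_request(url)
    path = urlsplit(url).path.encode()
    return {
        "transparent_sni": extract_sni(hello),
        "transparent_sees_path": path in hello,
        "explicit_first_line": connect.split(b"\r\n")[0].decode(),
        "explicit_sees_path": path in connect,
    }


if __name__ == "__main__":
    for key, value in what_the_gateway_sees(SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Run as is, the transparent path yields only the SNI name and the explicit path yields only a CONNECT line with host and port; neither carries the URL path, which is why a REDIRECT of port 443 to an HTTP proxy cannot give the proxy a URL to act on.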
I remember that for a transparent proxy to work properly, your client PCs must have the proxy server's (LAN) IP as gateway.

Greetings!!

2012/4/17 Tom Eastep <teastep@shorewall.net>:
> On 4/16/12 9:26 PM, Tom Eastep wrote:
>> On 4/16/12 7:18 PM, Tom Eastep wrote:
>>> On 4/16/12 7:07 PM, troxlinux wrote:
>>>> 2012/4/16 troxlinux <xserverlinux@gmail.com>:
>>>>>
>>>>
>>>> but https doesn't work for me
>>>>
>>>
>>> We are not going to be able to help you until you follow the problem
>>> reporting guidelines at http://www.shorewall.net/support.htm#Guidelines.
>>
>> Never mind.
>>
>> You cannot transparently proxy HTTPS -- think about it; would you want
>> to trust your private data to a protocol where a process in the middle
>> could read everything going back and forth on the connection?
>>
>> The data is encrypted! So a proxy can't understand what URL the client
>> is requesting -- understand?
>
> When you manually configure an HTTPS proxy in your browser, the browser
> knows that it is connecting through a proxy and uses a modified protocol
> that allows it to work while still maintaining data security.
>
> -Tom

--
I.S.C. William López Jiménez
--
User Linux # 379636
MSN wljkoala23@hotmail.com
Jabber koalasoft@jabber.org
Web: www.koalasoftmx.tk
Twitter: @koalasoft
Facebook: william.koalasoft
2012/4/17 Tom Eastep <teastep@shorewall.net>:
>> You cannot transparently proxy HTTPS -- think about it; would you want
>> to trust your private data to a protocol where a process in the middle
>> could read everything going back and forth on the connection?

I understand your point Tom, but let me explain my situation to you: before having this Linux box, I had a UTM called Astaro and it worked perfectly for me in a transparent way, but we do not have money to pay for the license.

>>
>> The data is encrypted! So a proxy can't understand what URL the client
>> is requesting -- understand?
>
> When you manually configure an HTTPS proxy in your browser, the browser
> knows that it is connecting through a proxy and uses a modified protocol
> that allows it to work while still maintaining data security.
>
> -Tom

I describe my infrastructure:

Router 172.16.8.1 ====== Proxy Shorewall (eth0) 172.16.8.49 === Switch === LAN 172.16.0.0/22, gw lan 172.16.8.49

Shorewall is running ok, version shorewall-4.4.17-2.el5.

It works perfectly in a transparent way, but I can access https pages.

regards
--
rickygm

http://gnuforever.homelinux.com
Try opening the https port:

/etc/shorewall/rules

HTTPS(ACCEPT)   loc     net

and reload shorewall..

2012/4/17 troxlinux <xserverlinux@gmail.com>:
> 2012/4/17 Tom Eastep <teastep@shorewall.net>:
>
>>> You cannot transparently proxy HTTPS -- think about it; would you want
>>> to trust your private data to a protocol where a process in the middle
>>> could read everything going back and forth on the connection?
>
> I understand your point Tom, but let me explain my situation to you:
> before having this Linux box, I had a UTM called Astaro and it worked
> perfectly for me in a transparent way, but we do not have money to pay
> for the license.
>
>>>
>>> The data is encrypted! So a proxy can't understand what URL the client
>>> is requesting -- understand?
>>
>> When you manually configure an HTTPS proxy in your browser, the browser
>> knows that it is connecting through a proxy and uses a modified protocol
>> that allows it to work while still maintaining data security.
>>
>> -Tom
>
> I describe my infrastructure:
>
> Router 172.16.8.1 ====== Proxy Shorewall (eth0) 172.16.8.49 ===
> Switch === LAN 172.16.0.0/22, gw lan 172.16.8.49
>
> Shorewall is running ok, version shorewall-4.4.17-2.el5.
>
> It works perfectly in a transparent way, but I can access https pages.
>
> regards
> --
> rickygm
>
> http://gnuforever.homelinux.com

--
I.S.C. William López Jiménez
On 4/17/12 9:15 AM, troxlinux wrote:
> 2012/4/17 Tom Eastep <teastep@shorewall.net>:
>
>>> You cannot transparently proxy HTTPS -- think about it; would you want
>>> to trust your private data to a protocol where a process in the middle
>>> could read everything going back and forth on the connection?
>
> I understand your point Tom, but let me explain my situation to you:
> before having this Linux box, I had a UTM called Astaro and it worked
> perfectly for me in a transparent way, but we do not have money to pay
> for the license.

Are you sure that it was transparent and not autoconfigured?

-Tom
2012/4/17 I.S.C. William <william.koalasoft@gmail.com>:
> Try opening the https port:
>
> /etc/shorewall/rules
>
> HTTPS(ACCEPT)   loc     net
>
> and reload shorewall..
>

Yes I have, but it does not work...

ACCEPT          net     $FW     tcp     8080,80,69,443
ACCEPT          $FW     net     tcp     53,80,443

regards,
--
rickygm

http://gnuforever.homelinux.com
2012/4/17 troxlinux <xserverlinux@gmail.com>:
> 2012/4/17 I.S.C. William <william.koalasoft@gmail.com>:
>> Try opening the https port:
>>
>> /etc/shorewall/rules
>>
>> HTTPS(ACCEPT)   loc     net
>>
>> and reload shorewall..
>>
> Yes I have, but it does not work...
>
>
> ACCEPT          net     $FW     tcp     8080,80,69,443

This opens the port from Internet to Firewall only.

> ACCEPT          $FW     net     tcp     53,80,443

This opens 443,53,80 from Firewall to Internet.

>

But try opening the port from Local (LAN) to Internet (net):

HTTPS(ACCEPT)   loc     net

or

ACCEPT          loc     net     tcp     443

This is for https pages, for sure..

Greetings!!
2012/4/17 I.S.C. William <william.koalasoft@gmail.com>:
>
>
> But try opening the port from Local (LAN) to Internet (net):
>
> HTTPS(ACCEPT)   loc     net
>
> or
>
> ACCEPT          loc     net     tcp     443
>
> This is for https pages, for sure..
>

Hi William, my server only has one interface, eth0; basically the design of my firewall is this: http://www.shorewall.net/standalone.html. That is the reason you see that definition of rules.

regards
--
rickygm

http://gnuforever.homelinux.com
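The last two messages turn on whether a `loc` zone exists at all on this box. As an added example that is not part of the thread and not Shorewall's own code, the script below cross-checks the zones a rules file refers to against the zones file, using the zones and rules troxlinux posted plus the two `loc net` lines William suggested. Assumptions: the file contents are constructed from the lines in the thread, the column handling covers only the rule forms seen there (macro actions such as `Ping/ACCEPT` and `HTTPS(ACCEPT)`, `ACCEPT+`, `REDIRECT`, `zone:address` qualifiers), and the `$FW` variable is taken to name the zone of type `firewall`. Shorewall's own compiler performs a far more complete validation; this check only makes the mismatch in the thread visible without a Shorewall installation.

```python
"""Added example, not from the thread or from Shorewall: report every rule
whose SOURCE or DEST names a zone that /etc/shorewall/zones does not declare.
Zones and rules below are constructed from the lines posted in the thread."""

# Zones file as posted by troxlinux (ZONE TYPE columns): a standalone
# one-interface firewall, so there is no 'loc' zone.
ZONES_STANDALONE = """\
fw      firewall
net     ipv4
"""

# Rules as posted, plus the two 'loc net' lines suggested in the thread.
RULES = """\
Ping/ACCEPT     net     $FW
SSH/ACCEPT      net     $FW
ACCEPT          net     $FW     tcp     8080,80,69,443
ACCEPT          $FW     net     tcp     53,80,443
ACCEPT+         net:172.16.8.49 net
REDIRECT        net     8080    tcp     80      -       -       20/sec:5
# Permit all ICMP traffic FROM the firewall TO the net zone
ACCEPT          $FW     net     icmp
HTTPS(ACCEPT)   loc     net
ACCEPT          loc     net     tcp     443
"""


def parse_zones(text: str) -> dict:
    """Map zone name -> zone type, skipping comments and blank lines."""
    zones = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, ztype = line.split()[:2]
        zones[name] = ztype
    return zones


def zone_of(column: str) -> str:
    """Strip the ':address' / ':interface' qualifier from a SOURCE or DEST
    column: 'net:172.16.8.49' -> 'net'. '$FW' is kept as its own token."""
    return column.split(":", 1)[0]


def undefined_zone_refs(rules_text: str, zones_text: str) -> list:
    """Return (line number, rule text, missing zone) for each rule whose
    SOURCE or DEST zone is not declared. DEST of a REDIRECT rule is a
    local port, not a zone, so it is not checked."""
    zones = parse_zones(zones_text)
    # Assumption: $FW stands for the zone declared with type 'firewall'.
    fw_names = {z for z, t in zones.items() if t == "firewall"} | {"$FW"}
    known = set(zones) | fw_names | {"all", "any"}  # Shorewall keywords
    problems = []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        action, src = cols[0], cols[1]
        to_check = [src]
        if not action.startswith("REDIRECT") and len(cols) > 2:
            to_check.append(cols[2])
        for col in to_check:
            zone = zone_of(col)
            if zone not in known:
                problems.append((n, raw.strip(), zone))
    return problems


if __name__ == "__main__":
    for n, rule, zone in undefined_zone_refs(RULES, ZONES_STANDALONE):
        print(f"rules line {n}: zone '{zone}' is not declared: {rule}")
```

With the standalone zones file the check flags exactly the two `loc` lines; adding a `loc` zone (which on this box would also require a second interface or a different zone layout, as in the Shorewall two-interface guide) makes the report empty, but it would not change what the thread established about transparently proxying port 443.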