Hi!

We use Shorewall squid to block unwanted web sites. In the file etc/squid/squid-block.acl is the web sites list. I removed one name from the list. For testing I removed all sites from the list. Then I ran "etc/init.d/shorewall restart". But the web sites are still blocked. Before the restart I ran "shorewall check". The result is the same. All those sites are blocked. Below are the outputs of some commands. Where is the problem?

/etc/squid$ shorewall check
Checking...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Checking /etc/shorewall/policy...
Adding Anti-smurf Rules
WARNING: The 'norfc1918' option is deprecated
Checking /usr/share/shorewall/rfc1918...
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Shorewall configuration verified

-----------------------------------------

/etc/squid$ shorewall restart
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
Pre-processing /usr/share/shorewall/action.Drop...
Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/routestopped for critical hosts...
Compiling /etc/shorewall/routestopped...
Adding Anti-smurf Rules
WARNING: The 'norfc1918' option is deprecated
Compiling /usr/share/shorewall/rfc1918...
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
Generating Transitive Closure of Used-action List...
Processing /usr/share/shorewall/action.Reject for chain Reject...
Processing /usr/share/shorewall/action.Drop for chain Drop...
Compiling MAC Filtration -- Phase 2...
Applying Policies...
Generating Rule Matrix...
Creating iptables-restore input...
Compiling iptables-restore input for chains blacklst,mangle:...
Shorewall configuration compiled to /var/lib/shorewall/.restart
Processing /etc/shorewall/params ...
Restarting Shorewall....
Initializing...
Processing /etc/shorewall/init ...
Setting up ARP filtering...
Setting up Route Filtering...
Setting up Martian Logging...
Setting up Accept Source Routing...
Setting up Proxy ARP...
Setting up Traffic Control...
Preparing iptables-restore input...
Running /sbin/iptables-restore...
IPv4 Forwarding Enabled
Processing /etc/shorewall/start ...
Processing /etc/shorewall/started ...
done.

--------------------------------------------

/etc/squid$ /sbin/shorewall version
4.2.10

--------------------------------------------

/etc/squid$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1e:c9:55:54:09 brd ff:ff:ff:ff:ff:ff
    inet 88.196.75.122/30 brd 88.196.75.123 scope global eth0
    inet 192.168.67.15/24 brd 192.168.67.255 scope global eth0
    inet6 fe80::21e:c9ff:fe55:5409/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1a:70:11:be:86 brd ff:ff:ff:ff:ff:ff
    inet 192.168.3.1/24 brd 192.168.3.255 scope global eth1
    inet6 fe80::21a:70ff:fe11:be86/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

-------------------------------------------------

/etc/squid$ ip route show
88.196.75.120/30 dev eth0 proto kernel scope link src 88.196.75.122
192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
192.168.67.0/24 dev eth0 proto kernel scope link src 192.168.67.15
169.254.0.0/16 dev eth0 scope link
default via 88.196.75.121 dev eth0

Best Regards,
Arvi
On 09/19/2012 06:02 AM, Arvi Murel wrote:
> Hi!
>
> We use Shorewall squid to block unwanted web sites. In the file
> etc/squid/squid-block.acl is the web sites list. I removed one name
> from the list. For testing I removed from list all sites. Then I ran
> "etc/init.d/shorewall restart". But the web sites are still blocked.
> Before restart I made "shorewall check". Result is same. All those
> sites are blocked. Below is outputs of some command. Where is the
> problem?
>

Restarting Shorewall doesn't restart Squid!

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Ricardo Rios - Shorewall List
2012-Sep-19 15:10 UTC
Re: Problems with Shorewall squid changing
On 2012-09-19 10:45, Tom Eastep wrote:
> On 09/19/2012 06:02 AM, Arvi Murel wrote:
>
>> Hi! We use Shorewall squid to block unwanted web sites. In the file
>> etc/squid/squid-block.acl is the web sites list. I removed one name
>> from the list. For testing I removed from list all sites. Then I ran
>> "etc/init.d/shorewall restart". But the web sites are still blocked.
>> Before restart I made "shorewall check". Result is same. All those
>> sites are blocked. Below is outputs of some command. Where is the
>> problem?
>
> Restarting Shorewall doesn't restart Squid!
>
> -Tom

Why not !!!!! bad Tom bad :)

Arvi, what you need is to restart squid; you can do it by running "squid -k reconfigure" or "/usr/local/squid/sbin/squid -k reconfigure"

Regards
I think you can use "squid -k reconfigure" in "start" or "started", see http://shorewall.net/shorewall_extension_scripts.htm

On 19-09-2012 12:10, Ricardo Rios - Shorewall List wrote:
> On 2012-09-19 10:45, Tom Eastep wrote:
>
>> On 09/19/2012 06:02 AM, Arvi Murel wrote:
>>
>>> Hi! We use Shorewall squid to block unwanted web sites. In the file
>>> etc/squid/squid-block.acl is the web sites list. I removed one name
>>> from the list. For testing I removed from list all sites. Then I ran
>>> "etc/init.d/shorewall restart". But the web sites are still blocked.
>>> Before restart I made "shorewall check". Result is same. All those
>>> sites are blocked. Below is outputs of some command. Where is the
>>> problem?
>> Restarting Shorewall doesn't restart Squid!
>>
>> -Tom
> Why not !!!!! bad Tom bad :)
>
> Arvi, what you need is restart squid, you can do it by running "squid
> -k reconfigure" or "/usr/local/squid/sbin/squid -k reconfigure"
>
> Regards
On 9/19/12 4:05 PM, "José D. Grieco" <jdgrieco@ig.com.br> wrote:
>I think you can use "squid -k reconfigure" in "start" or "started", see
>http://shorewall.net/shorewall_extension_scripts.htm

That works, of course. But I think it is better to understand that Shorewall and Squid are separate independently-developed products and that they each have their own set of configuration files.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
Hi!

Thanks! The command line "/sbin/service squid reload" helped me.

Arvi

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Thursday, September 20, 2012 3:57 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] Problems with Shorewall squid changing

On 9/19/12 4:05 PM, "José D. Grieco" <jdgrieco@ig.com.br> wrote:
>I think you can use "squid -k reconfigure" in "start" or "started", see
>http://shorewall.net/shorewall_extension_scripts.htm

That works, of course. But I think it is better to understand that Shorewall and Squid are separate independently-developed products and that they each have their own set of configuration files.

-Tom
You do not need a parachute to skydive. You only need a parachute to skydive twice.
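Added example, not part of the thread and not Shorewall or Squid project code: a shell helper for the resolution reached above, which reloads Squid only when the block list has changed and runs `squid -k parse` first so that a broken edit does not replace the running filter. The ACL path is the one from the original post; `STAMP_FILE`, `SQUID_BIN` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: reload Squid when its block list changes. Shorewall is not involved.
# ACL_FILE is the path from the thread; STAMP_FILE and SQUID_BIN are assumptions.
ACL_FILE="${ACL_FILE:-/etc/squid/squid-block.acl}"
STAMP_FILE="${STAMP_FILE:-/var/run/squid-block.acl.cksum}"
SQUID_BIN="${SQUID_BIN:-squid}"

# Fingerprint of the current list (POSIX cksum; change detection only).
acl_fingerprint() {
    cksum < "$ACL_FILE"
}

# Succeeds when the list differs from what Squid last loaded through this script.
acl_changed() {
    [ -f "$STAMP_FILE" ] || return 0
    [ "$(acl_fingerprint)" != "$(cat "$STAMP_FILE")" ]
}

# Prints "unchanged" or "reconfigured"; returns non-zero without touching
# the running proxy when the list is unreadable or the config fails to parse.
reload_squid_if_changed() {
    if [ ! -r "$ACL_FILE" ]; then
        echo "cannot read $ACL_FILE" >&2
        return 2
    fi
    if ! acl_changed; then
        echo "unchanged"
        return 0
    fi
    if ! "$SQUID_BIN" -k parse >/dev/null 2>&1; then
        echo "squid -k parse failed; running configuration kept" >&2
        return 1
    fi
    "$SQUID_BIN" -k reconfigure || return 1
    acl_fingerprint > "$STAMP_FILE"
    echo "reconfigured"
}

if [ "${1:-}" = "run" ]; then
    reload_squid_if_changed
fi
```

Invoke the script with the argument `run` after editing the list; it never calls Shorewall, because the block list belongs to Squid's configuration only.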