Squid 3.0 fails to start? vulnerability????
I just installed Squid 3.0 and it won't start. Is there a bug or vulnerability in it, or is it a problem with 3.0? Here is what squid -k parse says when I try to start it on my SuSE 9.0 box. The same thing is in the logs. Sorry if this is off topic, but Squid is going to help protect Exchange so it's security related, I think.
gateway:~ # squid -k parse
FATAL: ERROR: Unknown policy lru
Squid Cache (Version 3.0-PRE3): Terminated abnormally.
CPU Usage: 0.008 seconds = 0.006 user + 0.002 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 504
Aborted
Thanks, Eric
-----Original Message-----
From: Eric Kahklen
I just installed Squid 3.0 and it won't start. Is there a bug or vulnerability in it, or is it a problem with 3.0? Here is what squid -k parse says when I try to start it on my SuSE 9.0 box. The same thing is in the logs. Sorry if this is off topic, but Squid is going to help protect Exchange so it's security related, I think.
gateway:~ # squid -k parse
FATAL: ERROR: Unknown policy lru
vi /etc/squid.conf and search for lru. There are notes that explain what the setting is and alternatives.
Ken
I did and both were commented out. Should I just try all of the combinations to see which method works? Thanks, Eric
Ken Schneider wrote:
-----Original Message-----
From: Eric Kahklen
To: suse-security@suse.com
Date: Thu, 19 Feb 2004 12:52:55 -0800
Subject: [suse-security] Squid 3.0 fails to start? vulnerability????
I just installed Squid 3.0 and it won't start. Is there a bug or vulnerability in it, or is it a problem with 3.0? Here is what squid -k parse says when I try to start it on my SuSE 9.0 box. The same thing is in the logs. Sorry if this is off topic, but Squid is going to help protect Exchange so it's security related, I think.
gateway:~ # squid -k parse
FATAL: ERROR: Unknown policy lru
vi /etc/squid.conf and search for lru. There are notes that explain what the setting is and alternatives.
Ken
My teenage daughter spends all her time at home chatting on MSN. It distracts her completely from being civil to her family and actually concentrating on her homework.
It's hard to ration because she does (sometimes) use her computer for study. If I just turn off her access to the internet she will appear with some reason she needs to connect.
How can I turn on a block on MSN so there is only 1 hour a day it works?
The house server (Suse8.2 soon to be 9.0) has the ADSL connection and runs SuSEfirewall2, NAT, squid, DNS, etc.
Thanks for any pointers, michaelj
PS: The solution need not be very watertight, I would be delighted if she learned enough about networks to circumvent it.
-- 
Michael James   michael.james@csiro.au
System Administrator   voice: 02 6246 5040
CSIRO Bioinformatics Facility   fax: 02 6246 5166
I imagine you could cron an iptables command (well two, one to accept and then one to deny an hour later). I'm not familiar with SuSEfirewall2, not sure if raw iptables commands are compatible with it.
Joel
Michael James wrote:
My teenage daughter spends all her time at home chatting on MSN. It distracts her completely from being civil to her family and actually concentrating on her homework.
It's hard to ration because she does (sometimes) use her computer for study. If I just turn off her access to the internet she will appear with some reason she needs to connect.
How can I turn on a block on MSN so there is only 1 hour a day it works?
The house server (Suse8.2 soon to be 9.0) has the ADSL connection and runs SuSEfirewall2, NAT, squid, DNS, etc.
Thanks for any pointers, michaelj
PS: The solution need not be very watertight, I would be delighted if she learned enough about networks to circumvent it.
On Fri, 2004-02-20 at 08:47, Joel Luth wrote:
I imagine you could cron an iptables command (well two, one to accept and then one to deny an hour later). I'm not familiar with SuSEfirewall2, not sure if raw iptables commands are compatible with it.
Currently I use a similar setup to allow ftp after hours. If you're interested, I can send you the script, crontab entries and config files. Hey, I can even customise them for MSN messenger.
Joel
Michael James wrote:
My teenage daughter spends all her time at home chatting on MSN. It distracts her completely from being civil to her family and actually concentrating on her homework.
It's hard to ration because she does (sometimes) use her computer for study. If I just turn off her access to the internet she will appear with some reason she needs to connect.
How can I turn on a block on MSN so there is only 1 hour a day it works?
The house server (Suse8.2 soon to be 9.0) has the ADSL connection and runs SuSEfirewall2, NAT, squid, DNS, etc.
Thanks for any pointers, michaelj
PS: The solution need not be very watertight, I would be delighted if she learned enough about networks to circumvent it.
-- 
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
On Friday 20 February 2004 07:07, Michael James wrote:
How can I turn on a block on MSN so there is only 1 hour a day it works?
The house server (Suse8.2 soon to be 9.0) has the ADSL connection and runs SuSEfirewall2, NAT, squid, DNS, etc.
Since you're running Squid already, I would suggest solving it there. If you didn't modify the 'Safe_ports', the port MSN chat uses (1863 if I'm not mistaken) is in the defined ones. Remove it from this range (by splitting the 1025-65535 region in two, excluding this port) and create a new set of rules, only allowing access to that port at a certain time of the day for your daughter. Read up on the ACL settings of Squid. I wouldn't mess with your firewall if you have Squid running already (if you need to solve things like this in your firewall, what's the point of using proxies then...)
Best regards, Arjen
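As an added example, not taken from any message in this thread, here is how that Safe_ports split and a time-limited allow rule could look in squid.conf. The client address 192.168.1.50 and the 19:00-20:00 window are assumptions, and like any http_access rule this only governs traffic that actually passes through Squid.

```conf
# Added example (not from the thread): remove TCP 1863 from Safe_ports and
# allow it from one client only during a one-hour window each day.
# The client address 192.168.1.50 and the 19:00-20:00 window are assumptions.

# The stock squid.conf has "acl Safe_ports port 1025-65535"; split that
# range in two so that 1863 is no longer covered by Safe_ports.
acl Safe_ports port 80 21 443 70 210 280 488 591 777
acl Safe_ports port 1025-1862
acl Safe_ports port 1864-65535

# The port MSN chat uses, and the machine that is allowed to reach it.
acl msn_port port 1863
acl msn_host src 192.168.1.50

# Squid time ACL: day letters (S M T W H F A = Sun..Sat) and HH:MM-HH:MM.
acl msn_hour time SMTWHFA 19:00-20:00

# Order matters: the allow rule must come before the generic denies,
# and all of these must precede "http_access deny !Safe_ports".
http_access allow msn_port msn_host msn_hour
http_access deny  msn_port
http_access deny  !Safe_ports
```

Attempts outside the window are denied with the usual access.log entry, which is also how you would confirm which other ports or hosts the client actually uses.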
On Fri, 2004-02-20 at 10:11, Arjen de Korte wrote:
On Friday 20 February 2004 07:07, Michael James wrote:
How can I turn on a block on MSN so there is only 1 hour a day it works?
The house server (Suse8.2 soon to be 9.0) has the ADSL connection and runs SuSEfirewall2, NAT, squid, DNS, etc.
Since you're running Squid already, I would suggest solving it there. If you didn't modify the 'Safe_ports', the port MSN chat uses (1863 if I'm not mistaken) is in the defined ones. Remove it from this range (by splitting the 1025-65535 region in two, excluding this port) and create a new set of rules, only allowing access to that port at a certain time of the day for your daughter. Read up on the ACL settings of Squid. I wouldn't mess with your firewall if you have Squid running already (if you need to solve things like this in your firewall, what's the point of using proxies then...)
So, are you saying that squid can proxy any protocol?
Best regards, Arjen
-- 
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
On Friday 20 February 2004 09:23, Ray Leach wrote:
So, are you saying that squid can proxy any protocol?
No, I'm saying that because MSN Chat is able to work via a proxy (AFAIK), security-wise it is probably a better solution than using masquerading of the internal network and firewalling the ports in question. Since there is a Squid proxy on the network already, this will provide far better granularity for whom and when to block access and will provide much better access (proxy authentication comes to mind) and logging facilities than you'll ever get with a masquerading/firewall based approach. Therefore I think it is a better solution to block access on the proxy. One may need to block other ports/hosts than I mentioned previously, but this can be done fairly easily once you have gathered a few days' worth of proxy access logfiles and know which ports and hosts the girl in question needs for chatting.
Best regards, Arjen
On Fri, 2004-02-20 at 17:25, Arjen de Korte wrote:
On Friday 20 February 2004 09:23, Ray Leach wrote:
So, are you saying that squid can proxy any protocol?
No, I'm saying that because MSN Chat is able to work via a proxy (AFAIK), security-wise it is probably a better solution than using masquerading of the internal network and firewalling the ports in question.
Except that MSN Messenger is a crafty little piece of cr#p. It uses UPnP (initially on TCP port 1863) to try and find a way through the firewall and bypass the squid proxy.
Since there is a Squid proxy on the network already, this will provide far better granularity for whom and when to block access and will provide much better access (proxy authentication comes to mind) and logging facilities than you'll ever get with a masquerading/firewall based approach. Therefore I think it is a better solution to block access on the proxy.
If there is a squid proxy on the network, then it should have ACLs similar to these in order to block MSN messenger:
# req_mime_type matches the request Content-Type header; the MSN Messenger
# client sends "application/x-msn-messenger" when tunnelling over HTTP.
acl msnmessenger req_mime_type -i ^application/x-msn-messenger$
http_access deny msnmessenger
One may need to block other ports/hosts than I mentioned previously, but this can be done fairly easily once you have gathered a few days worth of proxy access logfiles and know which ports and hosts the girl in question needs for chatting.
Best regards, Arjen
-- 
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
On Saturday 21 February 2004 19:34, Ray Leach wrote:
No, I'm saying because MSN Chat is able to work via a proxy AFAIK, security wise it is probably a better solution than using masquerading of the internal network and firewalling the ports in question. Except that MSN Messenger is a crafty little piece of cr#p. It uses UPnP (initially on TCP port 1863) to try and find a way through the firewall and bypass the squid proxy.
If you don't have a router between internal and external networks (only allow connections through proxies), MSN Chat will HAVE to use the Squid proxy. As far as I know SuSE doesn't even ship a UPnP-aware firewall (if any exists for Linux at all), so the risk that it manages to punch a hole in your precious firewall is virtually non-existent. It may try to bypass the proxy, but it will most certainly fail to do so.
Best regards, Arjen
I tried replacing the two lines with lru with the following:
cache_replacement_policy heap
memory_replacement_policy heap
With this it starts up fine. I am not sure what "heap" does. I understand the concept of lru and the others. I am not trying to set squid up in a regular proxy fashion, but in a reverse proxy manner, so I wouldn't think I need a cache anyway. Thanks, Eric
Ken Schneider wrote:
-----Original Message-----
From: Eric Kahklen
To: suse-security@suse.com
Date: Thu, 19 Feb 2004 12:52:55 -0800
Subject: [suse-security] Squid 3.0 fails to start? vulnerability????
I just installed Squid 3.0 and it won't start. Is there a bug or vulnerability in it, or is it a problem with 3.0? Here is what squid -k parse says when I try to start it on my SuSE 9.0 box. The same thing is in the logs. Sorry if this is off topic, but Squid is going to help protect Exchange so it's security related, I think.
gateway:~ # squid -k parse
FATAL: ERROR: Unknown policy lru
vi /etc/squid.conf and search for lru. There are notes that explain what the setting is and alternatives.
Ken
participants (6)
- Arjen de Korte
- Eric Kahklen
- Joel Luth
- Ken Schneider
- Michael James
- Ray Leach