Hi!

medwinz wrote:
> Hi all,
> I am trying to set up a transparent proxy on 10.3 using squid from the DVD (squid -v shows that it is 2.6.STABLE14). I configured the SuSEfirewall to redirect port 80 to 8080:
> FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"
> In squid I configured:
> http_port 8080 transparent
> If I look with netstat I see that all traffic is forwarded to 8080, but when I look with iptraf there is traffic that is not forwarded to 8080.
> Am I missing something?
> Any help really appreciated.
> regards, medwinz

Squid - or the things catching a hover boat in a special movie ...
First of all, try to find out what you intend to do with your squid. There are a lot of facts to keep in mind. Squid does not run by typing some randomly written lines or without a better knowledge of how it works and what you can do with it. First of all, logging: what to log and for which group of people, and with this you may get into trouble in some cases (for private purposes never mind). Do you run an Apache webserver as well? Then you can accelerate it with squid as well. Do you run squid alone in the dark, or as a content filter and/or online virus protection? Do you like small files to be stored too, or, what I prefer to keep the lifetime of your hdd high, only cache bigger files (some may have another idea of it)? Squid can be run as a caching proxy as well. Find a solution on different websites (Google will help you a lot with wisely chosen search syntax).

If you know what you want, then first of all try to set up squid and check the function with a manually set up proxy in your browser of choice. If it isn't running (type "/etc/init.d/squid status" in a console, then watch the output with Ctrl + up/down for scrolling), then try to set up ACL lines before restarting it. You can even check with "less /var/log/messages | grep squid" what syslog says. I would start at a clean setup and copy the config file to a backup location before doing any changes; comment each line you edit with your name and the date of the change for later error finding.

I used it as a caching server and HTTP accelerator combined with squidguard and a list of spyware and evil domains updated via script (this would be too much to mention here), and the server itself as a dial-up gateway for my webpages. As you can see, logging is off and only files >2k and <1024k are cached. If you would like to not cache anything, set the sizes vice versa (minimum greater than maximum) and intend to use it as a content filter (like I did); anyway some parts will be kept in mem cache.
Change YOURDOMAIN.TDL to your needs, and the same for EXTERNAT_IP_Firewall, INTERNAL_IP_Firewall and SECRET. As the network I chose 192.168.1.0/24 here; change this to your needs as well. This is the config I used, without the lines for my squidguard:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
acl APACHE dstdomain .YOURDOMAIN.TDL
always_direct allow APACHE
cache_mem 48 MB
maximum_object_size 1024 KB
minimum_object_size 2 KB
maximum_object_size_in_memory 128 KB
ipcache_size 8192
fqdncache_size 16384
cache_dir ufs /var/cache/squid 128 16 256 read-only
cache_access_log /dev/null
cache_log /dev/null
cache_store_log /dev/null
mime_table /usr/share/squid/mime.conf
pid_filename /var/run/squid.pid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 280 488 591 777 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.1.0-192.168.1.255
acl extern_eth0 src EXTERNAT_IP_Firewall
acl inter_eth1 src INTERNAL_IP_Firewall
acl worm urlpath_regex -i \.eml$
http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny worm
http_access allow localnet
http_access deny all
no_cache deny QUERY
icp_access deny all
cache_mgr webmaster@YOURDOMAIN.TDL
cache_effective_user squid
cache_effective_group nogroup
log_icp_queries off
cachemgr_passwd SECRET all
buffered_logs off

Firewall

After squid works for you, start to configure the firewall. What you have should be enough:

FW_REDIRECT="192.168.1.0/24,0/0,tcp,80,8080"

Add rules allowing your services locally:

FW_SERVICES_INT_TCP="WHAT_EVER_PORTS_BEFORE 8080 WHAT_EVER_MORE_PORTS"

or limit it to your local net:

FW_TRUSTED_NETS="192.168.1.0/24,tcp,3128"

Restart the firewall and squid and check again.
HTH

Best Regards
Philippe

-- 
This message is digitally signed and carries neither a seal nor a handwritten signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the LG Berlin of 2 Aug 1998, case no. 16 O 201/98). Any commercial use of the transmitted personal data, or passing it on to third parties, is expressly prohibited!
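The http_access block in the reply above decides each request by the first matching line, so the order of those lines is the policy. What follows is an added example, not code from this thread or from the Squid project: a small Python evaluator that parses the acl/http_access lines copied from the config above and reports which line decides a sample request, under a simplified model of Squid's semantics (only the src, port, method, proto and urlpath_regex ACL types; a line matches when every ACL on it matches, "!" negates; if nothing matches the verdict is the opposite of the last line; unresolved placeholders such as EXTERNAT_IP_Firewall never match). Run over a few constructed requests it shows that a plain GET from 192.168.1.0/24 is allowed by the "allow localnet" line, a CONNECT to port 80 is stopped by "deny CONNECT !SSL_ports", a port 22 request is stopped by "deny !Safe_ports", and, because "http_access allow manager" stands alone above "deny manager", a cache_object request from outside the LAN is accepted by the very first line, leaving cachemgr_passwd as the only control on the manager interface. That last verdict is the kind of ordering issue such a dry run is meant to surface before the config goes live.

```python
"""First-match evaluator for Squid 2.x http_access rules (added example, not
code from the thread or the Squid project). Model: an http_access line matches
when every ACL on it matches ("!" negates); the first matching line decides;
if no line matches, the verdict is the opposite of the last line's action."""
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Request:
    src: str                  # client IP
    port: int                 # destination port
    method: str = "GET"
    proto: str = "http"       # "cache_object" for cachemgr requests
    path: str = "/"

def parse_squid_conf(text):
    """Return (acls, rules): name -> (type, args) and [(action, [(negated, name)])]."""
    acls, rules = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":       # repeated acl lines merge
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def _src_match(args, ip):
    addr = ipaddress.ip_address(ip)
    for spec in args:
        try:
            if "/" in spec:        # CIDR, or dotted mask as in 0.0.0.0/0.0.0.0
                net, mask = spec.split("/", 1)
                if "." in mask:
                    mask = bin(int(ipaddress.ip_address(mask))).count("1")
                if addr in ipaddress.ip_network(f"{net}/{mask}", strict=False):
                    return True
            else:                  # single address or a.b.c.d-e.f.g.h range
                lo, _, hi = spec.partition("-")
                if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi or lo):
                    return True
        except ValueError:         # unresolved placeholder such as EXTERNAT_IP_Firewall
            continue
    return False

def _port_match(args, port):       # "80" or "1025-65535"
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (spec.partition("-") for spec in args))

def acl_matches(acls, name, req):
    acl_type, args = acls[name]
    if acl_type == "src":
        return _src_match(args, req.src)
    if acl_type == "port":
        return _port_match(args, req.port)
    if acl_type == "method":
        return req.method.upper() in {a.upper() for a in args}
    if acl_type == "proto":
        return req.proto.lower() in {a.lower() for a in args}
    if acl_type == "urlpath_regex":
        flags, pats = (re.IGNORECASE, args[1:]) if args[:1] == ["-i"] else (0, args)
        return any(re.search(p, req.path, flags) for p in pats)
    raise ValueError(f"unsupported acl type: {acl_type}")

def evaluate(acls, rules, req):
    """Return (verdict, index of the deciding http_access line or None)."""
    for i, (action, terms) in enumerate(rules):
        if all(acl_matches(acls, name, req) != neg for neg, name in terms):
            return action, i
    last = rules[-1][0] if rules else "allow"   # no rules at all: Squid denies
    return ("deny" if last == "allow" else "allow"), None

# ACL and http_access lines copied from the config in the reply above
SAMPLE_CONF = r"""
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 280 488 591 777 443 563 70 210 1025-65535
acl CONNECT method CONNECT
acl localnet src 192.168.1.0-192.168.1.255
acl extern_eth0 src EXTERNAT_IP_Firewall
acl worm urlpath_regex -i \.eml$
http_access allow manager
http_access allow localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny worm
http_access allow localnet
http_access deny all
"""

def check(req, conf=SAMPLE_CONF):
    """Verdict for one constructed request against the sample config."""
    acls, rules = parse_squid_conf(conf)
    return evaluate(acls, rules, req)
```

Call check(Request("192.168.1.5", 80)) for a LAN client, check(Request("10.0.0.5", 80)) for an outside host, or check(Request("10.0.0.5", 3128, proto="cache_object")) for a cachemgr request; the returned index counts http_access lines from zero in file order, so index 0 is "allow manager" and index 7 is "deny all". Swap SAMPLE_CONF for your own squid.conf text to dry-run a changed ACL order before restarting squid.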