Hi everybody,

I have a problem with SuSEfirewall2 in SuSE 8.2 I can't seem to get solved. I have a dial-in server I want to run squid and the firewall in parallel on, so users can surf with squid as proxy and cache, and connect to the internet with my box as a simple forwarding router on all other protocols.

When I disable SuSEfirewall2, squid works as intended, but, of course, no IP forwarding is done. When I start up SuSEfirewall2, I get connection timeout errors from squid, but the forwarding works as I expect. I figure that the connections to port 3128 (where I have squid listening) are forwarded somewhere else? I have a Samba server on my box as well; this is not affected but works with and without the firewall.

My relevant settings in /etc/sysconfig/SuSEfirewall2 (hope I caught all relevant ones):

FW_QUICKMODE="no"
FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0 eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_SERVICES_EXT_TCP="139 3128 http ssh"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_KERNEL_SECURITY="yes"
FW_REDIRECT=""   # i tried "192.168.0.0/16,0/0,tcp,80,3128" as well, without success

Thanks for any help

Helge
* helge preuss; <scout@hyperspace-travel.de> on 05 Feb, 2005 wrote:
> My relevant settings in /etc/sysconfig/SuSEfirewall2 (hope I caught all relevant ones):
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="ippp0"
> FW_DEV_INT="eth0 eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"

Consider defining your internal LAN that is needing masquerade.

> FW_SERVICES_EXT_TCP="139 3128 http ssh"

You sure do not want to have 139 and 3128 in the EXT_TCP unless you want to have the whole world access Windows machines in your net and allow proxy for everyone in the internet.

FE_SERVICES_EXT_TCP="139 3128" is what you want.

FW_REDIRECT="192.168.0.0/16,0/0,tcp,80,3128" should work afterwards, provided your squid is correctly configured.

Since you are using 8.2 I would recommend the SuSEfirewall guide at http://sourceforge.net/projects/susefaq

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list;
http://susefaq.sf.net | Please don't put me in TO/CC.
Nisi defectum, haud refiecendum
helge preuss wrote:
> Hi everybody,
>
> I have a problem with SuSEfirewall2 in SuSE 8.2 I can't seem to get solved. I have a dial-in server I want to run squid and the firewall in parallel on, so users can surf with squid as proxy and cache, and connect to the internet with my box as a simple forwarding router on all other protocols.
>
> When I disable SuSEfirewall2, squid works as intended, but, of course, no IP forwarding is done. When I start up SuSEfirewall2, I get connection timeout errors from squid, but the forwarding works as I expect. I figure that the connections to port 3128 (where I have squid listening) are forwarded somewhere else? I have a Samba server on my box as well; this is not affected but works with and without the firewall.
>
> My relevant settings in /etc/sysconfig/SuSEfirewall2 (hope I caught all relevant ones):
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="ippp0"
> FW_DEV_INT="eth0 eth1"

Are you sure you have 2 NICs for your internal network?

> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"

Based on the below, you should set this to 192.168.0.0/24 (not 16).

> FW_SERVICES_EXT_TCP="139 3128 http ssh"

Are you running an http server? If not, this should be just ssh or 22. You should add 139 3128 80 to FW_SERVICES_INT_TCP, and add 137 138 to FW_SERVICES_INT_UDP.

> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_SQUID="yes"
> FW_SERVICE_SAMBA="yes"
> FW_KERNEL_SECURITY="yes"
> FW_REDIRECT=""   # i tried "192.168.0.0/16,0/0,tcp,80,3128" as well, without success

This should be 192.168.0.0/24,0/0,tcp,80,3128 as long as squid is configured as a transparent proxy. If not, you need to set up the proxy in each client machine, and FW_REDIRECT is not needed.

HTH

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
Thank you Togan and Joe,

I have taken your hints and changed some variables as follows:

FW_MASQ_NETS="192.168.0.0/16"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_INT_TCP="139 3128 http"
FW_SERVICES_INT_UDP="137 138"

(Oh yes, I have two NICs, and I think 192.168.0.0/16 is the correct network in my case.)

This works with squid as a non-transparent proxy, if I set FW_REDIRECT="". However, if I set FW_REDIRECT="192.168.0.0/16,0/0,tcp,80,3128", not the full URL is transmitted from the client to squid. More precisely, the protocol and hostname parts are truncated. So squid bails out with errors like
While trying to retrieve the URL: / <http://www.google.de/imghp?hl=en&tab=wi&q=>
The following error was encountered: Invalid URL
I haven't fiddled with the squid.conf, except for these two lines:

acl our_networks src 192.168.1.0/24 192.168.2.0/24
http_access allow our_networks

I'm scanning the SuSEfirewall guide right now, but it's a long document, and I haven't found any tips on situations like mine at first glance. So if anyone came up with a pointer, I'd be grateful.

Helge
helge preuss wrote:
> This works with squid as a non-transparent proxy, if I set FW_REDIRECT="". However, if I set FW_REDIRECT="192.168.0.0/16,0/0,tcp,80,3128", not the full URL is transmitted from the client to squid. More precisely, the protocol and hostname parts are truncated. So squid bails out with errors like
>
> While trying to retrieve the URL: / <http://www.google.de/imghp?hl=en&tab=wi&q=>
>
> The following error was encountered: Invalid URL
>
> I haven't fiddled with the squid.conf, except for these two lines:
>
> acl our_networks src 192.168.1.0/24 192.168.2.0/24
> http_access allow our_networks

You need to set up squid as a transparent proxy. Check the HTTPD-ACCELERATOR OPTIONS section. Add in the appropriate lines:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
Then, after editing /etc/squid/squid.conf with the above, rcsquid restart to have the changes take effect. Then, re-edit the FW_REDIRECT line and you will be good to go.
> I'm scanning the SuSEfirewall guide right now, but it's a long document, and I haven't found any tips on situations like mine at first glance.

Our office server is similar, 8.2, with squid and dial-in, etc., so I've been there, done that.

--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
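An added illustration (not code from the thread, from squid or from SuSEfirewall2) of why the intercepted request shows up in squid as the bare URL "/": a browser whose port-80 traffic is redirected by FW_REDIRECT believes it talks to the origin server and sends only the path in the request line, so the hostname must be recovered from the Host: header, which is what the httpd_accel_uses_host_header setting enables. The two request byte strings are constructed samples; the hostname is the one from the error message above.

```python
from typing import Dict, Optional, Tuple


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, request-target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def resolve_url(raw: bytes, use_host_header: bool) -> Optional[str]:
    """Return the absolute URL a proxy should fetch, or None for 'Invalid URL'.

    A client configured to use the proxy sends an absolute URI in the request
    line.  A client that was transparently REDIRECTed by the firewall sends
    only the path (it thinks it is talking to the web server itself), so the
    hostname survives only in the Host: header.  use_host_header models the
    squid option httpd_accel_uses_host_header (assumption: simplified model).
    """
    _method, target, headers = parse_request(raw)
    if target.startswith("http://") or target.startswith("https://"):
        return target                       # explicit (non-transparent) proxy request
    if not target.startswith("/"):
        return None                         # neither absolute-URI nor origin-form
    if use_host_header and "host" in headers:
        return "http://" + headers["host"] + target   # rebuilt from Host: header
    return None                             # what squid reports as "Invalid URL"


# Constructed sample requests: the same page fetched through a configured
# proxy and fetched after a transparent port-80 redirect.
EXPLICIT_PROXY_REQUEST = (
    b"GET http://www.google.de/imghp?hl=en HTTP/1.1\r\n"
    b"Host: www.google.de\r\n\r\n"
)
INTERCEPTED_REQUEST = (
    b"GET /imghp?hl=en HTTP/1.1\r\n"
    b"Host: www.google.de\r\n\r\n"
)

if __name__ == "__main__":
    print(resolve_url(EXPLICIT_PROXY_REQUEST, use_host_header=False))
    print(resolve_url(INTERCEPTED_REQUEST, use_host_header=False))  # None
    print(resolve_url(INTERCEPTED_REQUEST, use_host_header=True))
```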