For those interested, I just successfully set up a combination of www proxies on my firewall/dialout box for my internal network machines to use. One does this when one is still singing the "low speed internet blues".

Anyway, since it was reasonably interesting to configure, and since I could swear I saw someone ask about this exact pairing in the past few days, I thought I'd spend some time documenting how I did it.

This was for a SuSE 6.3 box running SuSEfirewall 2.5.

All machines, including the dialout/firewall are in:

    192.168.1.0/255.255.255.0

or if you like:

    192.168.1.0/24

The dialout/firewall is 192.168.1.1
Workstations are 192.168.1.101 102 103 and so on.

Ok, enough background.

First thing I did was ensure that the Squid2 proxy was installed by YAST1.

In /etc/rc.config I changed

    START_SQUID=no

to

    START_SQUID=yes

Then I edited the /etc/squid.conf file and made the following changes, right after the main ACL (access control list) section:

= = = cut here = = =
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
acl allowed_hosts src 192.168.1.0/255.255.255.0

http_access deny manager all
http_access allow allowed_hosts
http_access deny all
icp_access allow allowed_hosts
icp_access deny all
= = = cut here = = =

Those changes, other than the local 192.168.1.0/255.255.255.0 address definition were directly out of /usr/doc/packages/squid2/QUICKSTART for anyone wanting to go read more documentation.

Then I executed the following commands:

    /sbin/init.d/squid start
    /sbin/init.d/squid stop
    /sbin/init.d/squid start

(The manual has you stopping it and starting it again the first time to allow it to properly set things up like the caching directories).

So, squid's up and running, and presumably listening on port 3128 (the default). So I configured a Windows box's Internet Explorer to use a proxy of 192.168.1.1 port 3128.

Lo and behold, I'm up and running with Squid.

Time for Junkbuster...
(This gets more fun because we have to layer a proxy on top of a proxy).

Some might ask why I'd want to cache advertising banners only to deny them to workstations with junkbuster. Well, to me it seemed as if Squid2 had a much more option-rich configuration file, so I thought it prudent to put it closer to the internet. That way, if I didn't like junkbuster, I could remove it and reconfigure the browsers and still have a decent caching proxy.

Junkbuster isn't part of the SuSE distribution in 6.3 (at least not as far as I could find). I went out to www.junkbuster.com and downloaded their latest .Z package.

    http://www.junkbuster.com/ijb20.tar.Z

I then saved it in /root/junkbuster

    uncompress ijb20.tar.Z
    tar -xvf ijb20.tar
    cd ijb20
    vi README        (what, you don't all do this?) ;-)
    make
    cp junkbuster /usr/sbin/junkbuster
    chmod 755 /usr/sbin/junkbuster

Ok, that gets the executable good to go, now for the configuration files. I like to put configuration files in /etc, or a subdirectory of same. So:

    mkdir /etc/junkbuster
    mkdir /etc/junkbuster/samples
    cp *.ini /etc/junkbuster/samples        (nice to keep samples around)
    cp *.ini /etc/junkbuster
    cd /etc/junkbuster

(I didn't like the naming conventions of the configuration files. .ini? Windowsish; yuck.)

    mv junkbusr.ini junkbuster.conf
    mv saclfile.ini aclfile.conf
    mv sblock.ini block.conf
    mv scookie.ini cookie.conf
    mv sforward.ini forward.conf
    mv strust.ini trust.conf

Ok, time to edit the main configuration file, /etc/junkbuster/junkbuster.conf:

    vi /etc/junkbuster/junkbuster.conf

Change the following lines so that pathnames are explicitly mentioned. (Those beginning with # are commented out, but I figured it was better safe to make the changes now in case I wanted to activate those files in future).
    blockfile /etc/junkbuster/block.conf
    cookiefile /etc/junkbuster/cookie.conf
    logfile /var/junkbuster/log
    jarfile /var/junkbuster/jarfile
    forwardfile /etc/junkbuster/forward.conf
    #trustfile /etc/junkbuster/trust.conf
    #aclfile /etc/junkbuster/aclfile.conf

And then change the listen address so it defines the actual machine address we're listening on for the internal network:

    listen-address 192.168.1.1:8000

I also have it mess with the From: header a browser provides:

    from bender@bitemyshinymetalass.com

Ok, enough changes there. Before we go any further, make a directory to hold the logfiles and jarfiles we just configured in junkbuster.conf:

    mkdir /var/junkbuster

Now to tweak the other three active configuration files (block.conf, cookie.conf and forward.conf)

block.conf I download from:

    http://www.waldherr.org/blocklist

then I save/rename it as /etc/junkbuster/block.conf

And ensure it has the right permissions:

    chmod 644 block.conf

Next, let's edit the cookie.conf file:

    vi cookie.conf

I only add one line to this so I can sign into egroups to manage a couple of mailing lists I have there:

    egroups.com

Lastly, forward.conf. This is critical to working properly with squid!

    vi forward.conf

I add these lines to the end of that file:

    *               192.168.1.1:3128        .       .
    192.168.1.10    .                       .       .

What that means is that anything requested will be routed through 192.168.1.1:3128, which is the squid proxy. The second line says that I don't want to cache anything off my file server machine at 192.168.1.10 if I contact its web server. It's a 100 Mb/s internal network with 5 machines, why would I want to clog the firewall's cache with that?

Well, with that done, it's time to go make an /sbin/init.d/junkbuster init script. (Are we having fun yet?) Here's mine:

= = = begin /sbin/init.d/junkbuster = = =
#! /bin/sh
# Copyright (c) 1996-99 SuSE Gmbh Nuernberg, Germany. All rights reserved.
#
# Author: Florian La Roche
#
# /sbin/init.d/junkbuster
#

. /etc/rc.config

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_JUNKBUSTER=yes
test "$START_JUNKBUSTER" = yes || exit 0

# The echo return value for success (defined in /etc/rc.config).
return=$rc_done
case "$1" in
    start)
        echo -n "Starting WWW-proxy junkbuster:"
        startproc /usr/sbin/junkbuster /etc/junkbuster/junkbuster.conf || return=$rc_failed
        echo -e "$return"
        ;;
    stop)
        echo -n "Shutting down WWW-proxy junkbuster:"
        killproc -TERM /usr/sbin/junkbuster || return=$rc_failed
        echo -e "$return"
        ;;
    status)
        echo -n "Checking for WWW-proxy junkbuster: "
        checkproc /usr/sbin/junkbuster && echo OK || echo No process
        ;;
    restart)
        $0 stop && $0 start || return=$rc_failed
        ;;
    reload)
        echo -n "Reloading WWW-proxy junkbuster:"
        $0 stop && $0 start || return=$rc_failed
        ;;
    *)
        echo "Usage: $0 {start|stop|status|restart|reload}"
        exit 1
esac

# Inform the caller not only verbosely and set an exit status.
test "$return" = "$rc_done" || exit 1
exit 0
= = = end /sbin/init.d/junkbuster = = =

I'd suggest copying /sbin/init.d/squid to /sbin/init.d/junkbuster and making changes as I've shown above. That'll help you avoid the whole line-wrap problem you might get by using it straight out of my email. There are things in squid's init script that don't belong in junkbuster's as well.
Ensure the proper permissions:

    chmod 744 /sbin/init.d/junkbuster

Make the automatic start and stop links for runlevels 2 & 3:

    ln -s /sbin/init.d/junkbuster /sbin/init.d/rc2.d/S20junkbuster
    ln -s /sbin/init.d/junkbuster /sbin/init.d/rc2.d/K20junkbuster
    ln -s /sbin/init.d/junkbuster /sbin/init.d/rc3.d/S20junkbuster
    ln -s /sbin/init.d/junkbuster /sbin/init.d/rc3.d/K20junkbuster

Now we need to add the following to /etc/rc.config so the automatic scripts will know to start junkbuster up on boot:

    START_JUNKBUSTER="yes"

If you're running SuSEfirewall (I run version 2.5), you might want to edit /etc/rc.firewall and edit the FW_REDIRECT_TCP and UDP options. I *was* trying to get all requests to port 80 from any of my desktop machines to automatically redirect to 192.168.1.1:8000 so all requests would automatically start at the junkbuster proxy, which would call the squid proxy, which would cough up the information you wanted. I haven't been very successful with this, and I still have to configure the browsers at the workstations to manually use 192.168.1.1:8000 as their proxy server.

Anyway, here's the lines. Maybe someone else will have more luck at making the proxy-pair truly transparent:

    FW_REDIRECT_TCP="192.168.1.0/24,0/0,80,8000"
    FW_REDIRECT_UDP=""

If you made changes to /etc/rc.firewall, do a:

    /sbin/init.d/firewall restart

Start junkbuster up:

    /sbin/init.d/junkbuster start

Pray for:

    Starting WWW-proxy junkbuster: done

Ok, go to a browser on a workstation, and configure it to use a proxy address of 192.168.1.1 port 8000. Keep your fingers crossed.

That should cover it. There's the possibility I made a few errors in this email, I was documenting after the fact, and removed any trial & error mistakes I made during the discovery process. Hopefully someone will find it useful though.
Argentium
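
Squid checks the http_access lines in the squid.conf excerpt of this post from top to bottom, and the first line whose ACLs all match decides the request. The script below is an added example, not part of the original post: it walks that rule set for three constructed requests, assuming the `all` and `manager` ACLs are defined as in the stock Squid 2 squid.conf; the function names are made up for the illustration.

```shell
#!/bin/sh
# Added example: evaluates Squid http_access rules in order for a sample request.
# Constructed rule set: the post's rules plus the "all" and "manager" ACLs,
# assumed here to be defined as in the stock Squid 2 squid.conf.
RULES='acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl allowed_hosts src 192.168.1.0/255.255.255.0
http_access deny manager all
http_access allow allowed_hosts
http_access deny all'

ip2int() {  # dotted quad -> integer
  old=$IFS; IFS=.; set -- $1; IFS=$old
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

acl_matches() {  # $1=ACL name  $2=client IP  $3=request protocol
  def=$(printf '%s\n' "$RULES" | awk -v n="$1" '$1=="acl" && $2==n {print $3, $4; exit}')
  set -- $def "$2" "$3"          # now: type value client-IP protocol
  case $1 in
    src)   net=$(ip2int "${2%/*}"); mask=$(ip2int "${2#*/}")
           [ $(( $(ip2int "$3") & mask )) -eq $(( net & mask )) ] ;;
    proto) [ "$2" = "$4" ] ;;
    *)     return 1 ;;           # unknown ACL name or type: no match
  esac
}

squid_decision() {  # $1=client IP  $2=protocol; prints allow or deny
  last=deny
  while read -r kw action acls; do
    [ "$kw" = http_access ] || continue
    ok=1
    for a in $acls; do           # every ACL on the line must match (AND)
      acl_matches "$a" "$1" "$2" || { ok=0; break; }
    done
    [ "$ok" -eq 1 ] && { echo "$action"; return 0; }   # first match decides
    last=$action
  done <<EOF
$RULES
EOF
  # Nothing matched: Squid applies the opposite of the last rule's action.
  [ "$last" = allow ] && echo deny || echo allow
}

for req in "192.168.1.101 http" "203.0.113.7 http" "192.168.1.101 cache_object"; do
  set -- $req
  echo "$1 $2 -> $(squid_decision "$1" "$2")"
done
```

The third request shows the effect of rule order: a workstation inside 192.168.1.0/24 is still refused the cache manager, because the `deny manager all` line is reached before `allow allowed_hosts`.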