Re: [Leaf-user] Squid redirect dachstein floppy
Kevin Kropf wrote:
> I am not that familiar with ipchains and was hoping for a little more detail. I put together the following command from the info on the squid FAQ:
>
>     $IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128
>
> However I am not sure what else is needed and where to put it in ipfilter.conf
>
> Thanks for any help on this.

Todd Pearsall replied:
> You can create a file in /etc named ipchains.input and add the command:
>
>     ipchains -A input -p tcp -d 0/0 www -j REDIRECT 3128
>
> If you are worried about users bypassing the proxy you can add the following to block non-proxy web traffic:
>
>     ipchains -A input -p tcp -i eth1 -d 0/0 www -j REJECT
>
> With those lines added, type
>
>     svi network ipfilter reload
>
> This will reload the rules including the ones in the /etc/ipchains.input file.
>
> Charles added the ipchains.input, ipchains.output and ipchains.forward capability so you could extend the rules w/o editing the ipfilter.conf directly.

As Todd mentioned, the place for this rule is /etc/ipchains.input. There are a few other things to be aware of, however.

One big issue is the fact that inbound connections to high ports (>=1024) are allowed by the default firewall rules. In addition to configuring squid so it only answered requests from internal network(s), I'd also want to block inbound connection attempts to squid from the internet. Port-scanners have taken to using proxies (as well as zombies) to do their port-scanning dirty work for them, and I'm sure you don't want that happening with your systems.

Anyway, start with a deny of any squid requests from the internet:

    $IPCH -A input -p tcp -d 0/0 3128 -i $EXTERN_IF -j DENY

If you're running (or port-forwarding) a web server from your LRP box, you need rules to allow that traffic rather than redirecting it to squid.

For internal access to weblet, you need something like:

    $IPCH -A input -j ACCEPT -p tcp -d $INTERN_IP www -i $INTERN_IF

For a publicly visible webserver, you need something like the following, due to where the ipchains.input file rules get added to the overall rule-chain:

    $IPCH -A input -j ACCEPT -p tcp -d $EX_IP www -i $EXTERN_IF

Finally, you can redirect all other web queries to your squid proxy:

    $IPCH -A input -j REDIRECT 3128 -p tcp -d 0/0 www

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
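
The rule order described in the message above, modelled as a first-match evaluator (an added example, not part of the original thread). Interface names, addresses and the sample packets are constructed placeholders; the second rule list shows what changes if the catch-all redirect is placed ahead of the ACCEPT rules.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders (assumptions, not values from the thread).
EXTERN_IF, INTERN_IF = "eth0", "eth1"
EX_IP, INTERN_IP = "203.0.113.10", "192.168.1.254"
ANY = "0.0.0.0/0"
FALLTHROUGH = "continue to the default rules"

# (interface or None for any, destination network, TCP destination port, target)
RULES = [
    (EXTERN_IF, ANY, 3128, "DENY"),                # squid is not reachable from the internet
    (INTERN_IF, INTERN_IP + "/32", 80, "ACCEPT"),  # internal access to weblet
    (EXTERN_IF, EX_IP + "/32", 80, "ACCEPT"),      # publicly visible web server
    (None, ANY, 80, "REDIRECT 3128"),              # all other web queries go to squid
]

def verdict(rules, iface, dst, dport):
    """Return the target of the first rule that matches a TCP packet."""
    for rule_if, rule_dst, rule_port, target in rules:
        if rule_if not in (None, iface):
            continue
        if rule_port != dport or ip_address(dst) not in ip_network(rule_dst):
            continue
        return target
    return FALLTHROUGH

# Constructed sample packets: (description, inbound interface, destination, port)
PACKETS = [
    ("internet host probing squid", EXTERN_IF, EX_IP, 3128),
    ("LAN client opening weblet", INTERN_IF, INTERN_IP, 80),
    ("internet visitor to the web server", EXTERN_IF, EX_IP, 80),
    ("LAN client browsing the web", INTERN_IF, "198.51.100.7", 80),
    ("LAN client using HTTPS", INTERN_IF, "198.51.100.7", 443),
]

def evaluate(rules):
    """Map each sample packet description to the target it hits."""
    return {desc: verdict(rules, iface, dst, port) for desc, iface, dst, port in PACKETS}

# Same rules with the catch-all redirect moved to the top: the ACCEPT rules never match.
REDIRECT_FIRST = [RULES[3]] + RULES[:3]

if __name__ == "__main__":
    for name, rules in (("documented order", RULES), ("redirect first", REDIRECT_FIRST)):
        print(name)
        for desc, target in evaluate(rules).items():
            print(f"  {desc:36} -> {target}")
```
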
RE: [Leaf-user] Squid redirect dachstein floppy
On a related note, I was having problems after I started using squid on a dachstein CD (default RAM disk size) on a P75 with 32MB of RAM. After installing squid it would work fine for a while and then I'd start periodically seeing messages like:

    VM Process Killing: {different service name}
    VM Process Killing: {different service name}
    VM Process Killing: {different service name}

as services stopped. The error message is from my memory so it may not be exact, but should be close. I assume this is the kernel killing processes since it is low on virtual memory to keep the kernel from running out of VM and crashing.

Anyone else running into this? BTW, this is running as proxy-only, no caching.

I also wanted to log squid to a remote machine but the usual syslog.conf *.* #re.mo.te.ip didn't seem to work, no squid logs that I could find appeared on the remote server. Does squid not use the syslog daemon?

Thanks,
Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Todd Pearsall
Sent: Wednesday, December 12, 2001 8:49 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Leaf-User (E-mail)
Subject: RE: [Leaf-user] Squid redirect dachstein floppy

You can create a file in /etc named ipchains.input and add the command:

    ipchains -A input -p tcp -d 0/0 www -j REDIRECT 3128

If you are worried about users bypassing the proxy you can add the following to block non-proxy web traffic:

    ipchains -A input -p tcp -i eth1 -d 0/0 www -j REJECT

With those lines added, type

    svi network ipfilter reload

This will reload the rules including the ones in the /etc/ipchains.input file.

Charles added the ipchains.input, ipchains.output and ipchains.forward capability so you could extend the rules w/o editing the ipfilter.conf directly.

- Todd

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kevin Kropf
Sent: Wednesday, December 12, 2001 1:18 AM
To: [EMAIL PROTECTED]; Leaf-User (E-mail)
Subject: RE: [Leaf-user] Squid redirect dachstein floppy

I am not that familiar with ipchains and was hoping for a little more detail. I put together the following command from the info on the squid FAQ:

    $IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128

However I am not sure what else is needed and where to put it in ipfilter.conf

Thanks for any help on this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Douthitt
Sent: Tuesday, December 11, 2001 5:32 PM
To: LEAF Users List
Subject: Re: [Leaf-user] Squid redirect dachstein floppy

Kevin Kropf wrote:
> I have Squid running on dachstein-rc2-1680.exe and would like to redirect all internal port 80 requests to the default Squid port of 3128 on the LRP box. I have read through the archives and found very little of use. What is the best way to do this?

This is in the Squid FAQ - in fact, it's an entire section (#17); go to the Squid home page at http://www.squid-cache.org/ .
Re: [Leaf-user] Squid redirect dachstein floppy
Todd Pearsall wrote:
> On a related note, I was having problems after I started using squid on a dachstein CD (default RAM disk size) on a P75 with 32MB of RAM. After installing squid it would work fine for a while and then I'd start periodically seeing messages like:
>
>     VM Process Killing: {different service name}
>     VM Process Killing: {different service name}
>     VM Process Killing: {different service name}
>
> as services stopped. The error message is from my memory so it may not be exact, but should be close. I assume this is the kernel killing processes since it is low on virtual memory to keep the kernel from running out of VM and crashing.
>
> Anyone else running into this? BTW, this is running as proxy-only, no caching.

Squid needs *LOTS* of memory and disk space. I'd recommend you run with 64M at least, maybe more. Remember, too, that unlike normal distributions a major chunk of that 32M is used by the RAM disks, so you're actually running on something like 16M or less for Squid to run in.

Get more memory.

> I also wanted to log squid to a remote machine but the usual syslog.conf *.* #re.mo.te.ip didn't seem to work, no squid logs that I could find appeared on the remote server. Does squid not use the syslog daemon?

Use squid -s to log startups and shutdowns (and such like) to syslog. As for accesses, it's not currently possible.
Re: [Leaf-user] Squid redirect dachstein floppy
Kevin Kropf wrote:
> I have Squid running on dachstein-rc2-1680.exe and would like to redirect all internal port 80 requests to the default Squid port of 3128 on the LRP box. I have read through the archives and found very little of use. What is the best way to do this?

This is in the Squid FAQ - in fact, it's an entire section (#17); go to the Squid home page at http://www.squid-cache.org/ .
RE: [Leaf-user] Squid redirect dachstein floppy
I am not that familiar with ipchains and was hoping for a little more detail. I put together the following command from the info on the squid FAQ:

    $IPCH -A input -p tcp -d 0/0 80 -j REDIRECT 3128

However I am not sure what else is needed and where to put it in ipfilter.conf

Thanks for any help on this.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David Douthitt
Sent: Tuesday, December 11, 2001 5:32 PM
To: LEAF Users List
Subject: Re: [Leaf-user] Squid redirect dachstein floppy

Kevin Kropf wrote:
> I have Squid running on dachstein-rc2-1680.exe and would like to redirect all internal port 80 requests to the default Squid port of 3128 on the LRP box. I have read through the archives and found very little of use. What is the best way to do this?

This is in the Squid FAQ - in fact, it's an entire section (#17); go to the Squid home page at http://www.squid-cache.org/ .