Re: [squid-users] how to use req_mime_type tag to restrict File Upload

2006-08-18 Thread updatemyself .

thanks a lot...

I changed my squid
from
squid-2.5.STABLE6-3.4E.12
to
squid-2.5.STABLE14-1.RHEL4

http://people.redhat.com/stransky/squid/

After that everything is working...
With the same configuration, "squid-2.5.STABLE6-3.4E.12" failed to start properly...

regards
jerrynikky.



On 8/18/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

On Fri, 2006-08-18 at 18:09 +0530, updatemyself . wrote:
> is this correct?
> http://www.squid-cache.org/mail-archive/squid-users/200508/0503.html
>
> i tried this way but its also not working
> even squid fail to restart properly..
>
> -
> acl my_net src 10.0.0.1/255.255.255.0
> acl USERA src 10.0.0.1/255.255.255.255
> acl UPLIMIT req_header Content-Length [5-9][0-9]{5,}
> acl UPMETH method post
> http_access deny USERA UPMETH UPLIMIT
> http_access allow my_net
> http_access deny_all
> ---

Should work.

Do you have any other http_access allow rules?

And was your source IP 10.0.0.1 when testing this? (see access.log to
confirm..)

The first acl is slightly wrong. Should be 10.0.0.0/... but you should
have noticed that already.

any other complaints from "squid -k parse"?

Regards
Henrik




Re: [squid-users] Squid -2.6 with Tproxy

2006-08-18 Thread tino

Have you tried my last hints?
I'm using fc4, then upgraded it to kernel 2.6.15.7 (did you use fc5? then there could be some problem downgrading from the original 2.6.16 to 2.6.15?) & the patch cttproxy-2.6.15-2.0.4.tar.gz


iptables-1.3.0.tar.bz2 from netfilter.org (first I was using 1.3.4 & 5, which were not working)


After patching with the balabit iptables patch, ./configure & make

Make sure libipt_tproxy.so exists in /lib/iptables.

If it is not there, then you have to 'gcc' it manually from the iptables source you
extracted; check inside the folder at /extensions/

regards,
Tino

- Original Message - 
From: "Angel Mieres" <[EMAIL PROTECTED]>

To: "Sunil K.P." <[EMAIL PROTECTED]>
Cc: 
Sent: Friday, August 18, 2006 7:08 PM
Subject: Re: [squid-users] Squid -2.6 with Tproxy



Sorry Sunil for my late reply (I have problems with my internet
provider)

Of course I haven't been able to implement Tproxy; I'm using only sources
since the start and everything looks like it compiles ok.

This is my procedure:
- I patch kernel 2.6.15.2 vanilla with the balabit patch from cttproxy-2.6.15-2.0.4.tar.gz
- modify my kernel adding TPROXY support.
- compiled & etc etc etc
- patch iptables sources 1.3.4, make KERNEL_DIR=... && make install KERNEL_DIR=...
- On squid-2.6STABLE2... "./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install" (if in this step you have problems, copy /include/linux/netfilter_ipv4/ into your /usr/include/linux/netfilter_ipv4/ )

When I try to run squid in tproxy mode... Meeeak! Error port assign 0!
I think I'm dreaming about this error every night xD; the error looks like
it's not able to spoof clients.

Can someone help us with this stuff?



On Wed, 16-08-2006 at 21:32 +0100, Sunil K.P. wrote:

Hi Angel,

Have you been able to implement Tproxy successfully?

Regards
Sunil

Angel Mieres wrote:
> Sunil, I'm trying to do the same that you are trying; I patched iptables
> 1.3.5 & 1.3.4 and the problem persists.
>
> Tino, have you got this working successfully? Could you tell me the versions
> you used? (I refer to iptables, patch applied, kernel used, tproxy patch used...)
>
> I'm using kernel 2.6.15.2 with the balabit tproxy patch, iptables 1.3.5 and
> squid 2.6 STABLE2 and squid debug mode always shows me the same thing that
> Sunil shows.
>
> I think that my problem is in the iptables version and its patch.
>
> Regards,
> Angel M.
>
>
>> Your iptables patch is not complete.
>> fc5 uses the iptables rpm source; you need iptables from the tar.gz/bz source
>> - uninstall the iptables rpm,
>> - download the tar.gz/bz source from netfilter.org
>> - patch it with iptables-1.3-cttproxy.diff before ./configure
>>
>>
>> rgds,
>> Tino
>>
>> - Original Message - 
>> From: "Sunil K.P." <[EMAIL PROTECTED]>

>> To: 
>> Sent: Friday, August 11, 2006 4:33 PM
>> Subject: [squid-users] Squid -2.6 with Tproxy
>>
>>
>>
>>> Hi,
>>>
>>> I have squid 2.6 STABLE 2 running on FC 2.6.15.2.
>>> It is working fine in transparent mode.
>>>
>>> But I am trying to use Tproxy so that all the requests will be spoofed to
>>> show the client's IP address and not the cache server's.
>>> The patches have been applied to the kernel, compiled and applied as per
>>> procedure.
>>> After restarting the system the modules ipt_tproxy and ipt_TPROXY are
>>> loaded.
>>>
>>> The problem starts when I apply the following iptables rule
>>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
>>>
>>> The traffic stops going through the cache server. If the rule is removed
>>> the traffic goes smoothly.
>>> Cache.log shows the following error
>>> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN
>>>
>>> There seems to be no proper documentation for implementation of tproxy
>>> with squid on the net.
>>> Please advise.
>>>
>>> Regards
>>> Sunil
>>>


--
Angel Mieres - [EMAIL PROTECTED]
/ Gentoo has you...





Re: [squid-users] iptables and squid reverse proxy accelerator config

2006-08-18 Thread Chris Robertson

nick humphrey wrote:

hi ya'll, i'd just like to preface this by saying that i have been
looking in the archive and on the internet for 4 days straight and
haven't found a clear answer to my problem =)

That could be due to the fact that your set up is a touch convoluted...  :o)


i have a linux (rh7) machine (webMachine, ip: 192.168.0.5) running a
web server on port 7090.

RedHat 7?  Well, I guess if it ain't broke...

i have another linux (debian) machine on the same network
(firewallMachine, two interfaces ip: 10.0.0.40 [out to inet], ip:
192.168.0.2 [connected to internal network]).

on firewallMachine i have also installed squid, to reverse proxy for
webMachine, i.e. hide all external ip addresses from webMachine, so it
thinks only 1 ip address is communicating with it.

squid is configured to listen to port 7090 and then redirect
everything to webMachine on port 7090 (trying to keep it simple at
first).

Hahahahaha!  Ahem...  Sorry.

the only lines i've changed in the default squid.conf configuration are:
http_port 7090
httpd_accel_host 192.168.0.5
httpd_accel_port 7090
httpd_accel_single_host on
httpd_accel_uses_host_header on

(i can't see anything else in that config file that would need to be
enabled/disabled, am i right?)

Those look fine to me.


here's my firewall.sh:


SNIP

Yikes...  Just... Yikes.  I'd love to see the flow chart that maps the 
rule set you posted.


i can't seem to reach webMachine from the internet (everything is set
up correctly on my adsl router [sits between firewallMachine and
internet], that much i do know).



Why are you using NAT to route the packets to the "inside" interface on 
the firewallMachine (I think that line might be wrong anyway*)?  That 
seems a bit Rube-Goldberg-machine to me (Internet->NAT->NAT->Squid->web 
server).


You've got Squid listening to port 7090 (no IP assignment), and 
forwarding requests to the web server (in theory).  Just let it handle 
the traffic from 10.0.0.40 (which is already NATed once).  Unless I'm 
mistaken (and that happens with more frequency than I am happy with) 
you'd just have to remove the NAT rule, and add an accept for port 7090 
on the external interface (in with the IMAP and SMTP rules).  I don't 
see any restrictions on what the firewallMachine is allowed to send to 
the internal network.  Then again that's a hell of a rat's nest, and 
following what is going on is starting to give me a headache...


Alternatively, check your firewall logs.  Unless you are seeing a Squid 
error on the computer that is accessing the web site from the Internet, 
I don't think this is a Squid problem.



Thanks for any help and a quick response =)
Nick


Chris

* The NAT line...
$IPT -t nat -A PREROUTING -p tcp --dport 7090 -j DNAT --to 192.168.0.2
...doesn't specify a "destination" IP address to match or an input
interface, so ANY traffic destined for port 7090 on any interface is
NATed (which might lead to a loop).  If I'm not mistaken (the previous
warning still applies), the line should read...

$IPT -t nat -A PREROUTING -p tcp -d 10.0.0.4 --dport 7090 -j DNAT --to 192.168.0.2
...but considering the traffic is already NATed, perhaps that should be
the external IP...


Re: [squid-users] bandwidth limitization

2006-08-18 Thread Henrik Nordstrom
Fri 2006-08-18 at 14:11 -0800, Chris Robertson wrote:

> The currently supported version of Squid is 2.6STABLE2 (or is it 
> 2.6STABLE3?).

Now it's 2.6.STABLE3. Released some minutes ago with a general upgrade
recommendation.

Regards
Henrik






[squid-users] Squid-2.6.STABLE3 released

2006-08-18 Thread Henrik Nordstrom
The Squid Web Proxy developers are pleased to announce the availability
of the Squid-2.6.STABLE3 bugfix release. This is a major bugfix release
correcting several critical errors in earlier releases.

All users are recommended to schedule an upgrade to this release.

This new release can be downloaded from our HTTP or FTP servers

http://www.squid-cache.org/Versions/v2/2.6/
ftp://ftp.squid-cache.org/pub/squid-2/STABLE/

or the mirrors. For a list of mirror sites see

http://www.squid-cache.org/Mirrors/http-mirrors.html
http://www.squid-cache.org/Mirrors/ftp-mirrors.html

The most important bug fixes in the Squid-2.6.STABLE3 release are:

- Several memory leaks corrected, some of which could result
  in denial of service conditions.
- Assertion failure related to Vary/ETag processing, which could
  result in a denial of service condition.
- Delay pools now work again. They were broken in 2.6.STABLE1 and 2,
  often allowing a lot more bandwidth than the configured limit.
- Requests could hang when using the cache_dir max-size option.
- Now implements proper TCP fallback on truncated DNS responses,
  solving interoperability issues with some DNS servers.

In addition there are numerous minor bugfixes and improvements. For more
information on the individual changes see the Squid-2.6 changes page

http://www.squid-cache.org/Versions/v2/2.6/changesets/


Thanks go to all users who have sent in valuable bug reports and
feedback. We would not be where we are today without your help.

The Squid project is looking for sponsors of the ongoing Squid
maintenance or development efforts. Please contact [EMAIL PROTECTED]
or visit http://www.squid-cache.org/donate.html for more information.

Regards
The Squid Web Proxy developers




Re: [squid-users] bandwidth limitization

2006-08-18 Thread Chris Robertson

kashif Mazhar wrote:

Hello,

I want to limit (that is, restrict to 10MB) some of my selected users
from downloading in squid, in such a way that a few users cannot download
more than 10MB, because it messes things up when they download heavy
movies. Kindly guide.

i am using squid 2.4
Regards,
The currently supported version of Squid is 2.6STABLE2 (or is it 
2.6STABLE3?).  I could guide you towards (roughly) performing this task 
in Squid 2.5 (set the reply_body_max_size, and have a program to monitor 
the logs to add ACLs when people exceed the limit).  I'm not sure how 
much help you will find for such an old version...  In any case, Squid 
does not have a native "quota" function.


Chris


Re: [squid-users] Help with redirection

2006-08-18 Thread Henrik Nordstrom
Fri 2006-08-18 at 15:41 -0400, Adam O'Neill wrote:

> Well, I found errors in my cache.log related to, as you said, 
> permissions problems. Giving squidGuard access to the files in its 
> /db/squidGuard directory and /log/squidGuard.log caused those errors to 
> stop appearing in cache.log, but it is still the case that squidGuard is 
> not redirecting any traffic. Is there something I would have to do in 
> squid.conf other than specifying that squidGuard is the redirection program?

There is nothing else in squid.conf.

Doublecheck your cache.log. Maybe there is more issues. Also try running
squidGuard manually as your cache_effective_user.

Regards
Henrik




Re: [squid-users] help squid

2006-08-18 Thread Henrik Nordstrom
Fri 2006-08-18 at 15:35 -0300, Alejandro Decchi wrote:
> Hi
> 
> I checked "do not use proxy server for local addresses" in the Internet
> Explorer options, but it does not work.
> Do I have to configure anything in the squid proxy ??

The decision to use or not use the proxy is entirely in the browser. All
Squid can do is to allow the request or reject it with an error message.

Regards
Henrik




Re: [squid-users] Help with redirection

2006-08-18 Thread Adam O'Neill

Henrik Nordstrom wrote:


On Fri, 2006-08-18 at 12:08 -0400, Adam O'Neill wrote:

> (installed on FreeBSD 6.0 from ports) squidGuard.log doesn't show
> anything, it is literally empty.

Check your cache.log for any errors from squidguard. Most likely there
is a permissions problem denying SquidGuard access to something it
needs. SquidGuard automatically enters passthru mode if there is
problems with it's configuration..

Regards
Henrik

Well, I found errors in my cache.log related to, as you said, 
permissions problems. Giving squidGuard access to the files in its 
/db/squidGuard directory and /log/squidGuard.log caused those errors to 
stop appearing in cache.log, but it is still the case that squidGuard is 
not redirecting any traffic. Is there something I would have to do in 
squid.conf other than specifying that squidGuard is the redirection program?


Re: [squid-users] help squid

2006-08-18 Thread Alejandro Decchi
Hi

I checked "do not use proxy server for local addresses" in the Internet
Explorer options, but it does not work.
Do I have to configure anything in the squid proxy ??

thz

- Original Message - 
From: "Rayudu Madhava" <[EMAIL PROTECTED]>
To: ; "Alejandro Decchi" 
<[EMAIL PROTECTED]>
Sent: Friday, August 18, 2006 12:53 PM
Subject: Re: [squid-users] help squid



> internet explorer to do not use proxy server for
> local address, but it does
> not work
>
> Thz
>
> Ale
>

It's problem with IE.. Not Squid's

Try a recent version of IE

Rayudu





Re: [squid-users] squid transparent.

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 14:17 -0300, Charles Regan wrote: 
> what is the netfilter-bridge integration ?

The CONFIG_BRIDGE_NETFILTER "Bridged IP/ARP packets filtering" kernel
option. Enabling iptables to be used directly in the bridge without
involving ebtables.

Found in the generic Netfilter section.

Regards
Henrik



Re: [squid-users] Help with redirection

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 12:08 -0400, Adam O'Neill wrote:

> (installed on FreeBSD 6.0 from ports) squidGuard.log doesn't show 
> anything, it is literally empty.

Check your cache.log for any errors from squidguard. Most likely there
is a permissions problem denying SquidGuard access to something it
needs. SquidGuard automatically enters passthru mode if there is
problems with it's configuration..

Regards
Henrik



Re: [squid-users] squid transparent.

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 11:46 -0300, Charles Regan wrote:

> ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target
> iptables -t nat -A PREROUTING -i my -p tcp --dport 80 -j REDIRECT --to-port 3128

Should work I think, but I have never used ebtables, only the
netfilter-bridge integration

Regards
Henrik



[squid-users] Help with redirection

2006-08-18 Thread Adam O'Neill
Using squidGuard, my squidGuard.conf is a copy of the sample from 
squidguard.org - to simply redirect porn sites. But all sites are 
passed, regardless of appearing in the porn list in the squidGuard db. 
All traffic is passed even if squidGuard is told to pass no traffic by 
default. I did set "redirect_program /usr/local/bin/squidGuard" 
(installed on FreeBSD 6.0 from ports). squidGuard.log doesn't show 
anything, it is literally empty.


Re: [squid-users] help squid

2006-08-18 Thread Rayudu Madhava

> internet explorer to do not use proxy server for
> local address, but it does
> not work
> 
> Thz
> 
> Ale
> 
 
It's problem with IE.. Not Squid's

Try a recent version of IE

Rayudu 




[squid-users] squid transparent.

2006-08-18 Thread Charles Regan

LAN - ROUTER -- SQUID -- INTERNET


Using this setup is it possible to have a transparent squid ?
The squid box is setup as a bridge with an IP routable on the internet.
My clients are on a different subnet. I can ping my clients from squid.
Squid is working when I am entering it manually in my browser.

Using this command it's not working:
(my = bridge interface)

ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target
iptables -t nat -A PREROUTING -i my -p tcp --dport 80 -j REDIRECT --to-port 3128

Any idea ?
Thanks


Re: [squid-users] how to use req_mime_type tag to restrict File Upload

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 18:09 +0530, updatemyself . wrote:
> is this correct?
> http://www.squid-cache.org/mail-archive/squid-users/200508/0503.html
> 
> i tried this way but its also not working
> even squid fail to restart properly..
> 
> -
> acl my_net src 10.0.0.1/255.255.255.0
> acl USERA src 10.0.0.1/255.255.255.255
> acl UPLIMIT req_header Content-Length [5-9][0-9]{5,}
> acl UPMETH method post
> http_access deny USERA UPMETH UPLIMIT
> http_access allow my_net
> http_access deny_all
> ---

Should work.

Do you have any other http_access allow rules?

And was your source IP 10.0.0.1 when testing this? (see access.log to
confirm..)

The first acl is slightly wrong. Should be 10.0.0.0/... but you should
have noticed that already.

any other complaints from "squid -k parse"?

Regards
Henrik



RE: [squid-users] help on external acl

2006-08-18 Thread Remy Almeida
Hi Henrik
Thanks I have done it

Regards,
Remy  


-Original Message-
From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] 
Sent: Friday, August 18, 2006 5:50 PM
To: Remy Almeida
Cc: 'Squd-help'
Subject: Re: [squid-users] help on external acl

On Fri, 2006-08-18 at 14:45 +0530, Remy Almeida wrote:
> Hi all
>   I have stored my network ips in mysql database.
>   Can some one give an example on the same?


You need to write a small mysql application which can query your
database and return OK or ERR depending on whether the IP is found or not..

See the external_acl_type directive for guidance on what Squid expects
from this helper application.

Regards
Henrik




[squid-users] help squid

2006-08-18 Thread Alejandro Decchi
Does anyone know how to configure squid-cache to not resolve the names of
the webpages that are in my intranet ??? Because I configured Internet
Explorer to not use the proxy server for local addresses, but it does
not work

Thz

Ale



Re: [squid-users] how to use req_mime_type tag to restrict File Upload

2006-08-18 Thread updatemyself .

is this correct?
http://www.squid-cache.org/mail-archive/squid-users/200508/0503.html

I tried this way but it's also not working;
even squid fails to restart properly..

-
acl my_net src 10.0.0.1/255.255.255.0
acl USERA src 10.0.0.1/255.255.255.255
acl UPLIMIT req_header Content-Length [5-9][0-9]{5,}
acl UPMETH method post
http_access deny USERA UPMETH UPLIMIT
http_access allow my_net
http_access deny_all
---


On 8/18/06, Henrik Nordstrom <[EMAIL PROTECTED]> wrote:

On Fri, 2006-08-18 at 17:08 +0530, updatemyself . wrote:
> Hi all,
>
> how to use req_mime_type tag to restrict File Upload


Using what method?

POST or PUT?


req_mime_type should work reasonably well for PUT, but won't work at all
for forms based upload using POST. This is due to how HTTP is used in
the two forms of upload.

But even for PUT it won't be very reliable. req_mime_type matches what
the client claims the file type is. This may differ both from what the
actual file type is and from what the web server will consider that the
file type is.. Most servers completely ignore the mime type of PUT
requests, just storing the file as-is.

Regards
Henrik




Re: [squid-users] how to use req_mime_type tag to restrict File Upload

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 17:08 +0530, updatemyself . wrote:
> Hi all,
> 
> how to use req_mime_type tag to restrict File Upload


Using what method?

POST or PUT?


req_mime_type should work reasonably well for PUT, but won't work at all
for forms based upload using POST. This is due to how HTTP is used in
the two forms of upload.

But even for PUT it won't be very reliable. req_mime_type matches what
the client claims the file type is. This may differ both from what the
actual file type is and from what the web server will consider that the
file type is.. Most servers completely ignore the mime type of PUT
requests, just storing the file as-is.

Regards
Henrik
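Henrik's two points above, that req_mime_type only ever sees the request's own Content-Type header (a multipart POST shows up as multipart/form-data, never as image/gif) and that the src/method/req_header Content-Length rule set from the earlier thread should work, modelled as an added Python example; this is not Squid code or anything posted on the list. The three requests are constructed, and the ACL predicates are a simplified model of how Squid evaluates those acl types and http_access lines.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed requests (not from the thread). Only the request head reaches
# Squid's req_* ACLs; the file's own type in a multipart POST sits in the body.
PUT_GIF = {"method": "PUT", "src": "10.0.0.1",
           "headers": {"Content-Type": "image/gif", "Content-Length": "734000"}}
POST_FORM = {"method": "POST", "src": "10.0.0.1",
             "headers": {"Content-Type": "multipart/form-data; boundary=xyz",
                         "Content-Length": "734000"},
             # what the browser actually uploads, invisible to req_mime_type:
             "body": b"--xyz\r\nContent-Disposition: form-data; name=\"f\"; "
                     b"filename=\"a.gif\"\r\nContent-Type: image/gif\r\n\r\nGIF89a..."}
POST_1MB = {"method": "POST", "src": "10.0.0.1",
            "headers": {"Content-Type": "multipart/form-data; boundary=xyz",
                        "Content-Length": "1000000"}}


def normalize_src(spec):
    """Render a Squid 'src' spec the way Squid reads it: 10.0.0.1/255.255.255.0
    is the network 10.0.0.0/24 (host bits are ignored), which is why the first
    acl in the thread is called 'slightly wrong'."""
    return str(ip_network(spec, strict=False))


def acl_src(req, spec):
    return ip_address(req["src"]) in ip_network(spec, strict=False)


def acl_method(req, name):
    return req["method"].upper() == name.upper()


def acl_req_header(req, header, pattern, flags=0):
    """req_header: unanchored regex over the named request header, like Squid."""
    value = req["headers"].get(header)
    return value is not None and re.search(pattern, value, flags) is not None


def acl_req_mime_type(req, pattern):
    """req_mime_type -i: the request Content-Type header, case-insensitively."""
    return acl_req_header(req, "Content-Type", pattern, re.IGNORECASE)


# The poster's acl lines, as Python predicates.
ACLS = {
    "my_net":  lambda r: acl_src(r, "10.0.0.1/255.255.255.0"),
    "USERA":   lambda r: acl_src(r, "10.0.0.1/255.255.255.255"),
    "UPLIMIT": lambda r: acl_req_header(r, "Content-Length", r"[5-9][0-9]{5,}"),
    "UPMETH":  lambda r: acl_method(r, "post"),
    "all":     lambda r: True,
}

# The http_access lines in order; Squid spells the last one "deny all".
HTTP_ACCESS = [
    ("deny",  ["USERA", "UPMETH", "UPLIMIT"]),
    ("allow", ["my_net"]),
    ("deny",  ["all"]),
]


def http_access(req):
    """First line whose ACLs all match decides; 'deny all' catches the rest."""
    for verdict, names in HTTP_ACCESS:
        if all(ACLS[name](req) for name in names):
            return verdict
    return "deny"  # unreachable here because of the final "deny all"


def gif_upload_seen_by_req_mime_type(req):
    """What an 'acl ... req_mime_type -i ^image/gif$' line sees for this request."""
    return acl_req_mime_type(req, r"^image/gif$")


if __name__ == "__main__":
    print(normalize_src("10.0.0.1/255.255.255.0"))
    for name, req in [("PUT gif", PUT_GIF), ("POST form", POST_FORM),
                      ("POST 1MB", POST_1MB)]:
        print(f"{name}: http_access={http_access(req)}, "
              f"req_mime_type gif={gif_upload_seen_by_req_mime_type(req)}")
```

The Content-Length pattern is a substring match on a digit string, not a numeric threshold: 1000000 contains no digit in 5-9 and is not matched, while 1734000 is matched on its tail.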



[squid-users] iptables and squid reverse proxy accelerator config

2006-08-18 Thread nick humphrey

hi ya'll, i'd just like to preface this by saying that i have been
looking in the archive and on the internet for 4 days straight and
haven't found a clear answer to my problem =)

i have a linux (rh7) machine (webMachine, ip: 192.168.0.5) running a
web server on port 7090.
i have another linux (debian) machine on the same network
(firewallMachine, two interfaces ip: 10.0.0.40 [out to inet], ip:
192.168.0.2 [connected to internal network]).

on firewallMachine i have also installed squid, to reverse proxy for
webMachine, i.e. hide all external ip addresses from webMachine, so it
thinks only 1 ip address is communicating with it.

squid is configured to listen to port 7090 and then redirect
everything to webMachine on port 7090 (trying to keep it simple at
first).
the only lines i've changed in the default squid.conf configuration are:
http_port 7090
httpd_accel_host 192.168.0.5
httpd_accel_port 7090
httpd_accel_single_host on
httpd_accel_uses_host_header on

(i can't see anything else in that config file that would need to be
enabled/disabled, am i right?)

here's my firewall.sh:
#!/bin/sh
SYSCTL="/sbin/sysctl -w"

# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Interface Information
INET_IFACE="eth0"
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.0.2"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTS > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTR < /etc/sysconfig/iptables
echo "done"
exit 0
fi

# Load Modules
echo "Loading kernel modules ..."
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Kernel Parameter Configuration
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/ip_forward
else
   $SYSCTL net.ipv4.ip_forward="1"
fi

# This enables SYN flood protection.
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
   $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
   $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This kernel parameter instructs the kernel to ignore all ICMP
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
   $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed packets.
if [ "$SYSCTL" = "" ]
then
   echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
   $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
   $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
   echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
   $SYSCTL net.ipv4.conf.all.log_martians="1"
fi

# Flush Any Existing Rules or Chains
echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
echo "Firewall completely flushed!  Now running with no firewall."
exit 0
fi

# Rules Configuration
# Filter Table
# Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# User-Specified Chains
# Create user chains to reduce the number of rules each packet must traverse.
echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets
$IPT -N bad_packets

# Create another chain to filter bad tcp packets
$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing), and
# incoming udp packets.
$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network, default
# to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired, default fail except for
# established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network, default to allow all
$IPT -N tcp_outbound

# Populate User Chains
# bad_packets chain
# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "Invalid packet: "
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the

Re: [squid-users] help on external acl

2006-08-18 Thread Henrik Nordstrom
On Fri, 2006-08-18 at 14:45 +0530, Remy Almeida wrote:
> Hi all
>   I have stored my network ips in mysql database.
>   Can some one give an example on the same?


You need to write a small mysql application which can query your
database and return OK or ERR depending on whether the IP is found or not..

See the external_acl_type directive for guidance on what Squid expects
from this helper application.

Regards
Henrik
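The helper contract Henrik describes (read one request line, answer OK or ERR) as an added example, not the list's or Squid's own code: a Python external_acl_type helper that looks the client address up in a table. It assumes sqlite3 standing in for the poster's MySQL database, a made-up allowed_ips table, and a %SRC format so each line Squid sends carries the source address.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper answering OK/ERR from a table of IPs.

Added example; the schema and sample rows are constructed. Matching
squid.conf lines (no concurrency=, so one plain line per lookup):
    external_acl_type ipdb ttl=60 %SRC /usr/local/bin/ipdb_helper.py
    acl dbhosts external ipdb
    http_access allow dbhosts
"""
import ipaddress
import sqlite3
import sys

DB_PATH = ":memory:"  # assumption: a real deployment points at MySQL instead


def open_db():
    conn = sqlite3.connect(DB_PATH)
    # constructed sample data standing in for the poster's "network ips" table
    conn.execute("CREATE TABLE IF NOT EXISTS allowed_ips (ip TEXT PRIMARY KEY)")
    conn.executemany("INSERT OR IGNORE INTO allowed_ips VALUES (?)",
                     [("10.0.0.1",), ("10.0.0.25",), ("192.168.1.7",)])
    conn.commit()
    return conn


def lookup(conn, raw_ip):
    """'OK' if raw_ip is a well-formed address present in the table, else 'ERR'."""
    try:
        ip = str(ipaddress.ip_address(raw_ip.strip()))  # rejects anything but an IP
    except ValueError:
        return "ERR"  # malformed input never reaches the database
    # parameterised query: the client-derived value is never spliced into SQL
    row = conn.execute("SELECT 1 FROM allowed_ips WHERE ip = ?", (ip,)).fetchone()
    return "OK" if row else "ERR"


def answer(conn, line):
    """Handle one request line from Squid; the first field is the %SRC value."""
    fields = line.split()
    if not fields:
        return "ERR"
    return lookup(conn, fields[0])


def main():
    conn = open_db()
    for line in sys.stdin:
        sys.stdout.write(answer(conn, line) + "\n")
        sys.stdout.flush()  # Squid blocks on each answer; never buffer replies


if __name__ == "__main__":
    main()
```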



Re: [squid-users] Squid -2.6 with Tproxy

2006-08-18 Thread Angel Mieres
Sorry Sunil for my late reply (I have problems with my internet
provider)

Of course I haven't been able to implement Tproxy; I'm using only sources
since the start and everything looks like it compiles ok.

This is my procedure:
- I patch kernel 2.6.15.2 vanilla with the balabit patch from cttproxy-2.6.15-2.0.4.tar.gz
- modify my kernel adding TPROXY support.
- compiled & etc etc etc
- patch iptables sources 1.3.4, make KERNEL_DIR=... && make install KERNEL_DIR=...
- On squid-2.6STABLE2... "./configure --enable-linux-tproxy --enable-linux-netfilter && make all && make install" (if in this step you have problems, copy /include/linux/netfilter_ipv4/ into your /usr/include/linux/netfilter_ipv4/ )

When I try to run squid in tproxy mode... Meeeak! Error port assign 0!
I think I'm dreaming about this error every night xD; the error looks like
it's not able to spoof clients.

Can someone help us with this stuff?



On Wed, 16-08-2006 at 21:32 +0100, Sunil K.P. wrote:
> Hi Angel,
> 
> Have you been able to implement Tproxy successfully?
> 
> Regards
> Sunil
> 
> Angel Mieres wrote:
> > Sunil, I'm trying to do the same that you are trying; I patched iptables
> > 1.3.5 & 1.3.4 and the problem persists.
> >
> > Tino, have you got this working successfully? Could you tell me the versions
> > you used? (I refer to iptables, patch applied, kernel used, tproxy patch used...)
> >
> > I'm using kernel 2.6.15.2 with the balabit tproxy patch, iptables 1.3.5 and
> > squid 2.6 STABLE2 and squid debug mode always shows me the same thing that
> > Sunil shows.
> >
> > I think that my problem is in the iptables version and its patch.
> >
> > Regards,
> > Angel M.
> >
> >
> >> Your iptables patch is not complete.
> >> fc5 uses the iptables rpm source; you need iptables from the tar.gz/bz source
> >> - uninstall the iptables rpm,
> >> - download the tar.gz/bz source from netfilter.org
> >> - patch it with iptables-1.3-cttproxy.diff before ./configure
> >>  
> >>
> >> rgds,
> >> Tino
> >>
> >> - Original Message - 
> >> From: "Sunil K.P." <[EMAIL PROTECTED]>
> >> To: 
> >> Sent: Friday, August 11, 2006 4:33 PM
> >> Subject: [squid-users] Squid -2.6 with Tproxy
> >>
> >>
> >> 
> >>> Hi,
> >>>
> >>> I have squid 2.6 STABLE 2 running on FC 2.6.15.2.
> >>> It is working fine in transparent mode.
> >>>
> >>> But I am trying to use Tproxy so that all the requests will be spoofed to
> >>> show the client's IP address and not the cache server's.
> >>> The patches have been applied to the kernel, compiled and applied as per
> >>> procedure.
> >>> After restarting the system the modules ipt_tproxy and ipt_TPROXY are
> >>> loaded.
> >>>
> >>> The problem starts when I apply the following iptables rule
> >>> iptables -t tproxy -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
> >>>
> >>> The traffic stops going through the cache server. If the rule is removed
> >>> the traffic goes smoothly.
> >>> Cache.log shows the following error
> >>> tproxy ip=192.168.10.11,0x9eec383e,port=0 ERROR ASSIGN
> >>>
> >>> There seems to be no proper documentation for implementation of tproxy
> >>> with squid on the net.
> >>> Please advise.
> >>>
> >>> Regards
> >>> Sunil
> >>>
> 
-- 
Angel Mieres - [EMAIL PROTECTED]
/ Gentoo has you...



[squid-users] how to use req_mime_type tag to restrict File Upload

2006-08-18 Thread updatemyself .

Hi all,

how to use req_mime_type tag to restrict File Upload

my squid.conf

acl deny_mime rep_mime_type -i ^application/pdf$
acl deny_mime rep_mime_type -i ^image/gif$

acl iasnet src 192.168.1.0/255.255.255.0

http_access deny deny_mime
http_access allow iasnet

but I was still able to upload pdf files and gif files...
can anyone help me with this..

i am using squid-2.5.STABLE6-3.4E.12
with Red Hat Enterprise Linux WS (2.6.9-34.EL)

thank you in advance
jerrynikky.


[squid-users] Re: Yahoo Messenger cannot join room

2006-08-18 Thread ^_^ anonynmous ^_^

is there any solution for this ???

help me please...

On 8/18/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

I have the same problem here and it's not about logging in automatically.
Still haven't got a solution.
Quoting Rayudu Madhava <[EMAIL PROTECTED]>:

>
>
> > You have been sign out because you signed in on a
> > different computer or device
> >
>
> This normally happens when people allow their systems
> to login to ym automatically. They forget this and try
> to login to ym on some other system.
>
> Regards
>
> Rayudu
>
>
>


--
 Peter Collins Wasenda
 Network Administrator
 IT Division, Corporate Services
 Uganda Revenue Authority
 P.O. Box 7279, Kampala

 Tel: (041)334474,334535
 Mob: 0752-996477

---






[squid-users] help on external acl

2006-08-18 Thread Remy Almeida
Hi all
I have stored my network ips in mysql database.
Can some one give an example on the same?

Thanks in advance

Thanks & Regards,
Remy Almeida
NIO System Admin