Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)

2009-10-14 Thread Santhosh Kumar Gulla

Amos Jeffries wrote:

Santhosh Kumar Gulla wrote:

Dear All,

My setup is like this. I'm using dansguardian, squid, havp and I have 
two ISP connections. In squid.conf I have given:


acl mac arp '/etc/squid/mac'
tcp_outgoing_address w.x.y.z mac


So, when I'm using only squid, the mac ID's present in 
'/etc/squid/mac' are going through the IP w.x.y.z . But when I'm 
using dansguardian this rule is not working. It is going through 
default wan connection. Can anybody help me solve this problem.


Thanks & Regards,
Santy


Please read my earlier response about how MAC addresses change when 
going through a Squid and DG. The solution is not to use MAC for ACL 
or not to use DG.


Amos


Thanks for your valuable suggestion. Now I'm using IP address instead of 
MAC address. Now Dansguardian isn't giving the problem but at the same 
time I'm using havp also in my configuration. If I stop havp the 
tcp_outgoing_address is working and if I start havp again, it goes 
through the same default IP address.


My havp configuration is attached in a file and my squid havp 
parameters are defined below:



# HAVP Configuration Parameters

acl localhost src 127.0.0.2/255.255.255.255
http_port 127.0.0.2:8090
acl from_havp myport 8090

cache_peer 127.0.0.1 parent 8100 0 no-query no-digest no-netdb-exchange default
cache_peer 127.0.0.2 parent 3128 0 no-query no-digest no-netdb-exchange proxy-only

prefer_direct off

always_direct allow localhost
always_direct allow from_havp
always_direct allow CONNECT
never_direct allow all
cache_peer_access 127.0.0.2 allow from_havp
cache_peer_access 127.0.0.1 allow all
redirector_access deny from_havp
redirector_access allow all
header_access via deny all

If this configuration has to be modified kindly suggest.

Regards,
Santy



#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined NONE is specified.
# 
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#

# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration. :)
# Hint: You must enable some scanner! Find them in the end..
# REMOVETHISLINE deleteme

#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create user that is not
# used by any other program.
#
# Default:
USER clamav
GROUP clamav

# If this is true HAVP is running as daemon in background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true

#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
# PIDFILE /var/run/havp/havp.pid

#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom. For best
# performance, you should have atleast 1 CPU core per 16 processes.
#
# For single user home use, 8 should be minimum.
# For 500+ users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# More childs are automatically created when needed, up to MAXSERVERS.
#
# Default:
# SERVERNUMBER 8
# MAXSERVERS 100

#
# Files where to log requests and info/errors.
# Needs to have write permission for HAVP user.
#
# Default:
# ACCESSLOG /var/log/havp/access.log
# ERRORLOG /var/log/havp/havp.log

#
# Syslog can be used instead of logging to file.
# For facilities and levels, see man syslog.
#
# Default:
# USESYSLOG false
# SYSLOGNAME havp
# SYSLOGFACILITY daemon
# SYSLOGLEVEL info

#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
# LOG_OKS true

#
# Level of HAVP logging
#  0 = Only serious errors and information
#  1 = Less interesting information is included
#
# Default:
# LOGLEVEL 0

#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use -o mand in mount command.
# See man mount for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain XX.
# These characters are used by system to create unique named files.
#
# Default:
#SCANTEMPFILE /havp/havp/havp-XX
SCANTEMPFILE /var/spool/havp/havp-XX

#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
# TEMPDIR /var/tmp

#
# HAVP reloads scanners virus database by receiving a signal

Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)

2009-10-12 Thread Santhosh Kumar Gulla

Amos Jeffries wrote:

Santhosh Kumar Gulla wrote:

Dear All,

My setup is like this. I'm using dansguardian, squid, havp and I have 
two ISP connections. In squid.conf I have given:


acl mac arp '/etc/squid/mac'
tcp_outgoing_address w.x.y.z mac


So, when I'm using only squid, the mac ID's present in 
'/etc/squid/mac' are going through the IP w.x.y.z . But when I'm 
using dansguardian this rule is not working. It is going through 
default wan connection. Can anybody help me solve this problem.


Thanks & Regards,
Santy


Please read my earlier response about how MAC addresses change when 
going through a Squid and DG. The solution is not to use MAC for ACL 
or not to use DG.


Amos


Thanks for your valuable suggestion. Now I'm using IP address instead of 
MAC address. Now Dansguardian isn't giving the problem but at the same 
time I'm using havp also in my configuration. If I stop havp the 
tcp_outgoing_address is working and if I start havp again, it goes 
through the same default IP address.


My havp configuration is attached in a file and my squid havp 
parameters are defined below:



# HAVP Configuration Parameters

acl localhost src 127.0.0.2/255.255.255.255
http_port 127.0.0.2:8090
acl from_havp myport 8090

cache_peer 127.0.0.1 parent 8100 0 no-query no-digest no-netdb-exchange default
cache_peer 127.0.0.2 parent 3128 0 no-query no-digest no-netdb-exchange proxy-only

prefer_direct off

always_direct allow localhost
always_direct allow from_havp
always_direct allow CONNECT
never_direct allow all
cache_peer_access 127.0.0.2 allow from_havp
cache_peer_access 127.0.0.1 allow all
redirector_access deny from_havp
redirector_access allow all
header_access via deny all

If this configuration has to be modified kindly suggest.

Regards,
Santy




Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)

2009-09-13 Thread Amos Jeffries

Santhosh Kumar Gulla wrote:

Dear All,

My setup is like this. I'm using dansguardian, squid, havp and I have 
two ISP connections. In squid.conf I have given:


acl mac arp '/etc/squid/mac'
tcp_outgoing_address w.x.y.z mac


So, when I'm using only squid, the mac ID's present in '/etc/squid/mac' 
are going through the IP w.x.y.z . But when I'm using dansguardian this 
rule is not working. It is going through default wan connection. Can 
anybody help me solve this problem.


Thanks & Regards,
Santy


Please read my earlier response about how MAC addresses change when 
going through a Squid and DG. The solution is not to use MAC for ACL or 
not to use DG.


Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19
  Current Beta Squid 3.1.0.13


Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)

2009-09-09 Thread Amos Jeffries

Santhosh Kumar Gulla wrote:

Dear All,

My setup is like this. I'm using dansguardian, squid, havp and I have 
two ISP connections. In squid.conf I have given:


acl mac arp '/etc/squid/mac'
tcp_outgoing_address w.x.y.z mac


So, when I'm using only squid, the mac ID's present in '/etc/squid/mac' 
are going through the IP w.x.y.z . But when I'm using dansguardian this 
rule is not working. It is going through default wan connection. Can 
anybody help me solve this problem.


Not without a LOT more info about your setup, Squid, and operational 
needs and resources than you are likely to provide.


Please understand WHY this is happening...

DG plugs in between the client and Squid or Squid and the Internet.

Which means...

 DG will be the 'client' as far as Squid can tell - thus the MAC 
address will always 100% be the MAC of the DG host machine.


OR...

 Squid will always be connecting out to DG - thus Squid outgoing 
address is never contacting the Internet and so setting it means nothing.



This is one of the reasons why ARP / MAC is considered generally useless.

SOLUTION:  Try another ACL type.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
  Current Beta Squid 3.1.0.13
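
The two cases described in the reply above, as a small added model (not part of the thread and not Squid or DansGuardian code). All MACs and addresses are constructed; 203.0.113.10 stands in for w.x.y.z, and the assumption is that DansGuardian itself leaves via the default WAN address.

```python
"""Toy model of a proxy chain: each proxy's MAC ACL sees only its direct TCP peer.
All names, MACs and addresses are constructed; 203.0.113.10 stands in for w.x.y.z."""
from dataclasses import dataclass, field

@dataclass
class Proxy:
    name: str
    host_mac: str                 # MAC the next hop sees for this proxy's host
    default_addr: str             # outgoing address when no rule matches
    mac_rules: dict = field(default_factory=dict)  # peer MAC -> outgoing address

def trace(client_mac, chain):
    """Walk client -> proxies -> Internet.

    Returns (address the Internet sees, {proxy name: MAC that proxy matched on}).
    """
    seen, peer_mac, addr = {}, client_mac, None
    for proxy in chain:
        seen[proxy.name] = peer_mac
        # Like tcp_outgoing_address with an arp ACL: match on the direct peer only.
        addr = proxy.mac_rules.get(peer_mac, proxy.default_addr)
        peer_mac = proxy.host_mac   # the next hop sees this proxy, not the client
    return addr, seen               # only the last proxy's address leaves the site

CLIENT_MAC = "00:11:22:33:44:55"
ISP2, DEFAULT_WAN = "203.0.113.10", "198.51.100.10"

def make_squid():
    return Proxy("squid", "02:00:00:00:00:01", DEFAULT_WAN, {CLIENT_MAC: ISP2})

def make_dg():
    return Proxy("dansguardian", "02:00:00:00:00:02", DEFAULT_WAN)

def scenarios():
    return {
        "squid only": trace(CLIENT_MAC, [make_squid()]),
        "client -> DG -> squid": trace(CLIENT_MAC, [make_dg(), make_squid()]),
        "client -> squid -> DG": trace(CLIENT_MAC, [make_squid(), make_dg()]),
    }

if __name__ == "__main__":
    for name, (addr, seen) in scenarios().items():
        print(f"{name:24} egress={addr:15} matched-on={seen}")
```

In the third scenario Squid's rule does match the client MAC, but the address it selects is only used on the hop to DansGuardian, so the Internet still sees the default WAN address.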