Thanks Tom for your help. But I would like to mention the fact that I tried these rules on a single test computer first. There they worked fine, or you can say I couldn't test as much as 100 users with all sorts of traffic needs can test! All problems, except a few, started after opening it for general users. In transparent proxy I had too many issues of net access breaking too often. But on non-transparent, at least for general users, internet is working fine.

I'll try to set up a test computer again and see if I can diagnose the problem with transparent mode.

thanks,
-Asim Ahmed

On Wed, Dec 16, 2009 at 3:02 AM, Tom Eastep <teas...@shorewall.net> wrote:
> Asim Ahmed Khan wrote:
> > hi,
> >
> > First I tried to run squid as transparent (interception) proxy; that
> > didn't work. Browsing and other internet usage became too
> > inconsistent. Too many break-ups were occurring and all of a sudden
> > browsing stopped and restarted after some time ranging from 30 seconds
> > to a few minutes. Hitting the F5 key numerous times opens up the page. I
> > used this rule from
> > http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall to
> > redirect traffic to squid on port 3128
> >
> > #ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
> > #                              PORT(S)  PORT(S)  DEST
> > ACCEPT    $FW     net   tcp    www
> > REDIRECT  loc     3128  tcp    www      -        -
> >
> > Now I am running in non-transparent mode. Browsing is working fine
> > but there are a few major problems I'm facing:
> >
> > 1. All users have to enter proxy settings in default browsers. Now
> > some applications don't have proxy settings and some don't work with
> > proxy servers. These applications are having great difficulty with
> > this new proxy setting, hence users are getting frustrated.
> >
> > 2. Ideally squid should only interfere with port 80 traffic and the rest
> > of the traffic should be handled by shorewall as before, but it seems
> > like this is not happening.
>
> Nonsense. But there *are* sites that simply don't work with transparent
> proxying; the Sun VirtualBox registration site is one that I've run into.
>
> > I am using these rules as mentioned in the following link
> > http://www.shorewall.net/Shorewall_Squid_Usage.html#Firewall with
> > non-transparent proxy in my rules file:
> >
> > Squid as a Manual Proxy
> >
> > /etc/shorewall/rules:
> >
> > #ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
> > ACCEPT   loc     $FW   tcp    3128
> > ACCEPT   $FW     net   tcp    80
> >
> > Now I have two questions; if anyone can answer, it might help me:
>
> I count five questions... :-)
>
> > Q-1 -> Is the placement of both rules above (transparent /
> > non-transparent) in the rules file significant? I am placing these
> > rules on the first line in the rules file right now in both cases.
>
> Entries in the rules file are based on first-match. So the first
> terminating rule (and both ACCEPT and REDIRECT are terminating)
> determines the disposition of the connection.
>
> > Q-2 -> Do I need to modify any other shorewall file if I install
> > squid on the same machine (firewall) as shorewall?
>
> This is covered in the Shorewall Squid documentation; if there
> were more files to modify, we would mention them in the documentation.
>
> > Q-3 -> What do I need to do to let https traffic go through the proxy as
> > well? If I modify the rule in the 2nd line as 80,443 and check squid
> > access.log, TCP_DENIED shows up although SSL_Ports & Safe_Ports are
> > both allowed access explicitly in squid.
>
> As detailed in the Shorewall Squid documentation (and many other places
> on the web), you *cannot* transparently proxy HTTPS.
>
> > Q-4: If I have a link to access as (apology for being so kinky, but I'm
> > exhausted by config fixes b/w shorewall & squid) as
> >
> > https://64.50.169.94:20098 Where should this traffic go, to shorewall
> > or squid (in case the 2nd line reads as 80,443)
>
> All traffic goes through the Shorewall-configured firewall rules. It
> depends on whether you have configured an HTTPS manual proxy whether
> squid will handle the request or if it is simply routed to 64.50.169.94.
>
> > http://w.x.y.z:8080 where should this traffic go
> > provided that squid is listening for port 80 traffic (http). Does
> > port 8080 in the URL change its traffic type from http (port 80)?
>
> No -- it is still HTTP. But it changes the port that is opened. So your
> REDIRECT rule for port 80 will not redirect traffic to 8080.
>
> > Q-5 -> Do I need to set up something in squid to let people use a
> > code repository running on a remote server with a URL like
> > http://w.x.y.z:8080/ requiring users to authenticate to access code?
>
> I have no idea how to allow access to port 8080 through Squid. You will
> have to ask the Squid folks about that.
>
> > I see requests going through but returned with TCP_MISS/401
> > (Unauthorized) and users get an error message on the application interface
> > as "you are not authorized to access this server". Users give the correct
> > username/pwd in the box that appears for authentication.
>
> One more word of advice -- when you are testing, be sure to check the
> configuration of your browser; double check it! It is easy to forget
> that and you will end up drawing completely wrong conclusions about your
> tests if you think that you don't have a manual proxy configured but you
> do, and vice versa.
>
> Also note that you can set up both squid and Shorewall to act on traffic
> from a single test computer. So you can do your testing without annoying
> your users any more than you already have.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________

--
Regards,
Asim Ahmed Khan
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
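A small first-match evaluator for the rules-file lines quoted in this thread, added here as an illustration of Tom's point about rule order and the port 8080 case (it is not Tom's code or the Shorewall project's own parser); the zone names, the service-name table and the simplified REDIRECT handling are assumptions:

```python
# Constructed example: evaluate Shorewall-style rules lines with first-match
# semantics, the way the thread describes (first terminating rule wins).
from typing import Optional

TERMINATING = {"ACCEPT", "REDIRECT", "DROP", "REJECT"}
SERVICES = {"www": 80, "http": 80, "https": 443}   # tiny stand-in for /etc/services


def parse_rules(text: str) -> list:
    """Parse '#ACTION SOURCE DEST PROTO DEST PORT(S)' columns; '-' means any."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments / header lines
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))            # pad short lines
        action, src, dest, proto, dports = cols[:5]
        ports = set()
        if dports != "-":
            for p in dports.split(","):            # e.g. "80,443" or "www"
                ports.add(int(p) if p.isdigit() else SERVICES[p.lower()])
        rules.append({"action": action, "src": src, "dest": dest,
                      "proto": proto.lower(), "ports": ports})
    return rules


def first_match(rules, src_zone, dest_zone, proto, dport) -> Optional[str]:
    """Disposition of the first terminating rule that matches; None = policy applies."""
    for r in rules:
        if r["src"] not in ("-", src_zone):
            continue
        if r["action"] == "REDIRECT":
            # For REDIRECT the DEST column is the firewall port to send the
            # connection to (assumption: any destination zone except $FW).
            if dest_zone == "$FW":
                continue
        elif r["dest"] not in ("-", dest_zone):
            continue
        if r["proto"] not in ("-", proto) or (r["ports"] and dport not in r["ports"]):
            continue
        if r["action"] in TERMINATING:
            return f"REDIRECT -> $FW:{r['dest']}" if r["action"] == "REDIRECT" else r["action"]
    return None


# The transparent-proxy lines from the thread, verbatim (header lines are comments).
TRANSPARENT = """
#ACTION   SOURCE  DEST  PROTO  DEST     SOURCE   ORIGINAL
#                              PORT(S)  PORT(S)  DEST
ACCEPT    $FW     net   tcp    www
REDIRECT  loc     3128  tcp    www      -        -
"""
```

Evaluating `loc -> net tcp 80` against `TRANSPARENT` yields the redirect to 3128, while `tcp 8080` matches nothing and falls through to the zone policy; putting an `ACCEPT loc net tcp www` line ahead of the REDIRECT makes the REDIRECT unreachable.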