Asim Ahmed Khan wrote:
> Yes, I believe that it is true what you are saying. I really suspect the
> glitch is somewhere around the rule that redirects traffic to squid in
> transparent mode.
Then there is nothing more that I can do to help you, because your
configuration is correct. I'll repeat one more time -- if the rule
redirects one request from the loc zone to tcp port 80, then it will
redirect all requests. There is nothing that can cause the rule to work
on some requests and to then fail for 30 seconds to several minutes.
>
> Apologies for repeating, but just confirm once more that my settings for
> redirecting traffic were correct. This is the first rule in the rules file.
> After that I have rules for handling other types of traffic.
>
> ###########################################
> # REDIRECTING PORT 80 TRAFFIC TO SQUID
> ###########################################
> ACCEPT $FW net tcp 80
> REDIRECT loc 4044 tcp 80
Those rules are correct assuming that you have configured Squid to be a
transparent proxy listening on port 4044. In squid.conf:
http_port 4044 transparent
It also assumes that your Squid ACLs are correct.
> This is my policy file
> #SOURCE DEST POLICY LOG LIMIT:BURST
> #
> #all all ACCEPT
> net fw ACCEPT
That's a foolish policy.
> fw net ACCEPT
That policy makes your first ACCEPT rule above unnecessary.
> fw loc ACCEPT
> loc fw ACCEPT
> loc net REJECT
> net loc REJECT
> all all REJECT
I recommend that you specify a LOG level on those REJECT policies. That
way, you will KNOW when the Shorewall-configured ruleset rejects a
connection request.
> #LAST LINE -- DO NOT REMOVE
The only thing that could possibly shed any more light on this would be
the output of 'shorewall dump' collected while users are having issues
with transparent proxy.
One other suggestion; go back in your kernel logs to time periods when
users were experiencing issues. Look for any unusual messages,
especially those having to do with 'conntrack'.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
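The two checks Tom suggests (put a LOG level on the REJECT policies so rejections actually show up, then read the kernel log from the outage window for Shorewall and conntrack messages) as an added example, not Tom's or Shorewall's own code. It is a POSIX shell script that flags REJECT/DROP policies with an empty LOG column and the net-sourced ACCEPT policy, then triages a kernel log excerpt. The policy file and log lines are constructed for the example; the `Shorewall:loc2net:REJECT:` prefix is Shorewall's default LOGFORMAT and `nf_conntrack: table full, dropping packet` is the kernel's message when the connection-tracking table overflows. The zone names, addresses and timestamps are made up.

```shell
#!/bin/sh
# Added example for this thread (not Tom's or Shorewall's own code).
# It checks the two things the reply points at: whether the REJECT/DROP
# policies carry a LOG level at all, and what the kernel log shows during
# an outage (Shorewall REJECT entries and conntrack messages).
# Everything below is constructed sample data; the "Shorewall:loc2net:REJECT:"
# prefix is Shorewall's default LOGFORMAT and "nf_conntrack: table full,
# dropping packet" is the kernel's message when the conntrack table overflows.

# Constructed copy of the policy file from the thread, with a LOG level added
# on only one of the REJECT lines so the check has something to report.
SAMPLE_POLICY=$(cat <<'EOF'
#SOURCE DEST POLICY LOG LIMIT:BURST
net fw ACCEPT
fw net ACCEPT
fw loc ACCEPT
loc fw ACCEPT
loc net REJECT info
net loc REJECT
all all REJECT
#LAST LINE -- DO NOT REMOVE
EOF
)

# Constructed kernel log excerpt from an outage window.
SAMPLE_LOG=$(cat <<'EOF'
Jan 12 10:01:03 gw kernel: nf_conntrack: table full, dropping packet
Jan 12 10:01:05 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=80
Jan 12 10:01:09 gw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22
Jan 12 10:01:11 gw kernel: nf_conntrack: table full, dropping packet
Jan 12 10:02:40 gw kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=93.184.216.34 PROTO=TCP SPT=51240 DPT=443
EOF
)

# Print "SOURCE DEST" for each REJECT/DROP policy whose LOG column (4th) is
# empty: rejections under those policies never reach the kernel log.
unlogged_reject_policies() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        ($3 == "REJECT" || $3 == "DROP") && NF < 4 { print $1, $2 }'
}

# Print "SOURCE DEST" for ACCEPT policies whose source is the net zone, the
# policy Tom calls foolish: it lets anything from the Internet reach the box.
net_accept_policies() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "net" && $3 == "ACCEPT" { print $1, $2 }'
}

# Count conntrack-table-overflow messages. New connections are dropped before
# any rule is consulted, which looks exactly like a rule that "stops working"
# for a while and then recovers.
count_conntrack_full() {
    printf '%s\n' "$1" | grep -c 'conntrack: table full' || :
}

# Count Shorewall REJECT entries for any zone pair.
count_shorewall_rejects() {
    printf '%s\n' "$1" | grep -c 'Shorewall:[^:]*2[^:]*:REJECT:' || :
}

# Print SRC of each loc->net REJECT for tcp/80. A matching REDIRECT rule would
# have sent these to Squid before the loc->net policy, so any hit here is a
# request that escaped the redirect.
loc_port80_rejects() {
    printf '%s\n' "$1" \
        | grep 'Shorewall:loc2net:REJECT:' \
        | grep 'PROTO=TCP' \
        | grep -E 'DPT=80( |$)' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
}

main() {
    echo "REJECT/DROP policies without a LOG level:"
    unlogged_reject_policies "$SAMPLE_POLICY" | sed 's/^/  /'
    echo "ACCEPT policies from net:"
    net_accept_policies "$SAMPLE_POLICY" | sed 's/^/  /'
    echo "conntrack table-full messages: $(count_conntrack_full "$SAMPLE_LOG")"
    echo "Shorewall REJECT entries:      $(count_shorewall_rejects "$SAMPLE_LOG")"
    echo "loc->net tcp/80 rejected from:"
    loc_port80_rejects "$SAMPLE_LOG" | sed 's/^/  /'
}
main
```

On a real box you would feed `/etc/shorewall/policy` and the relevant slice of `/var/log/kern.log` (or `dmesg`) to the functions instead of the constructed strings. Two conntrack overflows in a minute is the kind of thing that makes a redirect look intermittent, and a loc->net tcp/80 reject with the REDIRECT rule in place is the one log line that would actually contradict Tom's point that the rule either always matches or never does.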
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
