RE: Squid with SquidGuard


On Thu, 2006-01-12 at 16:22 -0700, Brian Phillips wrote:
> What firewall rules do you have on the lo interface?
> 
> Iptables -L
> 

Brian + Squid List,

Sorry to take so long to get back to you...

Below is my iptables -L output: Please scroll down also to see the
output from debug_options. Sorry for such a large post...

[root@localhost mark]# /sbin/iptables -L
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            limit: avg
10/sec burst 5
TCPMSS     tcp  --  anywhere             anywhere            tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND   all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             192.168.123.0/24    state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             192.168.123.0/24    state
RELATED,ESTABLISHED
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level
info prefix `Unknown Forward'

Chain INBOUND (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  192.168.123.103      anywhere
ACCEPT     all  --  82-43-146-103.cable.ubr02.newm.blueyonder.co.uk
anywhere
ACCEPT     all  --  192.168.123.100      anywhere
ACCEPT     all  --  webcache-02-02.ld.th.ifl.net  anywhere
ACCEPT     all  --  217.177.220.65       anywhere
LSI        all  --  anywhere             anywhere

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  ns1-cro.blueyonder.net  anywhere            tcp
flags:!SYN,RST,ACK/SYN
ACCEPT     udp  --  ns1-cro.blueyonder.net  anywhere
ACCEPT     tcp  --  192.168.123.254      anywhere            tcp flags:!
SYN,RST,ACK/SYN
ACCEPT     udp  --  192.168.123.254      anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            limit: avg
10/sec burst 5
DROP       all  --  anywhere             255.255.255.255
DROP       all  --  anywhere             192.168.123.255
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state
INVALID
LSI        all  -f  anywhere             anywhere            limit: avg
10/min burst 5
INBOUND    all  --  anywhere             anywhere
INBOUND    all  --  anywhere             192.168.123.101
INBOUND    all  --  anywhere             192.168.123.101
INBOUND    all  --  anywhere             192.168.123.255
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level
info prefix `Unknown Input'

Chain LOG_FILTER (5 references)
target     prot opt source               destination

Chain LSI (2 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere            tcp
flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix
`Inbound '
DROP       tcp  --  anywhere             anywhere            tcp
flags:SYN,RST,ACK/SYN
LOG        tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix
`Inbound '
DROP       tcp  --  anywhere             anywhere            tcp
flags:FIN,SYN,RST,ACK/RST
LOG        icmp --  anywhere             anywhere            icmp
echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP       icmp --  anywhere             anywhere            icmp
echo-request
LOG        all  --  anywhere             anywhere            limit: avg
5/sec burst 5 LOG level info prefix `Inbound '
DROP       all  --  anywhere             anywhere

Chain LSO (0 references)
target     prot opt source               destination
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg
5/sec burst 5 LOG level info prefix `Outbound '
REJECT     all  --  anywhere             anywhere            reject-with
icmp-port-unreachable

Chain OUTBOUND (3 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state
RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.123.101      ns1-cro.blueyonder.net tcp
dpt:domain
ACCEPT     udp  --  192.168.123.101      ns1-cro.blueyonder.net udp
dpt:domain
ACCEPT     tcp  --  192.168.123.101      192.168.123.254     tcp
dpt:domain
ACCEPT     udp  --  192.168.123.101      192.168.123.254     udp
dpt:domain
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8
DROP       all  --  255.255.255.255      anywhere
DROP       all  --  anywhere             0.0.0.0
DROP       all  --  anywhere             anywhere            state
INVALID
OUTBOUND   all  --  anywhere             anywhere
OUTBOUND   all  --  anywhere             anywhere
LOG_FILTER  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level
info prefix `Unknown Output'
[root@localhost mark]#


On Thu, 2006-01-12 at 16:28 -0700, Brian Phillips wrote: 
> Also try setting
> 
> Debug_options ALL,1 61,9
> 
> And see what you see in cache.log
> 

Debug_options All,1 61,9 seemed to make no difference so I tried with
Debug_options All,9 and this is what I got:

2006/01/14 21:36:07| fd_open FD 4 /var/log/squid/cache.log
2006/01/14 21:36:07| Starting Squid Cache version 2.5.STABLE11 for
i386-redhat-linux-gnu...
2006/01/14 21:36:07| Process ID 12879
2006/01/14 21:36:07| With 1024 file descriptors available
2006/01/14 21:36:07| Initializing IP Cache...
2006/01/14 21:36:07| ipcache_init: Skipping DNS name lookup tests.
2006/01/14 21:36:07| cachemgrRegister: registered ipcache
2006/01/14 21:36:07| Initializing FQDN Cache...
2006/01/14 21:36:07| cachemgrRegister: registered fqdncache
2006/01/14 21:36:07| etc_hosts: line is '127.0.0.1
localhost.localdomain localhost
'
2006/01/14 21:36:07| etc_hosts: address is '127.0.0.1'
2006/01/14 21:36:07| etc_hosts: multiple spaces, skipping
2006/01/14 21:36:07| etc_hosts: got hostname 'localhost.localdomain'
2006/01/14 21:36:07| etc_hosts: got hostname 'localhost'
2006/01/14 21:36:07| comm_open: FD 5 is a new socket
2006/01/14 21:36:07| fd_open FD 5 DNS Socket
2006/01/14 21:36:07| comm_local_port: FD 5: port 33347
2006/01/14 21:36:07| DNS Socket created at 0.0.0.0, port 33347, FD 5
2006/01/14 21:36:07| Adding nameserver 62.30.112.39
from /etc/resolv.conf
2006/01/14 21:36:07| idnsAddNameserver: Added nameserver #0:
62.30.112.39
2006/01/14 21:36:07| Adding nameserver 192.168.123.254
from /etc/resolv.conf
2006/01/14 21:36:07| idnsAddNameserver: Added nameserver #1:
192.168.123.254
2006/01/14 21:36:07| cachemgrRegister: registered idns
2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard'
processes
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12881 called
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32992
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32991
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12882 called
2006/01/14 21:36:07| leave_suid: PID 12882 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32994
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32993
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12883 called
2006/01/14 21:36:07| leave_suid: PID 12883 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32996
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32995
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12884 called
2006/01/14 21:36:07| leave_suid: PID 12884 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32998
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32997
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12885 called
2006/01/14 21:36:07| leave_suid: PID 12885 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| cachemgrRegister: registered redirector
2006/01/14 21:36:07| authBasicConfigured: returning unconfigured
2006/01/14 21:36:07| eventAdd: Adding 'User Cache Maintenance', in
3600.000000 seconds
2006/01/14 21:36:07| cachemgrRegister: registered external_acl
2006/01/14 21:36:07| User-Agent logging is disabled.
2006/01/14 21:36:07| Referer logging is disabled.
2006/01/14 21:36:07| cachemgrRegister: registered http_headers
2006/01/14 21:36:07| file_open: FD 6
2006/01/14 21:36:07| fd_open FD
6 /usr/share/squid/errors/English/ERR_READ_TIMEOUT
2006/01/14 21:36:07| file_close: FD 6, really closing

+ More of the same...

Any clues?

I really appreciate your help...

Thanks again

Mark
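
Added example, not part of the original post: a small Python triage script for cache.log debug output like the excerpt above. It rejoins records that the mail client wrapped, then groups each helper launch attempt with its loopback ports, child PID and connect error; the sample log is a constructed, shortened excerpt in the post's format, and the function names are this example's own.

```python
import errno
import re

STAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\| ?")
# Constructed sample: shortened excerpt in the post's format, some mail wrapping kept.
SAMPLE_LOG = """\
2006/01/14 21:36:07| helperOpenServers: Starting 2 'squidGuard'
processes
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges
forever
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32992
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32991
2006/01/14 21:36:07| leave_suid: PID 12882 giving up root priveleges forever
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| WARNING: Cannot run '/usr/local/squidguard/bin/squidGuard' process.
"""

def unwrap(text):
    """Rejoin records that the mail client wrapped onto following lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line):
            records.append(STAMP.sub("", line, count=1))
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Group the records of each helper launch and report how it failed."""
    out = {"helper": None, "requested": 0, "failed": []}
    cur = {"ports": []}
    for rec in unwrap(text):
        if m := re.match(r"helperOpenServers: Starting (\d+) '([^']+)' processes", rec):
            out["requested"], out["helper"] = int(m[1]), m[2]
        elif m := re.match(r"ipcCreate: FD \d+ sockaddr \S+:(\d+)", rec):
            cur["ports"].append(int(m[1]))
        elif m := re.match(r"leave_suid: PID (\d+) giving up", rec):
            cur["pid"] = int(m[1])
        elif m := re.match(r"connect FD \d+: \((\d+)\) ", rec):
            cur["errno"] = errno.errorcode.get(int(m[1]), m[1])  # 13 -> EACCES
        elif m := re.match(r"WARNING: Cannot run '([^']+)' process", rec):
            out["failed"].append({**cur, "path": m[1]})  # close this attempt
            cur = {"ports": []}
    return out
```

Comparing `requested` with the length of `failed` shows whether every helper child failed to start, and the per-attempt `errno` shows whether they all failed the same way.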
