Search squid archive

Re: squid intercept config

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good.

I don't see any 80 port listens.

This is root of problem.

PF does not work.

05.03.15 23:59, Monah Baki пишет:
> On 10.0.0.24
> 
> root@ISN-PHC-CACHE:/home/support # netstat -an Active Internet
> connections (including servers) Proto Recv-Q Send-Q Local Address
> Foreign Address        (state) tcp4       0     52 10.0.0.24.22
> 96.255.8.226.50911 ESTABLISHED tcp4       0      0 *.3129
> *.*                    LISTEN tcp4       0      0 *.3128
> *.*                    LISTEN tcp4       0      0 *.81
> *.*                    LISTEN tcp6       0      0 *.81
> *.*                    LISTEN tcp4       0      0 *.22
> *.*                    LISTEN tcp6       0      0 *.22
> *.*                    LISTEN tcp6       0      0 ::1.562
> ::1.40066 ESTABLISHED tcp6       0      0 ::1.40066
> ::1.562 ESTABLISHED tcp6       0      0 *.561                  *.*
> LISTEN tcp6       0      0 *.562                  *.*
> LISTEN tcp4       0      0 *.199                  *.*
> LISTEN tcp4       0      0 *.10000                *.*
> LISTEN udp4       0      0 *.3401                 *.* udp4       0
> 0 *.34985                *.* udp4       0      0 *.*
> *.* udp4       0      0 *.161                  *.* udp4       0
> 0 *.162                  *.* udp4       0      0 *.10000
> *.* udp4       0      0 127.0.0.1.123          *.* udp6       0
> 0 fe80::1%lo0.123        *.* udp6       0      0 ::1.123
> *.* udp4       0      0 10.0.0.24.123          *.* udp6       0
> 0 *.123                  *.* udp4       0      0 *.123
> *.* udp4       0      0 *.514                  *.* udp6       0
> 0 *.514                  *.*
> 
> 
> 
> On Thu, Mar 5, 2015 at 12:12 PM, Yuri Voinov <yvoinov@xxxxxxxxx>
> wrote:
> 
> - From your PC run telnet 10.0.0.24 80. You've seen if TCP socket
> opens.
> 
> 05.03.15 23:10, Monah Baki пишет:
>>>> How can I confirm, I have access only to the BSD box
>>>> 
>>>> Thanks
>>>> 
>>>> On Thu, Mar 5, 2015 at 11:12 AM, Yuri Voinov
>>>> <yvoinov@xxxxxxxxx> wrote:
>>>> 
>>>> Does 80 port outside BSD-box listens?
>>>> 
>>>> 05.03.15 21:25, Monah Baki пишет:
>>>>>>> root@ISN-PHC-CACHE:/cache/squid/bin # tcpdump -n -e
>>>>>>> -ttt -i pflog0 tcpdump: WARNING: pflog0: no IPv4
>>>>>>> address assigned tcpdump: verbose output suppressed,
>>>>>>> use -v or -vv for full protocol decode listening on
>>>>>>> pflog0, link-type PFLOG (OpenBSD pflog file), capture
>>>>>>> size 65535 bytes capability mode sandbox enabled
>>>>>>> 00:00:00.000000 rule 0..16777216/0(match): pass in on 
>>>>>>> bge0: 10.0.0.106.5678
>>>>>>>> 255.255.255.255.5678: UDP, length 88
>>>>>>> 00:00:08.342860 rule 0..16777216/0(match): pass in on
>>>>>>> bge0: 10.0.0.14.54264
>>>>>>>> 10.0.0.24.22: Flags [S], seq 3823043622, win 8192,
>>>>>>>> options [mss
>>>>>>> 1460,nop,wscale 2,nop,nop,sackOK], length 0
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On Thu, Mar 5, 2015 at 10:20 AM, Yuri Voinov 
>>>>>>> <yvoinov@xxxxxxxxx> wrote:
>>>>>>> 
>>>>>>> Hm. No.
>>>>>>> 
>>>>>>> We not checked only OS.
>>>>>>> 
>>>>>>> Does your BSD really loads PF module?
>>>>>>> 
>>>>>>> 05.03.15 21:16, Monah Baki пишет:
>>>>>>>>>> Not sure why the client is running old hard/soft
>>>>>>>>>> ware, could it be cause of the hardware? Is
>>>>>>>>>> FreeBSD an issue, should I switch to linux?
>>>>>>>>>> 
>>>>>>>>>> On Thu, Mar 5, 2015 at 10:14 AM, Yuri Voinov 
>>>>>>>>>> <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>> 
>>>>>>>>>> Wow, 7600!
>>>>>>>>>> 
>>>>>>>>>> But why is so antique iOS?! Current is 15.4
>>>>>>>>>> 
>>>>>>>>>> 05.03.15 21:09, Monah Baki пишет:
>>>>>>>>>>>>> PORT   STATE SERVICE VERSION 23/tcp open
>>>>>>>>>>>>> telnet Cisco IOS telnetd MAC Address:
>>>>>>>>>>>>> 88:5A:92:63:77:81 (Cisco) Device type:
>>>>>>>>>>>>> router Running: Cisco IOS 12.X OS CPE:
>>>>>>>>>>>>> cpe:/h:cisco:7600_router 
>>>>>>>>>>>>> cpe:/o:cisco:ios:12.2 OS details: Cisco
>>>>>>>>>>>>> 7600 router (IOS 12.2) Network Distance: 1
>>>>>>>>>>>>> hop TCP Sequence Prediction: Difficulty=258
>>>>>>>>>>>>> (Good luck!) IP ID Sequence Generation:
>>>>>>>>>>>>> Randomized Service Info: OS: IOS; Device:
>>>>>>>>>>>>> switch; CPE: cpe:/o:cisco:ios
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Thu, Mar 5, 2015 at 9:31 AM, Yuri
>>>>>>>>>>>>> Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> What is Cisco model and iOS version?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 05.03.15 20:25, Monah Baki пишет:
>>>>>>>>>>>>>>>> Yes, correct
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On Thu, Mar 5, 2015 at 9:23 AM, Yuri 
>>>>>>>>>>>>>>>> Voinov <yvoinov@xxxxxxxxx> wrote:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 10.0.0.23 is your host? And 10.0.0.24
>>>>>>>>>>>>>>>> is proxy box?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 05.03.15 20:15, Monah Baki пишет:
>>>>>>>>>>>>>>>>>>> '--prefix=/cache/squid' 
>>>>>>>>>>>>>>>>>>> '--enable-follow-x-forwarded-for'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 
'--with-large-files' '--enable-ssl'
>>>>>>>>>>>>>>>>>>> '--disable-ipv6'
>>>>>>>>>>>>>>>>>>> '--enable-esi' 
>>>>>>>>>>>>>>>>>>> '--enable-kill-parent-hack' 
>>>>>>>>>>>>>>>>>>> '--enable-snmp'
>>>>>>>>>>>>>>>>>>> '--with-pthreads' 
>>>>>>>>>>>>>>>>>>> '--with-filedescriptors=65535' 
>>>>>>>>>>>>>>>>>>> '--enable-cachemgr-hostname=hostname'
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>>>> 
'--enable-storeio=ufs,aufs,diskd,rock'
>>>>>>>>>>>>>>>>>>> '--enable-ipfw-transparent' 
>>>>>>>>>>>>>>>>>>> '--enable-pf-transparent' 
>>>>>>>>>>>>>>>>>>> '--with-nat-devpf' 
>>>>>>>>>>>>>>>>>>> --enable-ltdl-convenience
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> On Thu, Mar 5, 2015 at 9:14 AM,
>>>>>>>>>>>>>>>>>>> Yuri Voinov <yvoinov@xxxxxxxxx>
>>>>>>>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> This looking good too.
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> Stupid question:
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> With witch interception option
>>>>>>>>>>>>>>>>>>> squid builed?
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> I.e, squid -v?
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 05.03.15 18:19, Monah Baki
>>>>>>>>>>>>>>>>>>> пишет:
>>>>>>>>>>>>>>>>>>>>>> Hi all, can anyone verify
>>>>>>>>>>>>>>>>>>>>>> if this is correct, need
>>>>>>>>>>>>>>>>>>>>>> to make ure that users
>>>>>>>>>>>>>>>>>>>>>> will be able to access
>>>>>>>>>>>>>>>>>>>>>> the internet via the 
>>>>>>>>>>>>>>>>>>>>>> squid.
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Running FreeBSD with a
>>>>>>>>>>>>>>>>>>>>>> single interface with
>>>>>>>>>>>>>>>>>>>>>> Squid-3.5.2
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Policy based routing on
>>>>>>>>>>>>>>>>>>>>>> Cisco with the
>>>>>>>>>>>>>>>>>>>>>> following:
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> interface 
>>>>>>>>>>>>>>>>>>>>>> GigabitEthernet0/0/1.1
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> encapsulation dot1Q 1
>>>>>>>>>>>>>>>>>>>>>> native
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> ip address 10.0.0.9 
>>>>>>>>>>>>>>>>>>>>>> 255.255.255.0
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> no ip redirects
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> no ip unreachables
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> ip nat inside
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> standby 1 ip 10.0.0.10
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> standby 1 priority 120
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> standby 1 preempt
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> standby 1 name HSRP
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> ip policy route-map
>>>>>>>>>>>>>>>>>>>>>> CFLOW
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> ip access-list extended 
>>>>>>>>>>>>>>>>>>>>>> REDIRECT
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> deny   tcp host 10.0.0.24
>>>>>>>>>>>>>>>>>>>>>> any eq www
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> permit tcp host 10.0.0.23
>>>>>>>>>>>>>>>>>>>>>> any eq www
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> route-map CFLOW permit
>>>>>>>>>>>>>>>>>>>>>> 10
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> match ip address REDIRECT
>>>>>>>>>>>>>>>>>>>>>> set ip next-hop
>>>>>>>>>>>>>>>>>>>>>> 10.0.0.24
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> In my /etc/pf.conf rdr
>>>>>>>>>>>>>>>>>>>>>> pass inet proto tcp from
>>>>>>>>>>>>>>>>>>>>>> 10.0.0.0/8 to any port 80
>>>>>>>>>>>>>>>>>>>>>> -> 10.0.0.24 port 3129
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> # block in pass in log
>>>>>>>>>>>>>>>>>>>>>> quick on bge0 pass out
>>>>>>>>>>>>>>>>>>>>>> log quick on bge0 pass
>>>>>>>>>>>>>>>>>>>>>> out keep state
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> and finally in my
>>>>>>>>>>>>>>>>>>>>>> squid.conf: http_port
>>>>>>>>>>>>>>>>>>>>>> 3128 http_port 3129 
>>>>>>>>>>>>>>>>>>>>>> intercept
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> And for testing purposes
>>>>>>>>>>>>>>>>>>>>>> from the squid server:
>>>>>>>>>>>>>>>>>>>>>> ./squidclient -h
>>>>>>>>>>>>>>>>>>>>>> 10.0.0.24 -p 3128 
>>>>>>>>>>>>>>>>>>>>>> http://www.freebsd.org/
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> If I replace -p 3128 with
>>>>>>>>>>>>>>>>>>>>>> -p 80, I get a access
>>>>>>>>>>>>>>>>>>>>>> denied, and if I omit the
>>>>>>>>>>>>>>>>>>>>>> -p 3128 completely, I can
>>>>>>>>>>>>>>>>>>>>>> access the websites.
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> tcpdump with (-p 3128)
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 13:15:02.681106 IP 
>>>>>>>>>>>>>>>>>>>>>> ISN-PHC-CACHE.44017 > 
>>>>>>>>>>>>>>>>>>>>>> wfe0.ysv.freebsd.org.http:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> 
Flags [.], ack 17377, win 1018,
>>>>>>>>>>>>>>>>>>>>>> options [nop,nop,TS val 
>>>>>>>>>>>>>>>>>>>>>> 985588797 ecr
>>>>>>>>>>>>>>>>>>>>>> 1054387720], length 0
>>>>>>>>>>>>>>>>>>>>>> 13:15:02.681421 IP 
>>>>>>>>>>>>>>>>>>>>>> wfe0.ysv.freebsd.org.http
>>>>>>>>>>>>>>>>>>>>>> > ISN-PHC-CACHE.44017:
>>>>>>>>>>>>>>>>>>>>>> Flags [.], seq
>>>>>>>>>>>>>>>>>>>>>> 17377:18825, ack 289,
>>>>>>>>>>>>>>>>>>>>>> win 1040, options
>>>>>>>>>>>>>>>>>>>>>> [nop,nop,TS val 
>>>>>>>>>>>>>>>>>>>>>> 1054387720 ecr
>>>>>>>>>>>>>>>>>>>>>> 985588501], length 1448
>>>>>>>>>>>>>>>>>>>>>> 13:15:02.681575 IP 
>>>>>>>>>>>>>>>>>>>>>> wfe0.ysv.freebsd.org.http
>>>>>>>>>>>>>>>>>>>>>> > ISN-PHC-CACHE.44017:
>>>>>>>>>>>>>>>>>>>>>> Flags [.], seq
>>>>>>>>>>>>>>>>>>>>>> 18825:20273, ack 289,
>>>>>>>>>>>>>>>>>>>>>> win 1040, options
>>>>>>>>>>>>>>>>>>>>>> [nop,nop,TS val 
>>>>>>>>>>>>>>>>>>>>>> 1054387720 ecr
>>>>>>>>>>>>>>>>>>>>>> 985588501], length 1448
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Did I miss anything?
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> Thanks Monah
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>
>>>>>>>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>>>>>>> 
squid-users mailing list
>>>>>>>>>>>>>>>>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>
>>>>>>>>>>>>>>>>>>>>>> 
http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>>>>> 
>>>>>>>>>>>>>>>>>>>>>> 
>>>> _______________________________________________
>>>>>>>>>>>>>>>>>>>> squid-users mailing list 
>>>>>>>>>>>>>>>>>>>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> 
http://lists.squid-cache.org/listinfo/squid-users
>>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>> 
>>>> 
>> 
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU+JnwAAoJENNXIZxhPexGZyAIALntLpMhoacCb/BEpimuJtq/
9lddOw02qrA9imxJvXfGRmqz5cosbecQcCAeZoXaY2XRtvWF0jM5y+GgeHeLDnjA
3n0mXORBS9LkWNgaOmP6CTyvs4InDEHJExk1SPF1su+4bvDUXwv5XuCJEQERDy3E
r80/p4bmtNTg4WR30abxICBIzffDodzAVg81wt5IvDrkKUdX6c5CYt25ASDBFqIU
gJOKMcAFgUgeyQzjrnTxNt+wxDGLRoIGXitYPy1h+EZ+XnNfrUDxx3DFfoFXmZyQ
P/IPE3XbBZXkRw1sDBnz2jgZddUBknqsGgl1o5Bl8UiLtSPqEDQrLD003GB8krI=
=TnLr
-----END PGP SIGNATURE-----
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users





[Index of Archives]     [Linux Audio Users]     [Samba]     [Big List of Linux Books]     [Linux USB]     [Yosemite News]

  Powered by Linux