LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 11-22-2007, 05:15 PM   #1
a2vr6
Member
 
Registered: Aug 2006
Posts: 46

Rep: Reputation: 15
Trouble with torrent connections after configuring Squid


I just installed Squid (RHEL 5) in a VMware VM running on a Win 2k3 host box. Everything seems to be running fine except that when I set up a proxy in BitComet I can't seem to get any connections when trying to download torrents. I know by default the following ACLs are open:

acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT

I looked at the access.log file and I see a bunch of TCP_DENIED entries for ports in the 14XX range. Is there something else I am missing? I can browse fine via IE or Firefox.
 
Old 11-22-2007, 08:47 PM   #2
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Can you post a few TCP_DENIED samples from the log?
 
Old 11-22-2007, 10:09 PM   #3
a2vr6
Member
 
Registered: Aug 2006
Posts: 46

Original Poster
Rep: Reputation: 15
Here is a screenshot:

http://farm3.static.flickr.com/2072/...bd5b0e.jpg?v=0
 
Old 11-22-2007, 11:02 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
In the future, please copy/paste the text into the thread using code tags instead of linking a screenshot. It makes it easier to analyze output and it makes your post much more useful to people who are trying to find help with the same issue on a search engine. That said, your TCP_DENIEDs are all CONNECTs. Very likely you'll just need to either tweak the http_access rule for the CONNECT method or create some new ACLs. By default, Squid only allows CONNECT for the SSL_ports ACL.

EDIT: Keep in mind that there are good reasons why Squid by default only allows CONNECT on SSL_ports. Only allow CONNECTs to other ports if it's absolutely necessary/critical (your screenshot makes it look like this isn't the case considering it's mostly torrent sites) and you understand that clients will be able to tunnel through the proxy on those ports. So try to make the new ACLs as specific as possible if you do decide to proceed.

Last edited by win32sux; 11-22-2007 at 11:16 PM.
 
Old 11-23-2007, 12:07 AM   #5
a2vr6
Member
 
Registered: Aug 2006
Posts: 46

Original Poster
Rep: Reputation: 15
The thing is, there are other ACLs besides the ones for SSL ports. My first post has a list of my current ACLs.
 
Old 11-23-2007, 01:35 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Yeah, but of all those ACLs only the SSL_ports one is allowed to use the CONNECT method (by default).

There should be a line like this in your squid.conf:
Code:
http_access deny CONNECT !SSL_ports
That rule denies use of the CONNECT method for anything that doesn't match the SSL_ports ACL. What you need to do in order to allow CONNECT for other ports/addresses/whatever is create your own ACL (or modify the SSL_ports ACL - not recommended). For example, to stop TCP_DENIEDs such as the first one for a CONNECT which appears in your screenshot you could do something like:
Code:
acl filehash-domain dstdomain .torrent-filehash.bitcomet.org
acl filehash-port port 8880
http_access allow CONNECT filehash-domain filehash-port
EDIT: Of course, this http_access would need to be placed above Squid's default CONNECT one.

Last edited by win32sux; 11-23-2007 at 02:10 AM.
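The following is an added example, not code from the thread or from the Squid project: a small Python model of Squid's http_access evaluation (first matching line wins, `!` negates a term, several terms on one line are ANDed, and when nothing matches the result is the opposite of the last line). It is run over a few constructed access.log lines in Squid's native format, so it also produces the TCP_DENIED summary asked for in post #2. The ACL names and the bitcomet.org domain and port 8880 come from post #6; the client address 192.168.1.10, the 192.168.1.0/24 client network, tracker.example.net, and ports 1422 and 2222 are assumptions made up for the example.

```python
"""Added example (not code from the thread): a minimal model of Squid's http_access
evaluation over constructed access.log lines. Hosts, ports and the 192.168.1.0/24
client range are assumptions."""
import ipaddress
import re
from collections import namedtuple

# Constructed access.log lines (Squid native format); only CONNECT is modelled.
ACCESS_LOG = """\
1195773300.123   0 192.168.1.10 TCP_DENIED/403 1585 CONNECT torrent-filehash.bitcomet.org:8880 - NONE/- text/html
1195773301.456   0 192.168.1.10 TCP_DENIED/403 1585 CONNECT tracker.example.net:1422 - NONE/- text/html
1195773302.789   0 192.168.1.10 TCP_DENIED/403 1585 CONNECT torrent-filehash.bitcomet.org:2222 - NONE/- text/html
1195773303.012 214 192.168.1.10 TCP_MISS/200 4321 CONNECT www.example.com:443 - DIRECT/192.0.2.10 -
"""
LOG_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+(\S+)/\d+\s+\d+\s+(\S+)\s+(\S+)")
Request = namedtuple("Request", "client method host port")

def parse_access_log(text):
    """Return (squid_action, Request) for each CONNECT line; the target is host:port."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3) == "CONNECT":
            client, action, method, url = m.groups()
            host, _, port = url.rpartition(":")
            entries.append((action, Request(client, method, host, int(port))))
    return entries

def parse_ports(tokens):   # single ports and ranges such as 1025-65535
    return {p for tok in tokens for lo, _, hi in [tok.partition("-")]
            for p in range(int(lo), int(hi or lo) + 1)}

class SquidAccess:
    """acl + http_access lines for the types used in the thread (port, method, dstdomain) and src."""
    def __init__(self, conf):
        self.acls, self.rules = {}, []   # name -> (type, values); (allow, [(negated, name)])
        for raw in conf.splitlines():
            words = raw.split("#", 1)[0].split()
            if words[:1] == ["acl"]:
                name, typ, vals = words[1], words[2], words[3:]
                _, cur = self.acls.get(name, (typ, set()))
                self.acls[name] = (typ, cur | (parse_ports(vals) if typ == "port" else set(vals)))
            elif words[:1] == ["http_access"]:
                self.rules.append((words[1] == "allow",
                                   [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))

    def matches(self, name, req):
        typ, values = self.acls[name]
        if typ == "port":
            return req.port in values
        if typ == "method":
            return req.method in values
        if typ == "dstdomain":   # a leading dot matches the domain and all its subdomains
            return any(req.host == d.lstrip(".") or (d[0] == "." and req.host.endswith(d))
                       for d in values)
        ip = ipaddress.ip_address(req.client)   # src
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)

    def decide(self, req):
        """Squid semantics: the first http_access line whose terms all match wins;
        if no line matches, the result is the opposite of the last line."""
        for allow, terms in self.rules:
            if all(self.matches(name, req) != negated for negated, name in terms):
                return "allow" if allow else "deny"
        return "deny" if self.rules[-1][0] else "allow"

# Squid 2.x-style defaults trimmed to the relevant lines, plus the two ACLs from post #6.
BASE = """
acl localnet src 192.168.1.0/24
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl filehash-domain dstdomain .torrent-filehash.bitcomet.org
acl filehash-port port 8880
http_access deny !Safe_ports
"""
ALLOW_FILEHASH = "http_access allow CONNECT filehash-domain filehash-port\n"
DENY_CONNECT = "http_access deny CONNECT !SSL_ports\n"
TAIL = "http_access allow localnet\n"   # implicit default after this line: deny
CONFIGS = {
    "default": BASE + DENY_CONNECT + TAIL,
    "fixed": BASE + ALLOW_FILEHASH + DENY_CONNECT + TAIL,      # allow placed above the deny
    "misordered": BASE + DENY_CONNECT + ALLOW_FILEHASH + TAIL,  # allow is never reached
}

def decisions(conf_name, log=ACCESS_LOG):
    return [SquidAccess(CONFIGS[conf_name]).decide(req) for _, req in parse_access_log(log)]

def denied_connect_targets(log=ACCESS_LOG):
    """What post #2 asked for: which host:port pairs the proxy is refusing."""
    return sorted({(r.host, r.port) for action, r in parse_access_log(log)
                   if action == "TCP_DENIED" and r.method == "CONNECT"})

def allowed_non_ssl_tunnels(conf_name):
    """Post #4's caveat: CONNECT tunnels a config permits to ports outside SSL_ports."""
    access = SquidAccess(CONFIGS[conf_name])
    return sorted({(r.host, r.port) for _, r in parse_access_log(ACCESS_LOG)
                   if access.decide(r) == "allow" and not access.matches("SSL_ports", r)})
```

`decisions("misordered")` comes out identical to `decisions("default")`: with the allow line below `http_access deny CONNECT !SSL_ports`, every non-SSL CONNECT has already been denied before Squid reaches it, which is the ordering point in the EDIT above. `decisions("fixed")` allows only the 8880 CONNECT to the bitcomet.org domain and still denies the tracker on 1422 and the same domain on 2222, because the allow line requires both the dstdomain and the port ACL to match. `allowed_non_ssl_tunnels("fixed")` lists exactly what the new rule opens up for clients to tunnel through.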
 
Old 09-04-2009, 04:32 AM   #7
tarik123
LQ Newbie
 
Registered: Sep 2009
Posts: 15

Rep: Reputation: 0
Quote:
Originally Posted by win32sux (post #6 above)
win32sux, you are great, thanks for the useful information. Can I know about the torrent port numbers?

thanks
tarik
 