LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 11-15-2009, 08:47 AM   #1
spatieman
Firefox and FoxyProxy vs. McAfee SiteAdvisor


hardware:
OpenBSD 4.4 firewall / NAT.
Squid 2.7 Stable
PF for firewalling xD

user OS:
Ubuntu and Windows XP, both with Firefox and FoxyProxy,
all with McAfee SiteAdvisor installed.

situation:
Squid for caching works perfectly.
Firefox and Internet Explorer are both configured to use Squid as proxy.

Now I have some LAN users who share the internet with me too.
To deny use of BitTorrent and other P2P stuff, I added a rule in pf.conf like this:

rdr on $int_if proto { tcp,udp } from any to any port { 80,443 } -> 192.168.0.240

so that all traffic is redirected to the local Apache, which advises setting up the proxy settings.
So a direct connection to the internet is not possible any more.

Works well.
But the weird thing is, after I enabled the above line, SiteAdvisor refuses to work with Firefox, and it also does not work with Internet Explorer.

When doing a Google search, I don't get the green or red warnings any more on the results, and when visiting a site it doesn't give green or whatever colour SA should give for that site.

So I disabled the redirect line in pf.conf and it works again.

After some searching, it seems that SiteAdvisor needs to contact dss1.siteadvisor.com to communicate.
But when direct traffic to the internet is blocked it won't work, and SA isn't working correctly over Squid.

Is there a way to override this behaviour?
I don't want excessive use of P2P on my network.

Last edited by spatieman; 11-15-2009 at 12:00 PM.
 
Old 11-15-2009, 01:18 PM   #2
unixfool
Maybe allow communication with dss1.siteadvisor.com? Or do you not want to do this? How is your system communicating with siteadvisor.com? TCP? UDP? It would be nice to see a tcpdump of the traffic. In fact, when I have issues with a FW policy (at work AND at home), the first thing I do is look at the raw traffic. To get a good indication of what's going on, I'd run tcpdump or snort, analyse the results and parse the FW logs, and attempt to find any drops/blocks or (if you're not logging drops in the FW logs) a steady stream of non-bidirectional traffic. If there's no three-way handshake, you know you have an issue.

Without knowing your full network architecture or your full FW policy, it is difficult to determine what's going on. Since it works when you remove the redirect but doesn't when you enable the redirect, there's probably an issue with the way your redirect rule is configured. It could also be that you need to add something more to your policy. Then again, it could be how your Squid is set up (i.e., the FW rule may be working, but because the traffic is being handed off to your Squid setup, maybe there's something within your Squid ACLs that is blocking that traffic).

I know what info I gave may not be of any help, but I'd suggest posting your whole FW policy (at the very least) so that we can make a better assessment of your issue.
 
Old 11-16-2009, 12:34 PM   #3
spatieman
Hi.

I have adapted my pf.conf with the following:
rdr on $int_if proto tcp from any to dss1.siteadvisor.com port { 80,443 } -> 208.69.152.105
rdr on $int_if proto tcp from any to dss2.siteadvisor.com port { 80,443 } -> 208.69.152.106
rdr on $int_if proto { tcp,udp } from any to any port { 80,443 } -> 192.168.0.240

where dss1 and dss2 are the addresses that SiteAdvisor talks to.
The other is the normal HTTP redirect to the local webserver, which advises users to set the correct proxy settings.
I also set dss1/dss2 in my DNS server.

Sometimes it happens that SA is communicating, but mostly not.
But if they need UDP too, hmm, I need to do some adapting.

As said, when I remove rdr on $int_if proto { tcp,udp } from any to any port { 80,443 } -> 192.168.0.240
it all works, but everyone can work without the proxy.

Normally I don't care, but SA is such a useful tool.
A shame that it cannot be configured to work with a proxy.

Last edited by spatieman; 11-16-2009 at 12:42 PM.
 
Old 11-16-2009, 01:42 PM   #4
spatieman
Oh, here is my current pf.conf.

## START CONFIG ##
#
ext_if = "fxp0"          # outside interface
int_if = "rl0"           # LAN interface

set block-policy return
set loginterface $ext_if
set limit { frags 5000, states 2500 }
set state-policy if-bound
set optimization high-latency
set skip on lo
#
scrub in on $ext_if all fragment reassemble min-ttl 15 max-mss 1400
scrub in on $ext_if all no-df
scrub on $ext_if all reassemble tcp
#
# outbound NAT for the LAN
nat on $ext_if from $int_if:network to any -> ($ext_if)
#
# Translation rules are first-match, so the SiteAdvisor hosts come before
# the catch-all. Hostnames are resolved once, when the ruleset is loaded.
rdr on $int_if proto { tcp,udp } from any to dss1.siteadvisor.com port { 80,443 } -> 208.69.152.105
rdr on $int_if proto { tcp,udp } from any to dss2.siteadvisor.com port { 80,443 } -> 208.69.152.106
# everything else on these ports lands on the local Apache "set your proxy" page
rdr on $int_if proto { tcp,udp } from any to any port { 21,22,23,113,80,443 } -> 192.168.0.240

block on { $ext_if, $int_if } all

# mail server 192.168.0.254 reachable from outside on SMTP and POP3
pass in on $ext_if inet proto tcp from any to 192.168.0.254 port { 25,110 } flags S/SA keep state
antispoof for $ext_if inet
pass out quick keep state
# the LAN may initiate anything; only the ports redirected above are forced
# to the Apache page
pass in quick on $int_if
## END CONFIG ##

P.S.
I removed dss1 and dss2 from my DNS server.
It seems that it causes some #$@@&&$&( troubles too.

Last edited by spatieman; 11-16-2009 at 01:45 PM.
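Two things stand out in the posted ruleset and in the exemption rules from post #3. First, a rdr whose target is what the destination already resolves to changes nothing; pf's `no rdr` states the exemption directly and does not depend on knowing the addresses. Second, `pass in quick on $int_if` admits every LAN connection and the catch-all rdr touches only the listed ports, so as posted the ruleset forces browsers through the proxy but does not by itself stop P2P on other ports. The fragment below is an added example, not spatieman's config or anything from the thread: the translation and filter section rewritten for OpenBSD 4.4 pf (nat/rdr syntax, before the 4.7 rewrite) with a table for the SiteAdvisor hosts and LAN pass rules limited to what the proxy setup needs. The `set` and `scrub` lines of the posted config are unchanged and omitted. Assumptions not stated in the thread: Squid listens on 192.168.0.240:3128, the firewall's LAN address answers DNS for the LAN, and the Apache "set your proxy" page is on 192.168.0.240.

```pf
# Added example, not the posted pf.conf. OpenBSD 4.4 syntax.
# Assumptions: proxy on 192.168.0.240:3128 (port not given in the thread),
# firewall's LAN address serves DNS, Apache advice page on 192.168.0.240.

ext_if     = "fxp0"
int_if     = "rl0"
proxy      = "192.168.0.240"
proxy_port = "3128"            # assumption: Squid's http_port
web_ports  = "{ 80, 443 }"

# Hosts the SiteAdvisor client must reach without the proxy. Names in a
# table are resolved once, at load time; reload with "pfctl -f /etc/pf.conf"
# if their addresses change.
table <sa_hosts> { dss1.siteadvisor.com, dss2.siteadvisor.com }

nat on $ext_if from $int_if:network to any -> ($ext_if)

# Translation rules are first-match: the exemption must precede the
# catch-all. "no rdr" leaves the destination untouched instead of
# redirecting it to an address that may or may not equal the original.
no rdr on $int_if proto tcp from $int_if:network to <sa_hosts> port $web_ports
rdr on $int_if proto tcp from $int_if:network to any port $web_ports -> $proxy

block log on { $ext_if, $int_if } all
antispoof quick for { $ext_if, $int_if } inet

# Kept from the posted config: mail server reachable from outside.
pass in on $ext_if inet proto tcp from any to 192.168.0.254 port { 25, 110 } flags S/SA keep state

# From the LAN, pass only: DNS to the firewall, the proxy port, direct web
# to the SiteAdvisor hosts, and the redirected catch-all (filter rules see
# the packet after rdr, so its destination is already $proxy). Anything
# else from the LAN, P2P on arbitrary ports included, is blocked and logged
# rather than merely left un-proxied.
pass in quick on $int_if proto { tcp, udp } from $int_if:network to ($int_if) port 53
pass in quick on $int_if proto tcp from $int_if:network to $proxy port $proxy_port
pass in quick on $int_if proto tcp from $int_if:network to <sa_hosts> port $web_ports
pass in quick on $int_if proto tcp from $int_if:network to $proxy port $web_ports

pass out quick keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`; `pfctl -s nat` shows the loaded translation rules and `pfctl -t sa_hosts -T show` the addresses the table resolved to. For unixfool's advice to look at the raw traffic, `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule drops, and `tcpdump -ni rl0 host dss1.siteadvisor.com` shows whether a client's SYNs to that host get a SYN/ACK back. Whether SiteAdvisor needs anything beyond TCP 80/443 to those hosts is not established in the thread; the pflog output is the way to find out.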
 
  


All times are GMT -5. The time now is 03:28 AM.
