LinuxQuestions.org
Old 08-04-2006, 11:00 AM   #1
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Rep: Reputation: 30
Squid Configuration


hello friends, hope you can help me out here.

-from the squid.conf i saw the

acl all 0.0.0.0/0.0.0.0
acl localhost 127.0.0.1/255.255.255.255
can anyone explain to me what the use of this is?

-also, the squid manual says that you can define a range of ip addresses. i tried this one:

acl mynetwork 192.168.0.1-192.168.0.100/24

but an error appeared saying that it's not part of the subnet mask which i am using for this ip address in our network. then i tried changing /24 to 255.255.255.255 and it works with no problems. why is that?
 
Old 08-04-2006, 11:07 AM   #2
dambla
Member
 
Registered: Aug 2006
Posts: 51

Rep: Reputation: 15
maybe you should change that to something like 192.168.0.0/24 for it to work.
 
Old 08-04-2006, 07:06 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
hello friends, hope you can help me out here.

-from the squid.conf i saw the

acl all 0.0.0.0/0.0.0.0
acl localhost 127.0.0.1/255.255.255.255
can anyone explain to me what the use of this is?
the first line creates an ACL which represents *all* source addresses...

the second line creates an ACL which represents your loopback interface...

Quote:
-also, the squid manual says that you can define a range of ip addresses. i tried this one:

acl mynetwork 192.168.0.1-192.168.0.100/24

but an error appeared saying that it's not part of the subnet mask which i am using for this ip address in our network. then i tried changing /24 to 255.255.255.255 and it works with no problems. why is that?
it works with 255.255.255.255 because that defines a network of only *one* device... look at the localhost ACL above, that's what it's doing with the 255.255.255.255... so when you use 192.168.0.100/255.255.255.255 you are doing the equivalent of 192.168.0.100...

notice however, that you are missing the "src" specifier... what you need is actually this:
Code:
acl mynetwork src 192.168.0.1-192.168.0.100
there's no need for a 255.255.255.255 netmask here...

Quote:
Originally Posted by dambla
maybe you should change that to something like 192.168.0.0/24 for it to work.
there's no need for that, as squid works fine with IP ranges - no need to use subnets... as mentioned above, the proper way to achieve the OP's goal is with:
Code:
acl mynetwork src 192.168.0.1-192.168.0.100
 
Old 08-05-2006, 02:41 AM   #4
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
-thanks for that info. so what is the effect if i put:

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255

in my squid.conf, and what is the effect if i don't put it?

- i also saw in the squid.conf that it can block ports. what i did is i removed the default settings placed in the file and replaced them with only:

acl Safeports port 80
acl Safeports port 21

is this good or not? and how do i test if squid really closed all the ports and only allows 80 & 21?

-SBN-
 
Old 08-05-2006, 03:01 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
ACLs won't have any effect until you use them...

if those are the only lines you have, then that's bad, because you are only creating ACLs... you need to use some "http_access" and "http_reply_access" lines with those ACLs...

if possible, post your entire squid.conf here with a:
Code:
grep -v -e '^#' -e '^$' /etc/squid/squid.conf
this will filter all the comments and blank lines so as to save space...
 
Old 08-05-2006, 04:37 AM   #6
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
ok that is noted... but how about the ports that i was talking about?
 
Old 08-05-2006, 11:26 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
ok that is noted... but how about the ports that i was talking about?
those are the ports squid (and hence the clients) will be allowed to connect to on remote servers... you also don't need to use separate lines for each port, one will suffice, like:
Code:
acl Safe_ports port 80 8080 21
to deny all traffic which isn't headed for the ports you listed, do a:
Code:
http_access deny !Safe_ports
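The ACL rules worked through in posts #3, #5 and #7 above, as an added example that is not part of the thread and not code from the Squid project: a small Python model of the "src" and "port" ACL types and of http_access first-match evaluation. The two squid.conf fragments inside it are constructed for the example (they are not the OP's file), and the check that rejects a netmask on an address range reproduces the behaviour the OP ran into, not Squid's exact error text. Only the config syntax discussed in the thread is modelled.

```python
# Added example: offline model of Squid 'acl ... src', 'acl ... port' and
# 'http_access' first-match evaluation. Not the thread's or Squid's own code.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed fragment (assumed, not the OP's file): what the thread converges on,
# with 443 added for HTTPS and 'deny all' as the last line.
SAMPLE_CONF = """
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mynetwork src 192.168.0.1-192.168.0.100
acl Safe_ports port 80 443 21
http_access deny !Safe_ports
http_access allow localhost
http_access allow mynetwork
http_access deny all
"""

# Constructed fragment with only the port restriction, as in posts #4 and #7.
OPEN_PROXY_CONF = """
acl Safe_ports port 80 21
http_access deny !Safe_ports
"""


@dataclass
class SrcAcl:
    networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    ranges: List[Tuple[int, int]] = field(default_factory=list)  # inclusive low-high

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.networks):
            return True
        return any(lo <= int(addr) <= hi for lo, hi in self.ranges)


def parse_src_entry(entry: str, acl: SrcAcl) -> None:
    """Add one src value: CIDR, addr/netmask, bare address, or low-high[/mask]."""
    addrs, _, mask = entry.partition("/")
    if "-" in addrs:
        lo, hi = addrs.split("-", 1)
        for end in (lo, hi):
            # Model of the OP's error: a mask on a range may not strip bits from
            # its endpoints, so /24 rejects .1-.100 while 255.255.255.255 (a /32)
            # accepts it, which is also why that mask adds nothing.
            if mask and ipaddress.ip_network(f"{end}/{mask}", strict=False).network_address \
                    != ipaddress.ip_address(end):
                raise ValueError(f"{entry}: mask /{mask} masks away part of {end}")
        acl.ranges.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))))
    else:
        acl.networks.append(ipaddress.ip_network(entry if mask else f"{entry}/32", strict=False))


def src_entry_is_valid(entry: str) -> bool:
    """True if a src value is accepted by parse_src_entry (convenience for checks)."""
    try:
        parse_src_entry(entry, SrcAcl())
        return True
    except ValueError:
        return False


@dataclass
class Policy:
    src: Dict[str, SrcAcl] = field(default_factory=dict)
    port: Dict[str, Set[int]] = field(default_factory=dict)
    rules: List[Tuple[str, List[Tuple[bool, str]]]] = field(default_factory=list)  # (action, [(negated, acl)])


def parse_conf(text: str) -> Policy:
    pol = Policy()
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            if kind == "src":
                acl = pol.src.setdefault(name, SrcAcl())
                for value in values:
                    parse_src_entry(value, acl)
            elif kind == "port":
                pol.port.setdefault(name, set()).update(int(v) for v in values)
            else:
                raise ValueError(f"acl type {kind!r} is not modelled here")
        elif words[0] == "http_access":
            if words[1] not in ("allow", "deny"):
                raise ValueError(raw)
            pol.rules.append((words[1], [(w.startswith("!"), w.lstrip("!")) for w in words[2:]]))
    return pol


def acl_matches(pol: Policy, name: str, src_ip: str, dst_port: int) -> bool:
    if name in pol.src:
        return pol.src[name].matches(src_ip)          # src ACL: client address
    if name in pol.port:
        return dst_port in pol.port[name]             # port ACL: port in the requested URL
    raise KeyError(f"http_access uses undefined acl {name!r}")


def decide(pol: Policy, src_ip: str, dst_port: int) -> str:
    """'allow' or 'deny' for a client at src_ip requesting a URL on dst_port."""
    if not pol.rules:
        return "deny"  # Squid denies everything when no http_access line exists
    for action, terms in pol.rules:
        # all ACLs on one line are ANDed; a leading '!' inverts that one term
        if all(acl_matches(pol, n, src_ip, dst_port) != neg for neg, n in terms):
            return action
    # nothing matched: Squid applies the opposite of the last line's action
    return "deny" if pol.rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    strict, loose = parse_conf(SAMPLE_CONF), parse_conf(OPEN_PROXY_CONF)
    for ip, port in (("192.168.0.50", 80), ("192.168.0.50", 666), ("203.0.113.9", 80)):
        print(f"{ip}:{port}  with deny all: {decide(strict, ip, port)}  port-only: {decide(loose, ip, port)}")
```

Run it with python3 to print the decisions. Two things it makes visible that the posts only state: with `http_access deny !Safe_ports` as the only rule, a request from any source to port 80 is allowed, because Squid's fallback when no line matches is the opposite of the last line, which is how a port-only config turns into an open proxy; a `deny all` line at the end closes that, and the `all` ACL the OP asked about exists for exactly that line. To check a live proxy the same way, send a request through it (for example `curl -x http://proxy:3128 http://www.google.com:666/`, with the proxy address assumed) to a port outside Safe_ports; Squid answers with HTTP 403 and the Access Denied page shown in post #9.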
 
Old 08-05-2006, 12:30 PM   #8
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
ok... but how do you test if the ports that are not defined are really denied or blocked, and also test that the ports that are defined are working?
 
Old 08-05-2006, 12:33 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
ok... but how do you test if the ports that are not defined are really denied or blocked, and also test that the ports that are defined are working?
easy, to test the blocked ports just try and connect to a port which *isn't* in your Safe_ports ACL... you should receive an ACCESS DENIED message... and to test the allowed ports just connect to a port which *is* listed in your ACL and you should have normal access...

here's an illustration of what happens if i try to access (for example) port 666 through my squid:
Quote:
ERROR
The requested URL could not be retrieved


While trying to retrieve the URL: http://www.google.com:666/

The following error was encountered:

* Access Denied.

Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is win32sux@microsoft.com.
Generated Sat, 05 Aug 2006 17:32:27 GMT by linux.microsoft.com (squid/2.5.STABLE12)

Last edited by win32sux; 08-05-2006 at 12:40 PM.
 
Old 08-06-2006, 12:32 AM   #10
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
-ok that is noted...

-so is it ok if i only allow port 80 for internet access and port 21 or 20 for ftp and block all the rest? will there be any negative effects on my windows clients? i tried to only allow port 80 and 21 and block all the rest, then i installed a simple port scanner on my windows server and scanned it to see if the only open ports are 80 and 21. i saw that some windows system programs are listening on remote ports and some connections are already established, and when i try to disconnect their connections an error appears saying that windows encountered some problems and it starts a countdown to restart... why is that?

-also, i'm using an UBUNTU desktop; this is where i installed squid. ubuntu has a port scanner and i tried to scan my windows servers for open ports and i saw a few of them that are open, though i only specified port 80 and 21 in my squid.conf... is that normal?
 
Old 08-06-2006, 01:52 PM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
-ok that is noted...

-so is it ok if i only allow port 80 for internet access and port 21 or 20 for ftp and block all the rest? will there be any negative effects on my windows clients? i tried to only allow port 80 and 21 and block all the rest
what about port 443?? you need 443 for HTTPS... without HTTPS your clients won't be able to use secure websites...

Quote:
then i installed a simple port scanner on my windows server and scanned it to see if the only open ports are 80 and 21. i saw that some windows system programs are listening on remote ports and some connections are already established, and when i try to disconnect their connections an error appears saying that windows encountered some problems and it starts a countdown to restart... why is that?
i have no idea...

Quote:
-also, i'm using an UBUNTU desktop; this is where i installed squid. ubuntu has a port scanner and i tried to scan my windows servers for open ports and i saw a few of them that are open, though i only specified port 80 and 21 in my squid.conf... is that normal?
squid has no control over which services your LAN's boxes want to run... if you want to control that, you need a *firewall*...
 
Old 08-07-2006, 02:12 AM   #12
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
-so you mean squid can't totally block these ports?

-anyway what are the ports that are really needed?
 
Old 08-07-2006, 07:20 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
-so you mean squid can't totally block these ports?
squid can only prevent people from connecting to those ports when they are actually _using_ squid...

Quote:
-anyway what are the ports that are really needed?
it really depends... different people will need different ports... for example, at home i just allow 80 and 21 on squid, and i NAT 443 with iptables...
 
Old 08-07-2006, 07:18 PM   #14
SBN
Member
 
Registered: Jul 2006
Distribution: UBUNTU, CentOS, FEDORA 8
Posts: 474

Original Poster
Rep: Reputation: 30
-ok thanks for all the info...
-do you have a good iptables tutorial for beginners?
 
Old 08-07-2006, 07:29 PM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by SBN
-ok thanks for all the info...
-do you have a good iptables tutorial for beginners?
not really... but i did a quick search and this was the first result:

http://www.spotswood-computer.net/pr...iptables2.html

i glanced over it and it looks fine... of course there's no way for me to know that without reading it, so don't take my word for it... if anything, use the search i linked above and you will surely find something...

Last edited by win32sux; 08-07-2006 at 07:30 PM.
 