Sorry to be a pain in the arse, but this still doesn't work. I've opened ports 20 and 21 (TCP) and forwarded them to another Mandrake box with proFTPd (IP 192.168.0.251) to set FTP in active mode. I've also opened 80 and forwarded it to another machine with Apache (IP 192.168.0.23); this works fine and doesn't affect the proxy. But as soon as I open port 21 the internet connection is broken. Although I can see in /var/squid/log/access.log that people are trying to connect, they can't get anywhere. Basically the browser says "Web page found..." but just doesn't display it; after a long while it eventually times out. All the other things seem to work (FTP, POP, etc.; just HTTP is broken). I can open other ports and the thing just works fine, but not port 21. I've attached my config (the one you get by doing backup) if that helps. Even if the actual service, i.e. proFTPd, is not running or the machine is not powered up, the proxy refuses to display the pages if I've got port 21 open, so I don't think it is something to do with proFTPd.

Also I was trying to change the Apache port on the second machine (192.168.0.23) to use 81 instead and then open port 81 on SNF, but this wouldn't work either. I've tried 8080, 79, and other numbers, but it seems to me that I can only reach my internal web server from outside if it is set up on port 80 (I've tried to access it locally using port 81 and this worked fine). That's a shame, since I'd like to be able to open several web servers.
BTW: when you say "open all high ports", what do you actually mean? Have I got to manually open all ports above 1024?

Thanks
Gael

> Hello there,
>
> here are two points of view for the ftp connections with a firewall:
>
> - open tcp ports 21 (control) *and* 20 (data) in incoming traffic on the
>   firewall to allow active ftp from the clients
> - open tcp port 21 and all high ports (> 1024) on the firewall to allow
>   passive clients
>
> I have set here squid in transparent mode and then I did a port forwarding
> of ftp to some internal ftp server using proftpd.
>
> with ncftp or lftp clients, connect and then type: set passive off
> (ncftp), or set ftp:passive-mode off and then you will be able to connect ...
>
> squid and ftp port-forwarding work together ...
SystemName=firewall
DomainName=dummyDomain.com
DNSPrimaryIP=62.128.xxx.xxx
DNSSecondaryIP=
AdminInterface=eth0
FullAdminName=admin
ChangeAdminPasswd='set: change-password.pl'
CurrentMirror=ftp://ftp.stealth.net/pub/mirrors/ftp.mandrake.com/Mandrake/updates
PackagesList=squid
OfficialList='get: mirrors.pl'
PackagesToUpdate='get: packages_to_update.pl'
PackagesToDownload='get: download_packages.pl'
PackagesToInstall='get: rpm-install.pl'
PackageDescription='get: show_description.pl'
DHCPClient=dhcp-client
DHCPServer=off
DHCPInterface=eth0
DHCPServerEnd=254
DHCPServerStart=65
DHCP_LEASE_DEFAULT=21600
DHCP_LEASE_MAX=43200
DNS_SERVER_DYN_UPDATE=Y
DNS_UPDATER_SECRET=Y
SYSLOGLocal=yes
SYSLOGTargetServer=
SYSLOGTargetServerLevel=
SYSLOGTty=tty12
SYSLOGTtyLevel=alert
PreludeState=off
SnortState=off
SnortLogs='get: snortsnarf.sh'
MessagesLogs='get: logs.pl'
DynDnsAccount=dnsaccount
DynDnsPassword=dnspassword
DynDnsService=off
DNSServer=off
TimeZoneList='get: timezone.pl tzlist'
Zone=GMT
ChangeDate='set: date.pl $md5 '
NTPServer=
ServicesList='get: services.pl list'
ServiceStatus='get: services.pl status'
ServiceRestart='set: services.pl restart'
ServiceReload='set: services.pl reload'
ServiceStart='set: services.pl start'
ServiceStop='set: services.pl stop'
ServiceRemove='set: services.pl remove'
ServiceAdd='set: services.pl add'
SquidServer=transparent
SquidParents=N
SquidPort=3328
SquidCacheDir=/var/spool/squid
SquidCacheSize=100
SquidWarningMesage=<A HREF=mailto:[EMAIL PROTECTED]>Mail to Admin</A>
SquidWarningMesagePosition=Bottom
[EMAIL PROTECTED]
SquidRedirector=squidGuard
SquidAnonymizer=Y
SquidGuardAddPrivilegedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -a '
SquidGuardDeletePrivilegedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -d'
SquidGuardPrivilegedIpsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/privilegedsource/ips -l'
SquidGuardAddBannedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -a '
SquidGuardDeleteBannedIp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -d'
SquidGuardBannedIpsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/bannedsource/ips -l'
SquidGuardAddLansourceNetworkMask='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -a '
SquidGuardDeleteLansourceNetworkMask='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -d'
SquidGuardLansourceNetworkMasksList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/lansource/lan -l'
SquidGuardAddBanneddestinationUrl='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/urls -a '
SquidGuardDeleteBanneddestinationUrl='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/urls -d'
SquidGuardBanneddestinationUrlsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/urls -l'
SquidGuardAddBanneddestinationDomain='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/domains -a '
SquidGuardDeleteBanneddestinationDomain='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/domains -d'
SquidGuardBanneddestinationDomainsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/domains -l'
SquidGuardAddBanneddestinationRegExp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/expressions -ea '
SquidGuardDeleteBanneddestinationRegExp='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/expressions -ed'
SquidGuardBanneddestinationRegExpsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/banneddestination/expressions -el'
SquidGuardAddAdvertisingUrl='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/urls -a '
SquidGuardDeleteAdvertisingUrl='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/urls -d'
SquidGuardAdvertisingUrlsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/urls -l'
SquidGuardAddAdvertisingDomain='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/domains -a '
SquidGuardDeleteAdvertisingDomain='set: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/domains -d'
SquidGuardAdvertisingDomainsList='get: squidGuard_manage.pl $md5 /usr/share/squidGuard-1.1.4/db/advertising/domains -l'
SquidGuard=on
[EMAIL PROTECTED]
SquidGuardDb=/usr/share/squidGuard-1.1.4/db
SquidGuardLogDir=/var/log/squidGuard
SquidGuardTimeRestriction=N
SquidGuardTimeRestrictionRedirectUrl=squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
SquidGuardWorkHoursSunAM=09:30-12:00
SquidGuardWorkHoursSunPM=13:00-19:00
SquidGuardWorkHoursMonAM=09:00-12:00
SquidGuardWorkHoursMonPM=13:00-19:00
SquidGuardWorkHoursTueAM=09:00-11:00
SquidGuardWorkHoursTuePM=12:00-19:00
SquidGuardWorkHoursWedAM=09:00-12:00
SquidGuardWorkHoursWedPM=12:00-18:00
SquidGuardWorkHoursThuAM=09:00-13:00
SquidGuardWorkHoursThuPM=13:00-18:00
SquidGuardWorkHoursFriAM=09:00-12:00
SquidGuardWorkHoursFriPM=13:30-18:00
SquidGuardWorkHoursSatAM=08:20-13:00
SquidGuardWorkHoursSatPM=13:30-19:00
SquidGuardPrivilegedSourceRedirectUrl=squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
SquidGuardBannedSourceRedirectUrl=squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
SquidGuardBannedSourceLog=
SquidGuardLanSourceRedirectUrl=squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
SquidGuardLanSourceLog=
SquidGuardAdvertisingRedirectUrl=nulbanner.png
SquidGuardAdvertisingLog=/var/log/squidGuard/advertising.log
SquidGuardDefaultRedirectUrl=squidGuard.cgi?clientaddr=%a&srcclass=%s&targetclass=%t&url=%u
SquidGuardBackup='get: squidGuard_backup.pl $md5 --backup'
SquidGuardRestore='get: squidGuard_backup.pl $md5 --restore'
UsersList='get: users.pl'
UserCreate='set: users.pl -a'
UserDelete='set: users.pl -d'
UserShell='get: users.pl --shell -g ; set: users.pl --shell -s'
UserHome='get: users.pl --home -g ; set: users.pl --home -s'
UserPasswd='set: users.pl --passwd'
UserPrimaryGroup='get: users.pl --primarygroup -g ; set: users.pl --primarygroup -s'
UserGroupsList='get: users.pl --groups -g ; set: users.pl --groups -s'
FilteringRules=on
FirewallMasquerade=on
FirewallingLog=off
FirewallingLevel='get: change-firewalling-level.pl'
FirewallingConfigType=expert
FirewallingRuleAnalyse='get: analyse-firewalling-rules.pl'
FirewallingOptimizeTOS=off
TCP_AUDIT_SERVICES=
UDP_AUDIT_SERVICES=
ICMP_AUDIT_TYPES=
TCP_PUBLIC_SERVICES=21 (forward=192.168.0.251 action=allow),80 (forward=192.168.0.23 action=allow),20 (forward=192.168.0.251 action=allow)
UDP_PUBLIC_SERVICES=
TCP_INTERNAL_SERVICES=ssh
UDP_INTERNAL_SERVICES=
TCP_FORWARD_SERVICES=all
UDP_FORWARD_SERVICES=all
TCP_BLOCKED_SERVICES=6000:6020
UDP_BLOCKED_SERVICES=2049
ICMP_ALLOWED_TYPES=destination-unreachable,echo-reply,time-exceeded
IP_MASQ_MODULES=cuseeme,ftp,irc,quake,raudio,vdolive,dplay,icq,h323
ICMP_OUTBOUND_DISABLED_TYPES=
FirewallAlwaysForwardPortTCP=domain
FirewallAlwaysForwardPortUDP=domain
FORCE_PASV_FTP=Y
LOG_FAILURES=N
ENABLE_SRC_ADDR_VERIFY=Y
REJECT_METHOD=DENY
TmpInterfaceToSet=
InternetAccessType=LAN
InternetInterface=eth1
InternetOnBoot=
InternetGateway=62.128.xxx.xxx
HostToPing=198.41.0.6
InternetStart='get: internet-access.pl -start;'
InternetStop='get: internet-access.pl -stop;'
EthernetInterfacesList='get: interfaces.pl net;'
EthernetModulesList='get: ethernet-modules.pl;'
EthernetLoadModule='get: ethernet-modules.pl --load;'
EthernetKnownInterfaces='get: ethernet-known-interfaces.pl ;'
Eth0Known=true
Eth0IP=192.168.0.250
Eth0Mask=255.255.255.0
Eth0Mac=
Eth0BootProto=static
Eth0OnBoot=yes
Eth0Hostname=firewall.dummyDomain.com
Eth0HostAlias=firewall
Eth0Driver=8139too
Eth0Irq=
Eth0Port=
Eth0DHCPClient=
Eth0DHCPHostname=
Eth0DHCPServerName=
Eth1Known=true
Eth1IP=62.128.xxx.yyy
Eth1Mask=255.255.255.252
Eth1Mac=
Eth1BootProto=static
Eth1OnBoot=yes
Eth1Hostname=firewall.dummyDomain.com
Eth1HostAlias=firewall
Eth1Driver=8139too
Eth1Irq=
Eth1Port=
Eth1DHCPClient=/sbin/dhcpcd
Eth1DHCPHostname=
Eth1DHCPServerName=
Eth2Known=false
Eth2IP=
Eth2Mask=
Eth2Mac=
Eth2BootProto=
Eth2OnBoot=
Eth2Hostname=firewall.dummyDomain.com
Eth2HostAlias=firewall
Eth2Driver=
Eth2Irq=
Eth2Port=
Eth2DHCPClient=
Eth2DHCPHostname=
Eth2DHCPServerName=
Eth3Known=false
Eth3IP=
Eth3Mask=
Eth3Mac=
Eth3BootProto=
Eth3OnBoot=
Eth3Hostname=firewall.dummyDomain.com
Eth3HostAlias=firewall
Eth3Driver=
Eth3Irq=
Eth3Port=
Eth3DHCPClient=
Eth3DHCPHostname=
Eth3DHCPServerName=
Eth4Known=false
Eth4IP=
Eth4Mask=
Eth4Mac=
Eth4BootProto=
Eth4OnBoot=
Eth4Hostname=firewall.dummyDomain.com
Eth4HostAlias=firewall
Eth4Driver=
Eth4Irq=
Eth4Port=
Eth4DHCPClient=
Eth4DHCPHostname=
Eth4DHCPServerName=
DialupConnOffice=continuous
DialupConnOutside=continuous
DialupConnWeekend=continuous
ISDNProviders=
ISDNInterfacesList='get: interfaces.pl isdn;'
ISDNProvidersList='get: isdn-providers.pl ;'
ISDNChosenProvider='get: set-provider.pl;'
ISDNProviderInfo='get: isdn-providers.pl --info ;'
ISDNCardsList='get: isdn-cards.pl ;'
ISDNCardInfo='get: isdn-cards.pl --info ;'
ISDNDriver=
ISDNDeviceType=
ISDNIrq=
ISDNMem=
ISDNIo=
ISDNIo0=
ISDNIo1=
ISDNProtocol=
ISDNCardDescription=
ISDNCardVendor=
ISDNId=
ISDNProvider=
ISDNProviderPhone=
ISDNProviderDomain=
ISDNProviderDNS1=
ISDNProviderDNS2=
ISDNDialing=
ISDNHomePhone=
ISDNLogin=
ISDNPassword=
ISDNConfirmPassword=
PPPInterfacesList='get: interfaces.pl modem;'
PPPChosenProvider='get: set-provider.pl;'
PPPProviders=
PPPDevice=
PPPDeviceSpeed=
PPPConnectionName=
PPPProviderPhone=
PPPProviderDomain=
PPPProviderDNS1=
PPPProviderDNS2=
PPPLogin=
PPPPassword=
PPPConfirmPassword=
PPPAuth=
PPPSpecialCommand=
ADSLInterfacesList='get: interfaces.pl adsl;'
ADSLChosenProvider='get: set-provider.pl;'
ADSLPhysicalInterface=
ADSLProviders=
ADSLModem=
ADSLType=
ADSLProviderDomain=
ADSLProviderDNS1=
ADSLProviderDNS2=
ADSLLogin=
ADSLPassword=
ADSLConfirmPassword=
ADSLAutomaticReconnect=off
ADSLAutomaticReconnectDelay=5
MONITORINGEnable=yes
DynamicImagesPath=monitoring
InterfaceVolume='get: sumtraffic'
NaatServerPort=8443
PowerOff='get: gotosleep.sh'
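An added example, not part of the thread or of the SNF tool itself: a small Python checker that parses the TCP_PUBLIC_SERVICES syntax from the attached backup file and applies the two rules in the quoted reply (active FTP needs 20 and 21 forwarded to the same host; passive FTP needs 21 plus every port above 1024). It assumes the low:high range syntax seen in TCP_BLOCKED_SERVICES is also accepted for public services, and it handles numeric entries only.

```python
import re

# Constructed sample in the SNF backup-file format from the thread: the
# TCP_PUBLIC_SERVICES line is the one Gael attached; TCP_BLOCKED_SERVICES
# shows the low:high range syntax the same format uses.
SAMPLE = (
    "TCP_PUBLIC_SERVICES=21 (forward=192.168.0.251 action=allow),"
    "80 (forward=192.168.0.23 action=allow),20 (forward=192.168.0.251 action=allow)\n"
    "TCP_BLOCKED_SERVICES=6000:6020\n"
)
# one entry: PORT or LOW:HIGH, optionally followed by "(forward=HOST action=allow)"
ENTRY_RE = re.compile(r"^\s*(\d+)(?::(\d+))?\s*(?:\(([^)]*)\))?\s*$")

def parse_config(text):
    """key=value lines; values keep their spaces and parentheses."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def parse_services(value):
    """'21 (forward=A action=allow),6000:6020' -> [(21, 21, 'A'), (6000, 6020, None)].
    Numeric entries only; a service name such as 'ssh' raises ValueError."""
    entries = []
    for item in filter(str.strip, value.split(",")):
        m = ENTRY_RE.match(item)
        if not m:
            raise ValueError("unparsable service entry: %r" % item)
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        opts = dict(kv.split("=", 1) for kv in (m.group(3) or "").split() if "=" in kv)
        entries.append((low, high, opts.get("forward")))
    return entries

def ftp_modes(services):
    """Apply the two rules quoted in the thread: active FTP needs 21 and 20
    forwarded to the same host; passive needs 21 plus all ports above 1024."""
    def host(port):
        return next((f for lo, hi, f in services if lo <= port <= hi), None)
    ctl = host(21)
    if ctl is None:
        return {"host": None, "active": False, "passive": False}
    # merge the ranges above 1024 that reach the FTP host; passive needs 1025..65535
    reach = 1024
    for lo, hi in sorted((max(lo, 1025), hi) for lo, hi, f in services
                         if f == ctl and hi > 1024):
        if lo > reach + 1:
            break
        reach = max(reach, hi)
    return {"host": ctl, "active": host(20) == ctl, "passive": reach >= 65535}
```

Run against the attached line it reports active FTP as forwarded correctly and passive as not, which matches the quoted advice that passive clients need the high ports opened as well.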
