RE: Firewall, OpenVPN and Squid question
If you run your own DHCP server then you can lock IP numbers via their MAC id
there for the machines you trust. Then allow them appropriate access via ipf
and corral the rest. (In DHCP create a 'pool' for others that uses a
different section of your ip range)

HTH
mjt

On Thu, 2004-07-22 at 23:51, Paul Hillen wrote:
> Want to thank you guys for your help; I set up my first firewall last night.
> Granted it is basic, and have a lot of work to do yet, but it's a start. It
> is routing and letting my test machines access the web.
>
> Hopefully the last question (yeah right)
>
> I decided to use IPFILTER and appears to be easy enough - just have to get
> used to the syntax. Does anyone know if IPFILTER can pass/block based on MAC
> ADDRESS instead of just IP address. I can not find anything on Google unless
> I am simply doing an incorrect query.
>
> Thanks again
> Paul
>
> ___
> [EMAIL PROTECTED] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "[EMAIL PROTECTED]"
>
> This Email has been scanned for Viruses by MailMarshal.

--
Murray Taylor
Special Projects Engineer - Bytecraft Systems & Entertainment
P: +61 3 8710 2555
F: +61 3 8710 2599
D: +61 3 9238 4275
M: +61 417 319 256
E: [EMAIL PROTECTED]
or visit us on the web
http://www.bytecraftsystems.com
http://www.bytecraftentertainment.com

---
The information transmitted in this e-mail is for the exclusive use of the
intended addressee and may contain confidential and/or privileged material.
Any review, re-transmission, dissemination or other use of it, or the taking
of any action in reliance upon this information by persons and/or entities
other than the intended recipient is prohibited. If you received this in
error, please inform the sender and/or addressee immediately and delete the
material.

E-mails may not be secure, may contain computer viruses and may be corrupted
in transmission. Please carefully check this e-mail (and any attachment)
accordingly. No warranties are given and no liability is accepted for any
loss or damage caused by such matters.
---
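Murray's suggestion (reserve addresses for the trusted MACs in DHCP, give everyone else a separate pool, then let ipf decide by address) as one worked script. This is an added example, not code from the thread or from any poster; the inside interface fxp1, the 192.168.1.0/24 network, the guest pool range and the name/MAC/IP table are all constructed. It emits an ISC dhcpd.conf fragment and the matching ipf rules; the final ipf rule blocks anything on the LAN side that is neither a reserved address nor in the guest pool, which also catches a machine that skips DHCP and configures its own address.

```shell
#!/bin/sh
# Added example (not code from the thread): build ISC dhcpd host reservations
# for trusted MACs, a separate pool for everything else, and the ipf rules
# that let only the reserved addresses through. Interface name, network and
# the MAC/IP table are constructed for illustration.

LAN_IF=fxp1                   # assumed: inside interface the LAN hangs off
LAN_NET=192.168.1.0
LAN_MASK=255.255.255.0
LAN_GW=192.168.1.1
GUEST_LO=192.168.1.200        # the 'pool' section of the range for unknown MACs
GUEST_HI=192.168.1.250
GUEST_CIDR=192.168.1.192/26   # CIDR block that contains the guest pool

# Constructed table of trusted machines: name, MAC, reserved address.
trusted_hosts() {
    cat <<'EOF'
alice-pc  00:11:22:33:44:55  192.168.1.10
bob-pc    00:11:22:33:44:66  192.168.1.11
printer   00:11:22:33:44:77  192.168.1.20
EOF
}

# dhcpd.conf: known MACs get fixed addresses from their host declaration,
# unknown MACs only ever see the guest pool.
gen_dhcpd_conf() {
    printf 'subnet %s netmask %s {\n' "$LAN_NET" "$LAN_MASK"
    printf '    option routers %s;\n' "$LAN_GW"
    printf '    pool {\n'
    printf '        # unknown-clients are MACs without a host declaration\n'
    printf '        allow unknown-clients;\n'
    printf '        range %s %s;\n' "$GUEST_LO" "$GUEST_HI"
    printf '    }\n}\n'
    trusted_hosts | while read -r name mac ip; do
        printf 'host %s {\n' "$name"
        printf '    hardware ethernet %s;\n' "$mac"
        printf '    fixed-address %s;\n' "$ip"
        printf '}\n'
    done
}

# ipf.rules: pass the reserved addresses, corral the guest pool, and block
# anything else arriving on the LAN interface. The final rule matters: a
# host that skips DHCP and sets its own address is not in the pool, so
# without it that host would not be corralled.
gen_ipf_rules() {
    trusted_hosts | while read -r name mac ip; do
        printf '# %s\n' "$name"
        printf 'pass in quick on %s from %s/32 to any keep state\n' "$LAN_IF" "$ip"
    done
    printf '# guest pool: log and drop\n'
    printf 'block in log quick on %s from %s to any\n' "$LAN_IF" "$GUEST_CIDR"
    printf '# everything else on the LAN side, including self-assigned addresses\n'
    printf 'block in log quick on %s all\n' "$LAN_IF"
}

# Number of trusted machines, i.e. pass rules and host reservations emitted.
count_trusted() {
    trusted_hosts | wc -l | tr -d ' '
}

case "${1:-}" in
    dhcpd) gen_dhcpd_conf ;;
    ipf)   gen_ipf_rules ;;
esac
```

Run it as `sh lockdown.sh dhcpd` and `sh lockdown.sh ipf` and paste the output into the respective configuration files. Keeping one table as the source for both files is the point: the address ipf trusts is exactly the one dhcpd hands to that MAC, so the two cannot drift apart.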
RE: Firewall, OpenVPN and Squid question
Want to thank you guys for your help; I set up my first firewall last night.
Granted it is basic, and have a lot of work to do yet, but it's a start. It
is routing and letting my test machines access the web.

Hopefully the last question (yeah right)

I decided to use IPFILTER and appears to be easy enough - just have to get
used to the syntax. Does anyone know if IPFILTER can pass/block based on MAC
ADDRESS instead of just IP address. I can not find anything on Google unless
I am simply doing an incorrect query.

Thanks again
Paul
RE: Firewall, OpenVPN and Squid question
> I would have to guess if a hardware firewall like Watchguard that offers VPN
> also, that it would have to be beefier than that. Steve going back to your
> initial response about the PIII 800MHz network, are you using a proxy for
> the internal users or are they connecting directly to the firewall as their
> only means of getting out?

[At the main site] (Selected) users go to a content filter
(squid+dansguardian) and it goes out to the net (through the fw). The content
filter has a private IP, and in itself, it is protected with its own
localized ipfw rules for protection. The rest of the clients go directly
through the pipe unrestricted through the firewall to the net. (I know I
shouldn't do this with our own proxy, but that's how it is for now).

> It seems most hardware firewalls do not include a proxy server, just
> NAT/VPN, which in this case the proxy would be on a separate internal
> machine anyway.

Depends. I once used a Nortel dial-up NAT router box that had its own built
in web cache. Very small cache mind you, but it worked ok, especially on a
26.4Kb link.

> Comment about the ISA Server setup, which I actually like and not sure if I
> can pull off the same type of setup with FreeBSD. The setup is like this:

Yes, you can. Either with 2 BSD boxes replacing the ISA boxen, or with one
BSD box configured with 3 NIC's -- 1 for Internet connection, 1 for Internal
LAN, and the other for the DMZ. The DMZ NIC can have all sorts of good rules
applied to it, and the internal net can be absolutely cut off for inbound
traffic except for the VPN's.

> External ISA Server (not actual ips)
> ISP / 10.10.10.6
>   |
>   |-> Postfix Relay Server             10.10.10.5
>   |-> TinyDNS for internet publishing  10.10.10.4
>   |-> TinyDNS for internet publishing  10.10.10.3
>   |-> Webserver                        10.10.10.2
>   |
>   |-> Internal ISA Server  10.10.10.1 / 10.0.0.1
>         |
>         |-> Exchange Server                 10.0.0.2
>         |-> TinyDNS internal publishing     10.0.0.3
>         |-> TinyDNS internal publishing     10.0.0.4
>         |-> Rest of internal servers and network etc...
>
>
> External sites are actually creating a VPN tunnel with a VPN tunnel and it
> works good, but the ISA Server gets too flaky after about a month of use. I
> have rebuilt them more than ever thought I would.
>
> At this point I will be happy to just get the firewall and VPN to work, but
> I like the additional layer someone would have to break through in the
> above scenario.

Like I said above, 2 boxes, or one box with 3 NIC's.

Steve

>
>> Yes, but take into consideration disk reads/writes. It is possible to
>> eliminate these tasks, and I have even done setups where everything was
>> flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
>> custom build, frequently referring to:
>> http://neon1.net/misc/minibsd.html and put the system on an IDE->CF card
>> converter.
>
>> Steve
RE: Firewall, OpenVPN and Squid question
From: Steve Bertrand [mailto:[EMAIL PROTECTED]

>>> I have around 100 users at our site that would require the use of squid,
>>> we house our own webserver, mail server, public DNS servers in the DMZ
>>> and 2 private DNS servers on the internal network, used by both Internal
>>> and VPN users.
>>>
>>> Sites connecting Gateway to Gateway, there are approx as follows;
>>> Site 1 - 25 users
>>> Site 2 - 5 users
>>> Site 3 - 12 users
>>> Our site VPN users are approx 25, and about 50% of them are connected at
>>> any given time.
>>>
>>> My first thought is to put up a Firewall box that can handle the load of
>>> publishing many internal boxes and "publish" a box with OpenVPN and
>>> another for SQUID and just keep them all separate.
>>>
>>> Will this setup put too much strain on the FIREWALL box or will it have
>>> no problem handling the NAT/ROUTING in this configuration.
>>>
>>> Thanks in advance
>>> Paul
>>>
>>
>> Considering that many of the current hardware firewall solutions aren't
>> much more than either a BSD or Linux kernel in a ROM chip, with a 486 or
>> 586 based cpu, memory, and a nice gui (Windows or Internal Web interface),
>> I can't see why a similar system on a PC would be any different.

I would have to guess if a hardware firewall like Watchguard that offers VPN
also, that it would have to be beefier than that. Steve going back to your
initial response about the PIII 800MHz network, are you using a proxy for
the internal users or are they connecting directly to the firewall as their
only means of getting out? It seems most hardware firewalls do not include a
proxy server, just NAT/VPN, which in this case the proxy would be on a
separate internal machine anyway.

Comment about the ISA Server setup, which I actually like and not sure if I
can pull off the same type of setup with FreeBSD. The setup is like this:

External ISA Server (not actual ips)
ISP / 10.10.10.6
  |
  |-> Postfix Relay Server             10.10.10.5
  |-> TinyDNS for internet publishing  10.10.10.4
  |-> TinyDNS for internet publishing  10.10.10.3
  |-> Webserver                        10.10.10.2
  |
  |-> Internal ISA Server  10.10.10.1 / 10.0.0.1
        |
        |-> Exchange Server                 10.0.0.2
        |-> TinyDNS internal publishing     10.0.0.3
        |-> TinyDNS internal publishing     10.0.0.4
        |-> Rest of internal servers and network etc...

External sites are actually creating a VPN tunnel with a VPN tunnel and it
works good, but the ISA Server gets too flaky after about a month of use. I
have rebuilt them more than ever thought I would.

At this point I will be happy to just get the firewall and VPN to work, but
I like the additional layer someone would have to break through in the above
scenario.

> Yes, but take into consideration disk reads/writes. It is possible to
> eliminate these tasks, and I have even done setups where everything was
> flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
> custom build, frequently referring to:
>
> http://neon1.net/misc/minibsd.html and put the system on an IDE->CF card
> converter.
>
> Steve
Re: Firewall, OpenVPN and Squid question
>> I have around 100 users at our site that would require the use of squid,
>> we house our own webserver, mail server, public DNS servers in the DMZ
>> and 2 private DNS servers on the internal network, used by both Internal
>> and VPN users.
>>
>> Sites connecting Gateway to Gateway, there are approx as follows;
>> Site 1 - 25 users
>> Site 2 - 5 users
>> Site 3 - 12 users
>> Our site VPN users are approx 25, and about 50% of them are connected at
>> any given time.
>>
>> My first thought is to put up a Firewall box that can handle the load of
>> publishing many internal boxes and "publish" a box with OpenVPN and
>> another for SQUID and just keep them all separate.
>>
>> Will this setup put too much strain on the FIREWALL box or will it have
>> no problem handling the NAT/ROUTING in this configuration.
>>
>> Thanks in advance
>> Paul
>>
>
> Considering that many of the current hardware firewall solutions aren't
> much more than either a BSD or Linux kernel in a ROM chip, with a 486 or
> 586 based cpu, memory, and a nice gui (Windows or Internal Web interface),
> I can't see why a similar system on a PC would be any different.
>

Yes, but take into consideration disk reads/writes. It is possible to
eliminate these tasks, and I have even done setups where everything was
flashed onto a CF card (ro) (obviously w/o logging capabilities). I did a
custom build, frequently referring to:

http://neon1.net/misc/minibsd.html and put the system on an IDE->CF card
converter.

Steve

> --
>
> Micheal Patterson
> TSG Network Administration
> 405-917-0600
>
> Confidentiality Notice: This e-mail message, including any attachments,
> is for the sole use of the intended recipient(s) and may contain
> confidential and privileged information. Any unauthorized review, use,
> disclosure or distribution is prohibited. If you are not the intended
> recipient, please contact the sender by reply e-mail and destroy all
> copies of the original message.
>
RE: Firewall, OpenVPN and Squid question
>> We have about 6000 users, and the FBSD firewall never ever hiccup'ed. I
>> could even run tcpdump for hours, and it would rarely ever drop even a
>> single packet.
>
> What size hardware is your firewall running on to handle the potential of
> 6000 users accessing your internal servers for mail, etc... The best I can
> come up with is a P4 1.8Ghz with 768MB memory, other than that I have
> PII's with around 384MB memory. I would have to assume the Squid server
> would be the best place for the P4?

This one is a P4 2.0 Ghz with 1024M memory. I'd try the P3 as the firewall
and the P4 as the squid server initially (all things considered so far).

>> Sounds like a good setup you are planning. I would set it up, implement
>> it (with the old setup on standby), and if you find performance
>> problems, pull the drive out of the P3 and do as you say, go on a
>> 'spending spree', and put the drive directly into a p4 with a gig of
>> memory, and drop it back in place.
>
> Okay, the tough question, do you know of any good resources that I can
> use to put this together. Any pitfalls that I might want to think about
> in this design?

Well, searching "ipfw+natd+howto" in google is a great place to start. I did
not use one single definitive guide, I used a variety of sources, man pages,
sample rules, and finally conjured up what works for us.

In planning rules, I placed each openvpn connection's rules in its own
ruleset, so as to allow a reload of each connection's rules individually if
they needed to be changed.

I also would set up a 'fwd' rule, to forward all packets destined to ``any
80'' from the Internal net to be passed directly to the squid box, as then
you would have a transparent proxy. This will prevent you from having to
change browser settings.

>> Please note that natd is NOT running on the ISP firewall, but on the
>> other such setup it is, and I've never seen any performance problems at
>> all.
>
> I am assuming that I will have to use NATD on the firewall in this
> scenario, am I thinking right here?

It appears so, yes. natd(8) is quite flexible, and will allow you to do many
things, including port forward etc.

By the sounds of it, you are planning on ridding yourself of a DMZ, which
means your mail (etc) servers will be behind the NAT router. natd will take
care of this, however, another option is to put a third NIC into the box,
connect it to a switch, and plug the servers into the switch. Give each
server its own IP, and route packets as necessary to the servers.
Effectively, this will still allow you to keep your DMZ, but eliminating one
entire firewall server, and thus, one license of MS ISA server (and the
headaches that come with it :o)

Sounds like you'll want to do some testing in a lab first. Hopefully all
your P3's you have available are still loaded with Windows so you can test
effectively and ensure everything works properly.

Steve

>
> Thanks again
> Paul
>
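The design Steve describes across these replies (a third NIC for the DMZ instead of a second firewall, natd on the outside interface, each OpenVPN connection's rules in their own ipfw set so one tunnel can be reloaded on its own, and a fwd rule that hands port 80 from the internal net to the Squid box) as one worked ruleset. This is an added example, not code from the thread or from any of its posters. fxp0/fxp1/fxp2, the 192.168.1.0/24 and 10.10.10.0/24 networks, the Squid and DMZ server addresses, OpenVPN on UDP 1194, the three 203.0.113.x remote gateways and the tun interfaces are all constructed. Numbered sets are an ipfw2 feature; `ipfw delete set N` followed by re-running vpn_rules for that set reloads a single tunnel without touching the rest.

```shell
#!/bin/sh
# Added example, not code from the thread: a three-NIC ipfw ruleset for the
# layout discussed above (outside / inside / DMZ interfaces, natd on the
# outside interface, one numbered ipfw set per OpenVPN tunnel, and a fwd
# rule that turns the Squid box into a transparent proxy for the inside net).
# Interface names, networks, server addresses and remote sites are
# constructed for illustration.

EXT_IF=fxp0            # assumed: interface facing the ISP
INT_IF=fxp1            # assumed: interface facing the internal LAN
DMZ_IF=fxp2            # assumed: third NIC on the DMZ switch
INT_NET=192.168.1.0/24
DMZ_NET=10.10.10.0/24
SQUID=192.168.1.5      # assumed: Squid box on the internal LAN
WEB=10.10.10.2
DNS1=10.10.10.3
DNS2=10.10.10.4
MAIL=10.10.10.5

# Rules shared by everything; they live in ipfw set 0, which the per-tunnel
# reloads below never touch. Rule 400 lets Squid's own upstream fetches out
# before rule 410 would loop them back into the proxy; rule 530 stops the DMZ
# from originating connections inward before rule 540 lets it out.
base_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 divert natd ip from any to any via $EXT_IF
add 300 check-state
add 400 allow tcp from $SQUID to any 80 in via $INT_IF keep state
add 410 fwd $SQUID,3128 tcp from $INT_NET to any 80 in via $INT_IF
add 420 allow ip from $INT_NET to any in via $INT_IF keep state
add 500 allow tcp from any to $WEB 80 in via $EXT_IF setup keep state
add 510 allow tcp from any to $MAIL 25 in via $EXT_IF setup keep state
add 520 allow udp from any to $DNS1 53 in via $EXT_IF keep state
add 521 allow udp from any to $DNS2 53 in via $EXT_IF keep state
add 530 deny log ip from $DMZ_NET to $INT_NET in via $DMZ_IF
add 540 allow ip from $DMZ_NET to any in via $DMZ_IF keep state
EOF
}

# One ipfw set per OpenVPN tunnel: set N holds rules N000-N999, so a single
# tunnel is reloaded with "ipfw delete set N" followed by a fresh vpn_rules N.
vpn_rules() {
    set_no=$1; remote_gw=$2; remote_net=$3; tun_if=$4
    base=$((set_no * 1000))
    cat <<EOF
add $base set $set_no allow udp from $remote_gw to me 1194 in via $EXT_IF keep state
add $((base + 10)) set $set_no allow udp from me 1194 to $remote_gw out via $EXT_IF keep state
add $((base + 20)) set $set_no allow ip from $remote_net to $INT_NET in via $tun_if
add $((base + 30)) set $set_no allow ip from $INT_NET to $remote_net out via $tun_if
EOF
}

# Last rule: whatever nothing above allowed is logged and dropped.
final_rules() {
    echo "add 65000 deny log ip from any to any"
}

# The complete ruleset in ipfw(8) file syntax, with three constructed
# site-to-site peers (TEST-NET addresses).
all_rules() {
    base_rules
    vpn_rules 1 203.0.113.10 10.1.0.0/24 tun0
    vpn_rules 2 203.0.113.20 10.2.0.0/24 tun1
    vpn_rules 3 203.0.113.30 10.3.0.0/24 tun2
    final_rules
}

# Apply the ruleset: set FWCMD="/sbin/ipfw -q" on the firewall (-q keeps the
# flush from prompting); the default only prints the file that would be fed
# to ipfw.
fwcmd="${FWCMD:-cat}"
load_ruleset() {
    tmp=$(mktemp) || return 1
    { echo "flush"; all_rules; } > "$tmp"
    $fwcmd "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    load) load_ruleset ;;
esac
```

Run `sh fw.sh load` to see the generated file, and `FWCMD="/sbin/ipfw -q" sh fw.sh load` on the firewall to apply it. To change only site 2, run `ipfw delete set 2` and feed the output of `vpn_rules 2 ...` back to ipfw; sets 0, 1 and 3 keep running untouched, which is the property Steve was after.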
Re: Firewall, OpenVPN and Squid question
----- Original Message -----
From: "Paul Hillen" <[EMAIL PROTECTED]>
To: "Steve Bertrand" <[EMAIL PROTECTED]>; "Paul Hillen" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, July 21, 2004 1:33 PM
Subject: RE: Firewall, OpenVPN and Squid question

> I have around 100 users at our site that would require the use of squid,
> we house our own webserver, mail server, public DNS servers in the DMZ and
> 2 private DNS servers on the internal network, used by both Internal and
> VPN users.
>
> Sites connecting Gateway to Gateway, there are approx as follows;
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are approx 25, and about 50% of them are connected at
> any given time.
>
> My first thought is to put up a Firewall box that can handle the load of
> publishing many internal boxes and "publish" a box with OpenVPN and
> another for SQUID and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration.
>
> Thanks in advance
> Paul
>

Considering that many of the current hardware firewall solutions aren't much
more than either a BSD or Linux kernel in a ROM chip, with a 486 or 586 based
cpu, memory, and a nice gui (Windows or Internal Web interface), I can't see
why a similar system on a PC would be any different.

--
Micheal Patterson
TSG Network Administration
405-917-0600
RE: Firewall, OpenVPN and Squid question
> I have around 100 users at our site that would require the use of squid,
> we house our own webserver, mail server, public DNS servers in the DMZ and
> 2 private DNS servers on the internal network, used by both Internal and
> VPN users.
>
> Sites connecting Gateway to Gateway, there are approx as follows;
> Site 1 - 25 users
> Site 2 - 5 users
> Site 3 - 12 users
> Our site VPN users are approx 25, and about 50% of them are connected at
> any given time.
>
> My first thought is to put up a Firewall box that can handle the load of
> publishing many internal boxes and "publish" a box with OpenVPN and
> another for SQUID and just keep them all separate.
>
> Will this setup put too much strain on the FIREWALL box or will it have no
> problem handling the NAT/ROUTING in this configuration.

I'll go as far as to say that it should have no problem. At the ISP I am
currently working full time for, we recently deployed an ipfw bridge
configured firewall (internally) to protect our core servers from improper
access. There's 8 servers in all (mail, web, mysql, ftp, radius, ssh and
dns). We have about 6000 users, and the FBSD firewall never ever hiccup'ed.
I could even run tcpdump for hours, and it would rarely ever drop even a
single packet.

Sounds like a good setup you are planning. I would set it up, implement it
(with the old setup on standby), and if you find performance problems, pull
the drive out of the P3 and do as you say, go on a 'spending spree', and put
the drive directly into a p4 with a gig of memory, and drop it back in
place.

Please note that natd is NOT running on the ISP firewall, but on the other
such setup it is, and I've never seen any performance problems at all.

Steve
RE: Firewall, OpenVPN and Squid question
I have around 100 users at our site that would require the use of squid, we
house our own webserver, mail server, public DNS servers in the DMZ and 2
private DNS servers on the internal network, used by both Internal and VPN
users.

Sites connecting Gateway to Gateway, there are approx as follows;
Site 1 - 25 users
Site 2 - 5 users
Site 3 - 12 users
Our site VPN users are approx 25, and about 50% of them are connected at any
given time.

My first thought is to put up a Firewall box that can handle the load of
publishing many internal boxes and "publish" a box with OpenVPN and another
for SQUID and just keep them all separate.

Will this setup put too much strain on the FIREWALL box or will it have no
problem handling the NAT/ROUTING in this configuration.

Thanks in advance
Paul

-----Original Message-----
From: Steve Bertrand [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 21, 2004 2:10 PM
To: Paul Hillen
Cc: [EMAIL PROTECTED]
Subject: Re: Firewall, OpenVPN and Squid question

> There are 3 remote sites connecting to our network using GATEWAY to
> GATEWAY VPN and around 25 remote VPN users that must be dealt with also.
> Last item, there is a chance that I will have to connect 3 more remote
> sites into the picture within the next 6 months, so this needs to be
> scalable to handle the load..
>
> My question is, what is the best way to set this up. Here are my thoughts,
> but not sure what is the best way.
>
> * Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
> * Setup 3 separate boxes to break up the work load.
>

What will the load requirements be? (How many users will require the use of
squid).

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients, with
3 OpenVPN instances running simultaneously (Two are site->site, and one is
an XP-client->site). The box is also performing NAT (ipfw/natd) for the
internal users, which when all are accounted for equal ~120, and I find it
works great. There are about 30 users through the VPN's, though usually
never on all at the same time.

Depending on caching requirements though, you might be better off splitting
that off onto its own box, especially if you have the hardware readily
available as you suggest. YMMV.

Steve

>
> Many thanks in advance for being patient with what I am sure is stupid
> beginner questions to most of you.
>
> When giving your choice of which setup, please point me in the direction
> of the best resource to put it all together and the hardware requirement
> you would recommend. I have a truck load of PII 300 - 450's due to
> upgrades, so if I can use them great, if not, time to go on a spending
> spree.
>
> Thanks again
> Paul
>
Re: Firewall, OpenVPN and Squid question
> There are 3 remote sites connecting to our network using GATEWAY to
> GATEWAY VPN and around 25 remote VPN users that must be dealt with also.
> Last item, there is a chance that I will have to connect 3 more remote
> sites into the picture within the next 6 months, so this needs to be
> scalable to handle the load..
>
> My question is, what is the best way to set this up. Here are my thoughts,
> but not sure what is the best way.
>
> * Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
> * Setup 3 separate boxes to break up the work load.
>

What will the load requirements be? (How many users will require the use of
squid).

I have a FBSD PIII 800 w/256M RAM as a firewall for one of our clients, with
3 OpenVPN instances running simultaneously (Two are site->site, and one is
an XP-client->site). The box is also performing NAT (ipfw/natd) for the
internal users, which when all are accounted for equal ~120, and I find it
works great. There are about 30 users through the VPN's, though usually
never on all at the same time.

Depending on caching requirements though, you might be better off splitting
that off onto its own box, especially if you have the hardware readily
available as you suggest. YMMV.

Steve

>
> Many thanks in advance for being patient with what I am sure is stupid
> beginner questions to most of you.
>
> When giving your choice of which setup, please point me in the direction
> of the best resource to put it all together and the hardware requirement
> you would recommend. I have a truck load of PII 300 - 450's due to
> upgrades, so if I can use them great, if not, time to go on a spending
> spree.
>
> Thanks again
> Paul
>
Firewall, OpenVPN and Squid question
Hi everyone,

I am relatively new to the Unix world, have set up a couple TINYDNS servers
and a postfix relay server, so that is the extent of my FreeBSD knowledge.

I have 2 Microsoft ISA servers in a BACK to BACK configuration providing a
DMZ in-between that I would like to get rid of, way more trouble than what
they are worth. They work well for about a month and then the performance
goes south.

There are 3 remote sites connecting to our network using GATEWAY to GATEWAY
VPN and around 25 remote VPN users that must be dealt with also. Last item,
there is a chance that I will have to connect 3 more remote sites into the
picture within the next 6 months, so this needs to be scalable to handle the
load..

My question is, what is the best way to set this up. Here are my thoughts,
but not sure what is the best way.

* Setup one FreeBSD box that contains FIREWALL, SQUID and OPENVPN or
* Setup 3 separate boxes to break up the work load.

Many thanks in advance for being patient with what I am sure is stupid
beginner questions to most of you.

When giving your choice of which setup, please point me in the direction of
the best resource to put it all together and the hardware requirement you
would recommend. I have a truck load of PII 300 - 450's due to upgrades, so
if I can use them great, if not, time to go on a spending spree.

Thanks again
Paul
squid question
hello, again,

I will insist on my question, because it is urgent...

I have a squid box (2.5-Stable, FreeBSD 4.7-RELEASE). It sends all
requisitions to a proxy box over my firewall, that sends all requisitions to
Internet. The proxy is a SWS-windows200 server.

The PROBLEM is that it works for any requisition, but when I try to make a
search on any search site (like YAHOO), I get a requisition timeout.

Does anyone have any idea of what is happening ???

Thanks a lot !

=
Alex Antão
==
Systems and Support Analyst
Virago XV250s (índia) - Brasília,DF - ICQ:5144629
http://motoviagens.pagina.de
http://e-modelismo.pagina.de
==

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re: SQUID question
On Sun, Dec 22, 2002 at 04:17:02PM -0300 Fernando Gleiser <[EMAIL PROTECTED]> wrote:
> On Sun, 22 Dec 2002, P. U. Kruppa wrote:
>
> > > What does the access.log say for Squid?
> > it completely ignores any access from 192.168.10.2 - the Win2k
> > machine.
>
> What do you mean? aren't there any lines for 192.168.10.2?
>
> If there are no lines for 192.168.10.2, the Win box is not connecting to
> the proxy. If the proxy is blocking the connection, it should log
> a TCP_DENIED line for the requesting IP.

Exactly. I'm not sure Peter is even connecting to Squid. Ideally, I would
like a screenshot (close up window capture) of his proxy config from IE, an
entire copy of his squid.conf, and the last two days of his access.log and
his cache.log.

If *nothing* happens when he's trying to connect to the proxy, the browser
just times out with no error from Squid, that tells me IE probably isn't
even *seeing* the proxy, although you can never be sure with M$ error
descriptions. :-)

If the winbox *is* seeing the proxy, perhaps the proxy is busy, deaf, or
dead, due to misconfiguration. Hell, it could be as simple as a permissions
problem where Squid can't write to or read a file or something. But let's at
least be sure Squid is running with no errors and that it's willing and able
to talk to his winbox.

--
David S. Jackson                        [EMAIL PROTECTED]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I sold my memoirs of my love life to Parker Brothers --
they're going to make a game out of it.  -- Woody Allen
RE: SQUID question
If you change the port number in IE to 80, does it see the web server?
(bypassing Squid). If it does then Squid may be OK but your ip filtering or
forwarding is not set up properly.

Are you using an up-stream ISP or just running a local Web Server? What port
is it set to?

Also, have you looked at this page?
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
It deals with your problem especially item 3 and the notes section.

GL
Howard

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of P. U. Kruppa
> Sent: Monday, 23 December 2002 3:06 AM
> To: Howard Picken
> Cc: [EMAIL PROTECTED]
> Subject: RE: SQUID question
>
>
> On Sun, 22 Dec 2002, Howard Picken wrote:
>
> > I may have missed a reply here but
> > I can't see anything about the Windows
> > setup.
> >
> > What is the proxy setup on the win box?
> 192.168.10.1:3128
>
> > What is the gateway setup on win box?
> 192.168.10.1
>
> >
> > Ping will work even if none of the above
> > have been setup because it works on
> > the IP part. What you're trying to use
> > is the TCP part.
> >
> > Run "ipconfig" from the run menu on
> > the w2k box and let us know the result.
> IP address  192.168.10.2
> subnetmask  255.255.255.0
> gateway     192.168.10.1
>
> And: when I kill Squid and reset IE it can access the Internet as
> it always did.
>
>
> Uli.
>
> >
> > Howard
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]]On Behalf Of David S.
> > > Jackson
> > > Sent: Sunday, 22 December 2002 6:11 AM
> > > To: P. U. Kruppa
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: SQUID question
> > >
> > >
> > > On Sat, Dec 21, 2002 at 09:35:33AM + P. U. Kruppa
> > > <[EMAIL PROTECTED]> wrote:
> > > > Hi,
> > > >
> > > > I am testing Squid on my home network:
> > > >
> > > > +--------------+    +--------------+
> > > > | 192.168.10.1 |    | 192.168.10.2 |
> > > > | squid proxy  |<---| Win2k        |
> > > > | on -STABLE   |    | Client       |
> > > > +--------------+    +--------------+
> > > >
> > > > Squid can be used properly on the proxy-machine (with
> > > > linux-mozilla1.2.1 directed to localhost:3128 ),
> > > > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > > > cannot open any webpages: After some minutes it ends up with
> > > > "... couldn't be opened"
> > > >
> > > > C:> telnet 192.168.10.1 3128
> > > > seems to be ok: the dialog window is opened.
> > > >
> > > > This is my rule set in squid.conf so far:
> > > >
> > > > acl pukruppa src 192.168.10.0/255.255.255.0
> > > > http_access allow pukruppa
> > > > http_access allow localhost
> > > > http_access deny all
> > > >
> > > >
> > > > Thanks for any ideas.
> > >
> > > What does the access.log say for Squid?
> > >
> > > Are you sure the proxy is set up properly in IE?
> > >
> > > Are there any other proxies you're chaining together with squid, like
> > > junkbuster or something?
> > >
> > > Are you running any add-ons to squid, like squidguard?
> > >
> > > I'm sure there are other possibilities, but I'd check those first.
> > >
> > > --
> > > David S. Jackson                        [EMAIL PROTECTED]
> > > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > > I could dance with you till the cows come home.
> > > On second thought, I'd rather dance with the cows
> > > till you come home. -- Groucho Marx
> > >
> > > ---
> > > Incoming mail is certified Virus Free.
> > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > Version: 6.0.431 / Virus Database: 242 - Release Date: 17/12/2002
> >
>
> *---*
> *Peter Ulrich Kruppa*
> * - Wuppertal - *
> * Germany *
> *---*
>
Re: SQUID question
On Sun, 22 Dec 2002, P. U. Kruppa wrote:

> > What does the access.log say for Squid?
> it completely ignores any access from 192.168.10.2 - the Win2k
> machine.

What do you mean? Aren't there any lines for 192.168.10.2?

If there are no lines for 192.168.10.2, the Win box is not connecting
to the proxy. If the proxy is blocking the connection, it should log a
TCP_DENIED line for the requesting IP.

Fer
Re: SQUID question
On Sun, 22 Dec 2002, P. U. Kruppa wrote:

> When I change
> http_port to
> http_port 192.168.10.1:3128
> Squid doesn't even work locally on the proxy.
> So I stayed with
> http_port 3128

What does 'sockstat -4 | grep squid' say?

Fer
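Fer's two checks in the replies above (does access.log have any line at all for the Win2k client, and which address is Squid actually bound to according to sockstat) can be scripted. The following is an added example, not code from this thread or from Squid; the sockstat output and the access.log lines inside it are constructed to look like FreeBSD sockstat(1) output and Squid's native access.log format, and the client addresses are made up for illustration.

```python
"""Triage a Squid client that 'cannot open any webpages', offline.

Added example (not from the mailing-list thread). The sockstat and
access.log text below is constructed, not captured from a real box.
"""
import ipaddress

# Constructed: what `sockstat -4 | grep squid` prints with http_port 3128
# (bound on every interface) ...
SOCKSTAT_ANY = """\
squid    squid      1234  10 tcp4   *:3128                *:*
squid    squid      1234  11 udp4   *:3130                *:*
"""
# ... and with the listener tied to the loopback address only.
SOCKSTAT_LOOPBACK = """\
squid    squid      1234  10 tcp4   127.0.0.1:3128        *:*
"""

# Constructed Squid native access.log lines (fields: time elapsed client
# action/code bytes method URL ident hierarchy/peer type). Note that
# 192.168.10.2 never appears: that is the "no lines at all" case.
ACCESS_LOG = """\
1040556000.123   245 127.0.0.1 TCP_MISS/200 2451 GET http://www.google.com/ - DIRECT/216.239.51.100 text/html
1040556001.456     0 192.168.10.9 TCP_DENIED/403 1450 GET http://www.google.com/ - NONE/- text/html
"""


def tcp_listeners(sockstat_text, port=3128):
    """Local addresses on which squid has a TCP socket bound to `port`."""
    addrs = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[4].startswith("tcp"):
            continue
        host, _, bound_port = fields[5].rpartition(":")
        if bound_port == str(port):
            addrs.append(host)
    return addrs


def reachable_from(sockstat_text, client_ip, port=3128):
    """Can a client on another host reach the listener at all?
    '*' / 0.0.0.0 means every interface, a loopback bind is local-only,
    and any other specific address is reachable by hosts routed to it."""
    for host in tcp_listeners(sockstat_text, port):
        if host in ("*", "0.0.0.0"):
            return True
        if ipaddress.ip_address(host).is_loopback:
            continue  # lo0 only: the LAN client gets a refused connection
        return True
    return False


def classify_client(access_log, client_ip):
    """Fer's rule: no lines means the client never reached squid,
    only TCP_DENIED lines means http_access rejected it, anything
    else means squid served it."""
    actions = [fields[3]
               for fields in (line.split() for line in access_log.splitlines())
               if len(fields) > 3 and fields[2] == client_ip]
    if not actions:
        return "not-connecting"
    if all(a.startswith("TCP_DENIED") for a in actions):
        return "denied-by-acl"
    return "served"


if __name__ == "__main__":
    for ip in ("192.168.10.2", "192.168.10.9", "127.0.0.1"):
        print(ip, classify_client(ACCESS_LOG, ip))
    print("*:3128 reachable from LAN:", reachable_from(SOCKSTAT_ANY, "192.168.10.2"))
    print("127.0.0.1:3128 reachable from LAN:", reachable_from(SOCKSTAT_LOOPBACK, "192.168.10.2"))
```

Run against a real access.log and a real `sockstat -4 | grep squid` capture, the two results separate the three failure modes the thread keeps circling: the client never reaching the proxy (network, browser proxy setting, or a loopback-only bind), the proxy refusing it (http_access), and the proxy serving it but the browser still failing.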
Re: SQUID question
please don't cc me, I'll pick up your posts from the list.

# [EMAIL PROTECTED] / 2002-12-22 15:56:03 +:
> On Sat, 21 Dec 2002, Roman Neuhauser wrote:
>
> > # [EMAIL PROTECTED] / 2002-12-21 09:35:33 +:
> > > I am testing Squid on my home network:
> > >
> > > +--------------+     +--------------+
> > > | 192.168.10.1 |     | 192.168.10.2 |
> > > | squid proxy  |<----|    Win2k     |
> > > | on -STABLE   |     |    Client    |
> > > +--------------+     +--------------+
> > >
> > > Squid can be used properly on the proxy-machine (with
> > > linux-mozilla1.2.1 directed to localhost:3128 ),
> > > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > > cannot open any webpages: After some minutes it ends up with
> > > "... couldn't be opened"
> >
> > localhost is 127.0.0.1, you want squid to listen on 192.168.10.1
>
> When I change http_port to
> http_port 192.168.10.1:3128
> Squid doesn't even work locally on the proxy.

"Squid doesn't even work locally on the proxy" is as vague as it can
get. What are the symptoms?

Assuming 192.168.10.1 is the gateway's / squid box's address, what do
you get with "http_port 192.168.10.1:3128", a browser on another box
set to use that proxy, and going to, say, www.google.com?

--
If you cc me or remove the list(s) completely I'll most likely ignore
your message. See http://www.eyrie.org./~eagle/faqs/questions.html
RE: SQUID question
On Sun, 22 Dec 2002, Howard Picken wrote:

> I may have missed a reply here but
> I can't see anything about the Windows
> setup.
>
> What is the proxy setup on the win box?
192.168.10.1:3128

> What is the gateway setup on win box?
192.168.10.1

> Ping will work even if none of the above
> have been setup because it works on
> the IP part. What you're trying to use
> is the TCP part.
>
> Run "ipconfig" from the run menu on
> the w2k box and let us know the result.

IP address   192.168.10.2
subnet mask  255.255.255.0
gateway      192.168.10.1

And: when I kill Squid and reset IE it can access the Internet as it
always did.

Uli.

> Howard
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of David S. Jackson
> > Sent: Sunday, 22 December 2002 6:11 AM
> > To: P. U. Kruppa
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: SQUID question
> >
> > On Sat, Dec 21, 2002 at 09:35:33AM + P. U. Kruppa
> > <[EMAIL PROTECTED]> wrote:
> > > Hi,
> > >
> > > I am testing Squid on my home network:
> > >
> > > +--------------+     +--------------+
> > > | 192.168.10.1 |     | 192.168.10.2 |
> > > | squid proxy  |<----|    Win2k     |
> > > | on -STABLE   |     |    Client    |
> > > +--------------+     +--------------+
> > >
> > > Squid can be used properly on the proxy-machine (with
> > > linux-mozilla1.2.1 directed to localhost:3128 ),
> > > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > > cannot open any webpages: After some minutes it ends up with
> > > "... couldn't be opened"
> > >
> > > C:> telnet 192.168.10.1 3128
> > > seems to be ok: the dialog window is opened.
> > >
> > > This is my rule set in squid.conf so far:
> > >
> > > acl pukruppa src 192.168.10.0/255.255.255.0
> > > http_access allow pukruppa
> > > http_access allow localhost
> > > http_access deny all
> > >
> > > Thanks for any ideas.
> >
> > What does the access.log say for Squid?
> >
> > Are you sure the proxy is set up properly in IE?
> >
> > Are there any other proxies you're chaining together with squid, like
> > junkbuster or something?
> >
> > Are you running any add-ons to squid, like squidguard?
> >
> > I'm sure there are other possibilities, but I'd check those first.
> >
> > --
> > David S. Jackson [EMAIL PROTECTED]
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > I could dance with you till the cows come home.
> > On second thought, I'd rather dance with the cows
> > till you come home. -- Groucho Marx

*---------------------*
* Peter Ulrich Kruppa *
*    - Wuppertal -    *
*       Germany       *
*---------------------*
Re: SQUID question
On Sat, 21 Dec 2002, David S. Jackson wrote:

> On Sat, Dec 21, 2002 at 09:35:33AM + P. U. Kruppa
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am testing Squid on my home network:
> >
> > +--------------+     +--------------+
> > | 192.168.10.1 |     | 192.168.10.2 |
> > | squid proxy  |<----|    Win2k     |
> > | on -STABLE   |     |    Client    |
> > +--------------+     +--------------+
> >
> > Squid can be used properly on the proxy-machine (with
> > linux-mozilla1.2.1 directed to localhost:3128 ),
> > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > cannot open any webpages: After some minutes it ends up with
> > "... couldn't be opened"
> >
> > C:> telnet 192.168.10.1 3128
> > seems to be ok: the dialog window is opened.
> >
> > This is my rule set in squid.conf so far:
> >
> > acl pukruppa src 192.168.10.0/255.255.255.0
> > http_access allow pukruppa
> > http_access allow localhost
> > http_access deny all
> >
> > Thanks for any ideas.
>
> What does the access.log say for Squid?
it completely ignores any access from 192.168.10.2 - the Win2k
machine.

> Are you sure the proxy is set up properly in IE?
Yes, I put in IP and channel manually.

> Are there any other proxies you're chaining together with squid, like
> junkbuster or something?
No.

> Are you running any add-ons to squid, like squidguard?
Not that I know.

Uli.

> I'm sure there are other possibilities, but I'd check those first.
>
> --
> David S. Jackson [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> I could dance with you till the cows come home.
> On second thought, I'd rather dance with the cows
> till you come home. -- Groucho Marx

*---------------------*
* Peter Ulrich Kruppa *
*    - Wuppertal -    *
*       Germany       *
*---------------------*
Re: SQUID question
On Sat, 21 Dec 2002, Roman Neuhauser wrote:

> # [EMAIL PROTECTED] / 2002-12-21 09:35:33 +:
> > I am testing Squid on my home network:
> >
> > +--------------+     +--------------+
> > | 192.168.10.1 |     | 192.168.10.2 |
> > | squid proxy  |<----|    Win2k     |
> > | on -STABLE   |     |    Client    |
> > +--------------+     +--------------+
> >
> > Squid can be used properly on the proxy-machine (with
> > linux-mozilla1.2.1 directed to localhost:3128 ),
> > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > cannot open any webpages: After some minutes it ends up with
> > "... couldn't be opened"
>
> localhost is 127.0.0.1, you want squid to listen on 192.168.10.1
When I change http_port to
http_port 192.168.10.1:3128
Squid doesn't even work locally on the proxy.
So I stayed with
http_port 3128

Uli.

> > C:> telnet 192.168.10.1 3128
> > seems to be ok: the dialog window is opened.
> >
> > This is my rule set in squid.conf so far:
> >
> > acl pukruppa src 192.168.10.0/255.255.255.0
> > http_access allow pukruppa
> > http_access allow localhost
> > http_access deny all
>
> --
> If you cc me or remove the list(s) completely I'll most likely ignore
> your message. See http://www.eyrie.org./~eagle/faqs/questions.html

*---------------------*
* Peter Ulrich Kruppa *
*    - Wuppertal -    *
*       Germany       *
*---------------------*
RE: SQUID question
I may have missed a reply here but
I can't see anything about the Windows
setup.

What is the proxy setup on the win box?
What is the gateway setup on win box?

Ping will work even if none of the above
have been setup because it works on
the IP part. What you're trying to use
is the TCP part.

Run "ipconfig" from the run menu on
the w2k box and let us know the result.

Howard

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of David S. Jackson
> Sent: Sunday, 22 December 2002 6:11 AM
> To: P. U. Kruppa
> Cc: [EMAIL PROTECTED]
> Subject: Re: SQUID question
>
> On Sat, Dec 21, 2002 at 09:35:33AM + P. U. Kruppa
> <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > I am testing Squid on my home network:
> >
> > +--------------+     +--------------+
> > | 192.168.10.1 |     | 192.168.10.2 |
> > | squid proxy  |<----|    Win2k     |
> > | on -STABLE   |     |    Client    |
> > +--------------+     +--------------+
> >
> > Squid can be used properly on the proxy-machine (with
> > linux-mozilla1.2.1 directed to localhost:3128 ),
> > but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> > cannot open any webpages: After some minutes it ends up with
> > "... couldn't be opened"
> >
> > C:> telnet 192.168.10.1 3128
> > seems to be ok: the dialog window is opened.
> >
> > This is my rule set in squid.conf so far:
> >
> > acl pukruppa src 192.168.10.0/255.255.255.0
> > http_access allow pukruppa
> > http_access allow localhost
> > http_access deny all
> >
> > Thanks for any ideas.
>
> What does the access.log say for Squid?
>
> Are you sure the proxy is set up properly in IE?
>
> Are there any other proxies you're chaining together with squid, like
> junkbuster or something?
>
> Are you running any add-ons to squid, like squidguard?
>
> I'm sure there are other possibilities, but I'd check those first.
>
> --
> David S. Jackson [EMAIL PROTECTED]
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> I could dance with you till the cows come home.
> On second thought, I'd rather dance with the cows
> till you come home. -- Groucho Marx
Re: SQUID question
On Sat, Dec 21, 2002 at 09:35:33AM + P. U. Kruppa <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I am testing Squid on my home network:
>
> +--------------+     +--------------+
> | 192.168.10.1 |     | 192.168.10.2 |
> | squid proxy  |<----|    Win2k     |
> | on -STABLE   |     |    Client    |
> +--------------+     +--------------+
>
> Squid can be used properly on the proxy-machine (with
> linux-mozilla1.2.1 directed to localhost:3128 ),
> but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> cannot open any webpages: After some minutes it ends up with
> "... couldn't be opened"
>
> C:> telnet 192.168.10.1 3128
> seems to be ok: the dialog window is opened.
>
> This is my rule set in squid.conf so far:
>
> acl pukruppa src 192.168.10.0/255.255.255.0
> http_access allow pukruppa
> http_access allow localhost
> http_access deny all
>
> Thanks for any ideas.

What does the access.log say for Squid?

Are you sure the proxy is set up properly in IE?

Are there any other proxies you're chaining together with squid, like
junkbuster or something?

Are you running any add-ons to squid, like squidguard?

I'm sure there are other possibilities, but I'd check those first.

--
David S. Jackson [EMAIL PROTECTED]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
I could dance with you till the cows come home.
On second thought, I'd rather dance with the cows
till you come home. -- Groucho Marx
Re: SQUID question
# [EMAIL PROTECTED] / 2002-12-21 09:35:33 +:
> I am testing Squid on my home network:
>
> +--------------+     +--------------+
> | 192.168.10.1 |     | 192.168.10.2 |
> | squid proxy  |<----|    Win2k     |
> | on -STABLE   |     |    Client    |
> +--------------+     +--------------+
>
> Squid can be used properly on the proxy-machine (with
> linux-mozilla1.2.1 directed to localhost:3128 ),
> but Win2k's InternetExploder (directed to 192.168.10.1:3128)
> cannot open any webpages: After some minutes it ends up with
> "... couldn't be opened"

localhost is 127.0.0.1, you want squid to listen on 192.168.10.1

> C:> telnet 192.168.10.1 3128
> seems to be ok: the dialog window is opened.
>
> This is my rule set in squid.conf so far:
>
> acl pukruppa src 192.168.10.0/255.255.255.0
> http_access allow pukruppa
> http_access allow localhost
> http_access deny all

--
If you cc me or remove the list(s) completely I'll most likely ignore
your message. See http://www.eyrie.org./~eagle/faqs/questions.html
SQUID question
Hi,

I am testing Squid on my home network:

+--------------+     +--------------+
| 192.168.10.1 |     | 192.168.10.2 |
| squid proxy  |<----|    Win2k     |
| on -STABLE   |     |    Client    |
+--------------+     +--------------+

Squid can be used properly on the proxy-machine (with
linux-mozilla1.2.1 directed to localhost:3128 ),
but Win2k's InternetExploder (directed to 192.168.10.1:3128)
cannot open any webpages: After some minutes it ends up with
"... couldn't be opened"

C:> telnet 192.168.10.1 3128
seems to be ok: the dialog window is opened.

This is my rule set in squid.conf so far:

acl pukruppa src 192.168.10.0/255.255.255.0
http_access allow pukruppa
http_access allow localhost
http_access deny all

Thanks for any ideas.

Uli.

*---------------------*
* Peter Ulrich Kruppa *
*    - Wuppertal -    *
*       Germany       *
*---------------------*
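The three http_access lines in the post above are evaluated by Squid top to bottom, first match wins, and if no line matches Squid applies the opposite of the last line's action. The evaluator below walks a rule list that way so the effect of ordering can be checked without restarting Squid. It is an added example, not code from this thread or from Squid itself; the rule text is the poster's, the 'localhost' acl is spelled out as the stock squid.conf defines it (127.0.0.1/255.255.255.255), and the client addresses used are made up for illustration.

```python
"""Walk a Squid http_access list the way Squid evaluates it.

Added example, not code from the thread or from Squid. Only
'acl NAME src ...' and 'http_access allow|deny ...' lines are
understood; that is enough for the policy in the original post.
"""
import ipaddress

# The poster's policy, with the built-in 'localhost' acl written out.
SQUID_CONF = """\
acl localhost src 127.0.0.1/255.255.255.255
acl pukruppa src 192.168.10.0/255.255.255.0
http_access allow pukruppa
http_access allow localhost
http_access deny all
"""

# Same acls with 'deny all' moved to the top: first match wins, so the
# LAN acl is never consulted and every client is refused.
MISORDERED_CONF = """\
acl pukruppa src 192.168.10.0/255.255.255.0
http_access deny all
http_access allow pukruppa
"""


def parse_conf(conf):
    """Return ({acl name: [networks]}, [(action, [acl names])]).
    'all' is predefined as 0.0.0.0/0, as Squid does."""
    acls = {"all": [ipaddress.ip_network("0.0.0.0/0")]}
    rules = []
    for line in conf.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "acl" and len(fields) > 3 and fields[2] == "src":
            # ip_network accepts both 10.0.0.0/8 and 10.0.0.0/255.0.0.0
            acls.setdefault(fields[1], []).extend(
                ipaddress.ip_network(spec, strict=False) for spec in fields[3:])
        elif fields[0] == "http_access" and len(fields) > 2:
            rules.append((fields[1], fields[2:]))
    return acls, rules


def http_access_allows(conf, client_ip):
    """True if Squid would let client_ip use the proxy under conf."""
    acls, rules = parse_conf(conf)
    ip = ipaddress.ip_address(client_ip)
    last_action = "deny"
    for action, names in rules:
        last_action = action
        matched = True
        for name in names:                 # acls on one line are ANDed
            negate = name.startswith("!")  # '!acl' inverts the match
            nets = acls[name.lstrip("!")]
            if any(ip in net for net in nets) == negate:
                matched = False
                break
        if matched:
            return action == "allow"
    # No line matched: Squid applies the opposite of the last line's
    # action. Ending the list with an explicit 'deny all' removes the
    # surprise.
    return last_action == "deny"


if __name__ == "__main__":
    for client in ("192.168.10.2", "127.0.0.1", "10.0.0.5"):
        print(client, "allowed" if http_access_allows(SQUID_CONF, client) else "denied")
    print("misordered, 192.168.10.2:",
          "allowed" if http_access_allows(MISORDERED_CONF, "192.168.10.2") else "denied")
```

Under the poster's rules 192.168.10.2 is allowed, so an http_access problem would show up in access.log as TCP_DENIED rather than as silence; with the lines misordered the same client is refused, and a list that ends in an allow line silently denies everything unmatched while one that ends in a deny line silently allows it.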