El 11/05/12 20:25, Tom Eastep escribió:
On 5/11/12 3:09 PM, Ricardo Rios wrote:
El 11/05/12 15:31, Tom Eastep escribió:
Beta 1 is now available for testing.
Problems Corrected:
1) Previously, nested conditionals did not work correctly in all
cases. In particular:
?IF $FALSE
?IF $FALSE
foo
bar
?ENDIF
baz
bop
?ENDIF
In this case, the lines 'baz' and 'bop' were incorrectly included
when they should have beeen omitted.
New Features:
1) The TPROXY tcrules action introduced in Shorewall 4.4.7 was
incomplete and required additional logic to be added in the 'start'
or 'started' extension scripts.
In this release, the TPROXY implementation has been changed and an
additional DIVERT action has been created. Because the new TPROXY
has a different set of parameters than the prior one, the tcrules
file now supports two formats:
FORMAT 1 - (default, deprecated )
The TPROXY action allows three arguments, the first of which
('mark') is required.
FORMAT 2
The TPROXY action has two optional arguments:
port -- the port on which the proxy is listening. While
this argument is optional, it will normally be
supplied.
ip address -- The address on which the proxy is listening.
The format is specified by a line line this:
FORMAT {1|2}
The Sample configurations have been updated to use FORMAT 2.
The format-2 tcrules file also supports the DIVERT action. The
DIVERT action directs matching packets to the local system if there
is a transparent socket in the local system that matches the
destination of the packet.
Finally, the providers file supports a new 'tproxy' option. When
'tproxy' is specified:
- It must be the only OPTION given
- The MARK, DUPLICATE and GATEWAY columns must be empty.
The 'tproxy' option causes a reserved mark value to be associated
with the provider and for its associated routing rule to have
priority 1.
Here is the TPROXY configuration at shorewall.net:
tcrules:
FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
...
DIVERT eth1 - tcp - 80
DIVERT eth0 - tcp - 80
TPROXY(3129,172.20.1.254) eth2 - tcp 80
Note: eth1 and eth0 are Internet interfaces and eth2 connects to
the local LAN.
providers:
#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
...
Squid 3 - - lo - tproxy
/etc/squid3/squid.conf:
...
http_port 172.20.1.254:3129 tproxy
...
Thank you for testing,
-Tom
Hi all, hi Tom
I am using 2 providers in the same ethernet (realm) , in that case, is
ok to set ? :
tcrules:
FORMAT 2
#ACTION SOURCE DEST PROTO DEST SOURCE
# PORT(S) PORT(S)
...
DIVERT eth4:192.168.150.199 - tcp -
80
DIVERT eth4:192.168.150.200 - tcp -
80
No -- Simply have a single entry for eth4 with no qualifying addresses.
Thanks for the Great Work Tom, i got few nightmares nights with TPROXY
before trying to make it work.
You're most welcome; I hope it works well for you. It's working fine here.
-Tom
Hi all, hi Tom
So i go TPROXY working now, but i have a question, if i check my http
headers on any internet website, i keep seeing my squid proxy :
http://pastebin.com/HK3sjinn
I whonder if is this ok or not.
Regards.
Ricardo
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
