hehe yeah I'm usually pretty quick to read the new messages since I stay up real late...now that I don't have a job..don't have much to do during the day 'cept buy the latest papers and check for jobs, and then play the PlayStation..I leave the housework up to my girlfriend.. :)
 
anyways back to the problem, if any of this advice still fails to remedy the problem then before you reply please check a couple of things for me. check for any errors in /var/log/squid/cache.log and add them to the email so I can see what's going on. also make note of any other errors you might see during boot.
I'm assuming you're still using the 2 NICS and I'm assuming 1 NIC is for your lan, which I'll call Internal, and the other is for your internet, which I'll call External. I'm also going to call the machine with both these NICS and Squid proxy and the firewall the Gateway. these terms should minimise confusion (for me...it's hard to think straight at 3am).
 
You need to make sure that both the NICS are active...unless you only want internet on the Gateway...in which case only the External NIC would need to be active. Secondly you need to make sure that the ip addresses bound to each NIC (Internet and External) are for different networks. I mean, if your Internal network is 192.168.5.x then don't make your External network on the same subnet...give it something different else your internet packets may get routed to the wrong NIC or vice versa.
 
For basic squid operation there is very little you need to do to the conf file..open your squid conf and look for the line: cache_peer
 
you may wish to set this if you have an upstream proxy. I don't know which ISP you're with but my ISP uses transparent proxies so I don't need to set this. if you do need to set this then use this syntax:
 
cache_peer proxy.myisp.com.au parent 3128 3130
 
these are generic settings and should work in most cases although you may need to change the number 3128 to whichever port your ISP's proxy listens on, and obviously change "proxy.myisp.com.au" to the hostname or ip of your ISP's proxy.
if you don't wish to set an upstream proxy then just ignore that part.
 
now look for the line: dns_nameservers
and make sure it has a comment in front (meaning make sure it's got # at the beginning of the line) so it looks like:
#dns_nameservers 144.139.5.53
 
now look for the line: acl all src 0.0.0.0/0.0.0.0
in the same area you found the above line you should also add a line (if you haven't already) to define the source address of your Internal network so add a line like this:
acl internal src 192.168.5.0/255.255.255.0
 
now look for the line: http_access
make sure you see this line last:
http_access deny all
 
now put, before the above line, http_access allow internal
you should also see in the same area a line that says http_access allow localhost
 
these basic settings should suffice to run squid for basic use. if it still doesn't work then check out http://rte.freeshell.org/squid.conf
remember you may need to change permissions on it to be readable by squid. just check the current squid config you've got and reflect the changes on my squid.conf. remember to keep a backup of your current squid.conf.
 
I've posted a simple squid conf there for you to try with your squid cache...it's only a basic configuration so it should work ok...you might need to change the cache_peer line tho.
 
 
now for the firewall, it sounds to me like the firewall is really basic and doesn't cater for ip masquerading or forwarding which would explain why your Internal network isn't getting a response from anything external.
I'm no expert on this but I'll give it a stab...I don't know where RedHat keeps its firewall script but I'll have a guess....have a look at /etc/rc.d/init.d/ipchains and /etc/sysconfig/ipchains (that's if they exist on your system)..I'm using Mandrake which is very similar to RedHat except it's got lots of stupid little scripts so I'm not 100% sure where RedHat keeps its firewall script.
you need to look for something that refers to masquerading and forwarding. I can't give you the exact answer to fix the firewall..it's too complex...just try everything I've told you so far to see if Squid works properly.
 
I'll try to dig up an old firewall script i found that was pretty good....you should use it instead of the one generated by redhat because the redhat one is generally very basic.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Chrisj
Sent: Tuesday, 30 April 2002 1:04 PM
To: [EMAIL PROTECTED]
Subject: [SLUG] Squid/Firewall Helpppppp (Please)

Hi guys,  I am not sure how to reply to a thread, so I hope Chris Barnes can see this message.  I would like to thank him for his prompt reply and help.  I will have a look at the suggestions to see if they fix the problems. 
 
Just some more info, (in case it helps with more suggestions). 
 
* We originally had RH5.2, on a P120 with 2 10Mb NICS,  which has been happily working away for about 4 years.  We have updated the hardware, so I thought I would update the OS.  (The original box was set up by someone else who is no longer involved in this area).  The original squid was V1.1.  I tried to use the same settings from that squid.conf but the new version has major changes.
* The network setup is an internal network with the 192.168.5.x addresses.  These go through the squid/proxy linux box to a router.  The router then goes to an ISP.
* The email server is another linux box on the other side of the squid server
* The pinging is happening from inside the network
* The DNS question .. I read the squid manual and it states that it no longer uses an external DNS program, but it is internal.  Therefore, I have done nothing with any DNS servers  (Am I wrong in this?).  If I point the line in the squid.conf file to the external DNS program it complains that it can't find it.
 
Again, thanks for your help.
 
Cheers
Chrisj
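
Added example, not part of either message above: a small Python check of the http_access ordering the reply describes (allow lines before the final "http_access deny all"). The config text is a constructed sample using the thread's 192.168.5.x network; the function names are hypothetical, and it assumes "all" is defined as src 0.0.0.0/0.0.0.0 as in the reply.

```python
import ipaddress

# Constructed sample: the access-control lines the reply walks through.
GOOD = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl internal src 192.168.5.0/255.255.255.0
http_access allow localhost
http_access allow internal
http_access deny all
"""
# Constructed misordering: the allow line placed after "deny all".
BAD = GOOD.replace("http_access allow internal\nhttp_access deny all\n",
                   "http_access deny all\nhttp_access allow internal\n")

def parse(conf):
    """Return ({acl name: [networks]}, [(action, [acl names])]) in file order."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments
        if len(f) >= 4 and f[0] == "acl" and f[2] == "src":
            nets = [ipaddress.ip_network(a, strict=False) for a in f[3:]]
            acls.setdefault(f[1], []).extend(nets)
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules

def matches(acls, name, ip):
    """True if ip satisfies one src ACL; a leading '!' negates it."""
    hit = any(ip in net for net in acls.get(name.lstrip("!"), []))
    return hit != name.startswith("!")

def decide(conf, client_ip):
    """First http_access rule whose ACLs all match wins; None if none match."""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client_ip)
    for action, names in rules:
        if all(matches(acls, n, ip) for n in names):
            return action
    return None

def shadowed(conf):
    """Rules listed after an unconditional 'all' rule; they can never take effect."""
    _, rules = parse(conf)
    for i, (_, names) in enumerate(rules):
        if names == ["all"]:
            return rules[i + 1:]
    return []

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("bad", BAD)):
        print(label, decide(conf, "192.168.5.20"), decide(conf, "203.0.113.9"), shadowed(conf))
```

With the misordered sample, a client on the Internal network is denied because "deny all" matches first, and the allow line is reported as shadowed.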
