[Firehol-support] SQUID_USERS, 'time' and overlapping sources/destinations

Jack Olszewski jacek at hermes.net.au
Wed Oct 29 11:14:47 CET 2003


Thanks to the FireHOL author for a tool I've just been looking
for. Very good indeed.

After a few days of trying it I've successfully put it on our
production router-transparent-proxy, RH7.2, kernel-2.4.20-20.7bigmem,
iptables-1.2.5-3, firehol-1.159-rh7up, where it seems to run okay.

During tests prior to that, I encountered three problems - the first
two seem bugs, and the third is something that perhaps needs to be
mentioned in the documentation. 

First:
======

Consider the following piece of firehol.conf:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

reported for:

# Run a transparent cache
MCAFEE=216.49.80.0/19
GOOGLE=216.239.57.99/32

SQUID_PORT="8080"       # Leave empty to disable SQUID
SQUID_USERS="squid"     # Users to be excluded from the cache
SQUID_EXCLUDE="$MCAFEE $GOOGLE" # Web Server IPs to be excluded from the cache

transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
        inface eth0  src "${LAN} ${DYN}" dst not "${SQUID_EXCLUDE}"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At the start, it reports:

----------------------------------------------------------------------
FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
FireHOL: Processing file /etc/firehol/firehol.conf:        [  OK  ]
FireHOL: Activating new firewall:

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 21 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t nat -A out_trsquid.1 -m owner --uid-owner squid -j RETURN 
OUTPUT  : 

iptables: Invalid argument

                                                           [FAILED]

FireHOL: Restoring old firewall:                           [  OK  ]
----------------------------------------------------------------------

Moreover, if SQUID_USERS contains more than one name, the same error
is reported, with the last name shown as --uid-owner. 

Second:
=======

'time' as a protocol name seems not to be recognized. I had to replace
it by the following two lines:

	client custom timetcp tcp/37 default accept
	client custom timeudp udp/37 default accept


Third:
======

Do not define two or more interfaces with overlapping sources or
destinations. E.g. with the following definitions:

# coming from lan
interface eth0 lan src $LAN dst $GATE
        ...

# coming from lan or dyn
interface eth0 landyn src "$LAN $DYN" dst $GATE
        ...

a packet coming from $LAN will only be processed according to the lan
interface, not according to landyn.


Best regards to the author and to the users,
--
Jack Olszewski
Hermes Internet
http://www.hermes.net.au/
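The third point above (first matching `interface` definition wins, so a second one with an overlapping `src` on the same device is partly shadowed) can be checked mechanically before a config goes live. The script below is an added example, not part of the post or of FireHOL; it parses simple `NAME=value` lines and `interface` statements from a constructed sample config, expands `$VAR` references the way bash would, and reports same-device definitions whose source networks overlap. Negated (`src not ...`) lists are skipped.

```python
import ipaddress
import itertools
import re
import shlex

# Constructed sample config for this demo (not the poster's real file).
SAMPLE_CONF = """
LAN="192.168.1.0/24"
DYN="10.8.0.0/24"
GATE="192.168.1.1"
interface eth0 lan src $LAN dst $GATE
interface eth0 landyn src "$LAN $DYN" dst $GATE
# different device, so never compared against the eth0 definitions
interface eth1 dyn src "$DYN"
"""

def expand(text, variables):
    """Substitute $NAME / ${NAME} with the collected values."""
    return re.sub(r'\$\{?(\w+)\}?', lambda m: variables.get(m.group(1), ''), text)

def parse_vars(conf):
    """Collect simple NAME=value assignments, expanding earlier ones."""
    variables = {}
    for line in conf.splitlines():
        m = re.match(r'^\s*([A-Za-z_]\w*)=(.*)$', line)
        if m:
            variables[m.group(1)] = expand(m.group(2).strip().strip('"\''), variables)
    return variables

def interfaces(conf, variables):
    """Yield (device, name, [src networks]) for each 'interface' line."""
    for line in conf.splitlines():
        if not line.lstrip().startswith('interface '):
            continue
        toks = shlex.split(expand(line, variables))  # bash-style word splitting
        nets = []
        if 'src' in toks:
            i = toks.index('src')
            if toks[i + 1] != 'not':  # negated source lists are skipped here
                nets = [ipaddress.ip_network(n, strict=False) for n in toks[i + 1].split()]
        yield toks[1], toks[2], nets

def overlapping(conf):
    """(first, second, net_a, net_b) for same-device definitions whose src overlap."""
    defs = list(interfaces(conf, parse_vars(conf)))
    hits = []
    for (dev_a, name_a, a), (dev_b, name_b, b) in itertools.combinations(defs, 2):
        if dev_a == dev_b:  # only definitions on the same device can shadow each other
            hits += [(name_a, name_b, str(x), str(y)) for x in a for y in b if x.overlaps(y)]
    return hits
```

Each tuple returned means traffic from `net_b` that also falls inside `net_a` will be handled by the earlier definition only, exactly the situation described for `lan` and `landyn`.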
