[Firehol-support] SQUID_USERS, 'time' and overlapping sources/destinations

Jack Olszewski jacek at hermes.net.au
Wed Oct 29 10:14:47 GMT 2003

Thanks to the FireHOL author for a tool I've been just looking
for. Very good indeed.

After a few days of trying it I've successfully put it on our
production router-transparent-proxy, RH7.2, kernel-2.4.20-20.7bigmem,
iptables-1.2.5-3, firehol-1.159-rh7up, where it seems to run okay.

During tests prior to that, I encountered three problems - the first
two seem to be bugs, and the third is something that perhaps needs to be
mentioned in the documentation.


Consider the following piece of firehol.conf:

# Run a transparent cache

SQUID_PORT="8080"       # Leave empty to disable SQUID
SQUID_USERS="squid"     # Users to be excluded from the cache
SQUID_EXCLUDE="$MCAFEE $GOOGLE" # Web Server IPs to be excluded from the cache

transparent_squid "${SQUID_PORT}" "${SQUID_USERS}" \
        inface eth0  src "${LAN} ${DYN}" dst not "${SQUID_EXCLUDE}"

At the start, it reports:

FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
FireHOL: Processing file /etc/firehol/firehol.conf:        [  OK  ]
FireHOL: Activating new firewall:

ERROR   : # 1.
WHAT    : A runtime command failed to execute (returned error 1).
SOURCE  : line 21 of /etc/firehol/firehol.conf
COMMAND : /sbin/iptables -t nat -A out_trsquid.1 -m owner --uid-owner squid -j RETURN 

iptables: Invalid argument


FireHOL: Restoring old firewall:                           [  OK  ]

Moreover, if SQUID_USERS contains more than one name, the same error
is reported, with the last name shown as --uid-owner. 


'time' as a protocol name seems not to be recognized. I had to replace
it by the following two lines:

	client custom timetcp tcp/37 default accept
	client custom timeudp udp/37 default accept


Do not define two or more interfaces with overlapping sources or
destinations. E.g. with the following definitions:

# coming from lan
interface eth0 lan src $LAN dst $GATE

# coming from lan or dyn
interface eth0 landyn src "$LAN $DYN" dst $GATE

a packet coming from $LAN will only be processed according to the lan
interface, not according to landyn.

Best regards to the author and to the users,
Jack Olszewski
Hermes Internet
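A small lint for the third point above, added here as an example that is not part of the original message or of FireHOL itself: it reads a firehol.conf and reports "interface" definitions on the same device whose src lists share a token, since only the first matching definition ever sees that source. It assumes one-line interface statements, compares source tokens literally ($LAN, 10.0.0.0/8) without expanding variables, and skips any list that follows "not".

```shell
# Report overlapping src tokens between "interface" definitions on the same
# device. Added example, not from the original post or from FireHOL.
# Assumptions: one-line "interface" statements; sources compared as literal
# tokens (no variable expansion); a list introduced by "not" is skipped.
firehol_overlapping_src() {
    awk '
    /^[ \t]*interface[ \t]/ {
        n++; dev[n] = $2; name[n] = $3; srcs[n] = ""
        inside = 0
        for (i = 4; i <= NF; i++) {
            if ($i == "src") { inside = 1; continue }
            # another keyword, or a negated list, ends the src list
            if ($i == "dst" || $i == "inface" || $i == "outface" || $i == "not") {
                inside = 0; continue
            }
            if (inside) {
                t = $i; gsub(/"/, "", t)        # strip quotes around "$LAN $DYN"
                if (t != "") srcs[n] = srcs[n] " " t
            }
        }
    }
    END {
        # first definition wins, so for each later one on the same device
        # report every source token the earlier definition already consumes
        for (a = 1; a <= n; a++)
            for (b = a + 1; b <= n; b++) {
                if (dev[a] != dev[b]) continue
                m = split(srcs[a], ta, " "); k = split(srcs[b], tb, " ")
                for (x = 1; x <= m; x++)
                    for (y = 1; y <= k; y++)
                        if (ta[x] == tb[y])
                            print dev[a] ": src " ta[x] " is consumed by interface " name[a] "; interface " name[b] " never sees it"
            }
    }' "$@"
}

# Constructed sample config reproducing the overlap described in the post.
firehol_overlapping_src <<'EOF'
# coming from lan
interface eth0 lan src $LAN dst $GATE

# coming from lan or dyn
interface eth0 landyn src "$LAN $DYN" dst $GATE

# a different device does not conflict
interface eth1 dmz src $DMZ dst $GATE
EOF
# prints: eth0: src $LAN is consumed by interface lan; interface landyn never sees it
```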
