Re: [squid-users] Squid's IDENT doesn't work through firewall

From: Robert Collins <robert.collins@dont-contact.us>
Date: 14 Aug 2001 17:59:35 +1000

On 13 Aug 2001 12:49:58 +0100, STEPHEN wrote:
> Hi Everyone,
>
> This may or may not be more of a firewall issue, but I'm hoping that
> some of you may have come across this and may be able to help:
>
> I am using ident_aware_hosts to retrieve the ident of clients for simple
> access control. All has worked well until a firewall (Cisco PIX 515) was
> installed between the internal squid proxy and our clients.
> Unfortunately I know very little about the firewall but can simply
> monitor its log on a terminal.
>
> The IDENT no longer works and Squid does not receive an IDENT reply.
> Port 113 is supposedly open on the firewall and it does not report any
> deny/113 errors, but closes comms going on 113 with TCP-RST with 0
> bytes. In other words, the firewall seems to think that the IDENT
> between the squid and client is either 0 bytes or invalid, and
> immediately closes the connection.
>
> Any ideas? Thanks.

This is documented in the PIX installation instructions. Look under
"Sending emails takes a long time" from memory.

You need to create either a conduit and outbound, or matching access
list and apply statements and allow the port 113 traffic through
unfiltered.

Rob
Received on Tue Aug 14 2001 - 01:59:20 MDT
