RE: [squid-users] Problems with Squid and ebtables

From: Chris Robertson <crobertson@dont-contact.us>
Date: Fri, 29 Apr 2005 09:38:36 -0800

> -----Original Message-----
> From: Louis [mailto:lkutter@excite.com]
> Sent: Friday, April 29, 2005 5:18 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] Problems with Squid and ebtables
>
>
>
> I have a server running Fedora and Squid. It is running in bridge mode.
> It has two NICs and ebtables running; ebtables redirects to the Squid
> process. All seems to work fine except the server appears to be
> sending spam: when I do a netstat -p | grep smtp it shows the squid
> process trying to send out to many different servers. Here is the main
> part of the config that I am having problems with:
>
> visible_hostname cache.mydomain.com
>
> acl net1 src 10.0.0.0/255.0.0.0
> acl net2 src 0.0.0.0/0.0.0.0
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
> http_access allow net1
> http_access allow net2
> httpd_accel_host virtual
> httpd_accel_port 80
> httpd_accel_with_proxy on
> httpd_accel_uses_host_header on
>
> I know: take out the 0.0.0.0 subnet. But when I do that, people on the
> outside world cannot access the internal web servers, although the SMTP
> traffic stops. I have tried various access rules but haven't hit the
> right combination yet.
> Thanks in advance.
> Louis

I don't run a Web-Accelerator Proxy, so my advice might not be accurate, but
I would think that you would need to restrict where net2 is allowed to go.
Something like:
acl net1 src 10.0.0.0/8
acl net2 src 0.0.0.0/0
acl webserver dst 10.10.10.10/32 # This IP should be your webserver

http_access allow net1
http_access allow net2 webserver
http_access deny net2 # for clarity
etc...

Chris
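To make the first-match semantics behind the two rule sets concrete, here is an added example (not code from the thread or from the Squid project): a small evaluator of Squid's http_access logic, modelling only the src, dst and port ACL types. The two configurations embedded in it are constructed for this example; OPEN_CONFIG is the shape of the original post (net2 = 0.0.0.0/0 allowed unconditionally), RESTRICTED_CONFIG is the reply's suggestion with the webserver ACL typed as dst, plus the stock Squid Safe_ports rule. The client and destination addresses are documentation-range placeholders, not real hosts.

```python
"""Evaluate Squid-style http_access rules against a request (added example).

Semantics implemented, matching Squid's documented behaviour:
  * 'acl NAME TYPE VALUE...' defines an ACL; several lines with the same
    NAME are OR'ed together.
  * 'http_access allow|deny ACL...' lists ACLs that must ALL match (AND);
    a leading '!' negates an ACL.
  * The first http_access line whose ACLs all match decides the request.
  * If no line matches, the result is the OPPOSITE of the last line's action.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str   # client address
    dst: str   # destination (origin server) address
    port: int  # destination port


def parse_config(text):
    """Parse 'acl' and 'http_access' lines; everything else is ignored."""
    acls, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl":
            name, acltype, values = parts[1], parts[2], parts[3:]
            acls.setdefault(name, []).append((acltype, values))
        elif parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return acls, rules


def _network(value):
    # ipaddress accepts both 10.0.0.0/8 and the 10.0.0.0/255.0.0.0 form
    # used in the original post; strict=False tolerates host bits being set.
    return ipaddress.ip_network(value, strict=False)


def acl_matches(acls, name, req):
    """True if the (possibly negated) named ACL matches the request."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    matched = False
    for acltype, values in acls[name]:
        if acltype == "src":
            matched |= any(ipaddress.ip_address(req.src) in _network(v) for v in values)
        elif acltype == "dst":
            matched |= any(ipaddress.ip_address(req.dst) in _network(v) for v in values)
        elif acltype == "port":
            matched |= str(req.port) in values
        else:
            raise ValueError(f"unsupported acl type in this example: {acltype}")
    return matched != negate


def http_access(acls, rules, req):
    """First matching rule decides; otherwise the opposite of the last action."""
    for action, names in rules:
        if all(acl_matches(acls, n, req) for n in names):
            return action == "allow"
    return rules[-1][0] != "allow"


def evaluate(config_text, req):
    acls, rules = parse_config(config_text)
    return http_access(acls, rules, req)


# Constructed rule sets for this example (addresses are placeholders).
OPEN_CONFIG = """
acl net1 src 10.0.0.0/8
acl net2 src 0.0.0.0/0
http_access allow net1
http_access allow net2
"""

RESTRICTED_CONFIG = """
acl net1 src 10.0.0.0/8
acl net2 src 0.0.0.0/0
acl webserver dst 10.10.10.10/32   # the only host the outside may reach
acl Safe_ports port 80 443         # as in Squid's stock configuration
http_access deny !Safe_ports
http_access allow net1
http_access allow net2 webserver
http_access deny net2
"""

if __name__ == "__main__":
    outside_to_smtp = Request("203.0.113.5", "198.51.100.25", 25)
    outside_to_web = Request("203.0.113.5", "10.10.10.10", 80)
    print("open config, outside -> SMTP relay:", evaluate(OPEN_CONFIG, outside_to_smtp))
    print("restricted, outside -> SMTP relay:", evaluate(RESTRICTED_CONFIG, outside_to_smtp))
    print("restricted, outside -> web server:", evaluate(RESTRICTED_CONFIG, outside_to_web))
```

Running it shows the failure mode from the original post (an outside client reaching an arbitrary host on port 25 is allowed by the open rule set) and that the restricted set still lets the outside reach the web server on port 80 while refusing other destinations and ports.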
Received on Fri Apr 29 2005 - 11:39:31 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:04 MDT