RE: [squid-users] Squid with SquidGuard

From: Mark Sansome <msansome@dont-contact.us>
Date: Sat, 14 Jan 2006 22:00:21 +0000

On Thu, 2006-01-12 at 16:22 -0700, Brian Phillips wrote:
> What firewall rules do you have on the lo interface?
>
> Iptables -L
>

Brian + Squid List,

Sorry to take so long to get back to you...

Below is my iptables -L output: Please scroll down also to see the
output from debug_options. Sorry for such a large post...

[root@localhost mark]# /sbin/iptables -L
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere limit: avg
10/sec burst 5
TCPMSS tcp -- anywhere anywhere tcp
flags:SYN,RST/SYN TCPMSS clamp to PMTU
OUTBOUND all -- anywhere anywhere
ACCEPT tcp -- anywhere 192.168.123.0/24 state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere 192.168.123.0/24 state
RELATED,ESTABLISHED
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Unknown Forward'

Chain INBOUND (4 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- 192.168.123.103 anywhere
ACCEPT all -- 82-43-146-103.cable.ubr02.newm.blueyonder.co.uk
anywhere
ACCEPT all -- 192.168.123.100 anywhere
ACCEPT all -- webcache-02-02.ld.th.ifl.net anywhere
ACCEPT all -- 217.177.220.65 anywhere
LSI all -- anywhere anywhere

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- ns1-cro.blueyonder.net anywhere tcp
flags:!SYN,RST,ACK/SYN
ACCEPT udp -- ns1-cro.blueyonder.net anywhere
ACCEPT tcp -- 192.168.123.254 anywhere tcp flags:!
SYN,RST,ACK/SYN
ACCEPT udp -- 192.168.123.254 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere limit: avg
10/sec burst 5
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.123.255
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state
INVALID
LSI all -f anywhere anywhere limit: avg
10/min burst 5
INBOUND all -- anywhere anywhere
INBOUND all -- anywhere 192.168.123.101
INBOUND all -- anywhere 192.168.123.101
INBOUND all -- anywhere 192.168.123.255
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Unknown Input'

Chain LOG_FILTER (5 references)
target prot opt source destination

Chain LSI (2 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix
`Inbound '
DROP tcp -- anywhere anywhere tcp
flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix
`Inbound '
DROP tcp -- anywhere anywhere tcp
flags:FIN,SYN,RST,ACK/RST
LOG icmp -- anywhere anywhere icmp
echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
DROP icmp -- anywhere anywhere icmp
echo-request
LOG all -- anywhere anywhere limit: avg
5/sec burst 5 LOG level info prefix `Inbound '
DROP all -- anywhere anywhere

Chain LSO (0 references)
target prot opt source destination
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg
5/sec burst 5 LOG level info prefix `Outbound '
REJECT all -- anywhere anywhere reject-with
icmp-port-unreachable

Chain OUTBOUND (3 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state
RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.123.101 ns1-cro.blueyonder.net tcp
dpt:domain
ACCEPT udp -- 192.168.123.101 ns1-cro.blueyonder.net udp
dpt:domain
ACCEPT tcp -- 192.168.123.101 192.168.123.254 tcp
dpt:domain
ACCEPT udp -- 192.168.123.101 192.168.123.254 udp
dpt:domain
ACCEPT all -- anywhere anywhere
DROP all -- BASE-ADDRESS.MCAST.NET/8 anywhere
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/8
DROP all -- 255.255.255.255 anywhere
DROP all -- anywhere 0.0.0.0
DROP all -- anywhere anywhere state
INVALID
OUTBOUND all -- anywhere anywhere
OUTBOUND all -- anywhere anywhere
LOG_FILTER all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level
info prefix `Unknown Output'
[root@localhost mark]#

On Thu, 2006-01-12 at 16:28 -0700, Brian Phillips wrote:
> Also try setting
>
> Debug_options ALL,1 61,9
>
> And see what you see in cache.log
>

Debug_options All,1 61,9 seemed to make no difference so I tried with
Debug_options All,9 and this is what I got:

2006/01/14 21:36:07| fd_open FD 4 /var/log/squid/cache.log
2006/01/14 21:36:07| Starting Squid Cache version 2.5.STABLE11 for
i386-redhat-linux-gnu...
2006/01/14 21:36:07| Process ID 12879
2006/01/14 21:36:07| With 1024 file descriptors available
2006/01/14 21:36:07| Initializing IP Cache...
2006/01/14 21:36:07| ipcache_init: Skipping DNS name lookup tests.
2006/01/14 21:36:07| cachemgrRegister: registered ipcache
2006/01/14 21:36:07| Initializing FQDN Cache...
2006/01/14 21:36:07| cachemgrRegister: registered fqdncache
2006/01/14 21:36:07| etc_hosts: line is '127.0.0.1
localhost.localdomain localhost
'
2006/01/14 21:36:07| etc_hosts: address is '127.0.0.1'
2006/01/14 21:36:07| etc_hosts: multiple spaces, skipping
2006/01/14 21:36:07| etc_hosts: got hostname 'localhost.localdomain'
2006/01/14 21:36:07| etc_hosts: got hostname 'localhost'
2006/01/14 21:36:07| comm_open: FD 5 is a new socket
2006/01/14 21:36:07| fd_open FD 5 DNS Socket
2006/01/14 21:36:07| comm_local_port: FD 5: port 33347
2006/01/14 21:36:07| DNS Socket created at 0.0.0.0, port 33347, FD 5
2006/01/14 21:36:07| Adding nameserver 62.30.112.39
from /etc/resolv.conf
2006/01/14 21:36:07| idnsAddNameserver: Added nameserver #0:
62.30.112.39
2006/01/14 21:36:07| Adding nameserver 192.168.123.254
from /etc/resolv.conf
2006/01/14 21:36:07| idnsAddNameserver: Added nameserver #1:
192.168.123.254
2006/01/14 21:36:07| cachemgrRegister: registered idns
2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard'
processes
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12881 called
2006/01/14 21:36:07| leave_suid: PID 12881 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32992
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32991
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12882 called
2006/01/14 21:36:07| leave_suid: PID 12882 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32994
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32993
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12883 called
2006/01/14 21:36:07| leave_suid: PID 12883 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32996
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32995
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12884 called
2006/01/14 21:36:07| leave_suid: PID 12884 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| comm_open: FD 6 is a new socket
2006/01/14 21:36:07| fd_open FD 6 squidGuard
2006/01/14 21:36:07| comm_open: FD 7 is a new socket
2006/01/14 21:36:07| fd_open FD 7 squidGuard
2006/01/14 21:36:07| ipcCreate: prfd FD 7
2006/01/14 21:36:07| ipcCreate: pwfd FD 7
2006/01/14 21:36:07| ipcCreate: crfd FD 6
2006/01/14 21:36:07| ipcCreate: cwfd FD 6
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32998
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32997
2006/01/14 21:36:07| ipcCreate: FD 6 listening...
2006/01/14 21:36:07| leave_suid: PID 12885 called
2006/01/14 21:36:07| leave_suid: PID 12885 giving up root priveleges
forever
2006/01/14 21:36:07| ipcCreate: calling accept on FD 6
2006/01/14 21:36:07| comm_close: FD 6
2006/01/14 21:36:07| commCallCloseHandlers: FD 6
2006/01/14 21:36:07| fd_close FD 6 squidGuard
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| comm_close: FD 7
2006/01/14 21:36:07| commCallCloseHandlers: FD 7
2006/01/14 21:36:07| fd_close FD 7 squidGuard
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
2006/01/14 21:36:07| cachemgrRegister: registered redirector
2006/01/14 21:36:07| authBasicConfigured: returning unconfigured
2006/01/14 21:36:07| eventAdd: Adding 'User Cache Maintenance', in
3600.000000 seconds
2006/01/14 21:36:07| cachemgrRegister: registered external_acl
2006/01/14 21:36:07| User-Agent logging is disabled.
2006/01/14 21:36:07| Referer logging is disabled.
2006/01/14 21:36:07| cachemgrRegister: registered http_headers
2006/01/14 21:36:07| file_open: FD 6
2006/01/14 21:36:07| fd_open FD
6 /usr/share/squid/errors/English/ERR_READ_TIMEOUT
2006/01/14 21:36:07| file_close: FD 6, really closing

+ More of the same...

Any clues?

I really appreciate your help...

Thanks again

Mark
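
An added example, not part of the original post or of Squid: a small Python triage script that unwraps a cache.log excerpt like the one above and pairs each "Cannot run" warning with the ipcCreate socket addresses and the connect errno logged just before it. The function names and the abridged sample are constructed for illustration, and the regular expressions assume the Squid 2.5 debug line shapes shown in this post.

```python
import re
from collections import Counter

# Constructed sample, abridged from the post's cache.log (e-mail wrapping kept).
SAMPLE = """\
2006/01/14 21:36:07| helperOpenServers: Starting 5 'squidGuard'
processes
2006/01/14 21:36:07| ipcCreate: FD 7 sockaddr 127.0.0.1:32990
2006/01/14 21:36:07| ipcCreate: FD 6 sockaddr 127.0.0.1:32989
2006/01/14 21:36:07| connect FD 7: (13) Permission denied
2006/01/14 21:36:07| WARNING: Cannot run
'/usr/local/squidguard/bin/squidGuard' process.
"""

STAMP = re.compile(r"^\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\| ?")
SOCK = re.compile(r"ipcCreate: FD (\d+) sockaddr (\S+)")
CONNECT = re.compile(r"connect FD (\d+): \((\d+)\) (.+)")
CANNOT = re.compile(r"WARNING: Cannot run '([^']+)' process")

def unwrap(text):
    # Join wrapped continuation lines onto the timestamped line they belong to.
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(STAMP.sub("", line))
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def helper_failures(text):
    # One dict per "Cannot run" warning, with the socket and errno context before it.
    failures, socks, err = [], {}, None
    for msg in unwrap(text):
        if m := SOCK.search(msg):
            socks[m.group(1)] = m.group(2)
        elif m := CONNECT.search(msg):
            err = {"fd": m.group(1), "errno": int(m.group(2)), "error": m.group(3)}
        elif m := CANNOT.search(msg):
            failures.append({"helper": m.group(1), "sockets": socks, "connect": err})
            socks, err = {}, None  # the next helper attempt starts clean
    return failures

def summarize(text):
    # Count failures by (helper path, connect errno, all sockets on loopback).
    counts = Counter()
    for f in helper_failures(text):
        loop = all(a.startswith("127.") for a in f["sockets"].values())
        counts[(f["helper"], f["connect"]["errno"] if f["connect"] else None, loop)] += 1
    return dict(counts)
```

Calling summarize() on the full contents of a cache.log gives one count per distinct failure pattern, which shows at a glance whether every helper start failed the same way.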

Received on Sat Jan 14 2006 - 15:00:33 MST
