RE: [squid-users] Squid bypassing my firewall rules

From: Andreas Piesk <[email protected]>
Date: Thu, 14 Feb 2002 15:47:29 +0100

> From: Brian Schonecker [mailto:brian.schonecker@xtek.com]
> Sent: Thursday, February 14, 2002 3:08 PM
>
> I have my Internet gateway, firewall and squid cache all on the same
> machine.
>
> I'm trying to block all access to SPINNER.COM and have been successful
> UNLESS the users type in the proxy in the spinner (real
> player) player.
> Then squid bypasses my ipchains firewall rules and allows access. I've
> confirmed this for WWW and the Real Player.
>
> If I disable proxy settings in my broswer and Real Player,
> then the firewall
> prevents access to SPINNER.COM successfully.
>
> My squid proxy is listening on a single physical NIC
> interface but I have
> two IP addresses: eth0 192.168.1.45 and eth0:0 192.168.1.44. I have a
> single external interface eth1: 192.168.2.45.
>
> Here's a sample of my ipchains rules that work
>
> # Deny all traffic for SPINNER.COM - a music site
> $IPCHAINS -A input -s $REMOTENET -d 205.188.228.1/24 -j DENY -l
> $IPCHAINS -A input -s $REMOTENET -d spinner.com -j DENY -l
> $IPCHAINS -A input -s 192.168.1.44 -d 205.188.228.1/24 -j DENY -l

squid isn't bypassing your filter. your rules aren't correct.

don't use DENY. this gives you only timeouts because the packets will be
dropped silently. REJECT is much better.

if you want deny direct access use the FORWARD chain.

$IPCHAINS -A forward -s $REMOTENET -d 205.188.228.1/24 -j REJECT -l

if you want deny access via proxy you must deny traffic from your proxy
(your filter host) to that site => OUTPUT chain

$IPCHAINS -A output -s $EXT_PROXY -d 205.188.228.1/24 -j REJECT -l

but this will cut off _ALL_ traffic to that site. maybe you want to
restrict the access by port?

in general, use INPUT chain to filter traffic to the filter host,
OUTPUT chain to filter from the filter host and the FORWARD chain
to filter traffic going through the filter.

ciao -ap
Received on Thu Feb 14 2002 - 07:46:19 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:06:22 MST