Koozali.org: home of the SME Server
Legacy Forums => Experienced User Forum => Topic started by: Ed on May 12, 2003, 07:29:20 AM
-
I am running SME 5,5 with Dansguardian as my firewall control panel, as a family server/firewall.
I am using the MACs on each computer to assign specific IPs so that I can control access and closely monitor web surfing.
There is one computer on the network that cannot access the internet at all - everything is blocked, regardless of if the site is in the black list or not. Another computer on the net is working fine, and the two are configured identically in the server. (One is running XP and the other W2K; the problem machine is running W2K, but I don't know why this would make any difference).
The various logs don't provide much help.
I don't understand Squid well enough to know where to look to see if this computer's IP has been unconditionally blocked.
Can someone provide some needed advice?
TIA.
Ed
-
Post your /etc/squid/squid.conf settings and the IP addresses on your network, and we can see if there is a restriction.
Steven
-
OK, here is squid.conf (I can't see anything wrong here):
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# Mitel Networks server software. Instead, modify the source
# template in the /etc/e-smith/templates directory. For more
# information, see http://www.e-smith.org/.
#
# copyright (C) 2001 Mitel Networks Corporation
#------------------------------------------------------------
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localsrc src 127.0.0.1
acl localdst dst 127.0.0.1
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 980
acl CONNECT method CONNECT
acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK
append_domain .edhamlin.org
cache_mgr admin@edhamlin.org
ftp_user nobody@edhamlin.org
http_access allow manager localsrc
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localsrc
http_access deny all
httpd_accel_host virtual
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
icp_access allow all
miss_access allow all
store_avg_object_size 3 KB
always_direct allow webdav
always_direct allow all
=====
The server configuration is essentially "out of the box" except as noted:
- Dansguardian/Dungog Dansguardian is the WWW content filter
Generally the IP addresses are dynamically assigned in the range 192.168.235.65 - .255
- I have assigned specific static IPs, mapping the MACs using the "Hostnames" function as follows:
192.168.235.20 -- me, iMac 700 (Mac OS X)
192.168.235.30 - Toshiba laptop (WIN XP Pro)
192.168.235.35 - eMachines 900 (WIN2K), PROBLEM MACHINE
IP 192.168.235.20 (my Mac) is set up in Dansguardian to "Allow ALL", the other machines are supposed to be filtered.
- I have used a "Deny Port" function to turn off port 1863 to block MSN Messenger
- I have Port Forwarding enabled for ports 5198-5200 to enable EchoMac (a ham radio voice-over-IP application) to work with 192.168.235.20
I didn't mention that I tried changing the problem machine's IP from x.x.x.30 to x.x.x.35 just to see if it was the IP that was somehow causing the problem. Didn't work. The other machines work fine! (The problem machine USED to work & suddenly stopped). This is really a mystery.....
-
Try this
Next to
acl localsrc src 127.0.0.1
and
acl localdst dst 127.0.0.1
put your (internal) network id, mine is 192.168.1.0
and put in the masking bits /255.255.255.0 (for a class c network)
so your lines would look like this
acl localsrc src 127.0.0.1 192.168.1.0/255.255.255.0
acl localdst dst 127.0.0.1 192.168.1.0/255.255.255.0
this says to squid to allow anything coming from your network to access (rule) http
Let me know how you come along.
Steven
-
Thanks! I will try this and report how it works....
Regards
Ed
-
Thanks again, Steven.
I tried the fix and it worked - the problem computer was now able to access the web.
There is a problem - it seems that doing the above has removed any kind of filtering, however, and there were sites being accessed that should not have passed through dansguardian.
I'm wondering if these settings somehow bypass dansguardian's settings as to which IPs on the internal network have filtered access and which don't.
I've posted another question on the board regarding squid behavior, because I plain don't understand what the squid.access.log is telling me, compared to the dansguard access log.
Thanks again, I think I'm a lot closer to getting this one solved!
Steven wrote:
>
> Try this
> Next to
>
> acl localsrc src 127.0.0.1
> and
> acl localdst dst 127.0.0.1
>
> put your (internal) network id, mine is 192.168.1.0
> and put in the masking bits /255.255.255.0 (for a class c
> network)
> so your lines would look like this
>
> acl localsrc src 127.0.0.1 192.168.1.0/255.255.255.0
> acl localdst dst 127.0.0.1 192.168.1.0/255.255.255.0
>
> this says to squid to allow anything coming from your network
> to access (rule) http
>
> Let me know how you come along.
>
> Steven
-
Sorry I haven't answered, I've been doing conferences and launches, and am very busy at the moment, I will be able to look into it on Thursday.
Sorry I can't help you sooner
Steven
-
Try reading this, particularly the SQUID config section. Possibly all you need to do is set your port to 8080 in your proxy:
http://dansguardian.org/downloads/detailedinstallation2.4.html
Steven
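
Added example, not part of the original thread: a minimal first-match evaluator for the acl / http_access lines of the squid.conf posted above, showing which client addresses Squid itself accepts before and after the suggested localsrc change. The 192.168.235.0/255.255.255.0 network and the function names are assumptions, and only the src and port ACL types are modelled.

```python
import ipaddress

# Constructed subset of the squid.conf posted in the thread: only the
# lines that decide http_access for an ordinary request to a given port.
ORIGINAL = """
acl all src 0.0.0.0/0.0.0.0
acl localsrc src 127.0.0.1
acl Safe_ports port 80 21 443 563 70 210 1025-65535 980
http_access deny !Safe_ports
http_access allow localsrc
http_access deny all
"""
# The suggested change, applied to the poster's network (assumed to be a /24).
MODIFIED = ORIGINAL.replace(
    "acl localsrc src 127.0.0.1",
    "acl localsrc src 127.0.0.1 192.168.235.0/255.255.255.0")

def parse(conf):
    """Return ({acl name: (type, values)}, [(action, [acl names])])."""
    acls, rules = {}, []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:1] == ["acl"]:
            acls[tok[1]] = (tok[2], tok[3:])
        elif tok[:1] == ["http_access"]:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(acl, src, port):
    """True if the request (client address, destination port) matches the ACL."""
    kind, values = acl
    if kind == "src":
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        ranges = (v.partition("-") for v in values)
        return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)
    raise ValueError("ACL type not modelled: " + kind)

def http_access(conf, src, port=80):
    """First http_access rule whose ACLs all match (AND, '!' negates) wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(acls[n.lstrip("!")], src, port) != n.startswith("!")
               for n in names):
            return action
    return "deny"  # not reached with these rules: 'deny all' always matches
```

With the original rules Squid accepts requests only from 127.0.0.1, so a browser has to go through a proxy running on the server itself (the content filter); with the widened localsrc any LAN client that connects to Squid's own port is allowed without passing through the filter.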