Re: [squid-users] Squid with Dansguardian (tcp_outgoing_address problem)

From: Santhosh Kumar Gulla <santy4linux_at_gmail.com>
Date: Wed, 14 Oct 2009 19:01:34 +0530

Amos Jeffries wrote:
> Santhosh Kumar Gulla wrote:
>> Dear All,
>>
>> My setup is like this. I'm using dansguardian, squid, havp and I have
>> two ISP connections. In squid.conf I have given:
>>
>> acl mac arp '/etc/squid/mac'
>> tcp_outgoing_address w.x.y.z mac
>>
>>
>> So, when I'm using only squid, the mac ID's present in
>> '/etc/squid/mac' are going through the IP w.x.y.z . But when I'm
>> using dansguardian this rule is not working. It is going through
>> default wan connection. Can anybody help me solve this problem.
>>
>> Thanks & Regards,
>> Santy
>
> Please read my earlier response about how MAC addresses change when
> going through a Squid and DG. The solution is not to use MAC for ACL
> or not to use DG.
>
> Amos

Thanks for your valuable suggestion. Now I'm using IP address instead of
MAC address. Now Dansguardian isn't giving the problem but at the same
time I'm using havp also in my configuration. If I stop havp the
tcp_outgoing_address is working and If I start havp again, it goes
through the same default IP address.

My havp configuration is attached in a file and my squid havp
parametrers are defined below:

# HAVP Configuration Parameters

acl localhost src 127.0.0.2/255.255.255.255
http_port 127.0.0.2:8090
acl from_havp myport 8090

cache_peer 127.0.0.1 parent 8100 0 no-query no-digest no-netdb-exchange
default
cache_peer 127.0.0.2 parent 3128 0 no-query no-digest no-netdb-exchange
proxy-only
prefer_direct off

always_direct allow localhost
always_direct allow from_havp
always_direct allow CONNECT
never_direct allow all
cache_peer_access 127.0.0.2 allow from_havp
cache_peer_access 127.0.0.1 allow all
redirector_access deny from_havp
redirector_access allow all
header_access via deny all

If this configuration has to be modified kindly suggest.

Regards,
Santy

#
# This is the configuration file for HAVP
#
# All lines starting with a hash (#) or empty lines are ignored.
# Uncomment parameters you want to change!
#
# All parameters configurable in this file are explained and their default
# values are shown. If no default value is defined "NONE" is specified.
#
# General syntax: Parameter Value
# Value can be: true/false, number, or path
#
# Extra spaces and tabs are ignored.
#

# You must remove this line for HAVP to start.
# This makes sure you have (hopefully) reviewed the configuration. :)
# Hint: You must enable some scanner! Find them in the end..
# REMOVETHISLINE deleteme

#
# For reasons of security it is recommended to run a proxy program
# without root rights. It is recommended to create user that is not
# used by any other program.
#
# Default:
USER clamav
GROUP clamav

# If this is true HAVP is running as daemon in background.
# For testing you may run HAVP at your text console.
#
# Default:
# DAEMON true

#
# Process id (PID) of the main HAVP process is written to this file.
# Be sure that it is writeable by the user under which HAVP is running.
# /etc/init.d/havp script requires this to work.
#
# Default:
# PIDFILE /var/run/havp/havp.pid

#
# For performance reasons several instances of HAVP have to run.
# Specify how many servers (child processes) are simultaneously
# listening on port PORT for a connection. Minimum value should be
# the peak requests-per-second expected + 5 for headroom. For best
# performance, you should have atleast 1 CPU core per 16 processes.
#
# For single user home use, 8 should be minimum.
# For 500+ users corporate use, start at 40.
#
# Value can and should be higher than recommended. Memory and
# CPU usage is only affected by the number of concurrent requests.
#
# More childs are automatically created when needed, up to MAXSERVERS.
#
# Default:
# SERVERNUMBER 8
# MAXSERVERS 100

#
# Files where to log requests and info/errors.
# Needs to have write permission for HAVP user.
#
# Default:
# ACCESSLOG /var/log/havp/access.log
# ERRORLOG /var/log/havp/havp.log

#
# Syslog can be used instead of logging to file.
# For facilities and levels, see "man syslog".
#
# Default:
# USESYSLOG false
# SYSLOGNAME havp
# SYSLOGFACILITY daemon
# SYSLOGLEVEL info

#
# true: Log every request to access log
# false: Log only viruses to access log
#
# Default:
# LOG_OKS true

#
# Level of HAVP logging
# 0 = Only serious errors and information
# 1 = Less interesting information is included
#
# Default:
# LOGLEVEL 0

#
# Temporary scan file.
# This file must reside on a partition for which mandatory
# locking is enabled. For Linux, use "-o mand" in mount command.
# See "man mount" for details. Solaris does not need any special
# steps, it works directly.
#
# Specify absolute path to a file which name must contain "XXXXXX".
# These characters are used by system to create unique named files.
#
# Default:
#SCANTEMPFILE /havp/havp/havp-XXXXXX
SCANTEMPFILE /var/spool/havp/havp-XXXXXX

#
# Directory for ClamAV and other scanner created tempfiles.
# Needs to be writable by HAVP user. Use ramdisk for best performance.
#
# Default:
# TEMPDIR /var/tmp

#
# HAVP reloads scanners virus database by receiving a signal
# (send SIGHUP to PID from PIDFILE, see "man kill") or after
# a specified period of time. Specify here the number of
# minutes to wait for reloading.
#
# This only affects library scanners (clamlib, trophie).
# Other scanners must be updated manually.
#
# Default:
# DBRELOAD 60

#
# Run HAVP as transparent Proxy?
#
# If you don't know what this means read the mini-howto
# TransparentProxy written by Daniel Kiracofe.
# (e.g.: http://www.tldp.org/HOWTO/mini/TransparentProxy.html)
# Definitely you have more to do than setting this to true.
# You are warned!
#
# Default:
# TRANSPARENT false

#
# Specify a parent proxy (e.g. Squid) HAVP should use.
#
# Default: NONE
PARENTPROXY 127.0.0.2
PARENTPORT 8090

#
# Write X-Forwarded-For: to log instead of connecters IP?
#
# If HAVP is used as parent proxy by some other proxy, this allows
# to write the real users IP to log, instead of proxy IP.
#
# Default:
# FORWARDED_IP false

#
# Send X-Forwarded-For: header to servers?
#
# If client sent this header, FORWARDED_IP setting defines the value,
# then it is passed on. You might want to keep this disabled for security
# reasons. Enable this if you use your own parent proxy after HAVP, so it
# will see the original client IP.
#
# Disabling this also disables Via: header generation.
#
# Default:
# X_FORWARDED_FOR false

#
# Port HAVP is listening on.
#
# Default:
PORT 8100

#
# IP address that HAVP listens on.
# Let it be undefined to bind all addresses.
#
# Default: NONE
# BIND_ADDRESS 127.0.0.1

#
# IP address used for sending outbound packets.
# Let it be undefined if you want OS to handle right address.
#
# Default: NONE
# SOURCE_ADDRESS 1.2.3.4

#
# Path to template files.
#
# Default:
# TEMPLATEPATH /etc/havp/templates/en

#
# Set to true if you want to prefer Whitelist.
# If URL is Whitelisted, then Blacklist is ignored.
# Otherwise Blacklist is preferred.
#
# Default:
# WHITELISTFIRST true

#
# List of URLs not to scan.
#
# Default:
# WHITELIST /etc/havp/whitelist

#
# List of URLs that are denied access.
#
# Default:
# BLACKLIST /etc/havp/blacklist

#
# Is scanner error fatal?
#
# For example, archive types that are not supported by scanner
# may return error. Also if scanner has invalid pattern files etc.
#
# true: User gets error page
# false: No error is reported (viruses might not be detected)
#
# Default:
# FAILSCANERROR true

#
# When scanning takes longer than this, it will be aborted.
# Timer is started after HAVP has fully received all data.
# If set too low, complex files/archives might produce timeout.
# Timeout is always a fatal error regardless of FAILSCANERROR.
#
# Time in minutes!
#
# Default:
# SCANNERTIMEOUT 10

#
# Allow HTTP Range requests?
#
# false: Broken downloads can NOT be resumed
# true: Broken downloads can be resumed
#
# Allowing Range is a security risk, because partial
# HTTP requests may not be properly scanned.
#
# Whitelisted sites are allowed to use Range in any case.
#
# Default:
# RANGE false

#
# If you really need more performance, you can disable scanning of
# JPG, GIF and PNG files. These are probably the most common files
# around, so it will save lots of CPU. But be warned, image exploits
# exist and more could be found. Think twice if you want to disable!
#
# Default:
# SCANIMAGES true

#
# Temporary file will grow only up to this size. This means scanner
# will scan data until this limit is reached.
#
# There are two sides to this setting. By limiting the size, you gain
# performance, less waiting for big files and less needed temporary space.
# But there is slightly higher chance of virus slipping through (though
# scanning large archives should not be gateways function, HAVP is more
# geared towards small exploit detection etc).
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = No size limit
#
# Default:
# MAXSCANSIZE 5000000

#
# Amount of data going to browser that is held back, until it
# is scanned. When we know file is clean, this held back data
# can be sent to browser. You can safely set bigger value, only
# thing you will notice is some "delay" in beginning of download.
# Virus found in files bigger than this might not produce HAVP
# error page, but result in a "broken" download.
#
# VALUE IN BYTES NOT KB OR MB!!!!
#
# Default:
# KEEPBACKBUFFER 200000

#
# This setting complements KEEPBACKBUFFER. It tells how many Seconds to
# initially receive data from server, before sending anything to client.
# Even trickling is not done before this time elapses. This way files that
# are received fast are more secure and user can get virus report page for
# files bigger than KEEPBACKBUFFER.
#
# Setting to 0 will disable this, and only KEEPBACKBUFFER is used.
#
# Default:
# KEEPBACKTIME 5

#
# After Trickling Time (seconds), some bytes are sent to browser
# to keep the connection alive. Trickling is not needed if timeouts
# are not expected for files smaller than KEEPBACKBUFFER, but it is
# recommended to set anyway.
#
# 0 = No Trickling
#
# Default:
# TRICKLING 30

#
# Send this many bytes to browser every TRICKLING seconds, see above
#
# Default:
# TRICKLINGBYTES 1

#
# Downloads larger than MAXDOWNLOADSIZE will be blocked.
# Only if not Whitelisted!
#
# VALUE IN BYTES NOT KB OR MB!!!!
# 0 = Unlimited Downloads
#
# Default:
# MAXDOWNLOADSIZE 0

#
# Space separated list of strings to partially match User-Agent: header.
# These are used for streaming content, so scanning is generally not needed
# and tempfiles grow unnecessary. Remember when enabled, that user could
# fake header and pass some scanning. HTTP Range requests are allowed for
# these, so players can seek content.
#
# You can uncomment here a list of most popular players.
#
# Default: NONE
# STREAMUSERAGENT Player Winamp iTunes QuickTime Audio RMA/ MAD/ Foobar2000 XMMS

#
# Bytes to scan from beginning of streams.
# When set to 0, STREAMUSERAGENT scanning will be completely disabled.
# It is not recommended as there are some exploits for players.
#
# Default:
# STREAMSCANSIZE 20000

#
# Disable mandatory locking (dynamic scanning) for certain file types.
# This is intended for fixing cases where a scanner forces use of mmap()
# call. Mandatory locking might not allow this, so you could get errors
# regarding memory allocation or I/O. You can test the "None" option
# anyway, as it might even work depending on your OS (some Linux seems
# to allow mand+mmap).
#
# Allowed values:
# None
# ClamAV:BinHex (mmap forced in all versions, no ETA for fix)
# ClamAV:PDF (mmap forced in all versions, no ETA for fix)
# ClamAV:ZIP (mmap forced in 0.93.x, should work in 0.94)
#
# Default:
# DISABLELOCKINGFOR ClamAV:BinHex ClamAV:PDF ClamAV:ZIP

#
# Whitelist specific viruses by case-insensitive substring match.
# For example, "Oversized." and "Encrypted." are good candidates,
# if you can't disable those checks any other way.
#
# Default: NONE
# IGNOREVIRUS Oversized. Encrypted. Phishing.

#####
##### ClamAV Library Scanner (libclamav)
#####

ENABLECLAMLIB true

# HAVP uses libclamav hardcoded pattern directory, which usually is
# /usr/share/clamav. You only need to set CLAMDBDIR, if you are
# using non-default DatabaseDirectory setting in clamd.conf.
#
# Default: NONE
# CLAMDBDIR /var/lib/clamav

# Should we block broken executables?
#
# Default:
# CLAMBLOCKBROKEN false

# Should we block encrypted archives?
#
# Default:
# CLAMBLOCKENCRYPTED false

# Should we block files that go over maximum archive limits?
#
# Default:
# CLAMBLOCKMAX false

# Scanning limits?
# You can find some additional info from documentation or clamd.conf
#
# Stop when this many total bytes scanned (MB) (only for 0.93+ !)
# CLAMMAXSCANSIZE 20
#
# Stop when this many files have been scanned
# CLAMMAXFILES 50
#
# Don't scan files over this size (MB)
# CLAMMAXFILESIZE 100
#
# Maximum archive recursion
# CLAMMAXRECURSION 8
#
# Maximum compression ratio for a file (setting deprecated in 0.93+ !)
# CLAMMAXRATIO 250

#####
##### ClamAV Socket Scanner (clamd)
#####
##### NOTE: ClamAV Library Scanner should be preferred (less overhead)
#####

ENABLECLAMD false

# Path to clamd socket
#
# Default:
CLAMDSOCKET /var/run/clamav/clamd.ctl

# ..OR if you use clamd TCP socket, uncomment to enable use
#
# Clamd daemon needs to run on the same server as HAVP
#
# Default: NONE
# CLAMDSERVER 127.0.0.1
# CLAMDPORT 3310

#####
##### F-Prot Socket Scanner
#####

ENABLEFPROT false

# F-Prot daemon needs to run on same server as HAVP
#
# Default:
# FPROTSERVER 127.0.0.1
# FPROTPORT 10200

# F-Prot options (only for version 6+ !)
#
# See "fpscand-client.sh --help" for possible options.
#
# At the moment:
# --scanlevel=<n> Which scanlevel to use, 0-4 (2).
# --heurlevel=<n> How aggressive heuristics should be used, 0-4 (2).
# --archive=<n> Scan inside supported archives n levels deep 1-99 (5).
# --adware Instructs the daemon to flag adware.
# --applications Instructs the daemon to flag potentially unwanted applications.
#
# Default: NONE
# FPROTOPTIONS --scanlevel=2 --heurlevel=2

#####
##### AVG Socket Scanner
#####

ENABLEAVG false

# AVG daemon needs to run on the same server as HAVP
#
# Default:
# AVGSERVER 127.0.0.1
# AVGPORT 55555

#####
##### Kaspersky Socket Scanner
#####

ENABLEAVESERVER false

# Path to aveserver socket
#
# Default:
# AVESOCKET /var/run/aveserver

#####
##### Sophos Scanner (Sophie)
#####

ENABLESOPHIE false

# Path to sophie socket
#
# Default:
# SOPHIESOCKET /var/run/sophie

#####
##### Trend Micro Library Scanner (Trophie)
#####

ENABLETROPHIE false

# Scanning limits inside archives (filesize = MB):
#
# Default:
# TROPHIEMAXFILES 50
# TROPHIEMAXFILESIZE 10
# TROPHIEMAXRATIO 250

#####
##### NOD32 Socket Scanner
#####

ENABLENOD32 false

# Path to nod32d socket
#
# Default:
# NOD32SOCKET /tmp/nod32d.sock

# Used NOD32 Version
# 25 = 2.5+
# 21 = 2.x (try this if 25 doesn't work)
#
# Default:
# NOD32VERSION 25

#####
##### Avast! Socket Scanner
#####

ENABLEAVAST false

# Path to avastd socket
#
# Default:
# AVASTSOCKET /var/run/avast4/local.sock

# ..OR if you use avastd TCP socket, uncomment to enable use
#
# Avast daemon needs to run on the same server as HAVP
#
# Default: NONE
# AVASTSERVER 127.0.0.1
# AVASTPORT 5036

#####
##### Arcavir Socket Scanner
#####

ENABLEARCAVIR false

# Path to arcavird socket
#
# For version 2008, default socket is /var/run/arcad.ctl
#
# Default:
# ARCAVIRSOCKET /var/run/arcavird.socket

# Used Arcavir version
# 2007 = Version 2007 and earlier
# 2008 = Version 2008 and later
#
# Default:
# ARCAVIRVERSION 2007

#####
##### DrWeb Socket Scanner
#####

ENABLEDRWEB false

# Enable heuristic scanning?
#
# Default:
# DRWEBHEURISTIC true

# Enable malware detection?
# (Adware, Dialer, Joke, Riskware, Hacktool)
#
# Default:
# DRWEBMALWARE true

# Path to drwebd socket
#
# Default:
# DRWEBSOCKET /var/drweb/run/.daemon

# ..OR if you use drwebd TCP socket, uncomment to enable use
#
# DrWeb daemon needs to run on the same server as HAVP
#
# Default: NONE
# DRWEBSERVER 127.0.0.1
# DRWEBPORT 3000
Received on Wed Oct 14 2009 - 13:27:24 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 14 2009 - 12:00:02 MDT