etz257 Napisano Kwiecień 10, 2006 Zgłoszenie Share Napisano Kwiecień 10, 2006 Witam! Wiem że temat dość często się przewija, ale pewne rzeczy są przestarzałe, a inne nie do końca jasne. Sam próbowałem dojśc do pewnych rzeczy ale z braku czasu nie mam okazji zagłębic sie w temat a chciałbym dośc szyko skonfigurować moją FC5. Więc tak: 1. Czy znalazłby się ktoś kto by ładnie napisał od początku do końca jak skonfigurować firewalla, tak aby system był bezpieczny i udostepniał internet. 2. Do tego by się przydała ładnie opisana konfiguracja squid'a, tak aby był "przeźroczysty" i służył komputerowi na którym jest zainstalowany i temu któremu jest udostepniane łącze. Mam nadzieje że nie zagmatfałem za bardzo:) Ja osobiście uzywam Neostrady i udostepniam net przez eth1, w FC4 poszło mi bez wiekszych problemów i myślałem że na FC5 też sobie szybko poradzę ale narazie na drugim kompie neta nie mam. Brakuje mi w FC5 w Iptables zakładki zaufanych urządzeń. W FC4 było to i udostępnianie neostrady poszło bez problemu. Moją konfiguracje SQUIDA przedstawiam poniżej, może ktoś sprawdzi i poradzi czy coś jeszcze zmienić, no i nie włacza mi się przy starcie systemu SQUID # WELCOME TO SQUID 2 # NETWORK OPTIONS # ----------------------------------------------------------------------------- # TAG: http_port # Usage: port # hostname:port # 1.2.3.4:port # # # #Default: # http_port 3128 # TAG: https_port # TAG: ssl_unclean_shutdown # Some browsers (especially MSIE) bugs out on SSL shutdown # messages. # #Default: # ssl_unclean_shutdown off # TAG: icp_port # #Default: # icp_port 3130 # TAG: htcp_port #Default: # htcp_port 4827 # TAG: mcast_groups # # Usage: mcast_groups 239.128.16.128 224.0.1.20 # # #Default: # none # TAG: udp_incoming_address # TAG: udp_outgoing_address # # NOTE, udp_incoming_address and udp_outgoing_address can not # have the same value since they both use port 3130. # #Default: # udp_incoming_address 0.0.0.0 # udp_outgoing_address 255.255.255.255 # OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM # ----------------------------------------------------------------------------- # TAG: cache_peer # To specify other caches in a hierarchy, use the format: # # cache_peer hostname type http_port icp_port # # For example, # # # proxy icp # # hostname type port port options # # -------------------- -------- ----- ----- ----------- # cache_peer parent.foo.net parent 3128 3130 [proxy-only] # cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] # cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] # #Default: # none # TAG: cache_peer_domain # # #Default: # none # TAG: neighbor_type_domain # #EXAMPLE: # cache_peer parent cache.foo.org 3128 3130 # neighbor_type_domain cache.foo.org sibling .com .net # neighbor_type_domain cache.foo.org sibling .au .de # #Default: # none # TAG: icp_query_timeout (msec) # # icp_query_timeout 2000 # #Default: # icp_query_timeout 0 # TAG: maximum_icp_query_timeout (msec) # #Default: # maximum_icp_query_timeout 2000 # TAG: mcast_icp_query_timeout (msec) # #Default: # mcast_icp_query_timeout 2000 # TAG: dead_peer_timeout (seconds) # # #Default: # dead_peer_timeout 10 seconds # TAG: hierarchy_stoplist #We recommend you to use at least the following line. hierarchy_stoplist cgi-bin ? # TAG: no_cache # #We recommend you to use the following two lines. acl QUERY urlpath_regex cgi-bin \? no_cache deny QUERY # OPTIONS WHICH AFFECT THE CACHE SIZE # ----------------------------------------------------------------------------- # TAG: cache_mem (bytes) # # #Default: cache_mem 48 MB # TAG: cache_swap_low (percent, 0-100) # TAG: cache_swap_high (percent, 0-100) # # #Default: cache_swap_low 90 cache_swap_high 95 # TAG: maximum_object_size (bytes) # #Default: maximum_object_size 4096 KB # TAG: minimum_object_size (bytes) # Objects smaller than this size will NOT be saved on disk. The # value is specified in kilobytes, and the default is 0 KB, which # means there is no minimum. # #Default: minimum_object_size 0 KB # TAG: maximum_object_size_in_memory (bytes) # #Default: maximum_object_size_in_memory 32 KB # TAG: ipcache_size (number of entries) # TAG: ipcache_low (percent) # TAG: ipcache_high (percent) # The size, low-, and high-water marks for the IP cache. # #Default: ipcache_size 2048 ipcache_low 90 ipcache_high 95 # TAG: fqdncache_size (number of entries) # Maximum number of FQDN cache entries. # #Default: fqdncache_size 2048 # TAG: cache_replacement_policy # # #Default: cache_replacement_policy lru # TAG: memory_replacement_policy # The memory replacement policy parameter determines which # objects are purged from memory when memory space is needed. # # See cache_replacement_policy for details. # #Default: memory_replacement_policy lru # LOGFILE PATHNAMES AND CACHE DIRECTORIES # ----------------------------------------------------------------------------- # TAG: cache_dir # Usage: # # # # # # Common options: # # read-only, this cache_dir is read only. # # #Default: cache_dir ufs /var/spool/squid 4000 10 256 # TAG: cache_access_log # Logs the client request activity. Contains an entry for # every HTTP and ICP queries received. To disable, enter "none". # #Default: cache_access_log /var/log/squid/access.log # TAG: cache_log # Cache logging file. This is where general information about # your cache's behavior goes. You can increase the amount of data # logged to this file with the "debug_options" tag below. # #Default: cache_log /var/log/squid/cache.log # TAG: cache_store_log # #Default: cache_store_log none # TAG: cache_swap_log # # If have more than one 'cache_dir', and %s is not used in the name # these swap logs will have names such as: # # cache_swap_log.00 # cache_swap_log.01 # cache_swap_log.02 # # #Default: # none # TAG: emulate_httpd_log on|off # #Default: emulate_httpd_log off # TAG: log_ip_on_direct on|off # Log the destination IP address in the hierarchy log tag when going # direct. Earlier Squid versions logged the hostname here. If you # prefer the old way set this to off. # #Default: log_ip_on_direct on # TAG: mime_table # Pathname to Squid's MIME table. You shouldn't need to change # this, but the default file contains examples and formatting # information if you do. # #Default: mime_table /etc/squid/mime.conf # TAG: log_mime_hdrs on|off # #Default: log_mime_hdrs off useragent_log none # Squid will write the User-Agent field from HTTP requests # to the filename specified here. By default useragent_log # is disabled. # #Default: # none referer_log none # Squid will write the Referer field from HTTP requests to the # filename specified here. By default referer_log is disabled. # #Default: # none # TAG: pid_filename # A filename to write the process-id to. To disable, enter "none". # #Default: pid_filename /var/run/squid.pid # TAG: debug_options # #Default: debug_options ALL,1 # TAG: log_fqdn on|off # #Default: log_fqdn off # TAG: client_netmask # A netmask for client addresses in logfiles and cachemgr output. # Change this to protect the privacy of your cache clients. # A netmask of 255.255.255.0 will log all IP's in that range with # the last digit set to '0'. # #Default: client_netmask 255.255.255.255 # OPTIONS FOR EXTERNAL SUPPORT PROGRAMS # ----------------------------------------------------------------------------- # TAG: ftp_user # #Default: ftp_user Squid@ # TAG: ftp_list_width # Sets the width of ftp listings. This should be set to fit in # the width of a standard browser. Setting this too small # can cut off long filenames when browsing ftp sites. # #Default: ftp_list_width 32 # TAG: ftp_passive # If your firewall does not allow Squid to use passive # connections, turn off this option. # #Default: ftp_passive on # TAG: ftp_sanitycheck # #Default: ftp_sanitycheck on # TAG: ftp_telnet_protocol # #Default: # ftp_telnet_protocol on # TAG: cache_dns_program # Note: This option is only available if Squid is rebuilt with the # --disable-internal-dns option # # Specify the location of the executable for dnslookup process. # #Default: # cache_dns_program /usr/lib/squid/dnsserver # TAG: dns_children # #Default: # dns_children 5 # TAG: dns_retransmit_interval # Initial retransmit interval for DNS queries. The interval is # doubled each time all configured DNS servers have been tried. # # #Default: # dns_retransmit_interval 5 seconds # TAG: dns_timeout # DNS Query timeout. If no response is received to a DNS query # within this time all DNS servers for the queried domain # are assumed to be unavailable. # #Default: # dns_timeout 2 minutes # TAG: dns_defnames on|off # Note: This option is only available if Squid is rebuilt with the # #Default: # dns_defnames off # TAG: dns_nameservers # # Example: dns_nameservers 10.0.0.1 192.172.0.4 # #Default: # none # TAG: hosts_file # #Default: # hosts_file /etc/hosts # TAG: diskd_program # Specify the location of the diskd executable. # Note that this is only useful if you have compiled in # diskd as one of the store io modules. # #Default: # diskd_program /usr/lib/squid/diskd # TAG: unlinkd_program # Specify the location of the executable for file deletion process. # #Default: # unlinkd_program /usr/lib/squid/unlinkd # TAG: pinger_program # Note: This option is only available if Squid is rebuilt with the # --enable-icmp option # # Specify the location of the executable for the pinger process. # #Default: # pinger_program /usr/lib/squid/pinger # TAG: redirect_program # #Default: # none # TAG: redirect_children # #Default: # redirect_children 5 # TAG: redirect_rewrites_host_header # By default Squid rewrites any Host: header in redirected # requests. If you are running an accelerator this may # not be a wanted effect of a redirector. # #Default: # redirect_rewrites_host_header on # TAG: redirector_access # If defined, this access list specifies which requests are # sent to the redirector processes. By default all requests # are sent. # #Default: # none # TAG: auth_param # # === Parameters for the basic scheme follow. === # # # # # === Parameters for the digest scheme follow === # # === NTLM scheme options follow === # # #Recommended minimum configuration: #auth_param digest program <uncomment and complete this line> #auth_param digest children 5 #auth_param digest realm Squid proxy-caching web server #auth_param digest nonce_garbage_interval 5 minutes #auth_param digest nonce_max_duration 30 minutes #auth_param digest nonce_max_count 50 #auth_param ntlm program <uncomment and complete this line to activate> #auth_param ntlm children 5 #auth_param ntlm max_challenge_reuses 0 #auth_param ntlm max_challenge_lifetime 2 minutes #auth_param ntlm use_ntlm_negotiate off #auth_param basic program <uncomment and complete this line> auth_param basic children 5 auth_param basic realm Squid proxy-caching web server auth_param basic credentialsttl 2 hours auth_param basic casesensitive off # TAG: authenticate_cache_garbage_interval # #Default: # authenticate_cache_garbage_interval 1 hour # TAG: authenticate_ttl # The time a user & their credentials stay in the logged in user cache # since their last request. When the garbage interval passes, all user # credentials that have passed their TTL are removed from memory. # #Default: # authenticate_ttl 1 hour # TAG: authenticate_ip_ttl # #Default: # authenticate_ip_ttl 0 seconds # TAG: external_acl_type # This option defines external acl classes using a helper program to # look up the status # # external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..] # # Options: # # ttl=n TTL in seconds for cached results (defaults to 3600 # for 1 hour) # negative_ttl=n # TTL for cached negative lookups (default same # as ttl) # children=n Concurrency level / number of processes spawn # to service external acl lookups of this type. # Note: see compatibility note below # cache=n result cache size, 0 is unbounded (default) # protocol=3.0 Use URL-escaped strings instead of quoting # # FORMAT specifications # # %LOGIN Authenticated user login name # %IDENT Ident user name # %SRC Client IP # %DST Requested host # %PROTO Requested protocol # %PORT Requested port # %METHOD Request method # %{Header} HTTP request header # %{Hdr:member} HTTP request header list member # %{Hdr:;member} # HTTP request header list member using; as # list separator.; can be any non-alphanumeric # character. # # # user= The users name (login) # error= Error description (only defined for ERR results) # # Keyword values need to be enclosed in quotes if they may contain # whitespace, or the whitespace escaped using \. Any quotes or \ # characters within the keyword value must be \ escaped. # # If protocol=3.0 then URL escaping of the strings is used instead # of the above described quoting format. # # #Default: # none # OPTIONS FOR TUNING THE CACHE # ----------------------------------------------------------------------------- # TAG: wais_relay_host # TAG: wais_relay_port # Relay WAIS request to host (1st arg) at port (2 arg). # #Default: # wais_relay_port 0 # TAG: request_header_max_size (KB) . # #Default: # request_header_max_size 20 KB # TAG: request_body_max_size (KB) # #Default: # request_body_max_size 0 KB # TAG: refresh_pattern # usage: refresh_pattern [-i] regex min percent max [options] # # By default, regular expressions are CASE-SENSITIVE. To make # them case-insensitive, use the -i option. # # # # Note, you must uncomment all the default lines if you want # to change one. The default setting is only active if none is # used. # #Suggested default: refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern . 0 20% 4320 # TAG: quick_abort_min (KB) # TAG: quick_abort_max (KB) # TAG: quick_abort_pct (percent) # # #Default: # quick_abort_min 16 KB # quick_abort_max 16 KB # quick_abort_pct 95 # TAG: negative_ttl time-units # #Default: # negative_ttl 5 minutes # TAG: positive_dns_ttl time-units # Upper limit on how long Squid will cache positive DNS responses. # Default is 6 hours (360 minutes). This directive must be set # larger than negative_dns_ttl. # #Default: # positive_dns_ttl 6 hours # TAG: negative_dns_ttl time-units # #Default: # negative_dns_ttl 1 minute # TAG: range_offset_limit (bytes) # # A value of -1 causes Squid to always fetch the object from the # beginning so it may cache the result. (2.0 style) # # A value of 0 causes Squid to never fetch more than the # client requested. (default) # #Default: # range_offset_limit 0 KB # TIMEOUTS # ----------------------------------------------------------------------------- # TAG: forward_timeout time-units # This parameter specifies how long Squid should at most attempt in # finding a forwarding path for the request before giving up. # #Default: # forward_timeout 4 minutes # TAG: connect_timeout time-units # This parameter specifies how long to wait for the TCP connect to # the requested server or peer to complete before Squid should # attempt to find another path where to forward the request. # #Default: # connect_timeout 1 minute # TAG: peer_connect_timeout time-units # #Default: # peer_connect_timeout 30 seconds # TAG: read_timeout time-units # #Default: # read_timeout 15 minutes # TAG: request_timeout # How long to wait for an HTTP request after initial # connection establishment. # #Default: # request_timeout 5 minutes # TAG: persistent_request_timeout # How long to wait for the next HTTP request on a persistent # connection after the previous request completes. # #Default: # persistent_request_timeout 1 minute # TAG: client_lifetime time-units # # #Default: # client_lifetime 1 day # TAG: half_closed_clients # #Default: # half_closed_clients on # TAG: pconn_timeout # Timeout for idle persistent connections to servers and other # proxies. # #Default: # pconn_timeout 120 seconds # TAG: ident_timeout # #Default: # ident_timeout 10 seconds # TAG: shutdown_lifetime time-units # #Default: # shutdown_lifetime 30 seconds # ACCESS CONTROLS # ----------------------------------------------------------------------------- # TAG: acl # Defining an Access List # # # # #acl javascript rep_mime_type -i ^application/x-javascript$ # #Recommended minimum configuration: acl all src 0.0.0.0/0.0.0.0 acl manager proto cache_object acl localhost src 127.0.0.1/255.255.255.255 acl to_localhost dst 127.0.0.0/8 acl SSL_ports port 443 563 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 563 # https, snews acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT # TAG: follow_x_forwarded_for # # SECURITY CONSIDERATIONS: # #Default: # follow_x_forwarded_for deny all # TAG: acl_uses_indirect_client on|off # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the # direct client address in acl matching. # #Default: # acl_uses_indirect_client on # TAG: delay_pool_uses_indirect_client on|off # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the # direct client address in delay pools. # #Default: # delay_pool_uses_indirect_client on # TAG: log_uses_indirect_client on|off # Controls whether the indirect client address # (see follow_x_forwarded_for) is used instead of the # direct client address in the access log. # #Default: # log_uses_indirect_client on # TAG: http_access # Allowing or Denying access based on defined access lists # # Access to the HTTP port: # http_access allow|deny [!]aclname ... # # NOTE on default values: # #Default: http_access deny all # #Recommended minimum configuration: # # Only allow cachemgr access from localhost http_access allow manager localhost http_access deny manager # Deny requests to unknown ports http_access deny !Safe_ports # Deny CONNECT to other than SSL ports http_access deny CONNECT !SSL_ports # # We strongly recommend the following be uncommented to protect innocent # web applications running on the proxy server who think the only # one who can access services on "localhost" is a local user #http_access deny to_localhost # # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS # Example rule allowing access from your local networks. Adapt # to list your (internal) IP networks from where browsing should # be allowed #acl our_networks src 192.168.1.0/24 192.168.2.0/24 http_access allow our_networks # And finally deny all other access to this proxy http_access allow localhost http_access deny all # TAG: http_reply_access # # Insert your own rules here. # # # and finally allow by default http_reply_access allow all # TAG: icp_access # #Allow ICP queries from everyone icp_access allow all # TAG: miss_access # Use to force your neighbors to use you as a sibling instead of # a parent. For example: # # #Default setting: # miss_access allow all # TAG: cache_peer_access # #Default: # none # TAG: ident_lookup_access # ident_lookup_access deny all # # Only src type ACL checks are fully supported. A src_domain # ACL might work at times, but it will not always provide # the correct result. # #Default: # ident_lookup_access deny all # TAG: tcp_outgoing_tos # # #Default: # none # TAG: tcp_outgoing_address # # acl normal_service_net src 10.0.0.0/255.255.255.0 # acl good_service_net src 10.0.1.0/255.255.255.0 # tcp_outgoing_address 10.0.0.1 normal_service_net # tcp_outgoing_address 10.0.0.2 good_service_net # tcp_outgoing_address 10.0.0.3 # #Default: # none # TAG: reply_header_max_size (KB) # This specifies the maximum size for HTTP headers in a reply. # Reply headers are usually relatively small (about 512 bytes). # Placing a limit on the reply header size will catch certain # bugs (for example with persistent connections) and possibly # buffer-overflow or denial-of-service attacks. # #Default: # reply_header_max_size 20 KB # TAG: reply_body_max_size bytes allow|deny acl acl... # # # If you set this parameter to zero (the default), there will be # no limit imposed. # #Default: # reply_body_max_size 0 allow all # ADMINISTRATIVE PARAMETERS # ----------------------------------------------------------------------------- # TAG: cache_mgr # Email-address of local cache manager who will receive # mail if the cache dies. The default is "root". # #Default: # cache_mgr root # TAG: mail_from # From: email-address for mail sent when the cache dies. # The default is to use 'appname@unique_hostname'. # Default appname value is "squid", can be changed into # src/globals.h before building squid. # #Default: # none # TAG: mail_program # Email program used to send mail if the cache dies. # The default is "mail". The specified program must complain # with the standard Unix mail syntax: # mail_program recipient < mailfile # Optional command line options can be specified. # #Default: # mail_program mail # TAG: cache_effective_user # #Default: cache_effective_user squid # TAG: cache_effective_group cache_effective_group squid # #Default: # cache_effective_group squid # TAG: visible_hostname # #Default: # none # TAG: unique_hostname # If you want to have multiple machines with the same # 'visible_hostname' you must give each machine a different # 'unique_hostname' so forwarding loops can be detected. # #Default: # none # TAG: hostname_aliases # A list of other DNS names your cache has. # #Default: # none # OPTIONS FOR THE CACHE REGISTRATION SERVICE # ----------------------------------------------------------------------------- # # http_port # icp_port # cache_mgr # # All current information is processed regularly and made # available on the Web at http://www.ircache.net/Cache/Tracker/. # TAG: announce_period # This is how frequently to send cache announcements. The # default is `0' which disables sending the announcement # messages. # # To enable announcing your cache, just uncomment the line # below. # #Default: # announce_period 0 # #To enable announcing your cache, just uncomment the line below. #announce_period 1 day # TAG: announce_host # TAG: announce_file # TAG: announce_port # announce_host and announce_port set the hostname and port # number where the registration message will be sent. # # HTTPD-ACCELERATOR OPTIONS # ----------------------------------------------------------------------------- httpd_accel_host virtual # TAG: httpd_accel_port # #Default: httpd_accel_port 80 # TAG: httpd_accel_single_host on|off # # See also redirect_rewrites_host_header. # #Default: # httpd_accel_single_host off # TAG: httpd_accel_with_proxy on|off # #Default: httpd_accel_with_proxy on # TAG: httpd_accel_uses_host_header on|off # #Default: httpd_accel_uses_host_header on # TAG: httpd_accel_no_pmtu_disc on|off # #Default: # httpd_accel_no_pmtu_disc off # MISCELLANEOUS # ----------------------------------------------------------------------------- # TAG: dns_testnames # The DNS tests exit as soon as the first site is successfully looked up # # This test can be disabled with the -D command line option. # #Default: # dns_testnames netscape.com internic.net nlanr.net microsoft.com # TAG: logfile_rotate # #logfile_rotate 0 # #Default: # logfile_rotate 0 # TAG: append_domain # Appends local domain name to hostnames without any dots in # them. append_domain must begin with a period. # # Be warned there are now Internet names with no dots in # them using only top-domain names, so setting this may # cause some Internet sites to become unavailable. # #Example: # append_domain .yourdomain.com # #Default: # none # TAG: tcp_recv_bufsize (bytes) # Size of receive buffer to set for TCP sockets. Probably just # as easy to change your kernel's default. Set to zero to use # the default buffer size. # #Default: # tcp_recv_bufsize 0 bytes # TAG: err_html_text # #Default: # none # TAG: deny_info # # #Default: # none # TAG: memory_pools on|off # If set, Squid will keep pools of allocated (but unused) memory # available for future use. If memory is a premium on your # system and you believe your malloc library outperforms Squid # routines, disable this. # #Default: # memory_pools on # TAG: memory_pools_limit (bytes) # Used only with memory_pools on: # memory_pools_limit 50 MB # # # #Default: # memory_pools_limit 5 MB # TAG: forwarded_for on|off # If set, Squid will include your system's IP address or name # in the HTTP requests it forwards. By default it looks like # this: # # X-Forwarded-For: 192.1.2.3 # # If you disable this, it will appear as # # X-Forwarded-For: unknown # #Default: # forwarded_for on # TAG: log_icp_queries on|off # If set, ICP queries are logged to access.log. You may wish # do disable this if your ICP load is VERY high to speed things # up or to simplify log analysis. # #Default: # log_icp_queries on # TAG: icp_hit_stale on|off # #Default: # icp_hit_stale off # TAG: minimum_direct_hops # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many hops away. # #Default: # minimum_direct_hops 4 # TAG: minimum_direct_rtt # If using the ICMP pinging stuff, do direct fetches for sites # which are no more than this many rtt milliseconds away. # #Default: # minimum_direct_rtt 400 # TAG: cachemgr_passwd # Specify passwords for cachemgr operations. # # Usage: cachemgr_passwd password action action ... # # Some valid actions are (see cache manager menu for a full list): # 5min # 60min # asndb # authenticator # cbdata # client_list # comm_incoming # config * # counters # delay # digest_stats # dns # events # filedescriptors # fqdncache # histograms # http_headers # info # io # ipcache # mem # menu # netdb # non_peers # objects # offline_toggle * # pconn # peer_select # redirector # refresh # server_list # shutdown * # store_digest # storedir # utilization # via_headers # vm_objects # # * Indicates actions which will not be performed without a # valid password, others can be performed if not listed here. # # To disable an action, set the password to "disable". # To allow performing an action without a password, set the # password to "none". # # Use the keyword "all" to set the same password for all actions. # #Example: # cachemgr_passwd secret shutdown # cachemgr_passwd lesssssssecret info stats/objects # cachemgr_passwd disable all # #Default: # none # TAG: store_avg_object_size (kbytes) # Average object size, used to estimate number of objects your # cache can hold. See doc/Release-Notes-1.1.txt. The default is # 13 KB. # #Default: # store_avg_object_size 13 KB # TAG: store_objects_per_bucket # Target number of objects per bucket in the store hash table. # Lowering this value increases the total number of buckets and # also the storage maintenance rate. The default is 50. # #Default: # store_objects_per_bucket 20 # TAG: client_db on|off # If you want to disable collecting per-client statistics, # turn off client_db here. # #Default: # client_db on # TAG: netdb_low # TAG: netdb_high # The low and high water marks for the ICMP measurement # database. These are counts, not percents. The defaults are # 900 and 1000. When the high water mark is reached, database # entries will be deleted until the low mark is reached. # #Default: # netdb_low 900 # netdb_high 1000 # TAG: netdb_ping_period # The minimum period for measuring a site. There will be at # least this much delay between successive pings to the same # network. The default is five minutes. # #Default: # netdb_ping_period 5 minutes # TAG: query_icmp on|off # If you want to ask your peers to include ICMP data in their ICP # replies, enable this option. # # If your peer has configured Squid (during compilation) with # '--enable-icmp' that peer will send ICMP pings to origin server # sites of the URLs it receives. If you enable this option the # ICP replies from that peer will include the ICMP data (if available). # Then, when choosing a parent cache, Squid will choose the parent with # the minimal RTT to the origin server. When this happens, the # hierarchy field of the access.log will be # "CLOSEST_PARENT_MISS". This option is off by default. # #Default: # query_icmp off # TAG: test_reachability on|off # When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH # instead of ICP_MISS if the target host is NOT in the ICMP # database, or has a zero RTT. # #Default: # test_reachability off # TAG: buffered_logs on|off # #Default: # buffered_logs off # TAG: reload_into_ims on|off # When you enable this option, client no-cache or ``reload'' # requests will be changed to If-Modified-Since requests. # Doing this VIOLATES the HTTP standard. Enabling this # feature could make you liable for problems which it # causes. # # see also refresh_pattern for a more selective approach. # #Default: # reload_into_ims off # TAG: always_direct # Usage: always_direct allow|deny [!]aclname ... # # Here you can use ACL elements to specify requests which should # ALWAYS be forwarded by Squid to the origin servers without using # any peers. For example, to always directly forward requests for # local servers ignoring any parents or siblings you may have use # something like: # # acl local-servers dstdomain my.domain.net # always_direct allow local-servers # # To always forward FTP requests directly, use # # acl FTP proto FTP # always_direct allow FTP # # # NOTE: This directive is not related to caching. The replies # is cached as usual even if you use always_direct. To not cache # the replies see no_cache. # # This option replaces some v1.1 options such as local_domain # and local_ip. # #Default: # none # TAG: never_direct # Usage: never_direct allow|deny [!]aclname ... # # # This option replaces some v1.1 options such as inside_firewall # and firewall_ip. # #Default: # none # TAG: header_access # Usage: header_access header_name allow|deny [!]aclname ... # # # # Or, to reproduce the old 'http_anonymizer paranoid' feature # you should use: # # # By default, all headers are allowed (no anonymizing is # performed). # #Default: # none # TAG: header_replace #Default: # none # TAG: icon_directory # Where the icons are stored. These are normally kept in # /usr/share/squid/icons # #Default: # icon_directory /usr/share/squid/icons # TAG: global_internal_static # #Default: # global_internal_static on # TAG: short_icon_urls # If this is enabled Squid will use short URLs for icons. # # If off the URLs for icons will always be absolute URLs # including the proxy name and port. # #Default: # short_icon_urls off # TAG: error_directory # #error_directory /usr/share/squid/errors/English # #Default: error_directory /usr/share/squid/errors/Polish # TAG: maximum_single_addr_tries # #Default: # maximum_single_addr_tries 1 # TAG: retry_on_error # If set to on Squid will automatically retry requests when # receiving an error response. This is mainly useful if you # are in a complex cache hierarchy to work around access # control errors. # #Default: # retry_on_error off # TAG: snmp_port # Squid can now serve statistics and status information via SNMP. # A value of "0" disables SNMP support. If you wish to use SNMP, # set this to "3401" to use the normal SNMP support. # #Default: # snmp_port 0 # TAG: snmp_access # Allowing or denying access to the SNMP port. # # All access to the agent is denied by default. # usage: # # snmp_access allow|deny [!]aclname ... # #Example: # snmp_access allow snmppublic localhost # snmp_access deny all # #Default: # snmp_access deny all # TAG: snmp_incoming_address # TAG: snmp_outgoing_address # #Default: # snmp_incoming_address 0.0.0.0 # snmp_outgoing_address 255.255.255.255 # TAG: as_whois_server # WHOIS server to query for AS numbers. NOTE: AS numbers are # queried only when Squid starts up, not for every request. # #Default: # as_whois_server whois.ra.net # as_whois_server whois.ra.net # TAG: wccp_router # Use this option to define your WCCP ``home'' router for # Squid. Setting the 'wccp_router' to 0.0.0.0 (the default) # disables WCCP. # #Default: # wccp_router 0.0.0.0 # TAG: wccp_version # According to some users, Cisco IOS 11.2 only supports WCCP # version 3. If you're using that version of IOS, change # this value to 3. # #Default: # wccp_version 4 # TAG: wccp_incoming_address # TAG: wccp_outgoing_address # # The default behavior is to not bind to any specific address. # # NOTE, wccp_incoming_address and wccp_outgoing_address can not have # the same value since they both use port 2048. # #Default: # wccp_incoming_address 0.0.0.0 # wccp_outgoing_address 255.255.255.255 # DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option) # ----------------------------------------------------------------------------- # TAG: delay_pools # This represents the number of delay pools to be used. For example, # if you have one class 2 delay pool and one class 3 delays pool, you # have a total of 2 delay pools. # #Default: # delay_pools 0 # TAG: delay_class # This defines the class of each delay pool. There must be exactly one # delay_class line for each delay pool. For example, to define two # delay pools, one of class 2 and one of class 3, the settings above # and here would be: # #Example: # delay_pools 2 # 2 delay pools # delay_class 1 2 # pool 1 is a class 2 pool # delay_class 2 3 # pool 2 is a class 3 pool # # #Default: # none # TAG: delay_access # #Example: # delay_access 1 allow some_big_clients # delay_access 1 deny all # delay_access 2 allow lotsa_little_clients # delay_access 2 deny all # #Default: # none # TAG: delay_parameters # #delay_parameters pool aggregate # # For a class 2 delay pool: # #delay_parameters pool aggregate individual # # For a class 3 delay pool: # #delay_parameters pool aggregate network individual # # The variables here are: # # pool a pool number - ie, a number between 1 and the # number specified in delay_pools as used in # delay_class lines. # # aggregate the "delay parameters" for the aggregate bucket # (class 1, 2, 3). # # individual the "delay parameters" for the individual # buckets (class 2, 3). # # network the "delay parameters" for the network buckets # (class 3). # # #delay_parameters 1 -1/-1 8000/8000 # #delay_parameters 2 32000/32000 8000/8000 600/8000 # # There must be one delay_parameters line for each delay pool. # #Default: # none # TAG: delay_initial_bucket_level (percent, 0-100) # The initial bucket percentage is used to determine how much is put # in each bucket when squid starts, is reconfigured, or first notices # a host accessing it (in class 2 and class 3, individual hosts and # networks only have buckets associated with them once they have been # "seen" by squid). # #Default: # delay_initial_bucket_level 50 # TAG: incoming_icp_average # TAG: incoming_http_average # TAG: incoming_dns_average # TAG: min_icp_poll_cnt # TAG: min_dns_poll_cnt # TAG: min_http_poll_cnt # Heavy voodoo here. I can't even believe you are reading this. # Are you crazy? Don't even think about adjusting these unless # you understand the algorithms in comm_select.c first! # #Default: # incoming_icp_average 6 # incoming_http_average 4 # incoming_dns_average 4 # min_icp_poll_cnt 8 # min_dns_poll_cnt 8 # min_http_poll_cnt 8 # TAG: max_open_disk_fds # To avoid having disk as the I/O bottleneck Squid can optionally # bypass the on-disk cache if more than this amount of disk file # descriptors are open. # # A value of 0 indicates no limit. # #Default: # max_open_disk_fds 0 # TAG: offline_mode # Enable this option and Squid will never try to validate cached # objects. # #Default: # offline_mode off # TAG: uri_whitespace # What to do with requests that have whitespace characters in the # URI. Options: # # #Default: # uri_whitespace strip # TAG: broken_posts # #Example: # acl buggy_server url_regex ^http://.... # broken_posts allow buggy_server # #Default: # none # TAG: mcast_miss_addr # #Default: # mcast_miss_addr 255.255.255.255 # TAG: mcast_miss_ttl # Note: This option is only available if Squid is rebuilt with the # -DMULTICAST_MISS_TTL option # #Default: # mcast_miss_ttl 16 # TAG: mcast_miss_port # Note: This option is only available if Squid is rebuilt with the # -DMULTICAST_MISS_STREAM option # # This is the port number to be used in conjunction with # 'mcast_miss_addr'. # #Default: # mcast_miss_port 3135 # TAG: mcast_miss_encode_key # Note: This option is only available if Squid is rebuilt with the # -DMULTICAST_MISS_STREAM option # # The URLs that are sent in the multicast miss stream are # encrypted. This is the encryption key. # #Default: # mcast_miss_encode_key XXXXXXXXXXXXXXXX # TAG: nonhierarchical_direct # #Default: # nonhierarchical_direct on # TAG: prefer_direct # #Default: # prefer_direct off # TAG: strip_query_terms # By default, Squid strips query terms from requested URLs before # logging. This protects your user's privacy. # #Default: # strip_query_terms on # TAG: coredump_dir # By default Squid leaves core files in the directory from where # it was started. If you set 'coredump_dir' to a directory # that exists, Squid will chdir() to that directory at startup # and coredump files will be left there. # #Default: # coredump_dir none # # Leave coredumps in the first cache dir coredump_dir /var/spool/squid # TAG: redirector_bypass # #Default: # redirector_bypass off # TAG: ignore_unknown_nameservers # #Default: # ignore_unknown_nameservers on # TAG: digest_generation # This controls whether the server will generate a Cache Digest # of its contents. By default, Cache Digest generation is # enabled if Squid is compiled with USE_CACHE_DIGESTS defined. # #Default: # digest_generation on # TAG: digest_bits_per_entry # This is the number of bits of the server's Cache Digest which # will be associated with the Digest entry for a given HTTP # Method and URL (public key) combination. The default is 5. # #Default: # digest_bits_per_entry 5 # TAG: digest_rebuild_period (seconds) # This is the number of seconds between Cache Digest rebuilds. # #Default: # digest_rebuild_period 1 hour # TAG: digest_rewrite_period (seconds) # This is the number of seconds between Cache Digest writes to # disk. # #Default: # digest_rewrite_period 1 hour # TAG: digest_swapout_chunk_size (bytes) # This is the number of bytes of the Cache Digest to write to # disk at a time. It defaults to 4096 bytes (4KB), the Squid # default swap page. # #Default: # digest_swapout_chunk_size 4096 bytes # TAG: digest_rebuild_chunk_percentage (percent, 0-100) # This is the percentage of the Cache Digest to be scanned at a # time. By default it is set to 10% of the Cache Digest. # #Default: # digest_rebuild_chunk_percentage 10 # TAG: chroot # Use this to have Squid do a chroot() while initializing. This # also causes Squid to fully drop root privileges after # initializing. This means, for example, that if you use a HTTP # port less than 1024 and try to reconfigure, you will get an # error. # #Default: # none # TAG: client_persistent_connections # TAG: server_persistent_connections # Persistent connection support for clients and servers. By # default, Squid uses persistent connections (when allowed) # with its clients and servers. You can use these options to # disable persistent connections with clients and/or servers. # #Default: # client_persistent_connections on # server_persistent_connections on # TAG: persistent_connection_after_error # With this directive the use of persistent connections after # HTTP errors can be disabled. Useful if you have clients # who fail to handle errors on persistent connections proper. # #Default: # persistent_connection_after_error off # TAG: detect_broken_pconn # #Default: # detect_broken_pconn off # TAG: balance_on_multiple_ip # #Default: # balance_on_multiple_ip on # TAG: pipeline_prefetch # To boost the performance of pipelined requests to closer # match that of a non-proxied environment Squid can try to fetch # up to two requests in parallel from a pipeline. # # Defaults to off for bandwidth management and access logging # reasons. # #Default: # pipeline_prefetch off # TAG: extension_methods # Squid only knows about standardized HTTP request methods. # You can add up to 20 additional "extension" methods here. # #Default: # none # TAG: request_entities # #Default: # request_entities off # TAG: high_response_time_warning (msec) # If the one-minute median response time exceeds this value, # Squid prints a WARNING with debug level 0 to get the # administrators attention. The value is in milliseconds. # #Default: # high_response_time_warning 0 # TAG: high_page_fault_warning # If the one-minute average page fault rate exceeds this # value, Squid prints a WARNING with debug level 0 to get # the administrators attention. The value is in page faults # per second. # #Default: # high_page_fault_warning 0 # TAG: high_memory_warning # If the memory usage (as determined by mallinfo) exceeds # value, Squid prints a WARNING with debug level 0 to get # the administrators attention. # #Default: # high_memory_warning 0 # TAG: store_dir_select_algorithm # Set this to 'round-robin' as an alternative. # #Default: # store_dir_select_algorithm least-load # TAG: forward_log # Note: This option is only available if Squid is rebuilt with the # -DWIP_FWD_LOG option # # Logs the server-side requests. # # This is currently work in progress. # #Default: # none # TAG: ie_refresh on|off # #Default: ie_refresh on # TAG: vary_ignore_expire on|off # #Default: # vary_ignore_expire off # TAG: sleep_after_fork (microseconds) # #Default: # sleep_after_fork 0 # TAG: relaxed_header_parser on|off|warn # In the default "on" setting Squid accepts certain forms # of non-compliant HTTP messages where it is unambiguous # what the sending application intended even if the message # is not correctly formatted. The messages is then normalized # to the correct form when forwarded by Squid. # # If set to "warn" then a warning will be emitted in cache.log # each time such HTTP error is encountered. # # If set to "off" then such HTTP errors will cause the request # or response to be rejected. # #Default: # relaxed_header_parser on # TAG: max_filedesc # The maximum number of open file descriptors. # #Default: # max_filedesc 1024 Mam nadzieje że znadzie się odwazny i napisze co i jak z ymi waznymi elementami systemu. Pozdrawiam uzywaj [ codebox ] zamiast [ code ] dla masakrycznie dlugich tasiemcow - uosiu Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
@WalDo Napisano Kwiecień 10, 2006 Zgłoszenie Share Napisano Kwiecień 10, 2006 Brakuje mi w FC5 w Iptables zakładki zaufanych urządzeń. W FC4 było to i udostępnianie neostrady poszło bez problemu. Sorki, że ja się wtrącę OT, ale gdzie w iptables są zakładki? Przecież to polecenie wydawane z poziomu powłoki, to gdzie tam są jakieś zakładki? Może miałeś zainstalowany jakiś program ułatwiający ustawianie iptables. Coś w rodzaju firestarter, shorewall czy fwbuilder. Pozdr, W. Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
etz257 Napisano Kwiecień 11, 2006 Autor Zgłoszenie Share Napisano Kwiecień 11, 2006 Brakuje mi w FC5 w Iptables zakładki zaufanych urządzeń. W FC4 było to i udostępnianie neostrady poszło bez problemu. Sorki, że ja się wtrącę OT, ale gdzie w iptables są zakładki? Przecież to polecenie wydawane z poziomu powłoki, to gdzie tam są jakieś zakładki? Może miałeś zainstalowany jakiś program ułatwiający ustawianie iptables. Coś w rodzaju firestarter, shorewall czy fwbuilder. Pozdr, W. Chodzi mi o zakładki w poziomie bezpieczenstwa. Środowisko->Administracja->Poziom bezpieczeństwa i zapora sieciowa. I tam są ustawienia, ale to chybato samo co iptables? No w każdym razie o to mi chodzilo Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
smali Napisano Kwiecień 11, 2006 Zgłoszenie Share Napisano Kwiecień 11, 2006 widać że mamy tu kolegę, który stawia serwer razem z X'ami Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
etz257 Napisano Kwiecień 11, 2006 Autor Zgłoszenie Share Napisano Kwiecień 11, 2006 widać że mamy tu kolegę, który stawia serwer razem z X'ami Nie nie stawiam serwera! Chce tylko żeby mi śmigał szybko net na moim kompie i na tym któremu udostepniam łacze a SQUID wydaje się idealny do przyspiesenia neta No i co do Firewalla to wiadomo przydalo by się żeby komputery byly bezpieczne, ale jak narazie to na tym drugim kompiem mam neta ale tylko jak u mnie jest XP właczony Pozdrawiam Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
yoda6886 Napisano Kwiecień 11, 2006 Zgłoszenie Share Napisano Kwiecień 11, 2006 wiesz na squida to sie zazwyczaj osobny serw stawia. i to tylko z nim. ciekawe jak bedzie Ci to dzialac. tzn czy zauwazysz jakiekolwiek przyspieszenie. bo to ile dales pamieci, nie jest za duzo... Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
etz257 Napisano Kwiecień 13, 2006 Autor Zgłoszenie Share Napisano Kwiecień 13, 2006 To co nikt się nie pokusi coś napisać? "To co pomorzecie? No pomorzecie!" Wciąż mam problem z udostepnieniem netu Help! Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
yoda6886 Napisano Kwiecień 13, 2006 Zgłoszenie Share Napisano Kwiecień 13, 2006 jezu czlowieku o tym jest multum naprawde multum w sieci. najpierw udostepnij sobie net bez squida. to jest trywialne. jak to bedziesz juz mial, przeczytasz jak sie odpala i konfiguruje squida z www.squid-cache.org i jak dalej cos Ci nie bedzie chodzilo to napisz. firewall - zainteresuj sie iptables -> o tym jest chyba najwiecej materialow dotyczacych (_linuxa_ → Linuksa) ORT w sieci... np http://debian.one.pl/index.php?url=4 ludzie google nie boli. nie robcie z siebie ciot. Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
etz257 Napisano Kwiecień 14, 2006 Autor Zgłoszenie Share Napisano Kwiecień 14, 2006 Witam poraz kolejny. Szukałem grzebałem ustwaiwałem i dalej nic Skorzystałem teraz z tego postu i dalej nic http://forum.fedora.pl/index.php?showtopic...914&hl=iptables Moge dodać że wyłączając firewalla net śmiga że hej ale po właczeniu tylko pingi dzialają Juź opadam z sił na FC4 śmigało a tu cos nie che ruszyc Dotarłęm również do informacji takiej: Komenda echo 1 >/proc/sys/net/ipv4/ip_forward nie działa w FC 5 trzeba zmienić: /etc/sysctl.conf net.ipv4.ip_forward = 1 i nic nie dało. tu http://forum.fedora.pl/index.php?showtopic=10220&hl= ktoś ma podobny problem i też chyba nie rozwiązał Dodam jeszcze że SELinux mam tez wyłączony. I nie wiem co się stało ale nie widzę w otoczeniu sieciowym kompa na którym jest Linux. Ma ktoś jakis pomysł? Pozdrawiam ED: [root@localhost ~]# iptables -L -v --line-number Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 3886 2821K RH-Firewall-1-INPUT all -- any any anywhere anywhere Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 0 0 RH-Firewall-1-INPUT all -- any any anywhere anywhere Chain OUTPUT (policy ACCEPT 4033 packets, 1777K bytes) num pkts bytes target prot opt in out source destination Chain RH-Firewall-1-INPUT (2 references) num pkts bytes target prot opt in out source destination 1 1454 1491K ACCEPT all -- lo any anywhere anywhere 2 1 60 ACCEPT icmp -- any any anywhere anywhere icmp any 3 0 0 ACCEPT ipv6-crypt-- any any anywhere anywhere 4 0 0 ACCEPT ipv6-auth-- any any anywhere anywhere 5 54 6868 ACCEPT udp -- any any anywhere 224.0.0.251 udp dpt:mdns 6 0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipp 7 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ipp 8 1723 1286K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED 9 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp 10 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp 11 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh 12 55 4290 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-ns 13 0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:netbios-dgm 14 33 1648 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:netbios-ssn 15 376 18220 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:microsoft-ds 16 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http 17 0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https 18 190 13111 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited [root@localhost ~]# iptables -t nat -L -v --line-number Chain PREROUTING (policy ACCEPT 603 packets, 33221 bytes) num pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 151 packets, 9404 bytes) num pkts bytes target prot opt in out source destination 1 7 686 MASQUERADE all -- any any 192.168.0.0/24 anywhere Chain OUTPUT (policy ACCEPT 158 packets, 10090 bytes) num pkts bytes target prot opt in out source destination Chyba mam wszystko ok. To czemu nie ma netu Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
webmaster.euro-web.pl Napisano Kwiecień 28, 2006 Zgłoszenie Share Napisano Kwiecień 28, 2006 Witam serdecznie i pozdrawiam wszystkich równie serdecznie. Miałem podobny problem co Ty - kilku kompikom udostępniałem neta z mojego (i też korzystam z X'ów), w squidzie Ci nie pomogę bo go po prostu nie stawiałem - szkoda mojego czasu, a przyspieszenie w małych sieciach nieznaczne (czasem nawet zwolnienie). Biłem się z moją gotową konfigurką która pięknie śmigała i w Mandarynkach (10.0, 10.1 i 2006) potem bez zmian również na Reksiu 10.1 (Aurox) Fedorce 2 i 4 a potem na Reksiu 11.1. Po postawieniu FC 5 klapa. Efekt identyczny - pingi są a firewall nie przepuszcza, już myślałem, że mam zainstalowany jeszcze jakiś pakiet zabezpieczeń. Problem rozwiązałem następująco: moja dotychczasowa konfigurka (dopięta np. do /etc/rc.d/rc.local) echo "1" > /proc/sys/net/ipv4/ip_forward /sbin/route add 192.168.0.3 eth3 /sbin/route add 192.168.0.4 eth2 /sbin/route add 192.168.0.2 eth1 /sbin/iptables -t filter -A FORWARD -s 192.168.0.0/255.255.255.0 -d 0/0 -j ACCEPT /sbin/iptables -t filter -A FORWARD -s 0/0 -d 192.168.0.0/255.255.255.0 -j ACCEPT /sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -d 0/0 -j MASQUERADE /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp ku ścisłości - eth3, eth2, eth1 - to odbiorcy netu ode mnie - moje okno na świat - wlan0 W tej konfiguracji miałem tak samo - po zdjęciu firewalla - net śmiga, po założeniu - wraz z tymi klauzulami - nie. W moim przypadku zbawienna okazała się linijka: /sbin/iptables -I FORWARD -i ethx -o wlan0 -j ACCEPT Mam nadzieję, że Tobie również to pomoże - pozdrawiam wszystkich serdeczniście Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
butek Napisano Sierpień 22, 2006 Zgłoszenie Share Napisano Sierpień 22, 2006 Jeśli chcesz aby usługa uruchamiała sie przy starcie to wpisz chkconfig squid on - włączenia (off wyłaczenie) jeśli chodzi o firewalla to w sieci jest strona z generatorem skryptu do tworzenia firewalla. Napisz do mnie [email protected] to ci przyślę ten skrypt Odnośnik do komentarza Udostępnij na innych stronach More sharing options...
Rekomendowane odpowiedzi
Jeśli chcesz dodać odpowiedź, zaloguj się lub zarejestruj nowe konto
Jedynie zarejestrowani użytkownicy mogą komentować zawartość tej strony.
Zarejestruj nowe konto
Załóż nowe konto. To bardzo proste!
Zarejestruj sięZaloguj się
Posiadasz już konto? Zaloguj się poniżej.
Zaloguj się