
originalip option in dansguardian

I upgraded my firewall from Mandriva 2009.1 to 2010 and ran into a problem with dansguardian. Client computers got "DansGuardian 400 - Bad Request, url is malformed" for certain sites such as Google and Facebook. I suspected it must be related to a new option introduced by the newly installed dansguardian (2.10.1.1). In the system log, I found this:


Jan 21 17:18:39 firewall6 dansguardian[1090]: Destination host of dnl-15.geo.kaspersky.com did not match the original destination IP of 95.211.85.42
Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113
Jan 21 17:18:40 firewall6 dansguardian[1074]: Destination host of us.bc.yahoo.com did not match the original destination IP of 216.252.124.30
Jan 21 17:18:40 firewall6 dansguardian[1072]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:41 firewall6 dansguardian[1091]: Destination host of dnl-04.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1083]: Destination host of dnl-07.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1116]: Destination host of newsrss.bbc.co.uk did not match the original destination IP of 212.58.226.73
Jan 21 17:18:43 firewall6 dansguardian[1076]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:43 firewall6 dansguardian[1086]: Destination host of dnl-02.geo.kaspersky.com did not match the original destination IP of 38.117.98.196
Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.


After diff'ing the previous dansguardian.conf (the one in use) against the new version of the file shipped by the package (not in use), it turned out that the originalip option was the culprit. It is treated as on when the option is absent from the file. To turn it off, I had to set it explicitly, as below:


# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip = 192.168.6.6

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

originalip = off

This is what the changelog says about the originalip option:

Fri 5th June 2009 - DansGuardian 2.10.1.1 - stable
Add "originalip" option to dansguardian.conf, for determining the original destination IP in transparent proxy set-ups, and ensuring that the destination domain of the request resolves to that IP. This can help to address a particular transparent proxy security vulnerability (US-CERT VU#435052), but because of certain limitations - only implemented on Linux/Netfilter; potential breakage of websites using round-robin DNS - the code is not enabled by default. Enable by passing "--enable-orig-ip" to the configure script. Fix a crash which could occur when dealing with simultaneous incoming connections in configurations using more than one listening socket. Fix a crash when checking time limits on item lists. Fix potential usage of uninitialised memory during phrase filtering.

Evidently, the Mandriva package was built with --enable-orig-ip, so the check was compiled in and active. Note what switching it off gives up: in a transparent proxy setup, originalip is the mitigation for VU#435052, where a hostile page makes the browser send a request with a forged Host header so that the proxy fetches a site the client never actually connected to. The check trips on legitimate traffic to hosts like www.google-analytics.com and us.bc.yahoo.com above because a round-robin or geo-balanced DNS answer handed to the client need not be the answer the proxy gets when it repeats the lookup a moment later, which is exactly the limitation the changelog warns about.
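To make the trade-off concrete, here is an added example (my own illustration, not dansguardian's code) of the idea behind originalip: recover the address the client really connected to, then require the Host header's domain to resolve to it. The resolver is a constructed round-robin zone, the google-analytics address comes from the log above and the other pool members are made up, and 203.0.113.10 stands in for an attacker's server. The demo shows the check rejecting a forged-Host request and, with the same code, producing the false mismatch logged in the post. The getsockopt helper needs a live connection redirected by iptables on Linux/Netfilter and is not exercised offline.

```python
"""Original-destination check for a transparent proxy, in the spirit of
dansguardian's originalip option (illustrative; not dansguardian's own code)."""
import ipaddress
import re
import socket
import struct
from itertools import cycle
from typing import Callable, Dict, Iterable, List, Tuple

# Value from <linux/netfilter_ipv4.h>; the getsockopt only works on Linux with
# Netfilter, on a connection that iptables REDIRECT/DNAT steered to the proxy.
SO_ORIGINAL_DST = 80


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Return the (ip, port) the client actually connected to before redirection.

    Needs a live, redirected IPv4 socket, so it is not exercised offline.
    """
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)  # struct sockaddr_in
    port, packed_ip = struct.unpack("!2xH4s8x", raw)
    return socket.inet_ntoa(packed_ip), port


Resolver = Callable[[str], Iterable[str]]


def host_matches_original_ip(host: str, orig_ip: str, resolve: Resolver) -> bool:
    """The originalip idea: the Host header's domain must resolve to the address
    the client really connected to. A page that sends Host: intranet.example to
    the attacker's own server (VU#435052) fails this; so does a legitimate
    request when the proxy's lookup returns a different round-robin answer."""
    try:
        answers = {ipaddress.ip_address(a) for a in resolve(host)}
        return ipaddress.ip_address(orig_ip) in answers
    except (LookupError, ValueError, OSError):
        return False  # unresolvable host or malformed IP: treat as a mismatch


MISMATCH_RE = re.compile(
    r"dansguardian\[\d+\]: Destination host of (?P<host>\S+) "
    r"did not match the original destination IP of (?P<ip>\S+)"
)


def parse_mismatches(log_text: str) -> List[Tuple[str, str]]:
    """Pull (host, original_ip) pairs out of dansguardian syslog output."""
    return [(m["host"], m["ip"]) for m in MISMATCH_RE.finditer(log_text)]


# Constructed sample: two lines copied from the post plus one that must be ignored.
SAMPLE_LOG = """\
Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113
Jan 21 17:18:42 firewall6 dansguardian[1116]: Destination host of newsrss.bbc.co.uk did not match the original destination IP of 212.58.226.73
Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.
"""

# Constructed zone. The first google-analytics address is the one in the log; the
# other two are made-up members of an assumed round-robin pool.
ZONE: Dict[str, List[str]] = {
    "www.google-analytics.com": ["72.14.213.113", "72.14.213.101", "72.14.213.102"],
    "intranet.example": ["10.0.0.5"],
}


def make_rotating_resolver(zone: Dict[str, List[str]]) -> Resolver:
    """Simulate a round-robin server: each query for a name gets the next single
    address from its pool, so consecutive queries disagree."""
    state = {name: cycle(addrs) for name, addrs in zone.items()}

    def resolve(name: str) -> List[str]:
        if name not in state:
            raise LookupError(name)
        return [next(state[name])]

    return resolve


def demo() -> Dict[str, bool]:
    resolve = make_rotating_resolver(ZONE)
    # 1. The client resolves the CDN host itself and connects to the first answer.
    client_ip = resolve("www.google-analytics.com")[0]
    # 2. The proxy repeats the lookup and gets the next answer: a false mismatch,
    #    the same shape as the log line in the post.
    legit_cdn = host_matches_original_ip("www.google-analytics.com", client_ip, resolve)
    # 3. Attack shape: Host: intranet.example, but the TCP connection went to the
    #    attacker's server (203.0.113.10 is documentation space, assumed hostile).
    attack = host_matches_original_ip("intranet.example", "203.0.113.10", resolve)
    # 4. A genuine intranet request passes.
    genuine = host_matches_original_ip("intranet.example", "10.0.0.5", resolve)
    return {"legit_cdn_passes": legit_cdn, "attack_passes": attack, "genuine_passes": genuine}


if __name__ == "__main__":
    for host, ip in parse_mismatches(SAMPLE_LOG):
        print(f"logged mismatch: {host} vs {ip}")
    print(demo())
```

The false positive in step 2 is the whole story of this post: the check is sound against a forged Host header but has no way to tell a rotating DNS answer from an attack, so on a filter that only sees explicitly configured clients, or that fronts a lot of CDN traffic, it produces 400s for ordinary browsing.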

Cheers.
