originalip option in dansguardian

I upgraded my firewall from Mandriva 2009.1 to 2010 and ran into a problem with dansguardian. Client computers got "DansGuardian 400 - Bad Request, url is malformed" for certain sites such as Google and Facebook. I suspected it had to do with a new option introduced by the newly installed dansguardian (2.10.1.1). In the system log, I found these messages:


Jan 21 17:18:39 firewall6 dansguardian[1090]: Destination host of dnl-15.geo.kaspersky.com did not match the original destination IP of 95.211.85.42
Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113
Jan 21 17:18:40 firewall6 dansguardian[1074]: Destination host of us.bc.yahoo.com did not match the original destination IP of 216.252.124.30
Jan 21 17:18:40 firewall6 dansguardian[1072]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:41 firewall6 dansguardian[1091]: Destination host of dnl-04.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1083]: Destination host of dnl-07.geo.kaspersky.com did not match the original destination IP of 38.117.98.199
Jan 21 17:18:42 firewall6 dansguardian[1116]: Destination host of newsrss.bbc.co.uk did not match the original destination IP of 212.58.226.73
Jan 21 17:18:43 firewall6 dansguardian[1076]: Destination host of dnl-11.geo.kaspersky.com did not match the original destination IP of 38.117.98.202
Jan 21 17:18:43 firewall6 dansguardian[1086]: Destination host of dnl-02.geo.kaspersky.com did not match the original destination IP of 38.117.98.196
Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.


After diffing the previous dansguardian.conf (currently in use) against the version shipped with the new package (not in use), it turned out that the originalip option was the culprit. It is on by default if it is not present in the file. To turn it off, I had to set it explicitly as below:


# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip = 192.168.6.6

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128

# transparent proxy only: check that the request's destination host resolves
# to the connection's original destination IP. Turned off here because sites
# using round-robin DNS failed the check (see the log above).
originalip = off

This is what the changelog says about the originalip option:

Fri 5th June 2009 - DansGuardian 2.10.1.1 - stable
Add "originalip" option to dansguardian.conf, for determining the original destination IP in transparent proxy set-ups, and ensuring that the destination domain of the request resolves to that IP. This can help to address a particular transparent proxy security vulnerability (US-CERT VU#435052), but because of certain limitations - only implemented on Linux/Netfilter; potential breakage of websites using round-robin DNS - the code is not enabled by default. Enable by passing "--enable-orig-ip" to the configure script. Fix a crash which could occur when dealing with simultaneous incoming connections in configurations using more than one listening socket. Fix a crash when checking time limits on item lists. Fix potential usage of uninitialised memory during phrase filtering.

Luckily, the Mandriva package was built with --enable-orig-ip enabled.
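To make the changelog's description concrete, here is an added example (my own code, not DansGuardian's) that models the originalip rule and a small triage helper for the log lines it produces. The real proxy learns the connection's original destination IP from the kernel (on Linux/Netfilter via the SO_ORIGINAL_DST socket option); here it is passed in as a parameter. The DNS resolver is injected so the script runs offline: the DNS table is constructed, and the hostnames and addresses are the ones from the log lines above. The dnl-15.geo.kaspersky.com entry is modelled as a round-robin name whose answers rotate through subsets of its pool, which reproduces the breakage the changelog warns about: a client that connected to an address the resolver does not happen to return gets a 400 even though nothing is wrong.

```python
"""Added example, not DansGuardian's own code: a model of the "originalip"
check and a triage helper for the mismatch lines it logs.

In a transparent proxy set-up the proxy learns the TCP connection's original
destination IP (Linux/Netfilter: SO_ORIGINAL_DST) and compares it with the
addresses the request's Host header resolves to.  No match -> 400 Bad Request.
"""
import ipaddress
import re
from collections import Counter
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]

# Constructed DNS table.  dnl-15.geo.kaspersky.com alternates between two
# halves of its pool, imitating a round-robin server that never returns the
# whole pool in one answer.
FAKE_DNS: Dict[str, List[List[str]]] = {
    "www.google-analytics.com": [["72.14.213.113", "72.14.213.114"]],
    "newsrss.bbc.co.uk": [["212.58.226.73"]],
    "dnl-15.geo.kaspersky.com": [["95.211.85.40", "95.211.85.41"],
                                 ["95.211.85.42", "95.211.85.43"]],
}

# Log lines taken from the post, used as sample input for the triage helper.
SAMPLE_LOG = [
    "Jan 21 17:18:39 firewall6 dansguardian[1090]: Destination host of dnl-15.geo.kaspersky.com did not match the original destination IP of 95.211.85.42",
    "Jan 21 17:18:40 firewall6 dansguardian[1111]: Destination host of www.google-analytics.com did not match the original destination IP of 72.14.213.113",
    "Jan 21 17:18:41 firewall6 dansguardian[1091]: Destination host of dnl-04.geo.kaspersky.com did not match the original destination IP of 38.117.98.199",
    "Jan 21 17:18:42 firewall6 dansguardian[1083]: Destination host of dnl-07.geo.kaspersky.com did not match the original destination IP of 38.117.98.199",
    "Jan 21 17:18:49 firewall6 dansguardian[1270]: Started sucessfully.",
]


def make_rotating_resolver(table: Dict[str, List[List[str]]]) -> Resolver:
    """Return a resolver that hands out the next answer set on every call."""
    calls: Counter = Counter()

    def resolve(name: str) -> List[str]:
        key = name.lower()
        answers = table.get(key, [])
        if not answers:
            return []
        chosen = answers[calls[key] % len(answers)]
        calls[key] += 1
        return chosen

    return resolve


def host_from_header(host_header: str) -> str:
    """Strip an optional :port from a Host header value ("[v6]:port" aware)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?|([^:]+)(?::\d+)?",
                     host_header.strip())
    return (m.group(1) or m.group(2)) if m else ""


def originalip_check(host_header: str, original_ip: str,
                     resolver: Resolver) -> Tuple[bool, str]:
    """The originalip rule: accept only if Host resolves to original_ip.
    Returns (accepted, reason) so the decision can be logged."""
    name = host_from_header(host_header)
    if not name:
        return False, "malformed Host header"
    try:
        # A literal IP in the Host header must equal the original destination.
        literal = ipaddress.ip_address(name)
        if literal == ipaddress.ip_address(original_ip):
            return True, "Host is the original destination IP"
        return False, f"Host {name} is not the original destination {original_ip}"
    except ValueError:
        pass  # not a literal address, resolve it
    if original_ip in resolver(name):
        return True, f"{name} resolves to {original_ip}"
    return False, (f"Destination host of {name} did not match the original "
                   f"destination IP of {original_ip}")


LOG_RE = re.compile(r"Destination host of (\S+) did not match the original "
                    r"destination IP of (\S+)")


def summarize_mismatches(log_lines: List[str]) -> Dict[str, Counter]:
    """Group mismatch messages as host -> Counter of original IPs.
    Many IPs for one host suggests round-robin DNS/CDN breakage; a host that
    never resolves to the IP it was reached on is what the check exists for."""
    summary: Dict[str, Counter] = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            summary.setdefault(m.group(1), Counter())[m.group(2)] += 1
    return summary


if __name__ == "__main__":
    dns = make_rotating_resolver(FAKE_DNS)
    print(originalip_check("www.google-analytics.com", "72.14.213.113", dns))
    # First answer set lacks .42, so a legitimate request is refused; the
    # next lookup returns the other half of the pool and the request passes.
    print(originalip_check("dnl-15.geo.kaspersky.com", "95.211.85.42", dns))
    print(originalip_check("dnl-15.geo.kaspersky.com", "95.211.85.42", dns))
    print(originalip_check("newsrss.bbc.co.uk", "72.14.213.113", dns))
    for host, ips in summarize_mismatches(SAMPLE_LOG).items():
        print(host, dict(ips))
```

Running the script shows the two faces of the option: a Host that resolves to the address the client actually connected to passes, a Host that does not resolve there is refused, and the kaspersky name is refused or accepted depending purely on which slice of its pool the resolver returned. That last case is why the check is safe to turn off only when you accept the original Host-header mismatch risk the changelog cites, and why, if you leave it on, the mismatch summary is worth watching: a handful of CDN names with many different IPs is breakage, while a single host that never resolves to its destination IP deserves a closer look.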

Cheers.
