From: Josh Nerius <jnerius@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Re: Fwd: Linux as router (Gateway Server)
Date: Sat, 12 Feb 2005 20:33:52 -0600
Message-ID: <4f3930a70502121833627af1bd@mail.gmail.com>
In-Reply-To: <420EB7C3.7040303@hotpop.com>

> hello josh.
> 
> I stand 100% with Jason O.'s opinion ..
> netfilter/iptables has nothing to do with squid binding to some/any port.
> whoever had to do his homework ... I believe has done it.
> Accessing that port is something different (-i lo -j ACCEPT), but I
> believe that's not the case.
> 
> regards,
> Georgi Alexandrov

Hello George,

From experience...not speculation, I still stand by what I said.

Squid can be a strange animal. In many configurations, the
communication between child processes relies on being able to
communicate via the loopback interface of the machine.  Iptables can,
and in configurations I've worked with, has caused the same
symptoms described. Basically, the daemon never gets a chance to bind
to a port as the initial communication between these child processes
is broken causing the entire startup procedure to fail. This makes the
illusion that the problem is related to binding the port when in fact
the program can't start for other reasons.

This problem *can* be caused by firewall rules in place that prevent
this communication from happening. If you examine the rulesets posted,
it looks like he is using policy DROP on the INPUT chain which may
certainly cause problems with squid if proper rules to allow the
necessary traffic are not in place.

Another thing to note here, and the reason that I'm of the opinion
that this could be a netfilter/iptables problem is the fact that the
original poster seems to have indicated that squid works when iptables
is flushed.

The last point mentioned above, coupled with the fact that I've dealt
with this problem during the development of a transparent redirection
appliance for the company I work for, is why I maintain the opinion
that I do.

As mentioned before, Jason has a good knowledge of netfilter, but
apparently not Squid, thus my homework comment.

Thanks, and hopefully this information helps to clarify the
information I posted. :-)

Josh Nerius


-- 
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]
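
The condition described in the message above (policy DROP on the INPUT chain with no rule accepting loopback traffic) can be checked from `iptables-save` output. The Python below is an added example, not part of the original message or of netfilter: the rulesets, the `eth1` interface and the name `loopback_verdict` are constructed for illustration, and it assumes current `iptables-save` syntax, does not follow user-defined chains, and treats rules carrying extra matches as non-decisive.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (not the original poster's ruleset): policy DROP, no loopback rule.
BROKEN = """*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 3128 -j ACCEPT
COMMIT
"""
# Same ruleset with loopback accepted before anything else.
FIXED = BROKEN.replace("-A INPUT -m", "-A INPUT -i lo -j ACCEPT\n-A INPUT -m", 1)

def loopback_verdict(iptables_save_text):
    """Return (verdict, deciding line) for generic traffic arriving on lo in filter/INPUT."""
    policy, table = "ACCEPT", None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            table = line[1:]
        if table != "filter":
            continue
        if line.startswith(":INPUT "):    # chain declaration carries the policy
            policy = line.split()[1]
        if not line.startswith("-A INPUT "):
            continue
        tokens = iter(shlex.split(line)[2:])
        iface = target = None
        negated = extra = bang = False
        for tok in tokens:
            if tok == "!":                # negation applies to the next option
                bang = True
                continue
            if tok in ("-i", "--in-interface"):
                iface, negated = next(tokens), bang
            elif tok in ("-j", "--jump"):
                target = next(tokens)     # anything after this is a target option
                break
            else:
                extra = True              # any other match (-p, -m state, --dport, ...)
            bang = False
        on_lo = iface is None or ((iface == "lo") != negated)
        # Only an unconditional terminal rule decides the fate of all loopback traffic.
        if on_lo and not extra and target in TERMINAL:
            return target, line
    return policy, ":INPUT policy"
```

A `DROP` verdict from the chain policy means new loopback connections, such as those between Squid's processes, never reach an ACCEPT rule.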

