Ticket #3449 (closed defect: fixed)
Isn't the HTTP Proxy Port# field supposed to set the proxy port clients are supposed to use?
| Reported by: | bzflaglegomaniac@… | Owned by: | jamor@… |
|---|---|---|---|
| Milestone: | 2.2.X | Component: | squid |
| Severity: | normal | Keywords: | squid proxy port denied |
| Cc: | | | |
Description
I wanted to set the port to 6000, so I set it as such and saved. Looking at the GUI later, it says it's 6000, but no client can access the Proxy server on that port. The firewall log says it's dropping them.
Looking at Rules Added By Zentyal Services (Advanced), I see:
Input HTTP Proxy -m state --state NEW -i eth0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -p tcp --dport 3129 ACCEPT
NAT prerouting HTTP Proxy -i eth0 ! -d 192.168.0.200 -p tcp --dport 80 REDIRECT --to-ports 3129
192.168.0.200 is the Zentyal server.
Correct me if I'm wrong, but doesn't the second line explicitly DROP anything on port 6000?
On a hunch, I changed the proxy port on the clients to 3129 and it works, but I'd still like it to be 6000 so I'll remember it more easily.
I went to the Module Status page and removed HTTP Proxy and saved. I then went to the Rules Added By Zentyal Services (Advanced) page and confirmed that the above rules were removed. I then checked the HTTP Proxy/General page and confirmed that it still lists the port as 6000. Going back to Module Status, I re-added HTTP Proxy and checked the Rules Added By Zentyal Services (Advanced) page and confirmed that the rules listed above were re-added and the clients still cannot connect on 6000 but can on 3129.
Am I wrong in expecting that the HTTP Proxy/General Port field is supposed to specify the port on which client proxy connections are accepted and not denied?
This is on Core version 2.2.3, updated 2 days ago with no pending updates.
Change History
comment:2 Changed 19 months ago by jamor@…
Hello Bzflag and thanks for your report,
Yes, it changes the proxy port. The port 3128 you are using is the DG port. It is not meant for connecting your clients to it directly. I will recheck the firewall rules to solve it.
comment:3 Changed 19 months ago by jamor@…
Forget the previous comment, this behaviour is correct.
Objects with a filter policy are supposed to enter through the DG port, and the squid port is blocked. As you may expect, objects with a no-filter policy have the DG port blocked and the squid port open.
The thing is that there is a redirect rule for the 'filter' objects that redirects them to the DG port from the squid one; this way we use the same port in both cases. But if you set the DG port they also work.
Then your DROPs must be caused by the redirect rule failing. Could you check that?
comment:4 Changed 19 months ago by bzflaglegomaniac@…
Thanks for the explanation. I wasn't aware that DansGuardian used its own port. I thought it was just an add-on to squid.
What follows are my firewall rules under "Rules added by Zentyal Server (Advanced)". I presume this is where I should be looking - correct me if it isn't.
There is only one pair of NAT prerouting rules dealing with port 80 being mapped to 3129 in and out of the server. I note that port 6000 (my intended proxy port) is expressly dropped, not re-routed to 3129 as I gather you are saying it should have been...
Input HTTP Proxy -m state --state NEW -i eth0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
NAT prerouting HTTP Proxy -i eth0 ! -d 192.168.0.200 -p tcp --dport 80 REDIRECT --to-ports 3129
NAT prerouting HTTP Proxy -i eth0 -d ! 192.168.0.200 -s 192.168.0.18/32 -p tcp --dport 80 REDIRECT --to-ports 3129
Output Antivirus --protocol tcp --dport 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 137 ACCEPT
Output HTTP Proxy -m state --state NEW -p tcp --dport 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 137 ACCEPT
Output HTTP Proxy -m state --state NEW -p tcp --dport 443 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 137 ACCEPT
Output VPN --protocol tcp --destination-port 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 138 ACCEPT
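As an added illustration (not part of the ticket or of Zentyal's own code), the following Python script parses a rule dump in the format the "Rules added by Zentyal Server (Advanced)" page prints, walks the Input chain with first-match semantics, and lists which PREROUTING REDIRECT rules would rewrite a given connection. Run against the HTTP Proxy rules from comment:4 it reproduces the reporter's observation: a client on 192.168.0.18 hitting port 6000 is DROPped, nothing redirects port 6000 anywhere, and 3129 is the only port the HTTP Proxy rules accept. The rule text embedded below is copied from this ticket and trimmed to the relevant lines; the assumption that the displayed order is the order iptables evaluates the rules in, and the helper names (`parse_rule`, `input_verdict`, `redirect_targets`, `diagnose_proxy_port`), are this example's own.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample input: the HTTP Proxy rules as listed in comment:4 of this
# ticket, plus two Output rules to show the alternate option spellings parse too.
RULES_TEXT = """\
Input HTTP Proxy -m state --state NEW -i eth0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
NAT prerouting HTTP Proxy -i eth0 ! -d 192.168.0.200 -p tcp --dport 80 REDIRECT --to-ports 3129
NAT prerouting HTTP Proxy -i eth0 -d ! 192.168.0.200 -s 192.168.0.18/32 -p tcp --dport 80 REDIRECT --to-ports 3129
Output Antivirus --protocol tcp --dport 80 ACCEPT
Output VPN --protocol tcp --destination-port 80 ACCEPT
"""


@dataclass
class Rule:
    chain: str              # "Input", "Output" or "NAT prerouting"
    service: str            # Zentyal service that added the rule, e.g. "HTTP Proxy"
    iface: Optional[str]    # -i / -o interface, None = any
    src: Optional[str]      # -s source network, None = any
    proto: Optional[str]    # -p / --protocol, None = any
    dport: Optional[int]    # --dport / --destination-port, None = any
    target: str             # ACCEPT, DROP, REJECT or REDIRECT
    to_port: Optional[int]  # --to-ports value, REDIRECT rules only


# chain, then the service name, then the first option (which starts with '-')
HEAD = re.compile(r"^(Input|Output|NAT prerouting)\s+(.+?)\s+(-.*)$")


def _opt(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_rule(line: str) -> Rule:
    """Parse one line of the Zentyal rule listing into a Rule (hypothetical helper)."""
    m = HEAD.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule line: {line!r}")
    chain, service, opts = m.groups()
    redir = re.search(r"REDIRECT\s+--to-ports\s+(\d+)\s*$", opts)
    plain = re.search(r"\b(ACCEPT|DROP|REJECT)\s*$", opts)
    if redir:
        target, to_port = "REDIRECT", int(redir.group(1))
    elif plain:
        target, to_port = plain.group(1), None
    else:
        raise ValueError(f"no target in rule: {line!r}")
    dport = _opt(r"(?:--dport|--destination-port)\s+(\d+)", opts)
    return Rule(
        chain=chain, service=service,
        iface=_opt(r"(?:^|\s)-[io]\s+(\S+)", opts),
        src=_opt(r"(?:^|\s)-s\s+(\S+)", opts),
        proto=_opt(r"(?:(?:^|\s)-p|--protocol)\s+(\S+)", opts),
        dport=int(dport) if dport else None,
        target=target, to_port=to_port,
    )


def parse_rules(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def _matches(rule: Rule, iface: str, src_ip: str, proto: str, dport: int) -> bool:
    """Does a NEW connection with these attributes match the rule's selectors?"""
    if rule.iface is not None and rule.iface != iface:
        return False
    if rule.src is not None and ip_address(src_ip) not in ip_network(rule.src, strict=False):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def input_verdict(rules: List[Rule], iface: str, src_ip: str, dport: int, proto: str = "tcp") -> str:
    """First-match walk of the Input chain (assumes listed order == chain order)."""
    for r in rules:
        if r.chain == "Input" and _matches(r, iface, src_ip, proto, dport):
            return r.target
    return "no match"


def redirect_targets(rules: List[Rule], iface: str, src_ip: str, dport: int, proto: str = "tcp") -> List[int]:
    """Ports that PREROUTING REDIRECT rules would send this connection to (empty = not rewritten)."""
    return [r.to_port for r in rules
            if r.chain == "NAT prerouting" and r.target == "REDIRECT"
            and _matches(r, iface, src_ip, proto, dport)]


def diagnose_proxy_port(rules: List[Rule], proxy_port: int, iface: str, client_ip: str) -> dict:
    """Why can't a client configured to use proxy_port directly connect? Report the Input
    verdict on that port, any redirect that would rewrite it, and the ports the HTTP
    Proxy rules actually ACCEPT."""
    return {
        "input_verdict": input_verdict(rules, iface, client_ip, proxy_port),
        "redirected_to": redirect_targets(rules, iface, client_ip, proxy_port),
        "accepted_ports": sorted({r.dport for r in rules
                                  if r.chain == "Input" and r.service == "HTTP Proxy"
                                  and r.target == "ACCEPT" and r.dport}),
    }


if __name__ == "__main__":
    print(diagnose_proxy_port(parse_rules(RULES_TEXT), 6000, "eth0", "192.168.0.18"))
```

The same parser can be pointed at a full dump (File Sharing, VPN and Antivirus lines included) to confirm that only the HTTP Proxy service touches the squid and DG ports, which is the first thing to check before concluding a rule is missing rather than shadowed by an earlier DROP.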
comment:5 Changed 18 months ago by BZFlagLEGOManiac@…
Checking back for a response, I noticed that the formatting for the firewall rules was all messed up.
Input HTTP Proxy -m state --state NEW -i eth0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i eth0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -p tcp --dport 6000 DROP
Input HTTP Proxy -m state --state NEW -i wlan0 -s 192.168.0.18/32 -p tcp --dport 3129 ACCEPT
NAT prerouting HTTP Proxy -i eth0 ! -d 192.168.0.200 -p tcp --dport 80 REDIRECT --to-ports 3129
NAT prerouting HTTP Proxy -i eth0 -d ! 192.168.0.200 -s 192.168.0.18/32 -p tcp --dport 80 REDIRECT --to-ports 3129
Output Antivirus --protocol tcp --dport 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 137 ACCEPT
Output HTTP Proxy -m state --state NEW -p tcp --dport 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 137 ACCEPT
Output HTTP Proxy -m state --state NEW -p tcp --dport 443 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 137 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 137 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 138 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p udp --sport 445 ACCEPT
Output File Sharing -m state --state NEW -o wlan0 -p tcp --sport 137 ACCEPT
Output VPN --protocol tcp --destination-port 80 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p tcp --dport 445 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --dport 139 ACCEPT
Output File Sharing -m state --state NEW -o eth0 -p udp --sport 138 ACCEPT
That's better...
comment:6 Changed 18 months ago by jamor@…
- Status changed from new to closed
- Resolution set to fixed
Hello bzflag,
I think the following changeset fixes your problem:
http://trac.zentyal.org/changeset/23714
Regards, Javier