<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 12/10/2014 11:33 AM, Timothy Spear
wrote:<br>
</div>
<blockquote
cite="mid:674CE95A-8326-4B1C-A63D-50D678BFF440@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
B,
<div><br>
</div>
<div>I was going to attach the logs, but I now feel like an idiot.
:D</div>
<div>The jump box I am running Squid on, currently only allows 80
and 443 outbound. I recalled this when I went to scp the log
files and the connection was refused....</div>
<div>I detest overlooking things like this. Sometimes, you really
need to question any assumptions.</div>
</blockquote>
<br>
You are not alone! "Sometimes"->"Always"<br>
<br>
<blockquote
cite="mid:674CE95A-8326-4B1C-A63D-50D678BFF440@gmail.com"
type="cite">
<div><br>
</div>
<div>Tim</div>
<div><br>
<div>
<div>On Oct 12, 2014, at 11:11 AM, crazy world <<a
moz-do-not-send="true"
href="mailto:crazyworld@outlook.com">crazyworld@outlook.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div class="hmmessage" style="font-size: 12pt; font-family:
Calibri; font-style: normal; font-variant: normal;
font-weight: normal; letter-spacing: normal; line-height:
normal; orphans: auto; text-align: start; text-indent:
0px; text-transform: none; white-space: normal; widows:
auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">
<div dir="ltr">Do you have the log for the connection when
you can't access? Other than 22 and 443 as you said.<br>
<br>
Thanks,<br>
<br>
-B<br>
<br>
<div>
<hr id="stopSpelling">Subject: Re: [squid-users]
SSL/SSH/SFTP/FTPS to alternate ports<br>
From: <a moz-do-not-send="true"
href="mailto:n614cd@gmail.com">n614cd@gmail.com</a><br>
Date: Sun, 12 Oct 2014 10:49:05 -0400<br>
CC: <a moz-do-not-send="true"
href="mailto:n614cd@gmail.com">n614cd@gmail.com</a>;
<a moz-do-not-send="true"
href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
To: <a moz-do-not-send="true"
href="mailto:crazyworld@outlook.com">crazyworld@outlook.com</a><br>
<br>
Here is the access log. I should have included it in
the original post. This is accessing a test machine I
set up to hit SSH on 22 and 443. I can also hit HTTPS
on multiple other ports.
<div><br>
</div>
<div>
<pre>1413125068.706 87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX.XXXX.com:22 - HIER_NONE/- -
1413125086.496 8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX.XXXX.com:443 - HIER_DIRECT/54.68.15.208 -</pre>
<div style="font-size: 11px; font-family: Menlo;"><br>
</div>
<div style="font-size: 11px; font-family: Menlo;">Yes,
my intent in the rule set is to provide a list of
allowed ports and sites. </div>
<div style="font-size: 11px; font-family: Menlo;"><br>
</div>
<div style="font-size: 11px; font-family: Menlo;">Tim</div>
<div style="font-size: 11px; font-family: Menlo;"><br>
</div>
<div>
<div>On Oct 11, 2014, at 11:37 PM, B <<a
moz-do-not-send="true"
href="mailto:crazyworld@outlook.com">crazyworld@outlook.com</a>>
wrote:</div>
<br class="ecxApple-interchange-newline">
<blockquote>
<div class="ecxmoz-cite-prefix">Check out your
access log and see what it says. Sounds like
you are looking for an AFW from squid. The
ports themselves are defined. You need to make
sure the other ports are opened.<br>
<br>
Your rule tells squid to block the non-allowed
sites to the non-allowed ports. Still sounds
like FW function, but with the domain feature
only.<br>
<br>
<div class="ecxmoz-signature">-B</div>
On 10/12/2014 7:48 AM, Timothy Spear wrote:<br>
</div>
<blockquote
cite="mid:19B1C111-165B-4A69-8EB7-6CDCE8C27875@gmail.com">
<div>Hello,</div>
<div><br>
</div>
<div>Here is the issue:</div>
<div>I can proxy through Squid just fine to
HTTP and HTTPS. I can also run SSH via
Corkscrew to an SSH server running on port
443 and it works fine.</div>
<div>What I cannot do is access HTTPS or SSH
on any other port except 443. I have lost
track of the number of things I have tried,
so any help will be appreciated, and I feel
like I am missing something simple. </div>
<div>OS: Ubuntu 14.04.1 LTS</div>
<div>Squid: <span style="font-family: Menlo;
font-size: 11px;">3.3.8-1ubuntu6.1</span></div>
<div><br>
</div>
<div>Here is my current Squid 3 configuration:</div>
<div><br>
</div>
<div><br>
</div>
<div>
<pre>debug_options all,3

# local network we proxy for
acl localnet src 10.110.98.0/24

# what ports can be the destination
acl allowedPorts port 21
acl allowedPorts port 22
acl allowedPorts port 2222
acl allowedPorts port 80
acl allowedPorts port 443
acl allowedPorts port 8443

acl CONNECT method CONNECT

# determine the available sites
acl allowedSites dstdomain "/etc/squid3/allowed-sites.squid"

# now block anything not on the localnet or ports
http_access deny !localnet

# allow connect only for approved ports
http_access deny CONNECT !allowedPorts

# now only allow to the specific sites
http_access allow localnet allowedSites allowedPorts

http_port 3128
access_log /var/log/squid3/access.log squid
hosts_file /etc/hosts</pre>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Background (just FYI):</div>
<div>I am trying to set up Squid to control
network access from a local subnet to a
select number of domains. I do not need to
bump the encrypted traffic and play man in
the middle; I just need to prevent the
servers on the local network from accessing
unauthorized networks. Yes, I know I can do
this in the firewall, but that is IP based,
and I am dealing with enough other companies
that maintaining the IP list has become a
major pain. Instead I want to use domains,
which I can do in Squid.</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Tim</div>
<br>
<fieldset class="ecxmimeAttachmentHeader"></fieldset>
<br>
<pre>_______________________________________________
squid-users mailing list
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a>
<a moz-do-not-send="true" class="ecxmoz-txt-link-freetext" href="http://lists.squid-cache.org/listinfo/squid-users" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a></pre>
</blockquote>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Ron Wheeler
President
Artifact Software Inc
email: <a class="moz-txt-link-abbreviated" href="mailto:rwheeler@artifact-software.com">rwheeler@artifact-software.com</a>
skype: ronaldmwheeler
phone: 866-970-2435, ext 102</pre>
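<div>The thread's diagnosis turned on reading the access log correctly: the port-22 CONNECT above ended in TCP_MISS/503 with HIER_NONE, not TCP_DENIED/403, so Squid's http_access rules had let it through and the failure was downstream (the jump box's outbound firewall). The following script is an added example, not code from this thread or from the Squid project. It parses lines in Squid's default "squid" access_log format and sorts each CONNECT attempt by destination port into "denied by ACL", "tunnel established" or "passed ACL but upstream failed", so that a firewall problem is not mistaken for an ACL problem. The first two sample lines mirror the ones quoted above; the third (port 8022, TCP_DENIED/403) is constructed to show what an http_access denial looks like. The Entry, parse_line, connect_port, classify and summarize names are this example's own.</div>

```python
"""Classify CONNECT tunnels in a Squid native-format access log.

Added example (not from the squid-users thread). Assumes the default
"squid" access_log format:
  timestamp elapsed client result/status bytes method url ident hierarchy/peer type
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample log. Lines 1-2 mirror the thread's log; line 3 is
# invented to show how an http_access denial is recorded (TCP_DENIED/403).
SAMPLE_LOG = """\
1413125068.706     87 10.110.98.21 TCP_MISS/503 0 CONNECT XXX.XXXX.com:22 - HIER_NONE/- -
1413125086.496   8061 10.110.98.21 TCP_MISS/200 3657 CONNECT XXX.XXXX.com:443 - HIER_DIRECT/54.68.15.208 -
1413125090.112      0 10.110.98.21 TCP_DENIED/403 3921 CONNECT XXX.XXXX.com:8022 - HIER_NONE/- text/html
"""


@dataclass
class Entry:
    ts: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS, TCP_DENIED
    status: int      # HTTP status Squid returned to the client
    size: int
    method: str
    url: str
    hierarchy: str   # e.g. HIER_DIRECT, HIER_NONE
    peer: str        # upstream address chosen, or "-"


def parse_line(line: str) -> Entry:
    """Split one native-format line; Squid pads the elapsed field, so split on runs of whitespace."""
    f = line.split()
    if len(f) < 10:
        raise ValueError(f"not a native squid log line: {line!r}")
    result, status = f[3].split("/", 1)
    hierarchy, peer = f[8].split("/", 1)
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], hierarchy, peer)


def connect_port(url: str) -> Optional[int]:
    """CONNECT requests log the target as host:port; anything else yields None."""
    m = re.fullmatch(r"(.+):(\d+)", url)
    return int(m.group(2)) if m else None


def classify(e: Entry) -> str:
    """Where did a CONNECT attempt stop?"""
    if e.result == "TCP_DENIED":
        return "denied-by-acl"                  # http_access rejected it
    if e.status == 200:
        return "tunnel-established"
    if e.status >= 500:
        return "passed-acl-upstream-failed"     # ACLs allowed it; connect failed
    return "other"


def summarize(log_text: str) -> Dict[int, Counter]:
    """Per destination port, count how each CONNECT attempt ended."""
    by_port: Dict[int, Counter] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e.method != "CONNECT":
            continue
        port = connect_port(e.url)
        if port is None:
            continue
        by_port.setdefault(port, Counter())[classify(e)] += 1
    return by_port


if __name__ == "__main__":
    for port, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(port, dict(counts))
```

<div>Run against a real log with <code>summarize(open("/var/log/squid3/access.log").read())</code>. A port whose only outcomes are "passed-acl-upstream-failed" is the signature of the situation in this thread: Squid is not the thing blocking it, so the next place to look is the host firewall or the network path out of the proxy.</div>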
</body>
</html>