BFW Firewall & Router

[Brow]

Olá, a todos

nesses últimos 3 dias tenho percebido algo estranho no meu squid.conf. As vzs quando dou um reload no squid ou quando dou um reboot no BFW, percebo algumas alterações no arquivo. Vou postar o squid.conf ok e com alteração depois de um reload ou reboot.

squid.conf ok:

Código: Selecionar todos

http_port 3128
icp_port 0

#SquidCacheAux ACL start
acl store_rewrite_list urlpath_regex \/(get_video\?|videodownload\?|videoplayback.*id)
acl store_rewrite_list_orkut dstdomain .orkut.com .orkut.com.br
cache allow store_rewrite_list_orkut
acl QUERY2 urlpath_regex get_video\? videoplayback\? videodownload\?
cache allow QUERY2
acl youtube dstdomain .youtube.com
cache allow youtube
#SquidCacheAux ACL end

acl video_cache dstdomain -i "/usr/local/squid/etc/cache.flt"
cache allow video_cache
hierarchy_stoplist cgi-bin ?
   acl QUERY urlpath_regex cgi-bin \?
   cache deny QUERY
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 600 MB
   maximum_object_size 256000 KB
   minimum_object_size 4 KB
   maximum_object_size_in_memory 64 KB
cache_dir diskd /partition/squid/cache 5120 16 256 Q1=72 Q2=64
access_log /partition/squid/logs/access.log
cache_log /partition/squid/logs/cache.log
cache_store_log none

cache_effective_user nobody
cache_effective_group nogroup
pid_filename /var/run/squid.pid
half_closed_clients off
server_persistent_connections off
client_persistent_connections off
memory_pools on
buffered_logs on
pipeline_prefetch on

dns_retransmit_interval 15 seconds

#cache_swap_low 70
#cache_swap_high 90

#SquidCacheAux URL_REWRITE start
url_rewrite_program /etc/SquidCacheAux/redir.pl
url_rewrite_children 5
#SquidCacheAux URL_REWRITE end

#SquidCacheAux refresh_pattern start
refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern orkut.com/.* 10080 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern orkut.com.br/.* 10080 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99999999% 5259487 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?)    129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?)    129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id||videodownload\?|\.flv?)      129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern ytimg\.com.*\.jpg               129600 999999% 129600   override-expire ignore-reload
#SquidCacheAux refresh_pattern end

refresh_pattern -i ^http://.*\.(css|htm|html|ico|js|jsp|xml)$ 1440 80% 999999
refresh_pattern -i ^http://.*\.(bmp|gif|jpeg|jpg|png)$ 1440 80% 999999 ignore-reload
refresh_pattern -i ^http://.*\.(ace|adt|arj|asf|avi|bin|bz2|bzip|cab|dat|dll|doc|dot|exe|fla|flv|gz|iso|lha|log|lzh|mdb|mid|mov|mp3|mpeg|mpg|msi|mso|ogg|pps|ppt|rar|rm|rtf|shs|src|sys|swf|tgz|tif|ttf|wav|wma|wri|wmv|vpu|vpaa|vqf|vob|zip)$ 43200 100% 999999 ignore-reload

refresh_pattern ^ftp:   1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.1/32

######Controle de Download######
acl controle1 url_regex -i src 192.168.0.0/24
acl controle2 url_regex -i \.exe$ \.mp3$ \.mp2$ \.mpeg$ \.mpg$ \.mov$ \.zip$ \.rar$ \.avi$ \.iso$ \.wav$ \.7z$ \.wma$ \.wmv$ \.mp4$ \.001$ \.002$ \.003$ \.3gp$ \.rm$ \.rmvb$
acl controle3 urlpath_regex get_video\? videoplayback\? videodownload\? watch\?
acl controle4 url_regex -i src 4shared.com
delay_pools 4
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow controle1
delay_class 2 2
delay_parameters 2 -1/-1 10240/10240
delay_access 2 allow controle2
delay_class 3 2
delay_parameters 3 -1/-1 38000/38000
delay_access 3 allow controle3
delay_class 4 2
delay_parameters 4 -1/-1 10240/10240
delay_access 4 allow controle4
######Fim do Controle de Download######

acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 8180
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901

acl manager proto cache_object
acl PURGE method PURGE
acl CONNECT method CONNECT

http_access allow PURGE localhost
http_access allow manager localhost
http_access deny PURGE
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl filterneg dstdom_regex "/usr/local/squid/etc/filter.flt"
acl internal_net src "/usr/local/squid/etc/ipaccess.yes"
acl no_proxy dstdom_regex -i "/usr/local/squid/etc/ipaccess.no"

#Access deny to Squid ident. header
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Proxy-Connection deny all
header_access Accept-Encoding deny all
always_direct allow no_proxy
http_access deny filterneg
http_access allow internal_net
http_access deny all
#http_reply_access allow all
#icp_access allow all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname brazilfw
   coredump_dir /partition/squid/cache
   error_directory /usr/local/squid/share/errors/Portuguese
#SquidCacheAux STOREURL start
storeurl_access allow store_rewrite_list
storeurl_access allow store_rewrite_list_orkut
storeurl_access deny all
storeurl_rewrite_program /etc/SquidCacheAux/storeurl.pl
storeurl_rewrite_children 5
storeurl_rewrite_concurrency 5
#SquidCacheAux STOREURL end

squid.conf com alteração:

Código: Selecionar todos

http_port 3128
icp_port 0

acl video_cache dstdomain -i "/usr/local/squid/etc/cache.flt"
cache allow video_cache
hierarchy_stoplist cgi-bin ?
   acl QUERY urlpath_regex cgi-bin \?
   cache deny QUERY
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
cache_mem 600 MB
   maximum_object_size 256000 KB
   minimum_object_size 4 KB
   maximum_object_size_in_memory 64 KB
cache_dir diskd /partition/squid/cache 5120 16 256 Q1=72 Q2=64
access_log /partition/squid/logs/access.log
cache_log /partition/squid/logs/cache.log
cache_store_log none

cache_effective_user nobody
cache_effective_group nogroup
pid_filename /var/run/squid.pid
half_closed_clients off
server_persistent_connections off
client_persistent_connections off
memory_pools on
buffered_logs on
pipeline_prefetch on

dns_retransmit_interval 15 seconds

#cache_swap_low 70
#cache_swap_high 90

#SquidCacheAux URL_REWRITE start
url_rewrite_program /etc/SquidCacheAux/redir.pl
url_rewrite_children 5
#SquidCacheAux URL_REWRITE end

#SquidCacheAux refresh_pattern start
refresh_pattern windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern download.microsoft.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern au.download.windowsupdate.com/.*\.(cab|exe) 4320 100% 43200 reload-into-ims
refresh_pattern orkut.com/.* 10080 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern orkut.com.br/.* 10080 100% 43200 override-expire override-lastmod reload-into-ims ignore-reload
refresh_pattern (get_video\?|videoplayback\?|videodownload\?) 5259487 99999999% 5259487 override-expire override-lastmod reload-into-ims ignore-reload ignore-no-cache ignore-private
refresh_pattern (get_video\?|videoplayback\?|videodownload\?|\.flv?)    129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern (get_video\?|videoplayback\?id|videoplayback.*id|videodownload\?|\.flv?)    129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern -i (get_video\?|videoplayback\?id|videoplayback.*id||videodownload\?|\.flv?)      129600 999999% 129600 ignore-no-cache ignore-private override-expire override-lastmod reload-into-ims
refresh_pattern ytimg\.com.*\.jpg               129600 999999% 129600   override-expire ignore-reload
#SquidCacheAux refresh_pattern end

refresh_pattern -i ^http://.*\.(css|htm|html|ico|js|jsp|xml)$ 1440 80% 999999
refresh_pattern -i ^http://.*\.(bmp|gif|jpeg|jpg|png)$ 1440 80% 999999 ignore-reload
refresh_pattern -i ^http://.*\.(ace|adt|arj|asf|avi|bin|bz2|bzip|cab|dat|dll|doc|dot|exe|fla|flv|gz|iso|lha|log|lzh|mdb|mid|mov|mp3|mpeg|mpg|msi|mso|ogg|pps|ppt|rar|rm|rtf|shs|src|sys|swf|tgz|tif|ttf|wav|wma|wri|wmv|vpu|vpaa|vqf|vob|zip)$ 43200 100% 999999 ignore-reload

refresh_pattern ^ftp:   1440   20%   10080
refresh_pattern ^gopher:   1440   0%   1440
refresh_pattern .      0   20%   4320

acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
#acl to_localhost dst 127.0.0.1/32

######Controle de Download######
acl controle1 url_regex -i src 192.168.0.0/24
acl controle2 url_regex -i \.exe$ \.mp3$ \.mp2$ \.mpeg$ \.mpg$ \.mov$ \.zip$ \.rar$ \.avi$ \.iso$ \.wav$ \.7z$ \.wma$ \.wmv$ \.mp4$ \.001$ \.002$ \.003$ \.3gp$ \.rm$ \.rmvb$
acl controle3 urlpath_regex get_video\? videoplayback\? videodownload\? watch\?
acl controle4 url_regex -i src 4shared.com
delay_pools 4
delay_class 1 2
delay_parameters 1 -1/-1 -1/-1
delay_access 1 allow controle1
delay_class 2 2
delay_parameters 2 -1/-1 10240/10240
delay_access 2 allow controle2
delay_class 3 2
delay_parameters 3 -1/-1 38000/38000
delay_access 3 allow controle3
delay_class 4 2
delay_parameters 4 -1/-1 10240/10240
delay_access 4 allow controle4
######Fim do Controle de Download######

acl SSL_ports port 443 563
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443 563
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 8180
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl Safe_ports port 901

acl manager proto cache_object
acl PURGE method PURGE
acl CONNECT method CONNECT

http_access allow PURGE localhost
http_access allow manager localhost
http_access deny PURGE
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl filterneg dstdom_regex "/usr/local/squid/etc/filter.flt"
acl internal_net src "/usr/local/squid/etc/ipaccess.yes"
acl no_proxy dstdom_regex -i "/usr/local/squid/etc/ipaccess.no"

#Access deny to Squid ident. header
header_access Via deny all
header_access X-Forwarded-For deny all
header_access Proxy-Connection deny all
header_access Accept-Encoding deny all
always_direct allow no_proxy
http_access deny filterneg
http_access allow internal_net
http_access deny all
#http_reply_access allow all
#icp_access allow all
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
visible_hostname brazilfw
   coredump_dir /partition/squid/cache
   error_directory /usr/local/squid/share/errors/Portuguese

Geralmente são as linhas a partir de "#SquidCacheAux ACL start" até "#SquidCacheAux ACL end" e também da "#SquidCacheAux STOREURL start" até "#SquidCacheAux STOREURL end" que somem.
Lembrando que a única alteração que fiz no squid.conf é através do arquivo squid_2.tpl com as linha de Delay pool e que no BFW tenho marcado o "Não" para "Desabilitar criação do squid.conf:", ou seja, ele é criado automaticamente.

Se puderem me dá uma luz, agradeço!

[Rafael Marotto]

bom dia amigo , nao tenho muita experiencia no linux , mais aten onde eu sei , no squid 3.0 as aterações do squid.conf nao sao permitidas , qualquer implementação que voce quizer fazer, dever ser feita no arquivo squid.acl "etc/brazilfw/custom/squid.acl".

[Brow]

bom dia amigo , nao tenho muita experiencia no linux , mais aten onde eu sei , no squid 3.0 as aterações do squid.conf nao sao permitidas , qualquer implementação que voce quizer fazer, dever ser feita no arquivo squid.acl "etc/brazilfw/custom/squid.acl".

É, Rafael, vou guardar essa dica, mas o fato é que uso a 2.32.2 e não a 3. De qualquer forma já resolvi desabilitando a criação automática do squid.