[NCLUG] Fwd: A question about squid problem
Matt Taggart
matt at lackof.org
Sat Mar 4 12:36:07 MST 2006
James DeWitt writes...
> acl mydomain src 192.168.10.0/24
> http_access allow mydomain
>
> http_access deny !mydomain
First a comment: The way these statements work is that when a client connects
it steps through them until it finds one that matches. I use
http_access allow mydomain
http_access deny all
Yours should be effectively the same thing, but might be more confusing.
Now a guess at the problem:
Found at http://www.squid-cache.org/Doc/FAQ/FAQ-14.html#ss14.5
============================================================================
When using Squid, some sites may give errors such as ``(111) Connection
refused'' or ``(110) Connection timed out'' although these sites work
fine without going through Squid.
Some versions of linux implement Explicit Congestion Notification (ECN)
and this can cause some TCP connections to fail when contacting some sites
with broken firewalls or broken TCP/IP implementations. A list of sites
to be broken can be found at ECN Hall of Shame.
To work around such broken sites you can disable ECN with the following
command:
echo 0 > /proc/sys/net/ipv4/tcp_ecn
============================================================================
I'm not totally convinced that is the problem (given the additional notes in
the above URL), but given that the firewall changed it might be. Worth a shot I
think. I've also seen ECN cause problems talking to Linksys wrt54g's, and also
hotel networking setups.
One other question I had was if the client that's being denied is running on
the squid server itself? If so then you might need an acl for 127.0.0.0/8 if
you don't already have one.
--
Matt Taggart
matt at lackof.org
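An added worked example, not part of Matt's reply and not Squid's own code: a small Python model of Squid's first-match http_access evaluation. It runs the two rule sets discussed in the thread (James's "deny !mydomain" and Matt's "deny all") against a few constructed client addresses to show they decide identically, and shows why a client running on the proxy host itself (127.0.0.1) is denied until an acl for 127.0.0.0/8 is added. The "all" ACL is treated as a built-in that matches every source, and the fallthrough default (the opposite of the last rule's action) follows squid.conf's documented behaviour; both are assumptions of this model, not parsed from the page.

```python
import ipaddress

# Constructed sample configs, mirroring the rule sets discussed in the thread.
CONFIG_JAMES = """
acl mydomain src 192.168.10.0/24
http_access allow mydomain
http_access deny !mydomain
"""

CONFIG_MATT = """
acl mydomain src 192.168.10.0/24
http_access allow mydomain
http_access deny all
"""

# Same as Matt's, plus the localhost acl suggested for clients on the proxy host.
CONFIG_WITH_LOCALHOST = """
acl mydomain src 192.168.10.0/24
acl localhost src 127.0.0.0/8
http_access allow localhost
http_access allow mydomain
http_access deny all
"""


def parse_config(text):
    """Collect 'acl NAME src NET...' lines and 'http_access ACTION ACL...' lines in order."""
    acls = {}
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = [ipaddress.ip_network(p, strict=False) for p in parts[3:]]
            acls.setdefault(parts[1], []).extend(nets)
        elif parts[0] == "http_access" and len(parts) >= 3:
            rules.append((parts[1], parts[2:]))
    return acls, rules


def acl_matches(acls, name, client):
    """True if the (possibly '!'-negated) ACL name matches the client address."""
    negate = name.startswith("!")
    base = name.lstrip("!")
    if base == "all":                      # assumption: 'all' is the built-in match-everything acl
        hit = True
    else:
        hit = any(client in net for net in acls.get(base, []))
    return hit != negate


def decide(config_text, client_ip):
    """First-match evaluation: walk http_access lines top to bottom, stop at the first full match."""
    acls, rules = parse_config(config_text)
    client = ipaddress.ip_address(client_ip)
    for action, names in rules:
        # Several acl names on one http_access line are ANDed together.
        if all(acl_matches(acls, n, client) for n in names):
            return action
    # Nothing matched: assumption, per squid.conf, the default is the opposite of the last line.
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


def compare(configs, clients):
    """Return {client: [decision per config]} so the rule sets can be checked side by side."""
    return {c: [decide(cfg, c) for cfg in configs] for c in clients}


if __name__ == "__main__":
    sample_clients = ["192.168.10.5", "10.0.0.1", "127.0.0.1"]  # constructed
    for client, verdicts in compare([CONFIG_JAMES, CONFIG_MATT, CONFIG_WITH_LOCALHOST], sample_clients).items():
        print(f"{client:>14}: james={verdicts[0]:5} matt={verdicts[1]:5} with_localhost={verdicts[2]}")
```

Running it shows the LAN client allowed and the outside client denied under both of the first two rule sets, while 127.0.0.1 is denied by both and only allowed once the localhost acl and its allow line appear before the final deny.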