Firewall Bloqueia WSUS de obter atualizações

1. Firewall Bloqueia WSUS de obter atualizações

Pedro Oliveira
bonner

(usa CentOS)

Enviado em 06/02/2012 - 16:38h

Pessoal boa tarde.
Tenho algumas semanas na empresa que atualmente trabalho e estou fazendo um estudo de toda a infra estrutura de redes e servidores.
Inicialmente, me deparei com um problema crítico:

Possuimos um servidor Windows server 2008 R2 que está totalmente integrado com o nosso servidor Proxy Squid com algumas regras para o Iptables.

O grande problema é que o WSUS não está obtendo atualizações pois a regra criada pela empresa que cuidava da segurança dos servidores não funcionou. Meu desafio é corrigir este problema e gradativamente realizar o update em todas as estações da empresa que a um bom tempo não recebe atualização alguma.

Segue uma cópia do meu script IPTABLES para análise de vocês e se possível, me passarem uma luz!

#!/bin/sh

IPT=/sbin/iptables
IGVT="ppp0" # link GVT
IWN="eth1" # link radio da WorldNet
IURBANA="eth3" # interface URBANA
IINT="eth2"
REDE_INT="172.16.4.0/24"
REDE_INT2="10.104.7.0/26"
PORTAS_LIBERADAS="25 110 123 143 2222 2631 5017 5022 2082 8088 8083 1433"

# Porta 2631 eh utilizada pelo Software da Caixa
# Porta 5017 eh utilizada pelo Software CAT - Comunicacao de Acidente de Trabalho

case "$1" in
start)


for i in $PORTAS_LIBERADAS; do
$IPT -A FORWARD -i $IINT -o $IGVT -p tcp --dport $i -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -p udp --dport $i -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IGVT -p tcp --dport $i -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IGVT -p udp --dport $i -j ACCEPT

$IPT -A FORWARD -i $IINT -o $IWN -p tcp --dport $i -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -p udp --dport $i -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IWN -p tcp --dport $i -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IWN -p udp --dport $i -j ACCEPT
done

#SERVIDORES LINUX - 130 e 131
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.130 -p tcp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.130 -p udp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.130 -p tcp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.130 -p udp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.131 -p tcp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.131 -p udp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.131 -p tcp -m multiport --dport 20,21,80,443 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.131 -p udp -m multiport --dport 20,21,80,443 -j ACCEPT

# Windows UpDate
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d windowsupdate.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d download.windowsupdate.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d www.download.windowsupdate.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d redir.metaservices.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d images.metaservices.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d c.microsoft.com -j MASQUERADE

# receita.fazenda.gov.br
$IPT -A FORWARD -i $IINT -o $IGVT -d 161.148.231.100 -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -d 161.148.231.100 -p tcp --dport 80 -j ACCEPT

# Liberando SEFIP.
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.173.68 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.174.204 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.160/20 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.173.68 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.174.204 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.160/20 -j ACCEPT

$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.173.68 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.174.204 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.160/20 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.173.68 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.174.204 -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.160/20 -j ACCEPT

#Servidor da Urbana
$IPT -I FORWARD -i eth3 -o tun2 -j ACCEPT
$IPT -I FORWARD -o eth3 -i tun2 -j ACCEPT
$IPT -I FORWARD -o eth3 -i tun2 -p tcp --dport 5900 -j ACCEPT
$IPT -I FORWARD -i eth3 -o tun2 -p tcp --dport 5900 -j ACCEPT


# Liberando Porta 3456 para software da Receita - CEF e FTP
$IPT -A FORWARD -p tcp -s 172.16.4.1 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.1 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.3 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.3 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.4 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.4 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.12 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.12 -d 0/0 -i $IINT -o $IGVT -m multiport --dport 20,21,1049,3456 -j ACCEPT

$IPT -A FORWARD -p tcp -s 172.16.4.1 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.1 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.3 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.3 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.4 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.4 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p tcp -s 172.16.4.12 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT
$IPT -A FORWARD -p udp -s 172.16.4.12 -d 0/0 -i $IINT -o $IWN -m multiport --dport 20,21,1049,3456 -j ACCEPT


#LIberando o trafego do AD
$IPT -A FORWARD -i eth2 -o eth2 -s 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i eth2 -o eth2 -s 172.16.4.129 -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -o eth2 -i eth2 -d 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -o eth2 -i eth2 -d 172.16.4.129 -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.129 -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IGVT -s 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IGVT -s 172.16.4.129 -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.129 -p udp --dport 53 -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IWN -s 172.16.4.129 -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -o $IINT -i $IWN -s 172.16.4.129 -p udp --dport 53 -j ACCEPT

CAGED_IP="172.16.4.69 172.16.4.70 172.16.4.71 172.16.4.72"
for s in $CAGED_IP; do
$IPT -A FORWARD -p tcp -i eth2 -o eth1 -s $s -d 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o eth1 -s $s -d 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o ppp0 -s $s -d 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o ppp0 -s $s -d 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i eth1 -d $s -s 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i eth1 -d $s -s 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i ppp0 -d $s -s 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i ppp0 -d $s -s 200.152.33.1 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o eth1 -s $s -d 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o eth1 -s $s -d 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o ppp0 -s $s -d 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o ppp0 -s $s -d 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i eth1 -d $s -s 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i eth1 -d $s -s 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i ppp0 -d $s -s 200.152.32/20 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i ppp0 -d $s -s 200.152.32/20 -j ACCEPT
done


FTP_IP="172.16.4.88 172.16.4.89 172.16.4.90 172.16.4.137 172.16.4.129"
for s in $FTP_IP; do
$IPT -A FORWARD -p tcp -i eth2 -o eth1 -s $s -d intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o eth1 -s $s -d intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o ppp0 -s $s -d intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o ppp0 -s $s -d intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i eth1 -d $s -s intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i eth1 -d $s -s intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i ppp0 -d $s -s intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i ppp0 -d $s -s intranet.gcinet.com.br -m multiport --dport 20,21 -j ACCEPT

$IPT -A FORWARD -p tcp -i eth2 -o eth1 -s $s -d bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o eth1 -s $s -d bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o ppp0 -s $s -d bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o ppp0 -s $s -d bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i eth1 -d $s -s bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i eth1 -d $s -s bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i ppp0 -d $s -s bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i ppp0 -d $s -s bgminformatica.com.br -m multiport --dport 20,21 -j ACCEPT

$IPT -A FORWARD -p tcp -i eth2 -o eth1 -s $s -d ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o eth1 -s $s -d ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -i eth2 -o ppp0 -s $s -d ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -i eth2 -o ppp0 -s $s -d ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i eth1 -d $s -s ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i eth1 -d $s -s ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p tcp -o eth2 -i ppp0 -d $s -s ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
$IPT -A FORWARD -p udp -o eth2 -i ppp0 -d $s -s ftp.dmpbgmrodotec.com.br -m multiport --dport 20,21 -j ACCEPT
done

# Liberando Porta 3306 para Sistema Dadus S4
$IPT -A FORWARD -i $IINT -o $IGVT -p tcp -s 172.16.4.0/24 -d 0/0 --dport 3306 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -p tcp -s 172.16.4.0/24 -d 0/0 --dport 3306 -j ACCEPT

# Liberando Porta para SDS-Secretaria Defesa Social-Delegacia Interativa
$IPT -A FORWARD -i $IINT -o $IGVT -d 200.238.83.9 -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -d 200.238.83.9 -p udp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -d 200.238.112.207 -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -d 200.238.112.207 -p udp --dport 8080 -j ACCEPT

$IPT -A FORWARD -i $IINT -o $IWN -d 200.238.83.9 -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -d 200.238.83.9 -p udp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -d 200.238.112.207 -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -d 200.238.112.207 -p udp --dport 8080 -j ACCEPT

#Liberando porta para monitoramento BBC Vigilancia
#$IPT -A FORWARD -p tcp -s 10.1.1.238 --dport 8040 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 10.1.1.147 --dport 8040 -j ACCEPT
#$IPT -A FORWARD -p tcp -s 10.1.1.204 --dport 8040 -j ACCEPT

#Teste liberacao de porta para DataCenter Urbana
$IPT -A FORWARD -p tcp -s 10.104.7.101 --dport 5007 -j ACCEPT

# Liberando porta para o rasnet
$IPT -A FORWARD -p tcp -s $REDE_INT -d 0/0 --dport 3007 -o $IGVT -j ACCEPT
$IPT -A FORWARD -p udp -s $REDE_INT -d 0/0 --dport 3007 -o $IGVT -j ACCEPT
$IPT -A FORWARD -p tcp -s $REDE_INT -d 0/0 --dport 3007 -o $IWN -j ACCEPT
$IPT -A FORWARD -p udp -s $REDE_INT -d 0/0 --dport 3007 -o $IWN -j ACCEPT


#Liberando porta para boleto Santa Clara
$IPT -A FORWARD -i $IINT -o $IGVT -p tcp --dport 7777 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -p tcp --dport 7777 -j ACCEPT

# Liberando porta para o servidor de cameras.
#$IPT -A FORWARD -i $IGVT -o $IINT -d 10.1.1.211 -p tcp --dport 80 -j ACCEPT
#$IPT -A FORWARD -o $IGVT -i $IINT -s 10.1.1.211 -p tcp --dport 80 -j ACCEPT
#$IPT -A FORWARD -i $IGVT -o $IINT -d 10.1.1.212 -p tcp --dport 8080 -j ACCEPT
#$IPT -A FORWARD -o $IGVT -i $IINT -s 10.1.1.212 -p tcp --dport 8080 -j ACCEPT


#Liberando VPN
$IPT -I FORWARD -i tun0 -o $IINT -s 172.15.0.0/24 -d 172.16.4.0/24 -p tcp -j ACCEPT
$IPT -I FORWARD -i tun0 -o $IINT -s 172.15.0.0/24 -d 172.16.4.0/24 -p udp -j ACCEPT
$IPT -I FORWARD -o tun0 -i $IINT -s 172.16.4.0/24 -d 172.15.0.0/24 -p tcp -j ACCEPT
$IPT -I FORWARD -o tun0 -i $IINT -s 172.16.4.0/24 -d 172.15.0.0/24 -p udp -j ACCEPT
$IPT -I FORWARD -i tun0 -o $IINT -s 172.15.0.0/24 -d 172.16.4.0/24 -p icmp -j ACCEPT
$IPT -I FORWARD -i tun0 -o $IINT -s 172.15.0.0/24 -d 172.16.4.0/24 -p icmp -j ACCEPT
$IPT -I FORWARD -o tun0 -i $IINT -s 172.16.4.0/24 -d 172.15.0.0/24 -p icmp -j ACCEPT
$IPT -I FORWARD -o tun0 -i $IINT -s 172.16.4.0/24 -d 172.15.0.0/24 -p icmp -j ACCEPT

# LIBERANDO CONECTIVIDADE SOCIAL.

$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.54 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.54 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.54 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.55 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.55 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.55 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.56 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.56 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.56 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.69 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IGVT -s 172.16.4.70 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT

$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.54 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.2.54 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.54 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.55 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.2.55 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.55 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.56 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.2.56 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.56 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.69 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.174.204 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.174.207 -m multiport -p tcp --dport 80,2631 -j ACCEPT
$IPT -A FORWARD -i $IINT -o $IWN -s 172.16.4.70 -d 200.201.173.68 -m multiport -p tcp --dport 80,2631 -j ACCEPT

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -j LOG --log-prefix "TRAFEGO NAO PERMITIDO "

/sbin/service iptables save

##
## LOOPBACK
##

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

##
## POLITICA DAS TABELAS
##

$IPT -P FORWARD DROP
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT

##
## DNAT
##

#$IPT -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 10.1.1.211
#$IPT -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-destination 10.1.1.212

##
## SNAT
##
$IPT -t nat -A POSTROUTING -o ppp0 -s 172.16.4.0/24 -d 0/0 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o eth1 -s 172.16.4.0/24 -d 0/0 -j SNAT --to 187.1.172.162
$IPT -t nat -A POSTROUTING -o eth3 -d 10.104.7.101 -p tcp --dport 5900 -j SNAT --to 10.104.7.126

##
## MANGLE
##

echo "Firewall started..."

;;
stop)
$IPT -Z
$IPT -X
$IPT -F
$IPT -t nat -F
$IPT -P FORWARD ACCEPT
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

echo "Firewall stoped..."

;;
save)

/sbin/service iptables save

;;
*)
echo "Uso: firewall.sh [start|stop|save]"
;;
esac

exit 0



  


2. Agradecimentos

Pedro Oliveira
bonner

(usa CentOS)

Enviado em 06/02/2012 - 16:51h

Ficarei muito grato por qualquer tipo de sugestão que possa me ajudar a resolver tal problema!
Obrigado pessoal!


3. Tente

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 06/02/2012 - 17:19h

bonner escreveu:

Ficarei muito grato por qualquer tipo de sugestão que possa me ajudar a resolver tal problema!
Obrigado pessoal!


Sua politica de forward esta em drop então precisa liberar os sites da M$.

Comente estas regras:
# Windows UpDate
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d windowsupdate.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d download.windowsupdate.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d www.download.windowsupdate.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d redir.metaservices.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d images.metaservices.microsoft.com -j MASQUERADE
$IPT -t nat -A POSTROUTING -s 172.16.4.0/24 -d c.microsoft.com -j MASQUERADE
### Fim ####

E adicione o forward para os dominios da M$

$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d microsoft.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d windowsupdate.microsoft.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d download.windowsupdate.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d www.download.windowsupdate.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d redir.metaservices.microsoft.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d images.metaservices.microsoft.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d c.microsoft.com -j ACCEPT
$IPT -I FORWARD -i $IINT -o $IGVT -s 172.16.4.0/24 -d download.microsoft.com -j ACCEPT

Dessa forma todas as maquinas da rede poderão acessar os sites do window update




4. Ainda persiste...

Pedro Oliveira
bonner

(usa CentOS)

Enviado em 07/02/2012 - 08:51h

Olá André, tudo bem?
Obrigado pela sua resposta e atenção ao meu tópico!

Vamos lá:

Difícil saber se realmente funcionou, pois ao tentar executar manualmente o windows update em uma estação local a máquina pede autenticação e mesmo inserindo um usuário do proxy válido ele torna a pedir a autenticação... Fica tipo em looping.
Como se meu usuário do proxy fosse inválido.

Preciso fazer algum outro ajuste?

-----Edit-----

Me esquecí de falar... Meu squid.conf é um pouco extenso, seria interessante colá-lo para uma análise mais apurada do ambiente?


5. Squid

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 07/02/2012 - 10:47h

bonner escreveu:

Olá André, tudo bem?
Obrigado pela sua resposta e atenção ao meu tópico!

Vamos lá:

Difícil saber se realmente funcionou, pois ao tentar executar manualmente o windows update em uma estação local a máquina pede autenticação e mesmo inserindo um usuário do proxy válido ele torna a pedir a autenticação... Fica tipo em looping.
Como se meu usuário do proxy fosse inválido.

Preciso fazer algum outro ajuste?

-----Edit-----

Me esquecí de falar... Meu squid.conf é um pouco extenso, seria interessante colá-lo para uma análise mais apurada do ambiente?


Bom ai já vamos precisar realmente do seu squid.conf para ver onde esta barrando e o que podemos fazer.



6. Squid.conf

Pedro Oliveira
bonner

(usa CentOS)

Enviado em 07/02/2012 - 17:18h

Cara o squid.conf que a galera tem é o padrão, só que com algumas linhas descomentadas e outras alteradas!
Dá uma sacada e vê se ajuda:


# WELCOME TO SQUID 3.0.STABLE10
# ----------------------------
#
# This is the default Squid configuration file. You may wish
# to look at the Squid home page (http://www.squid-cache.org/)
# for the FAQ and other documentation.
#
# The default Squid config file shows what the defaults for
# various options happen to be. If you don't need to change the
# default, you shouldn't uncomment the line. Doing so may cause
# run-time problems. In some cases "none" refers to no default
# setting at all, while in other cases it refers to a valid
# option - the comments for that keyword indicate if this is the
# case.
#


# Configuration options can be included using the "include" directive.
# Include takes a list of files to include. Quoting and wildcards is
# supported.
#
# For example,
#
# include /path/to/included/file/squid.acl.config
#
# Includes can be nested up to a hard-coded depth of 16 levels.
# This arbitrary restriction is to prevent recursive include references
# from causing Squid entering an infinite loop whilst trying to load
# configuration files.


# OPTIONS FOR AUTHENTICATION
# -----------------------------------------------------------------------------

# TAG: auth_param
# This is used to define parameters for the various authentication
# schemes supported by Squid.
#
# format: auth_param scheme parameter [setting]
#
# The order in which authentication schemes are presented to the client is
# dependent on the order the scheme first appears in config file. IE
# has a bug (it's not RFC 2617 compliant) in that it will use the basic
# scheme if basic is the first entry presented, even if more secure
# schemes are presented. For now use the order in the recommended
# settings section below. If other browsers have difficulties (don't
# recognize the schemes offered even if you are using basic) either
# put basic first, or disable the other schemes (by commenting out their
# program entry).
#
# Once an authentication scheme is fully configured, it can only be
# shutdown by shutting squid down and restarting. Changes can be made on
# the fly and activated with a reconfigure. I.E. You can change to a
# different helper, but not unconfigure the helper completely.
#
# Please note that while this directive defines how Squid processes
# authentication it does not automatically activate authentication.
# To use authentication you must in addition make use of ACLs based
# on login name in http_access (proxy_auth, proxy_auth_regex or
# external with %LOGIN used in the format tag). The browser will be
# challenged for authentication on the first such acl encountered
# in http_access processing and will also be re-challenged for new
# login credentials if the request is being denied by a proxy_auth
# type acl.
#
# WARNING: authentication can't be used in a transparently intercepting
# proxy as the client then thinks it is talking to an origin server and
# not the proxy. This is a limitation of bending the TCP/IP protocol to
# transparently intercepting port 80, not a limitation in Squid.
# Ports flagged 'transparent' or 'tproxy' have authentication disabled.
#
# === Parameters for the basic scheme follow. ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such a program
# reads a line containing "username password" and replies "OK" or
# "ERR" in an endless loop. "ERR" responses may optionally be followed
# by a error description available as %m in the returned error page.
# If you use an authenticator, make sure you have 1 acl of type proxy_auth.
#
# By default, the basic authentication scheme is not used unless a
# program is specified.
#
# If you want to use the traditional NCSA proxy authentication, set
# this line to something like
#
# auth_param basic program /usr/libexec/ncsa_auth /usr/etc/passwd
#
# "children" numberofchildren
# The number of authenticator processes to spawn. If you start too few
# Squid will have to wait for them to process a backlog of credential
# verifications, slowing it down. When password verifications are
# done via a (slow) network you are likely to need lots of
# authenticator processes.
# auth_param basic children 5
#
# "concurrency" concurrency
# The number of concurrent requests the helper can process.
# The default of 0 is used for helpers who only supports
# one request at a time. Setting this changes the protocol used to
# include a channel number first on the request/response line, allowing
# multiple requests to be sent to the same helper in parallell without
# wating for the response.
# Must not be set unless it's known the helper supports this.
# auth_param basic concurrency 0
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the basic proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param basic realm Squid proxy-caching web server
#
# "credentialsttl" timetolive
# Specifies how long squid assumes an externally validated
# username:password pair is valid for - in other words how
# often the helper program is called for that user. Set this
# low to force revalidation with short lived passwords. Note
# setting this high does not impact your susceptibility
# to replay attacks unless you are using an one-time password
# system (such as SecureID). If you are using such a system,
# you will be vulnerable to replay attacks unless you also
# use the max_user_ip ACL in an http_access rule.
#
# "casesensitive" on|off
# Specifies if usernames are case sensitive. Most user databases are
# case insensitive allowing the same username to be spelled using both
# lower and upper case letters, but some are case sensitive. This
# makes a big difference for user_max_ip ACL processing and similar.
# auth_param basic casesensitive off
#
# === Parameters for the digest scheme follow ===
#
# "program" cmdline
# Specify the command for the external authenticator. Such
# a program reads a line containing "username":"realm" and
# replies with the appropriate H(A1) value hex encoded or
# ERR if the user (or his H(A1) hash) does not exists.
# See rfc 2616 for the definition of H(A1).
# "ERR" responses may optionally be followed by a error description
# available as %m in the returned error page.
#
# By default, the digest authentication scheme is not used unless a
# program is specified.
#
# If you want to use a digest authenticator, set this line to
# something like
#
# auth_param digest program /usr/bin/digest_auth_pw /usr/etc/digpass
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of H(A1) calculations, slowing it down.
# When the H(A1) calculations are done via a (slow) network
# you are likely to need lots of authenticator processes.
# auth_param digest children 5
#
# "realm" realmstring
# Specifies the realm name which is to be reported to the
# client for the digest proxy authentication scheme (part of
# the text the user will see when prompted their username and
# password). There is no default.
# auth_param digest realm Squid proxy-caching web server
#
# "nonce_garbage_interval" timeinterval
# Specifies the interval that nonces that have been issued
# to client_agent's are checked for validity.
#
# "nonce_max_duration" timeinterval
# Specifies the maximum length of time a given nonce will be
# valid for.
#
# "nonce_max_count" number
# Specifies the maximum number of times a given nonce can be
# used.
#
# "nonce_strictness" on|off
# Determines if squid requires strict increment-by-1 behavior
# for nonce counts, or just incrementing (off - for use when
# useragents generate nonce counts that occasionally miss 1
# (ie, 1,2,4,6)). Default off.
#
# "check_nonce_count" on|off
# This directive if set to off can disable the nonce count check
# completely to work around buggy digest qop implementations in
# certain mainstream browser versions. Default on to check the
# nonce count to protect from authentication replay attacks.
#
# "post_workaround" on|off
# This is a workaround to certain buggy browsers who sends
# an incorrect request digest in POST requests when reusing
# the same nonce as acquired earlier on a GET request.
#
# === NTLM scheme options follow ===
#
# "program" cmdline
# Specify the command for the external NTLM authenticator.
# Such a program reads exchanged NTLMSSP packets with
# the browser via Squid until authentication is completed.
# If you use an NTLM authenticator, make sure you have 1 acl
# of type proxy_auth. By default, the NTLM authenticator_program
# is not used.
#
# auth_param ntlm program /usr/bin/ntlm_auth
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When credential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
#
# auth_param ntlm children 5
#
# "keep_alive" on|off
# If you experience problems with PUT/POST requests when using the
# Negotiate authentication scheme then you can try setting this to
# off. This will cause Squid to forcibly close the connection on
# the initial requests where the browser asks which schemes are
# supported by the proxy.
#
# auth_param ntlm keep_alive on
#
# === Options for configuring the NEGOTIATE auth-scheme follow ===
#
# "program" cmdline
# Specify the command for the external Negotiate authenticator.
# This protocol is used in Microsoft Active-Directory enabled setups with
# the Microsoft Internet Explorer or Mozilla Firefox browsers.
# Its main purpose is to exchange credentials with the Squid proxy
# using the Kerberos mechanisms.
# If you use a Negotiate authenticator, make sure you have at least one acl
# of type proxy_auth active. By default, the negotiate authenticator_program
# is not used.
# The only supported program for this role is the ntlm_auth
# program distributed as part of Samba, version 4 or later.
#
# auth_param negotiate program /usr/bin/ntlm_auth --helper-protocol=gss-spnego
#
# "children" numberofchildren
# The number of authenticator processes to spawn (no default).
# If you start too few Squid will have to wait for them to
# process a backlog of credential verifications, slowing it
# down. When crendential verifications are done via a (slow)
# network you are likely to need lots of authenticator
# processes.
# auth_param negotiate children 5
#
# "keep_alive" on|off
# If you experience problems with PUT/POST requests when using the
# Negotiate authentication scheme then you can try setting this to
# off. This will cause Squid to forcibly close the connection on
# the initial requests where the browser asks which schemes are
# supported by the proxy.
#
# auth_param negotiate keep_alive on
#
#Recommended minimum configuration per scheme:
#auth_param negotiate program <uncomment and complete this line to activate>
#auth_param negotiate children 5
#auth_param negotiate keep_alive on
#auth_param ntlm program <uncomment and complete this line to activate>
#auth_param ntlm children 5
#auth_param ntlm keep_alive on
#auth_param digest program <uncomment and complete this line>
#auth_param digest children 5
#auth_param digest realm Squid proxy-caching web server
#auth_param digest nonce_garbage_interval 5 minutes
#auth_param digest nonce_max_duration 30 minutes
#auth_param digest nonce_max_count 50
#auth_param basic program <uncomment and complete this line>
#auth_param basic children 5
#auth_param basic realm Squid proxy-caching web server
#auth_param basic credentialsttl 2 hours


#auth_param ntlm program /usr/lib64/squid/ntlm_auth CIDADEALTA/SR-CDA2 -d
auth_param ntlm program /usr/bin/ntlm_auth CIDADEALTA/SR-CDA2 --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 50

auth_param basic program /usr/bin/ntlm_auth CIDADEALTA/SR-CDA2 --helper-protocol=squid-2.5-basic
auth_param basic children 25
auth_param basic realm Digite LOGIN/SENHA
auth_param basic credentialsttl 2 hours

# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilization (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if you
# have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

# TAG: authenticate_ttl
# The time a user & their credentials stay in the logged in
# user cache since their last request. When the garbage
# interval passes, all user credentials that have passed their
# TTL are removed from memory.
#
#Default:
# authenticate_ttl 1 hour

# TAG: authenticate_ip_ttl
# If you use proxy authentication and the 'max_user_ip' ACL,
# this directive controls how long Squid remembers the IP
# addresses associated with each user. Use a small value
# (e.g., 60 seconds) if your users might change addresses
# quickly, as is the case with dialups. You might be safe
# using a larger value (e.g., 2 hours) in a corporate LAN
# environment with relatively static address assignments.
#
#Default:
# authenticate_ip_ttl 0 seconds


# ACCESS CONTROLS
# -----------------------------------------------------------------------------

# TAG: external_acl_type
# This option defines external acl classes using a helper program
# to look up the status
#
# external_acl_type name [options] FORMAT.. /path/to/helper [helper arguments..]
#
# Options:
#
# ttl=n TTL in seconds for cached results (defaults to 3600
# for 1 hour)
# negative_ttl=n
# TTL for cached negative lookups (default same
# as ttl)
# children=n Number of acl helper processes spawn to service
# external acl lookups of this type. (default 5)
# concurrency=n concurrency level per process. Only used with helpers
# capable of processing more than one query at a time.
# cache=n result cache size, 0 is unbounded (default)
# grace=n Percentage remaining of TTL where a refresh of a
# cached entry should be initiated without needing to
# wait for a new reply. (default 0 for no grace period)
# protocol=2.5 Compatibility mode for Squid-2.5 external acl helpers
#
# FORMAT specifications
#
# %LOGIN Authenticated user login name
# %EXT_USER Username from external acl
# %IDENT Ident user name
# %SRC Client IP
# %SRCPORT Client source port
# %URI Requested URI
# %DST Requested host
# %PROTO Requested protocol
# %PORT Requested port
# %PATH Requested URL path
# %METHOD Request method
# %MYADDR Squid interface address
# %MYPORT Squid http_port number
# %PATH Requested URL-path (including query-string if any)
# %USER_CERT SSL User certificate in PEM format
# %USER_CERTCHAIN SSL User certificate chain in PEM format
# %USER_CERT_xx SSL User certificate subject attribute xx
# %USER_CA_xx SSL User certificate issuer attribute xx
# %{Header} HTTP request header
# %{Hdr:member} HTTP request header list member
# %{Hdr:;member}
# HTTP request header list member using ; as
# list separator. ; can be any non-alphanumeric
# character.
#
# In addition to the above, any string specified in the referencing
# acl will also be included in the helper request line, after the
# specified formats (see the "acl external" directive)
#
# The helper receives lines per the above format specification,
# and returns lines starting with OK or ERR indicating the validity
# of the request and optionally followed by additional keywords with
# more details.
#
# General result syntax:
#
# OK/ERR keyword=value ...
#
# Defined keywords:
#
# user= The users name (login)
# password= The users password (for login= cache_peer option)
# message= Message describing the reason. Available as %o
# in error pages
# tag= Apply a tag to a request (for both ERR and OK results)
# Only sets a tag, does not alter existing tags.
# log= String to be logged in access.log. Available as
# %ea in logformat specifications
#
# If protocol=3.0 (the default) then URL escaping is used to protect
# each value in both requests and responses.
#
# If using protocol=2.5 then all values need to be enclosed in quotes
# if they may contain whitespace, or the whitespace escaped using \.
# And quotes or \ characters within the keyword value must be \ escaped.
#
# When using the concurrency= option the protocol is changed by
# introducing a query channel tag infront of the request/response.
# The query channel tag is a number between 0 and concurrency-1.
#
#Default:
# none

# TAG: acl
# Defining an Access List
#
# Every access list definition must begin with an aclname and acltype,
# followed by either type-specific arguments or a quoted filename that
# they are read from.
#
# acl aclname acltype argument ...
# acl aclname acltype "file" ...
#
# When using "file", the file should contain one item per line.
#
# By default, regular expressions are CASE-SENSITIVE. To make
# them case-insensitive, use the -i option.
#
#
# ***** ACL TYPES AVAILABLE *****
#
# acl aclname src ip-address/netmask ... # clients IP address
# acl aclname src addr1-addr2/netmask ... # range of addresses
# acl aclname dst ip-address/netmask ... # URL host's IP address
# acl aclname myip ip-address/netmask ... # local socket IP address
#
# acl aclname arp mac-address ... (xx:xx:xx:xx:xx:xx notation)
# # The arp ACL requires the special configure option --enable-arp-acl.
# # Furthermore, the ARP ACL code is not portable to all operating systems.
# # It works on Linux, Solaris, Windows, FreeBSD, and some other *BSD variants.
# #
# # NOTE: Squid can only determine the MAC address for clients that are on
# # the same subnet. If the client is on a different subnet, then Squid cannot
# # find out its MAC address.
#
# acl aclname srcdomain .foo.com ... # reverse lookup, from client IP
# acl aclname dstdomain .foo.com ... # Destination server from URL
# acl aclname srcdom_regex [-i] \.foo\.com ... # regex matching client name
# acl aclname dstdom_regex [-i] \.foo\.com ... # regex matching server
# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
# # based URL is used and no match is found. The name "none" is used
# # if the reverse lookup fails.
#
# acl aclname src_as number ...
# acl aclname dst_as number ...
# # Except for access control, AS numbers can be used for
# # routing of requests to specific caches. Here's an
# # example for routing all requests for AS#1241 and only
# # those to mycache.mydomain.net:
# # acl asexample dst_as 1241
# # cache_peer_access mycache.mydomain.net allow asexample
# # cache_peer_access mycache_mydomain.net deny all
#
# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
# # day-abbrevs:
# # S - Sunday
# # M - Monday
# # T - Tuesday
# # W - Wednesday
# # H - Thursday
# # F - Friday
# # A - Saturday
# # h1:m1 must be less than h2:m2
#
# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
# acl aclname urlpath_regex [-i] \.gif$ ... # regex matching on URL path
#
# acl aclname port 80 70 21 ...
# acl aclname port 0-1024 ... # ranges allowed
# acl aclname myport 3128 ... # (local socket TCP port)
# acl aclname myportname 3128 ... # http(s)_port name
#
# acl aclname proto HTTP FTP ...
#
# acl aclname method GET POST ...
#
# acl aclname http_status 200 301 500- 400-403 ... # status code in reply
#
# acl aclname browser [-i] regexp ...
# # pattern match on User-Agent header (see also req_header below)
#
# acl aclname referer_regex [-i] regexp ...
# # pattern match on Referer header
# # Referer is highly unreliable, so use with care
#
# acl aclname ident username ...
# acl aclname ident_regex [-i] pattern ...
# # string match on ident output.
# # use REQUIRED to accept any non-null ident.
#
# acl aclname proxy_auth [-i] username ...
# acl aclname proxy_auth_regex [-i] pattern ...
# # list of valid usernames
# # use REQUIRED to accept any valid username.
# #
# # NOTE: when a Proxy-Authentication header is sent but it is not
# # needed during ACL checking the username is NOT logged
# # in access.log.
# #
# # NOTE: proxy_auth requires a EXTERNAL authentication program
# # to check username/password combinations (see
# # auth_param directive).
# #
# # NOTE: proxy_auth can't be used in a transparent/intercepting proxy
# # as the browser needs to be configured for using a proxy in order
# # to respond to proxy authentication.
#
# acl aclname snmp_community string ...
# # A community string to limit access to your SNMP Agent
# # Example:
# #
# # acl snmppublic snmp_community public
#
# acl aclname maxconn number
# # This will be matched when the client's IP address has
# # more than <number> HTTP connections established.
#
# acl aclname max_user_ip [-s] number
# # This will be matched when the user attempts to log in from more
# # than <number> different ip addresses. The authenticate_ip_ttl
# # parameter controls the timeout on the ip entries.
# # If -s is specified the limit is strict, denying browsing
# # from any further IP addresses until the ttl has expired. Without
# # -s Squid will just annoy the user by "randomly" denying requests.
# # (the counter is reset each time the limit is reached and a
# # request is denied)
# # NOTE: in acceleration mode or where there is mesh of child proxies,
# # clients may appear to come from multiple addresses if they are
# # going through proxy farms, so a limit of 1 may cause user problems.
#
# acl aclname req_mime_type [-i] mime-type ...
# # regex match against the mime type of the request generated
# # by the client. Can be used to detect file upload or some
# # types HTTP tunneling requests.
# # NOTE: This does NOT match the reply. You cannot use this
# # to match the returned file type.
#
# acl aclname req_header header-name [-i] any\.regex\.here
# # regex match against any of the known request headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname rep_mime_type [-i] mime-type ...
# # regex match against the mime type of the reply received by
# # squid. Can be used to detect file download or some
# # types HTTP tunneling requests.
# # NOTE: This has no effect in http_access rules. It only has
# # effect in rules that affect the reply data stream such as
# # http_reply_access.
#
# acl aclname rep_header header-name [-i] any\.regex\.here
# # regex match against any of the known reply headers. May be
# # thought of as a superset of "browser", "referer" and "mime-type"
# # ACLs.
#
# acl aclname external class_name [arguments...]
# # external ACL lookup via a helper class defined by the
# # external_acl_type directive.
#
# acl aclname user_cert attribute values...
# # match against attributes in a user SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ca_cert attribute values...
# # match against attributes a users issuing CA SSL certificate
# # attribute is one of DN/C/O/CN/L/ST
#
# acl aclname ext_user username ...
# acl aclname ext_user_regex [-i] pattern ...
# # string match on username returned by external acl helper
# # use REQUIRED to accept any non-null user name.
#
#Examples:
#acl macaddress arp 09:00:2b:23:45:67
#acl myexample dst_as 1241
acl password proxy_auth REQUIRED
#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$
#
#Default:
# acl all src all
#
#Recommended minimum configuration:
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
#
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 172.16.4.0/24 # RFC1918 possible internal network
#acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
#acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
#
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT


##########################################################################
## ##
## POLITICA DE ACESSO ##
## ##
##########################################################################

external_acl_type nt_group children=25 %LOGIN /usr/lib64/squid/wbinfo_group.pl -d

acl blacklist urlpath_regex -i "/etc/squid/regras/blacklist.txt"
acl download_bloqueado urlpath_regex "/etc/squid/regras/download_bloqueado.txt"
acl sites_liberados urlpath_regex "/etc/squid/regras/sites_liberados.txt"
acl dominios_liberados dstdomain .hapvida.com.br bankline.itau.com.br .itau.com.br banklineplus.itau.com.br ww57.itau.com.br clickbanking.itau.com.br transfarq.itau.com.br

acl IP_alamis src 172.16.4.109

##########################################################################
## ##
## CONFIGURANDO OS GRUPOS DO AD ##
## ##
##########################################################################



acl grupo_antivirus external nt_group antivirus
acl grupo_livre0 external nt_group livre0

acl grupo_operacoes external nt_group operacoes
acl operacoes_bloqueado urlpath_regex "/etc/squid/regras/operacoes_bloqueado.txt"

acl grupo_diretoria external nt_group diretoria
acl diretoria_bloqueado urlpath_regex "/etc/squid/regras/diretoria_bloqueado.txt"

acl grupo_financeiro external nt_group financeiro
acl financeiro_bloqueado urlpath_regex "/etc/squid/regras/financeiro_bloqueado.txt"

acl grupo_manutencao external nt_group manutencao
acl manutencao_bloqueado urlpath_regex "/etc/squid/regras/manutencao_bloqueado.txt"

acl grupo_pessoal external nt_group pessoal
acl pessoal_bloqueado urlpath_regex "/etc/squid/regras/pessoal_bloqueado.txt"

acl grupo_rh external nt_group rh
acl rh_bloqueado urlpath_regex "/etc/squid/regras/rh_bloqueado.txt"

acl grupo_juridico external nt_group juridico
acl juridico_bloqueado urlpath_regex "/etc/squid/regras/juridico_bloqueado.txt"

acl grupo_sesmt external nt_group sesmt
acl sesmt_bloqueado urlpath_regex "/etc/squid/regras/sesmt_bloqueado.txt"

acl grupo_suprimentos external nt_group suprimentos
acl suprimentos_bloqueado urlpath_regex "/etc/squid/regras/suprimentos_bloqueado.txt"

acl grupo_tecnicos external nt_group tecnicos
acl tecnicos_bloqueado urlpath_regex "/etc/squid/regras/tecnicos_bloqueado.txt"

acl grupo_qualidade external nt_group qualidade
acl qualidade_bloqueado urlpath_regex "/etc/squid/regras/qualidade_bloqueado.txt"

acl grupo_coordenadores external nt_group coordenadores
acl coordenadores_bloqueado urlpath_regex "/etc/squid/regras/coordenadores_bloqueado.txt"

acl grupo_gps external nt_group gps
acl gps_bloqueado urlpath_regex "/etc/squid/regras/gps_bloqueado.txt"

acl grupo_monitoramento external nt_group monitoramento
acl monitoramento_bloqueado urlpath_regex "/etc/squid/regras/monitoramento_bloqueado.txt"

acl grupo_cco external nt_group cco
acl cco_bloqueado urlpath_regex "/etc/squid/regras/cco_bloqueado.txt"

acl grupo_tic external nt_group tic
acl tic_bloqueado urlpath_regex "/etc/squid/regras/tic_bloqueado.txt"


##########################################################################
## ##
## ACESSO A INTERNET ##
## ##
##########################################################################


http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny blacklist


http_access allow dominios_liberados
http_access allow sites_liberados
http_access allow grupo_antivirus
http_access allow grupo_livre0
http_access allow IP_alamis


##########################################################################
## ##
## LIBERANDO ACESSO AO GRUPOS ##
## ##
##########################################################################


http_access allow grupo_tic !tic_bloqueado !blacklist
http_access allow grupo_diretoria !diretoria_bloqueado !blacklist
http_access allow grupo_financeiro !financeiro_bloqueado !blacklist !download_bloqueado
http_access allow grupo_manutencao !manutencao_bloqueado !blacklist !download_bloqueado
http_access allow grupo_operacoes !operacoes_bloqueado !blacklist !download_bloqueado
http_access allow grupo_pessoal !pessoal_bloqueado !blacklist !download_bloqueado
http_access allow grupo_rh !rh_bloqueado !blacklist !download_bloqueado
http_access allow grupo_juridico !juridico_bloqueado !blacklist !download_bloqueado
http_access allow grupo_sesmt !sesmt_bloqueado !blacklist !download_bloqueado
http_access allow grupo_suprimentos !suprimentos_bloqueado !blacklist !download_bloqueado
http_access allow grupo_tecnicos !tecnicos_bloqueado !blacklist !download_bloqueado
http_access allow grupo_qualidade !qualidade_bloqueado !blacklist !download_bloqueado
http_access allow grupo_coordenadores !coordenadores_bloqueado !blacklist !download_bloqueado
http_access allow grupo_gps !gps_bloqueado !blacklist !download_bloqueado
http_access allow grupo_monitoramento !monitoramento_bloqueado !blacklist !download_bloqueado
http_access allow grupo_cco !cco_bloqueado !blacklist !download_bloqueado

http_access deny all



# TAG: http_reply_access
# Allow replies to client requests. This is complementary to http_access.
#
# http_reply_access allow|deny [!] aclname ...
#
# NOTE: if there are no access lines present, the default is to allow
# all replies
#
# If none of the access lines cause a match the opposite of the
# last line will apply. Thus it is good practice to end the rules
# with an "allow all" or "deny all" entry.
#
#Default:
# none

# TAG: icp_access
# Allowing or Denying access to the ICP port based on defined
# access lists
#
# icp_access allow|deny [!]aclname ...
#
# See http_access for details
#
#Default:
# icp_access deny all
#
#Allow ICP queries from local networks only
icp_access allow localnet
icp_access deny all

# TAG: htcp_access
# Allowing or Denying access to the HTCP port based on defined
# access lists
#
# htcp_access allow|deny [!]aclname ...
#
# See http_access for details
#
# NOTE: The default if no htcp_access lines are present is to
# deny all traffic. This default may cause problems with peers
# using the htcp or htcp-oldsquid options.
#
#Default:
# htcp_access deny all
#
#Allow HTCP queries from local networks only
htcp_access allow localnet
htcp_access deny all

# TAG: htcp_clr_access
# Allowing or Denying access to purge content using HTCP based
# on defined access lists
#
# htcp_clr_access allow|deny [!]aclname ...
#
# See http_access for details
#
##Allow HTCP CLR requests from trusted peers
#acl htcp_clr_peer src 172.16.1.2
#htcp_clr_access allow htcp_clr_peer
#
#Default:
# htcp_clr_access deny all

# TAG: miss_access
# Use to force your neighbors to use you as a sibling instead of
# a parent. For example:
#
# acl localclients src 172.16.0.0/16
# miss_access allow localclients
# miss_access deny !localclients
#
# This means only your local clients are allowed to fetch
# MISSES and all other clients can only fetch HITS.
#
# By default, allow all clients who passed the http_access rules
# to fetch MISSES from us.
#
#Default setting:
# miss_access allow all

# TAG: ident_lookup_access
# A list of ACL elements which, if matched, cause an ident
# (RFC 931) lookup to be performed for this request. For
# example, you might choose to always perform ident lookups
# for your main multi-user Unix boxes, but not for your Macs
# and PCs. By default, ident lookups are not performed for
# any requests.
#
# To enable ident lookups for specific client addresses, you
# can follow this example:
#
# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
# ident_lookup_access allow ident_aware_hosts
# ident_lookup_access deny all
#
# Only src type ACL checks are fully supported. A src_domain
# ACL might work at times, but it will not always provide
# the correct result.
#
#Default:
# ident_lookup_access deny all

# TAG: reply_body_max_size size [acl acl...]
# This option specifies the maximum size of a reply body. It can be
# used to prevent users from downloading very large files, such as
# MP3's and movies. When the reply headers are received, the
# reply_body_max_size lines are processed, and the first line where
# all (if any) listed ACLs are true is used as the maximum body size
# for this reply.
#
# This size is checked twice. First when we get the reply headers,
# we check the content-length value. If the content length value exists
# and is larger than the allowed size, the request is denied and the
# user receives an error message that says "the request or reply
# is too large." If there is no content-length, and the reply
# size exceeds this limit, the client's connection is just closed
# and they will receive a partial reply.
#
# WARNING: downstream caches probably can not detect a partial reply
# if there is no content-length header, so they will cache
# partial responses and give them out as hits. You should NOT
# use this option if you have downstream caches.
#
# WARNING: A maximum size smaller than the size of squid's error messages
# will cause an infinite loop and crash squid. Ensure that the smallest
# non-zero value you use is greater that the maximum header size plus
# the size of your largest error page.
#
# If you set this parameter none (the default), there will be
# no limit imposed.
#
# Configuration Format is:
# reply_body_max_size SIZE UNITS [acl ...]
# ie.
# reply_body_max_size 10 MB
#
#
#Default:
# none


# NETWORK OPTIONS
# -----------------------------------------------------------------------------

# TAG: http_port
# Usage: port [options]
# hostname:port [options]
# 1.2.3.4:port [options]
#
# The socket addresses where Squid will listen for HTTP client
# requests. You may specify multiple socket addresses.
# There are three forms: port alone, hostname with port, and
# IP address with port. If you specify a hostname or IP
# address, Squid binds the socket to that specific
# address. This replaces the old 'tcp_incoming_address'
# option. Most likely, you do not need to bind to a specific
# address, so you can use the port number alone.
#
# If you are running Squid in accelerator mode, you
# probably want to listen on port 80 also, or instead.
#
# The -a command line option may be used to specify additional
# port(s) where Squid listens for proxy request. Such ports will
# be plain proxy ports with no options.
#
# You may specify multiple socket addresses on multiple lines.
#
# Options:
#
# transparent Support for transparent interception of
# outgoing requests without browser settings.
# NP: disables authentication on the port.
#
# tproxy Support Linux TPROXY for spoofing outgoing
# connections using the client IP address.
# NP: disables authentication on the port.
#
# accel Accelerator mode. Also needs at least one of
# vhost / vport / defaultsite.
#
# defaultsite=domainname
# What to use for the Host: header if it is not present
# in a request. Determines what site (not origin server)
# accelerators should consider the default.
# Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Implies accel.
#
# vport Accelerator with IP based virtual host support.
# Implies accel.
#
# vport=NN As above, but uses specified port number rather
# than the http_port number. Implies accel.
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to http.
#
# disable-pmtu-discovery=
# Control Path-MTU discovery usage:
# off lets OS decide on what to do (default).
# transparent disable PMTU discovery when transparent
# support is enabled.
# always disable always PMTU discovery.
#
# In many setups of transparently intercepting proxies
# Path-MTU discovery can not work on traffic towards the
# clients. This is the case when the intercepting device
# does not fully track connections and fails to forward
# ICMP must fragment messages to the cache server. If you
# have such setup and experience that certain clients
# sporadically hang or never complete requests set
# disable-pmtu-discovery option to 'transparent'.
#
# name= Specifies a internal name for the port. Defaults to
# the port specification (port or addr:port)
#
# If you run Squid on a dual-homed machine with an internal
# and an external interface we recommend you to specify the
# internal address:port in http_port. This way Squid will only be
# visible on the internal address.
#
# Squid normally listens to port 3128
http_port 172.16.4.128:3128

# TAG: https_port
# Usage: [ip:]port cert=certificate.pem [key=key.pem] [options...]
#
# The socket address where Squid will listen for HTTPS client
# requests.
#
# This is really only useful for situations where you are running
# squid in accelerator mode and you want to do the SSL work at the
# accelerator level.
#
# You may specify multiple socket addresses on multiple lines,
# each with their own SSL certificate and/or options.
#
# Options:
#
# accel Accelerator mode. Also needs at least one of
# defaultsite or vhost.
#
# defaultsite= The name of the https site presented on
# this port. Implies accel.
#
# vhost Accelerator mode using Host header for virtual
# domain support. Requires a wildcard certificate
# or other certificate valid for more than one domain.
# Implies accel.
#
# protocol= Protocol to reconstruct accelerated requests with.
# Defaults to https.
#
# cert= Path to SSL certificate (PEM format).
#
# key= Path to SSL private key file (PEM format)
# if not specified, the certificate file is
# assumed to be a combined certificate and
# key file.
#
# version= The version of SSL/TLS supported
# 1 automatic (default)
# 2 SSLv2 only
# 3 SSLv3 only
# 4 TLSv1 only
#
# cipher= Colon separated list of supported ciphers.
#
# options= Various SSL engine options. The most important
# being:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# SINGLE_DH_USE Always create a new key when using
# temporary/ephemeral DH key exchanges
# See src/ssl_support.c or OpenSSL SSL_CTX_set_options
# documentation for a complete list of options.
#
# clientca= File containing the list of CAs to use when
# requesting a client certificate.
#
# cafile= File containing additional CA certificates to
# use when verifying client certificates. If unset
# clientca will be used.
#
# capath= Directory containing additional CA certificates
# and CRL lists to use when verifying client certificates.
#
# crlfile= File of additional CRL lists to use when verifying
# the client certificate, in addition to CRLs stored in
# the capath. Implies VERIFY_CRL flag below.
#
# dhparams= File containing DH parameters for temporary/ephemeral
# DH key exchanges.
#
# sslflags= Various flags modifying the use of SSL:
# DELAYED_AUTH
# Don't request client certificates
# immediately, but wait until acl processing
# requires a certificate (not yet implemented).
# NO_DEFAULT_CA
# Don't use the default CA lists built in
# to OpenSSL.
# NO_SESSION_REUSE
# Don't allow for session reuse. Each connection
# will result in a new SSL session.
# VERIFY_CRL
# Verify CRL lists when accepting client
# certificates.
# VERIFY_CRL_ALL
# Verify CRL lists for all certificates in the
# client certificate chain.
#
# sslcontext= SSL session ID context identifier.
#
# vport Accelerator with IP based virtual host support.
#
# vport=NN As above, but uses specified port number rather
# than the https_port number. Implies accel.
#
# name= Specifies a internal name for the port. Defaults to
# the port specification (port or addr:port)
#
#
#Default:
# none

# TAG: tcp_outgoing_tos
# Allows you to select a TOS/Diffserv value to mark outgoing
# connections with, based on the username or source address
# making the request.
#
# tcp_outgoing_tos ds-field [!]aclname ...
#
# Example where normal_service_net uses the TOS value 0x00
# and normal_service_net uses 0x20
#
# acl normal_service_net src 10.0.0.0/255.255.255.0
# acl good_service_net src 10.0.1.0/255.255.255.0
# tcp_outgoing_tos 0x00 normal_service_net
# tcp_outgoing_tos 0x20 good_service_net
#
# TOS/DSCP values really only have local significance - so you should
# know what you're specifying. For more information, see RFC2474 and
# RFC3260.
#
# The TOS/DSCP byte must be exactly that - a octet value 0 - 255, or
# "default" to use whatever default your host has. Note that in
# practice often only values 0 - 63 is usable as the two highest bits
# have been redefined for use by ECN (RFC3168).
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persisten_connections
# to off when using this directive in such configurations.
#
#Default:
# none

# TAG: clientside_tos
# Allows you to select a TOS/Diffserv value to mark client-side
# connections with, based on the username or source address
# making the request.
#
#Default:
# none

# TAG: tcp_outgoing_address
# Allows you to map requests to different outgoing IP addresses
# based on the username or source address of the user making
# the request.
#
# tcp_outgoing_address ipaddr [[!]aclname] ...
#
# Example where requests from 10.0.0.0/24 will be forwarded
# with source address 10.1.0.1, 10.0.2.0/24 forwarded with
# source address 10.1.0.2 and the rest will be forwarded with
# source address 10.1.0.3.
#
# acl normal_service_net src 10.0.0.0/24
# acl good_service_net src 10.0.2.0/24
# tcp_outgoing_address 10.1.0.1 normal_service_net
# tcp_outgoing_address 10.1.0.2 good_service_net
# tcp_outgoing_address 10.1.0.3
#
# Processing proceeds in the order specified, and stops at first fully
# matching line.
#
# Note: The use of this directive using client dependent ACLs is
# incompatible with the use of server side persistent connections. To
# ensure correct results it is best to set server_persistent_connections
# to off when using this directive in such configurations.
#
#Default:
# none


# SSL OPTIONS
# -----------------------------------------------------------------------------

# TAG: ssl_unclean_shutdown
# Some browsers (especially MSIE) bugs out on SSL shutdown
# messages.
#
#Default:
# ssl_unclean_shutdown off

# TAG: ssl_engine
# The OpenSSL engine to use. You will need to set this if you
# would like to use hardware SSL acceleration for example.
#
#Default:
# none

# TAG: sslproxy_client_certificate
# Client SSL Certificate to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_client_key
# Client SSL Key to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_version
# SSL version level to use when proxying https:// URLs
#
#Default:
# sslproxy_version 1

# TAG: sslproxy_options
# SSL engine options to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cipher
# SSL cipher list to use when proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_cafile
# file containing CA certificates to use when verifying server
# certificates while proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_capath
# directory containing CA certificates to use when verifying
# server certificates while proxying https:// URLs
#
#Default:
# none

# TAG: sslproxy_flags
# Various flags modifying the use of SSL while proxying https:// URLs:
# DONT_VERIFY_PEER Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA Don't use the default CA list built in
# to OpenSSL.
#
#Default:
# none

# TAG: sslpassword_program
# Specify a program used for entering SSL key passphrases
# when using encrypted SSL certificate keys. If not specified
# keys must either be unencrypted, or Squid started with the -N
# option to allow it to query interactively for the passphrase.
#
#Default:
# none


# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM
# -----------------------------------------------------------------------------

# TAG: cache_peer
# To specify other caches in a hierarchy, use the format:
#
# cache_peer hostname type http-port icp-port [options]
#
# For example,
#
# # proxy icp
# # hostname type port port options
# # -------------------- -------- ----- ----- -----------
# cache_peer parent.foo.net parent 3128 3130 proxy-only default
# cache_peer sib1.foo.net sibling 3128 3130 proxy-only
# cache_peer sib2.foo.net sibling 3128 3130 proxy-only
#
# type: either 'parent', 'sibling', or 'multicast'.
#
# proxy-port: The port number where the cache listens for proxy
# requests.
#
# icp-port: Used for querying neighbor caches about
# objects. To have a non-ICP neighbor
# specify '7' for the ICP port and make sure the
# neighbor machine has the UDP echo port
# enabled in its /etc/inetd.conf file.
# NOTE: Also requires icp_port option enabled to send/receive
# requests via this method.
#
# options: proxy-only
# weight=n
# basetime=n
# ttl=n
# no-query
# background-ping
# default
# round-robin
# weighted-round-robin
# carp
# userhash
# sourcehash
# multicast-responder
# closest-only
# no-digest
# no-netdb-exchange
# no-delay
# login=user:password | PASS | *:password
# connect-timeout=nn
# digest-url=url
# allow-miss
# max-conn=n
# htcp
# htcp-oldsquid
# originserver
# name=xxx
# forceddomain=name
# ssl
# sslcert=/path/to/ssl/certificate
# sslkey=/path/to/ssl/key
# sslversion=1|2|3|4
# sslcipher=...
# ssloptions=...
# front-end-https[=on|auto]
#
# use 'proxy-only' to specify objects fetched
# from this cache should not be saved locally.
#
# use 'weight=n' to affect the selection of a peer
# during any weighted peer-selection mechanisms.
# The weight must be an integer; default is 1,
# larger weights are favored more.
# This option does not affect parent selection if a peering
# protocol is not in use.
#
# use 'basetime=n' to specify a base amount to
# be subtracted from round trip times of parents.
# It is subtracted before division by weight in calculating
# which parent to fectch from. If the rtt is less than the
# base time the rtt is set to a minimal value.
#
# use 'ttl=n' to specify a IP multicast TTL to use
# when sending an ICP queries to this address.
# Only useful when sending to a multicast group.
# Because we don't accept ICP replies from random
# hosts, you must configure other group members as
# peers with the 'multicast-responder' option below.
#
# use 'no-query' to NOT send ICP queries to this
# neighbor.
#
# use 'background-ping' to only send ICP queries to this
# neighbor infrequently. This is used to keep the neighbor
# round trip time updated and is usually used in
# conjunction with weighted-round-robin.
#
# use 'default' if this is a parent cache which can
# be used as a "last-resort" if a peer cannot be located
# by any of the peer-selection mechanisms.
# If specified more than once, only the first is used.
#
# use 'round-robin' to define a set of parents which
# should be used in a round-robin fashion in the
# absence of any ICP queries.
#
# use 'weighted-round-robin' to define a set of parents
# which should be used in a round-robin fashion with the
# frequency of each parent being based on the round trip
# time. Closer parents are used more often.
# Usually used for background-ping parents.
#
# use 'carp' to define a set of parents which should
# be used as a CARP array. The requests will be
# distributed among the parents based on the CARP load
# balancing hash function based on their weight.
#
# use 'userhash' to load-balance amongst a set of parents
# based on the client proxy_auth or ident username.
#
# use 'sourcehash' to load-balance amongst a set of parents
# based on the client source ip.
#
# 'multicast-responder' indicates the named peer
# is a member of a multicast group. ICP queries will
# not be sent directly to the peer, but ICP replies
# will be accepted from it.
#
# 'closest-only' indicates that, for ICP_OP_MISS
# replies, we'll only forward CLOSEST_PARENT_MISSes
# and never FIRST_PARENT_MISSes.
#
# use 'no-digest' to NOT request cache digests from
# this neighbor.
#
# 'no-netdb-exchange' disables requesting ICMP
# RTT database (NetDB) from the neighbor.
#
# use 'no-delay' to prevent access to this neighbor
# from influencing the delay pools.
#
# use 'login=user:password' if this is a personal/workgroup
# proxy and your parent requires proxy authentication.
# Note: The string can include URL escapes (i.e. %20 for
# spaces). This also means % must be written as %%.
#
# use 'login=PASS' if users must authenticate against
# the upstream proxy or in the case of a reverse proxy
# configuration, the origin web server. This will pass
# the users credentials as they are to the peer.
# This only works for the Basic HTTP authentication scheme.
# Note: To combine this with proxy_auth both proxies must
# share the same user database as HTTP only allows for
# a single login (one for proxy, one for origin server).
# Also be warned this will expose your users proxy
# password to the peer. USE WITH CAUTION
#
# use 'login=*:password' to pass the username to the
# upstream cache, but with a fixed password. This is meant
# to be used when the peer is in another administrative
# domain, but it is still needed to identify each user.
# The star can optionally be followed by some extra
# information which is added to the username. This can
# be used to identify this proxy to the peer, similar to
# the login=username:password option above.
#
# use 'connect-timeout=nn' to specify a peer
# specific connect timeout (also see the
# peer_connect_timeout directive)
#
# use 'digest-url=url' to tell Squid to fetch the cache
# digest (if digests are enabled) for this host from
# the specified URL rather than the Squid default
# location.
#
# use 'allow-miss' to disable Squid's use of only-if-cached
# when forwarding requests to siblings. This is primarily
# useful when icp_hit_stale is used by the sibling. To
# extensive use of this option may result in forwarding
# loops, and you should avoid having two-way peerings
# with this option. (for example to deny peer usage on
# requests from peer by denying cache_peer_access if the
# source is a peer)
#
# use 'max-conn=n' to limit the amount of connections Squid
# may open to this peer.
#
# use 'htcp' to send HTCP, instead of ICP, queries
# to the neighbor. You probably also want to
# set the "icp port" to 4827 instead of 3130.
# You MUST also set htcp_access expicitly. The default of
# deny all will prevent peer traffic.
#
# use 'htcp-oldsquid' to send HTCP to old Squid versions
# You MUST also set htcp_access expicitly. The default of
# deny all will prevent peer traffic.
#
# 'originserver' causes this parent peer to be contacted as
# a origin server. Meant to be used in accelerator setups.
#
# use 'name=xxx' if you have multiple peers on the same
# host but different ports. This name can be used to
# differentiate the peers in cache_peer_access and similar
# directives.
#
# use 'forceddomain=name' to forcibly set the Host header
# of requests forwarded to this peer. Useful in accelerator
# setups where the server (peer) expects a certain domain
# name and using redirectors to feed this domain name
# is not feasible.
#
# use 'ssl' to indicate connections to this peer should
# be SSL/TLS encrypted.
#
# use 'sslcert=/path/to/ssl/certificate' to specify a client
# SSL certificate to use when connecting to this peer.
#
# use 'sslkey=/path/to/ssl/key' to specify the private SSL
# key corresponding to sslcert above. If 'sslkey' is not
# specified 'sslcert' is assumed to reference a
# combined file containing both the certificate and the key.
#
# use sslversion=1|2|3|4 to specify the SSL version to use
# when connecting to this peer
# 1 = automatic (default)
# 2 = SSL v2 only
# 3 = SSL v3 only
# 4 = TLS v1 only
#
# use sslcipher=... to specify the list of valid SSL ciphers
# to use when connecting to this peer.
#
# use ssloptions=... to specify various SSL engine options:
# NO_SSLv2 Disallow the use of SSLv2
# NO_SSLv3 Disallow the use of SSLv3
# NO_TLSv1 Disallow the use of TLSv1
# See src/ssl_support.c or the OpenSSL documentation for
# a more complete list.
#
# use sslcafile=... to specify a file containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcapath=... to specify a directory containing
# additional CA certificates to use when verifying the
# peer certificate.
#
# use sslcrlfile=... to specify a certificate revocation
# list file to use when verifying the peer certificate.
#
# use sslflags=... to specify various flags modifying the
# SSL implementation:
# DONT_VERIFY_PEER
# Accept certificates even if they fail to
# verify.
# NO_DEFAULT_CA
# Don't use the default CA list built in
# to OpenSSL.
# DONT_VERIFY_DOMAIN
# Don't verify the peer certificate
# matches the server name
#
# use ssldomain= to specify the peer name as advertised
# in it's certificate. Used for verifying the correctness
# of the received peer certificate. If not specified the
# peer hostname will be used.
#
# use front-end-https to enable the "Front-End-Https: On"
# header needed when using Squid as a SSL frontend in front
# of Microsoft OWA. See MS KB document Q307347 for details
# on this header. If set to auto the header will
# only be added if the request is forwarded as a https://
# URL.
#
#Default:
# none

# TAG: cache_peer_domain
# Use to limit the domains for which a neighbor cache will be
# queried. Usage:
#
# cache_peer_domain cache-host domain [domain ...]
# cache_peer_domain cache-host !domain
#
# For example, specifying
#
# cache_peer_domain parent.foo.net .edu
#
# has the effect such that UDP query packets are sent to
# 'bigserver' only when the requested object exists on a
# server in the .edu domain. Prefixing the domainname
# with '!' means the cache will be queried for objects
# NOT in that domain.
#
# NOTE: * Any number of domains may be given for a cache-host,
# either on the same or separate lines.
# * When multiple domains are given for a particular
# cache-host, the first matched domain is applied.
# * Cache hosts with no domain restrictions are queried
# for all requests.
# * There are no defaults.
# * There is also a 'cache_peer_access' tag in the ACL
# section.
#
#Default:
# none

# TAG: cache_peer_access
# Similar to 'cache_peer_domain' but provides more flexibility by
# using ACL elements.
#
# cache_peer_access cache-host allow|deny [!]aclname ...
#
# The syntax is identical to 'http_access' and the other lists of
# ACL elements. See the comments for 'http_access' below, or
# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
#
#Default:
# none

# TAG: neighbor_type_domain
# usage: neighbor_type_domain neighbor parent|sibling domain domain ...
#
# Modifying the neighbor type for specific domains is now
# possible. You can treat some domains differently than the the
# default neighbor type specified on the 'cache_peer' line.
# Normally it should only be necessary to list domains which
# should be treated differently because the default neighbor type
# applies for hostnames which do not match domains listed here.
#
#EXAMPLE:
# cache_peer cache.foo.org parent 3128 3130
# neighbor_type_domain cache.foo.org sibling .com .net
# neighbor_type_domain cache.foo.org sibling .au .de
#
#Default:
# none

# TAG: dead_peer_timeout (seconds)
# This controls how long Squid waits to declare a peer cache
# as "dead." If there are no ICP replies received in this
# amount of time, Squid will declare the peer dead and not
# expect to receive any further ICP replies. However, it
# continues to send ICP queries, and will mark the peer as
# alive upon receipt of the first subsequent ICP reply.
#
# This timeout also affects when Squid expects to receive ICP
# replies from peers. If more than 'dead_peer' seconds have
# passed since the last ICP reply was received, Squid will not
# expect to receive an ICP reply on the next query. Thus, if
# your time between requests is greater than this timeout, you
# will see a lot of requests sent DIRECT to origin servers
# instead of to your parents.
#
#Default:
# dead_peer_timeout 10 seconds

# TAG: hierarchy_stoplist
# A list of words which, if found in a URL, cause the object to
# be handled directly by this cache. In other words, use this
# to not query neighbor caches for certain objects. You may
# list this option multiple times.
# Note: never_direct overrides this option.
#We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?


# MEMORY CACHE OPTIONS
# -----------------------------------------------------------------------------

# TAG: cache_mem (bytes)
# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS SIZE.
# IT ONLY PLACES A LIMIT ON HOW MUCH ADDITIONAL MEMORY SQUID WILL
# USE AS A MEMORY CACHE OF OBJECTS. SQUID USES MEMORY FOR OTHER
# THINGS AS WELL. SEE THE SQUID FAQ SECTION 8 FOR DETAILS.
#
# 'cache_mem' specifies the ideal amount of memory to be used
# for:
# * In-Transit objects
# * Hot Objects
# * Negative-Cached objects
#
# Data for these objects are stored in 4 KB blocks. This
# parameter specifies the ideal upper limit on the total size of
# 4 KB blocks allocated. In-Transit objects take the highest
# priority.
#
# In-transit objects have priority over the others. When
# additional space is needed for incoming data, negative-cached
# and hot objects will be released. In other words, the
# negative-cached and hot objects will fill up any unused space
# not needed for in-transit objects.
#
# If circumstances require, this limit will be exceeded.
# Specifically, if your incoming request rate requires more than
# 'cache_mem' of memory to hold in-transit objects, Squid will
# exceed this limit to satisfy the new requests. When the load
# decreases, blocks will be freed until the high-water mark is
# reached. Thereafter, blocks will be used to store hot
# objects.
#
#Default:
# cache_mem 8 MB

# TAG: maximum_object_size_in_memory (bytes)
# Objects greater than this size will not be attempted to kept in
# the memory cache. This should be set high enough to keep objects
# accessed frequently in memory to improve performance whilst low
# enough to keep larger objects from hoarding cache_mem.
#
#Default:
# maximum_object_size_in_memory 8 KB

# TAG: memory_replacement_policy
# The memory replacement policy parameter determines which
# objects are purged from memory when memory space is needed.
#
# See cache_replacement_policy for details.
#
#Default:
# memory_replacement_policy lru


# DISK CACHE OPTIONS
# -----------------------------------------------------------------------------

# TAG: cache_replacement_policy
# The cache replacement policy parameter determines which
# objects are evicted (replaced) when disk space is needed.
#
# lru : Squid's original list based LRU policy
# heap GDSF : Greedy-Dual Size Frequency
# heap LFUDA: Least Frequently Used with Dynamic Aging
# heap LRU : LRU policy implemented using a heap
#
# Applies to any cache_dir lines listed below this.
#
# The LRU policies keeps recently referenced objects.
#
# The heap GDSF policy optimizes object hit rate by keeping smaller
# popular objects in cache so it has a better chance of getting a
# hit. It achieves a lower byte hit rate than LFUDA though since
# it evicts larger (possibly popular) objects.
#
# The heap LFUDA policy keeps popular objects in cache regardless of
# their size and thus optimizes byte hit rate at the expense of
# hit rate since one large, popular object will prevent many
# smaller, slightly less popular objects from being cached.
#
# Both policies utilize a dynamic aging mechanism that prevents
# cache pollution that can otherwise occur with frequency-based
# replacement policies.
#
# NOTE: if using the LFUDA replacement policy you should increase
# the value of maximum_object_size above its default of 4096 KB to
# to maximize the potential byte hit rate improvement of LFUDA.
#
# For more information about the GDSF and LFUDA cache replacement
# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
#
#Default:
# cache_replacement_policy lru

# TAG: cache_dir
# Usage:
#
# cache_dir Type Directory-Name Fs-specific-data [options]
#
# You can specify multiple cache_dir lines to spread the
# cache among different disk partitions.
#
# Type specifies the kind of storage system to use. Only "ufs"
# is built by default. To enable any of the other storage systems
# see the --enable-storeio configure option.
#
# 'Directory' is a top-level directory where cache swap
# files will be stored. If you want to use an entire disk
# for caching, this can be the mount-point directory.
# The directory must exist and be writable by the Squid
# process. Squid will NOT cr


7. Linhas duplicadas

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 07/02/2012 - 17:56h

Bom em primeiro lugar tem linhas duplicadas referentes a autenticação:
2 - Esta autenticando no AD correto qual a versão do seu server com AD 2003 ou 2008 ?

3 - Para autenticar no AD o samba e winbind devem estar instalados e devidamente configurados esta tudo OK?

4 - Remova os comentarios para facilitar sua vida

ex:
# Remove comentarios de arquivos de configuração
egrep -v "^#|^$" /etc/squid3/squid.conf > /etc/squid3/squid.conf.desc

Se não usar squid3 troque o caminho para squid
egrep -v "^#|^$" /etc/squid/squid.conf > /etc/squid/squid.conf.desc


Depois

cp /etc/squid/squid.conf /etc/squid/squid.conf.bak

mv /etc/squid/squid.conf.desc /etc/squid/squid.conf


Ai poste de novo seu squid.conf ta muito ruim de analizar assim

Não esqueça de falar sobre as perguntas citadas acima



8. Lá vai!

Pedro Oliveira
bonner

(usa CentOS)

Enviado em 07/02/2012 - 18:17h

Após remover os comentários, me foi retornado estas linhas apenas.
O servidor AD é o Windows server 2008 R2
O AD a empresa terceirizada o deixou devidamente configurado, com autenticação e tudo devidamente sincronizado.
Todos os usuários cadastrados no AD estão sincronizados com o proxy, 2 servidores de banco de dados firebird e 3 samba.
Tudo redondo, tudo funciona, mas o que dificulta pra mim é os updates no próprio servidor AD para poder liberar posteriormente via WSUS apenas o que quero para as estações! O pior de tudo é que temos o Kaspersky AV 6.0 Workstations com console de administração no Windows server 2008 R2 e o danado não atualiza, todas as estações com kaspersky pedem usuário e senha do próxy o tempo todo para atualizar e nenhum usuário válido funciona!
Agora internet e outras ferramentas funcionam pefeitamente!

Estou enrolado, peguei uma bomba para debulhar!


squid.conf:auth_param ntlm program /usr/bin/ntlm_auth CIDADEALTA/SR-CDA2 --helper-protocol=squid-2.5-ntlmssp
squid.conf:auth_param ntlm children 50
squid.conf:auth_param basic program /usr/bin/ntlm_auth CIDADEALTA/SR-CDA2 --helper-protocol=squid-2.5-basic
squid.conf:auth_param basic children 25
squid.conf:auth_param basic realm Digite LOGIN/SENHA
squid.conf:auth_param basic credentialsttl 2 hours
squid.conf:acl password proxy_auth REQUIRED
squid.conf:acl manager proto cache_object
squid.conf:acl localhost src 127.0.0.1/32
squid.conf:acl to_localhost dst 127.0.0.0/8
squid.conf:acl purge method PURGE
squid.conf:acl localnet src 172.16.4.0/24 # RFC1918 possible internal network
squid.conf:acl SSL_ports port 443
squid.conf:acl Safe_ports port 80 # http
squid.conf:acl Safe_ports port 21 # ftp
squid.conf:acl Safe_ports port 443 # https
squid.conf:acl Safe_ports port 70 # gopher
squid.conf:acl Safe_ports port 210 # wais
squid.conf:acl Safe_ports port 1025-65535 # unregistered ports
squid.conf:acl Safe_ports port 280 # http-mgmt
squid.conf:acl Safe_ports port 488 # gss-http
squid.conf:acl Safe_ports port 591 # filemaker
squid.conf:acl Safe_ports port 777 # multiling http
squid.conf:acl CONNECT method CONNECT
squid.conf:external_acl_type nt_group children=25 %LOGIN /usr/lib64/squid/wbinfo_group.pl -d
squid.conf:acl blacklist urlpath_regex -i "/etc/squid/regras/blacklist.txt"
squid.conf:acl download_bloqueado urlpath_regex "/etc/squid/regras/download_bloqueado.txt"
squid.conf:acl sites_liberados urlpath_regex "/etc/squid/regras/sites_liberados.txt"
squid.conf:acl dominios_liberados dstdomain .hapvida.com.br bankline.itau.com.br .itau.com.br banklineplus.itau.com.br ww57.itau.com.br clickbanking.itau.com.br transfarq.itau.com.br
squid.conf:acl IP_alamis src 172.16.4.109
squid.conf:acl grupo_antivirus external nt_group antivirus
squid.conf:acl grupo_livre0 external nt_group livre0
squid.conf:acl grupo_operacoes external nt_group operacoes
squid.conf:acl operacoes_bloqueado urlpath_regex "/etc/squid/regras/operacoes_bloqueado.txt"
squid.conf:acl grupo_diretoria external nt_group diretoria
squid.conf:acl diretoria_bloqueado urlpath_regex "/etc/squid/regras/diretoria_bloqueado.txt"
squid.conf:acl grupo_financeiro external nt_group financeiro
squid.conf:acl financeiro_bloqueado urlpath_regex "/etc/squid/regras/financeiro_bloqueado.txt"
squid.conf:acl grupo_manutencao external nt_group manutencao
squid.conf:acl manutencao_bloqueado urlpath_regex "/etc/squid/regras/manutencao_bloqueado.txt"
squid.conf:acl grupo_pessoal external nt_group pessoal
squid.conf:acl pessoal_bloqueado urlpath_regex "/etc/squid/regras/pessoal_bloqueado.txt"
squid.conf:acl grupo_rh external nt_group rh
squid.conf:acl rh_bloqueado urlpath_regex "/etc/squid/regras/rh_bloqueado.txt"
squid.conf:acl grupo_juridico external nt_group juridico
squid.conf:acl juridico_bloqueado urlpath_regex "/etc/squid/regras/juridico_bloqueado.txt"
squid.conf:acl grupo_sesmt external nt_group sesmt
squid.conf:acl sesmt_bloqueado urlpath_regex "/etc/squid/regras/sesmt_bloqueado.txt"
squid.conf:acl grupo_suprimentos external nt_group suprimentos
squid.conf:acl suprimentos_bloqueado urlpath_regex "/etc/squid/regras/suprimentos_bloqueado.txt"
squid.conf:acl grupo_tecnicos external nt_group tecnicos
squid.conf:acl tecnicos_bloqueado urlpath_regex "/etc/squid/regras/tecnicos_bloqueado.txt"
squid.conf:acl grupo_qualidade external nt_group qualidade
squid.conf:acl qualidade_bloqueado urlpath_regex "/etc/squid/regras/qualidade_bloqueado.txt"
squid.conf:acl grupo_coordenadores external nt_group coordenadores
squid.conf:acl coordenadores_bloqueado urlpath_regex "/etc/squid/regras/coordenadores_bloqueado.txt"
squid.conf:acl grupo_gps external nt_group gps
squid.conf:acl gps_bloqueado urlpath_regex "/etc/squid/regras/gps_bloqueado.txt"
squid.conf:acl grupo_monitoramento external nt_group monitoramento
squid.conf:acl monitoramento_bloqueado urlpath_regex "/etc/squid/regras/monitoramento_bloqueado.txt"
squid.conf:acl grupo_cco external nt_group cco
squid.conf:acl cco_bloqueado urlpath_regex "/etc/squid/regras/cco_bloqueado.txt"
squid.conf:acl grupo_tic external nt_group tic
squid.conf:acl tic_bloqueado urlpath_regex "/etc/squid/regras/tic_bloqueado.txt"
squid.conf:http_access allow manager localhost
squid.conf:http_access deny manager
squid.conf:http_access deny !Safe_ports
squid.conf:http_access deny CONNECT !SSL_ports
squid.conf:http_access deny blacklist
squid.conf:http_access allow dominios_liberados
squid.conf:http_access allow sites_liberados
squid.conf:http_access allow grupo_antivirus
squid.conf:http_access allow grupo_livre0
squid.conf:http_access allow IP_alamis
squid.conf:http_access allow grupo_tic !tic_bloqueado !blacklist
squid.conf:http_access allow grupo_diretoria !diretoria_bloqueado !blacklist
squid.conf:http_access allow grupo_financeiro !financeiro_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_manutencao !manutencao_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_operacoes !operacoes_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_pessoal !pessoal_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_rh !rh_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_juridico !juridico_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_sesmt !sesmt_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_suprimentos !suprimentos_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_tecnicos !tecnicos_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_qualidade !qualidade_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_coordenadores !coordenadores_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_gps !gps_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_monitoramento !monitoramento_bloqueado !blacklist !download_bloqueado
squid.conf:http_access allow grupo_cco !cco_bloqueado !blacklist !download_bloqueado
squid.conf:http_access deny all
squid.conf:icp_access allow localnet
squid.conf:icp_access deny all
squid.conf:htcp_access allow localnet
squid.conf:htcp_access deny all
squid.conf:http_port 172.16.4.128:3128
squid.conf:hierarchy_stoplist cgi-bin ?
squid.conf:cache_dir diskd /var/spool/squid 5120 16 256
squid.conf:access_log /var/log/squid/access.log squid
squid.conf:debug_options ALL,2
squid.conf:refresh_pattern ^ftp: 1440 20% 10080
squid.conf:refresh_pattern ^gopher: 1440 0% 1440
squid.conf:refresh_pattern (cgi-bin|\?) 0 0% 0
squid.conf:refresh_pattern . 0 20% 4320
squid.conf:icp_port 3130
squid.conf:coredump_dir /var/spool/squid



9. Inicio

André Canhadas
andrecanhadas

(usa Debian)

Enviado em 07/02/2012 - 18:44h

Estranho essas linhas iniciando por squid.conf:

Vamos la:
Cria o arquivo /etc/squid/regras/win_update.txt
dentro dele coloca os dominios do windows update que estão nas regras do Iptables (Um por linha)
Ex:
download.microsoft.com
update.microsoft.com

Cria a regra no seu squid.conf

squid.conf:acl win_update urlpath_regex "/etc/squid/regras/win_update.txt"

e libera ela: abaixo de:squid.conf:http_access allow dominios_liberados

squid.conf:http_access allow win_update






Patrocínio

Site hospedado pelo provedor RedeHost.
Linux banner

Destaques

Artigos

Dicas

Tópicos

Top 10 do mês

Scripts