Messages - echo_123

#1
Hi everyone,

the same issue here:
2020-09-28T21:43:16   suricata[80031]   [100112] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue.  Fatal Error.  Exiting.  Please file a bug report on this
2020-09-28T21:35:15   suricata[42527]   [100265] <Notice> -- This is Suricata version 5.0.3 RELEASE running in SYSTEM mode
2020-09-28T19:45:03   suricata[39423]   [100184] <Critical> -- [ERRCODE: SC_ERR_AHO_CORASICK(174)] - Just ran out of space in the queue.  Fatal Error.  Exiting.  Please file a bug report on this


Any hints that could lead to the solution or workaround? Thank you!
#2
Resolved the issue by applying a configuration backup taken from before the upgrade. Restore config for ALL system. Squid is up and running. Cannot tell what caused the issue. Thank you.
#3
Squid unreachable, daemon ports in CLOSED state, suid errors on cache.log

hey everyone,

I am unable to use Squid (apparently after the upgrade to OPNsense 20.7). I only use the Squid proxy as a simple caching proxy for some development systems; two days ago I noticed it was not working.

I also have explicit firewall rules to allow all clients on network 10.1.0.0/24 to access the proxy ports (3128/tcp and 2121/tcp) on OPNsense. ACLs are also present on squid configuration to allow 10.1.0.0/24 to access the proxy.

Upon checking its service status on the OPNsense console, I see something new to me that I have never seen before: both the HTTP port 3128 and the FTP proxy port 2121 have their state listed as 'CLOSED'.

On OPNsense GUI the squid service can be started and stopped normally.

----
[root@OPNsense ~]# netstat -la4n -ptcp
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.1.0.1.443           10.1.0.149.59862       ESTABLISHED
tcp4       0      0 10.1.0.1.2121          *.*                    CLOSED
tcp4       0      0 10.1.0.1.3128          *.*                    CLOSED

----

Restarting the daemon works (apparently fine, config is ok)

Manually setting the 'debug_options ALL,3' directly in the file '/usr/local/etc/squid/squid.conf' also produces debug output that hints on problems with suid (setuid ?):

----
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted

----

Are there maybe any kind of rights problems, with the user squid not being allowed to setuid or maybe being unable to access a necessary folder/path as squid?

The squid.conf is attached.

Many thanks for any pointers on how to solve this!

Regards
J.

--

Additional Info:

fstat produces the following output

----

[root@OPNsense ~]# fstat|grep squid
squid    unlinkd    90178 text /        5062157 -r-xr-xr-x  106376  r
squid    unlinkd    90178   wd /        3934321 drwxr-x---    1024  r
squid    unlinkd    90178 root /             2 drwxr-xr-x     512  r
squid    unlinkd    90178    0* pipe fffff80003bf7be0 <-> fffff80003bf7d48      0 rw
squid    unlinkd    90178    1* pipe fffff80003bf7460 <-> fffff80003bf72f8      0 rw
squid    unlinkd    90178    2 /dev         43 crw-rw-rw-    null rw
squid    squid      32115 text /        4976135 -r-xr-xr-x  7576448  r
squid    squid      32115   wd /        3934321 drwxr-x---    1024  r
squid    squid      32115 root /             2 drwxr-xr-x     512  r
squid    squid      32115    0 /dev         43 crw-rw-rw-    null rw
squid    squid      32115    1 /dev         43 crw-rw-rw-    null rw
squid    squid      32115    2 /dev         43 crw-rw-rw-    null rw
squid    squid      32115    3 /        3772252 -rw-r--r--  2458600 rw
squid    squid      32115    4 /dev         43 crw-rw-rw-    null rw
squid    squid      32115    5* internet6 dgram udp fffff800a5301b70
squid    squid      32115    6
squid    squid      32115    7 /        3772252 -rw-r--r--  2458600 rw
squid    squid      32115    8* internet dgram udp fffff800a53015b8
squid    squid      32115    9 -        3772219 -rw-r--r--       0  w
squid    squid      32115   10* pipe fffff80003bf72f8 <-> fffff80003bf7460      0 rw
squid    squid      32115   11* pipe fffff80003bf7460 <-> fffff80003bf72f8      0 rw
squid    squid      32115   12* pipe fffff80003bf7be0 <-> fffff80003bf7d48      0 rw
squid    squid      32115   13* pipe fffff80003bf7d48 <-> fffff80003bf7be0      0 rw
squid    squid      32115   14 -        3772275 -rw-r--r--       0  w
squid    squid      32115   15 -        3934065 -rwxr-x---      72  w
squid    squid      32115   16* internet stream tcp fffff800a874e000
squid    squid      32115   17* internet stream tcp fffff800139df7a0
squid    squid      32115   18* internet6 dgram udp fffff80013924d58
squid    squid      32115   19* internet6 dgram udp fffff80013922b70
squid    squid       3466 text /        4976135 -r-xr-xr-x  7576448  r
squid    squid       3466   wd /        3772526 drwxrwx---     512  r
squid    squid       3466 root /             2 drwxr-xr-x     512  r
squid    squid       3466    0 /dev         43 crw-rw-rw-    null rw
squid    squid       3466    1 /dev         43 crw-rw-rw-    null rw
squid    squid       3466    2 /dev         43 crw-rw-rw-    null rw
squid    squid       3466    3 /        3772252 -rw-r--r--  2458600 rw
squid    squid       3466    4 /dev         43 crw-rw-rw-    null rw
squid    squid       3466    5 /var/run/squid/cf__metadata.shm -rw-------       8 rw
squid    squid       3466    6 /var/run/squid/cf__queues.shm -rw-------    8216 rw
squid    squid       3466    7 /var/run/squid/cf__readers.shm -rw-------      36 rw

----

sockstat produces the following output


----
[root@OPNsense ~]# sockstat -l4
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
squid    squid      32115 5  udp46  *:50331               *:*
squid    squid      32115 8  udp4   *:52387               *:*
squid    squid      32115 16 tcp4   10.1.0.1:3128         *:*
squid    squid      32115 17 tcp4   10.1.0.1:2121         *:*
[..]
----


a section of cache.log

----
2020/08/11 14:20:52.610 kid1| 16,3| cache_manager.cc(66) registerProfile: registered profile: events
2020/08/11 14:20:52.610 kid1| 80,2| wccp.cc(113) wccpConnectionOpen: WCCPv1 disabled.
2020/08/11 14:20:52.610 kid1| 80,2| wccp2.cc(961) wccp2ConnectionOpen: WCCPv2 Disabled. No IPv4 Router(s) configured.
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a998678a0 [call4]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:3128
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:3128 remote=[::] FD 16 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 16 HTTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:3128 remote=[::] FD 16 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:3128 remote=[::] FD 16 flags=9, err=0, HTTP Socket port=0x4a99867900) [call4]
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(26) AsyncCall: The AsyncCall clientListenerConnectionOpened constructed, this=0x4a99867940 [call6]
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 10.1.0.1:2121
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:2121 remote=[::] FD 17 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 17 FTP Socket
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 32115 called
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:2121 remote=[::] FD 17 flags=9
2020/08/11 14:20:52.610 kid1| 33,2| AsyncCall.cc(93) ScheduleCall: StartListening.cc(59) will call clientListenerConnectionOpened(local=10.1.0.1:2121 remote=[::] FD 17 flags=9, err=0, FTP Socket port=0x4a998679a0) [call6]
2020/08/11 14:20:52.610 kid1| HTCP Disabled.
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 18 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 18 Pinger Socket
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: [::1]
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=[::1] remote=[::] FD 19 flags=1 : family=28, type=2, protocol=0
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 19 Pinger Socket
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(204) ipcCreate: ipcCreate: prfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(205) ipcCreate: ipcCreate: pwfd FD 19
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(206) ipcCreate: ipcCreate: crfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(207) ipcCreate: ipcCreate: cwfd FD 18
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(221) ipcCreate: ipcCreate: FD 19 sockaddr [::1]:60912
2020/08/11 14:20:52.610 kid1| 54,3| ipc.cc(238) ipcCreate: ipcCreate: FD 18 sockaddr [::1]:40241
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(859) _comm_close: comm_close: start closing FD 18
2020/08/11 14:20:52.613 kid1| 5,3| comm.cc(546) commUnsetFdTimeout: Remove timeout for FD 18
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(506) leave_suid: leave_suid: PID 93164 called
2020/08/11 14:20:52.613 kid1| 21,3| tools.cc(606) no_suid: no_suid: PID 93164 giving up root privileges forever
2020/08/11 14:20:52.613 kid1| sendto FD 18: (13) Permission denied
2020/08/11 14:20:52.613 kid1| ipcCreate: CHILD: hello write test failed

----
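An added example (not part of the original post, and not Squid or OPNsense code): a small Python parser run over an excerpt of the cache.log lines quoted above. It pairs each `enter_suid` failure with the socket opened right after it and collects errno messages from lines that carry no section,level tag. The name `summarize` and the result field names are illustrative assumptions.

```python
import re

# Excerpt of the cache.log lines quoted in the post above (shortened, no new data).
SAMPLE = """\
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(577) enter_suid: enter_suid: PID 32115 taking root privileges
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:3128 remote=[::] FD 16 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 16 HTTP Socket
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:3128 remote=[::] FD 16 flags=9
2020/08/11 14:20:52.610 kid1| 21,3| tools.cc(581) enter_suid: enter_suid: setresuid failed: (1) Operation not permitted
2020/08/11 14:20:52.610 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=10.1.0.1:2121 remote=[::] FD 17 flags=1 : family=2, type=1, protocol=6
2020/08/11 14:20:52.610 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 17 FTP Socket
2020/08/11 14:20:52.610 kid1| 54,3| StartListening.cc(58) StartListening: opened listen local=10.1.0.1:2121 remote=[::] FD 17 flags=9
2020/08/11 14:20:52.613 kid1| sendto FD 18: (13) Permission denied
2020/08/11 14:20:52.613 kid1| ipcCreate: CHILD: hello write test failed
"""

# "date time kidN| [section,level| file(line) func: ]message"
LINE = re.compile(r"^\S+ \S+ kid\d+\| (?:(\d+),(\d+)\| \S+ (\w+): )?(.*)$")
OPENED = re.compile(r"Opened socket local=(\S+) .* FD (\d+) ")
LABEL = re.compile(r"fd_open\(\) FD (\d+) (.+)$")
LISTEN = re.compile(r"opened listen local=(\S+) .* FD (\d+) ")
ERRNO = re.compile(r"\((\d+)\) (.+)$")

def summarize(text):
    """Return (sockets keyed by FD, errno messages from untagged lines)."""
    socks, errors, suid_failed = {}, [], False
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        func, msg = m.group(3), m.group(4)
        if func == "enter_suid":
            suid_failed = suid_failed or "setresuid failed" in msg
        elif (o := OPENED.search(msg)):
            socks[int(o.group(2))] = {"local": o.group(1), "label": None,
                                      "listening": False, "suid_failed_before": suid_failed}
            suid_failed = False  # the failure is attributed to this socket only
        elif (l := LABEL.search(msg)):
            socks.get(int(l.group(1)), {})["label"] = l.group(2)
        elif (s := LISTEN.search(msg)):
            socks.get(int(s.group(2)), {})["listening"] = True
        elif func is None and (e := ERRNO.search(msg)):
            errors.append((int(e.group(1)), e.group(2), msg))
    return socks, errors
```

On this excerpt both listeners come back with `listening: True` although `setresuid` failed before each open, and the only errno collected is the `(13) Permission denied` on `sendto FD 18`.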

#4
Hi Wallachia,

apparently you have to create a firewall rule to allow the LAN clients to access the Squid proxy on default port 3128.

Action: Pass
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Source: LAN net
Destination: This Firewall
Dest Port Range: 3128 - 3128
Category/Description: HTTP Proxy Access

That's how I made it work. Cheers