squidGuard guide

I have used squidGuard for years, but only a basic set-up based on cut-and-paste from their examples. The reason for this is that that is all there is… Examples! squidGuard appears to be impossible to find proper documentation for, as even their own website doesn’t explain how it works. Google doesn’t seem to know either…

It is actually very simple, so a quick description of the logic follows.

Within a block, say the default block, you must have a pass statement, and if you want to block anything, you must have a redirect statement as well. If you want to rewrite a URL, you need a rewrite statement. You can have redirect, rewrite, or both in your ACL block, but as said, without a redirect you can’t block anything.

A block within an ACL looks like this:

default {
        pass     !violence !hacking any
        rewrite  facebook
        redirect http://www.site.net/bad.html
}

When the source hits a block, let’s assume default, it will first look for the pass statement. It will read from left to right and make a decision based on the first match and exit the pass statement after that. If the first match was none or a destination preceded by ‘!’, squidGuard will then return the redirect within the block. (If there is no redirect, squidGuard will do nothing and exit).

A destination is defined as:

dest violence {
        domainlist violence/domains
        log        violence
        urllist    violence/urls
}

and will match any URL in the file urls and any domain in the file domains. This directory structure and its files can be found under the directory specified with the dbhome directive, usually at the beginning of the configuration file. The log file lists any attempts to reach blocked sites.

If the match was either ‘any’, ‘all’, or a destination not preceded by ‘!’, squidGuard will execute any rewrite rules in the block on the URL, and exit returning the rewritten URL. If there are no rewrite rules in the block, it will do nothing and exit. Both cases mean allowing access to the requested URL.

If no destination in the pass statement matches, squidGuard will do nothing and exit, thus allowing squid to fetch the requested page.

So, the line:

pass none good !hacking any

will always block, as it executes the redirect as soon as it hits none. The line:

pass good any !hacking none

will always pass, as it exits when hitting any, if not before.

The line:

pass local none

will pass anything listed in the local destination and block everything else, as any other URL falls through to none.
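
The evaluation order described above, as a small Python model added here as an example (it is not squidGuard code and not from the original post). The destination names and the redirect URL come from the post; the host names, the evaluate function and exact-host matching are assumptions made for illustration.

```python
# Model of the pass-statement logic as the post describes it; not squidGuard source.
from urllib.parse import urlsplit

# Constructed sample destinations. Real ones are built from the domainlist and
# urllist files under dbhome; exact host matching is a simplification.
DESTS = {
    "good": {"www.example.org"},
    "hacking": {"exploits.example.net"},
    "violence": {"gore.example.com"},
    "local": {"intranet.example.lan"},
}

def evaluate(pass_line, url, redirect=None, rewrite=None, dests=DESTS):
    """Return (action, resulting_url, deciding_token) for one ACL block."""
    host = urlsplit(url).hostname or ""
    for token in pass_line.split():          # read left to right
        name = token.lstrip("!")
        if name == "none":
            matched, allow = True, False
        elif name in ("any", "all"):
            matched, allow = True, True
        else:
            matched = host in dests.get(name, set())
            allow = not token.startswith("!")
        if not matched:
            continue                         # try the next token
        if allow:                            # first match decides: allowed
            return ("pass", rewrite(url) if rewrite else url, token)
        if redirect:                         # first match decides: blocked
            return ("redirect", redirect, token)
        return ("pass", url, token)          # no redirect: nothing can be blocked
    return ("pass", url, None)               # nothing matched: squid fetches the page

if __name__ == "__main__":
    bad = "http://www.site.net/bad.html"     # redirect target from the post
    for line in ("!violence !hacking any", "none good !hacking any",
                 "good any !hacking none", "local none"):
        for url in ("http://www.example.org/", "http://exploits.example.net/tool"):
            print(f"pass {line:24} {url:34} -> {evaluate(line, url, redirect=bad)[::2]}")
```

Running candidate pass lines through a model like this before deploying them shows which token decides for a given URL, which is where ordering mistakes such as a leading none or an early any show up.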

I think that was the main bit to get out, the magic within source blocks is what’s not documented. The rest is fairly straightforward. Good luck.


xpinfo and dyntrk – FSCSI_ERR10

I had noticed lots of FSCSI_ERR10 ‘Configuration mismatch’ messages with identifier 1FB4FD21. The errpt entry had the PID as 12D0E4 hex in the sense data:

SENSE DATA
0000 0000 0000 00D3 0000 0016 0200 0000 0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 00C8 0800 0000 0000
0000 0000 0300 0000 0000 0003 0000 0000 0012 D0E4 0000 0000 00C8 2500 03FD 0000

Which translated to 1233124 decimal. I set up an ODM errnotify entry to dump the process table when the driver error occurred:

server--> odmget -q "en_name = mousetrap" errnotify

errnotify:
        en_pid = 0
        en_name = "mousetrap"
        en_persistenceflg = 0
        en_label = "FSCSI_ERR10"
        en_crcid = 0
        en_class = ""
        en_type = ""
        en_alertflg = ""
        en_resource = ""
        en_rtype = ""
        en_rclass = ""
        en_symptom = ""
        en_err64 = ""
        en_dup = ""
        en_method = "/usr/bin/ps -efk >> /tmp/ps.out"

Wasn’t long before more errors showed up. The process turned out to be xpinfo, an HP-supplied command to list LUNs on an HP XParray storage system.

The misconfiguration was because the command used a legacy ioctl call that left the N-PORT ID blank, which isn’t supported when Dynamic Tracking (dyntrk) is enabled. The version of xpinfo was the latest:

AIX XPinfo, v 21.00.00 2010-02-21

I later realised this problem didn’t occur on another system with the same version of AIX. I need to check if RMLIB is installed correctly on both systems.

P.S. Have now checked RMLIB and it was version 5.1 on the problem system and 5.8 on the working system.