Problems with Squid3-dev, Dansguardian, Snort



  • Hi there,

    I have been running pfSense for years now. To get a really fresh system, I want to rebuild it completely.
    So I am running a "temp" pfSense in a VM, just to do all the proper settings etc., before moving the config to the live system.

    On the new system I installed squid3-dev and Dansguardian with a NAT redirect for port 80.
    Dansguardian then redirects to Squid.
    Everything works well until I install Snort and activate the Snort interface WAN.
    I set it up with the same rules and settings as on the actual running live system, where, btw., no Dansguardian is installed.
    But when I then try to open a web site on port 80, I get the following error message in the browser (i.e.: www.computerwoche.de):

    Der folgende Fehler wurde beim Versuch die URL http://www.computerwoche.de/ zu holen festgestellt:

    Verbindung zu 2a01:138:a028:0:62:146:83:75 Fehlgeschlagen.

    Das System antwortete: (65) No route to host

    Der Zielhost oder das Zielnetzwerk ist momentan nicht verfügbar. Bitte wiederholen sie die Anfrage.

    Ihr Cache Administrator ist

    Basically it looks like an IP6 appears there???
    I disabled IP6 on the pfSense and now wonder what is happening there.

    HTTPS sites still work fine, as they are not redirected through Dansguardian.
    For testing, I forced one browser to use Squid directly as HTTPS proxy, and that also works fine.

    So I wonder if there is anybody out there who has an idea about this issue???

    When I disable the Snort interface, everything works well.
    It looks to me like the combination of Snort and Dansguardian are not loving each other…

    A push into the right direction would be really appreciated :)

    Thanks

    Holger



  • @HSeffers:

    Did you have Snort in blocking mode? If so, did you check the ALERTS and BLOCKED tabs in Snort to see if it had blocked traffic? Without some initial startup tuning, Snort can be very aggressive in blocking some web sites that send out quasi-malformed HTTP traffic. Most of the time these are just false positives, but they result in a block anyway. There is a thread here in the Packages sub-forum you can search for that includes a suggested SUPPRESS LIST setup for Snort that avoids the most common false positive events.

    Here is a link: https://forum.pfsense.org/index.php?topic=56267.msg300473#msg300473

    Bill
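
    The alert review Bill describes, as an added example that is not part of the thread or of the Snort package: it groups alerts by generator and signature ID and proposes suppress-list lines only for http_inspect events seen across several unrelated remote servers. The "fast" alert text format, the sample log, HOME_NET and the `min_hosts` threshold are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed protected network
HTTP_INSPECT_GIDS = {119, 120}                   # http_inspect generator IDs
# Constructed sample alerts in Snort "fast" format (documentation addresses).
SAMPLE_ALERTS = """\
03/14-10:02:11.120394  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.10:80 -> 192.0.2.5:51322
03/14-10:02:14.551020  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.0.2.5:51330
03/14-10:03:40.000812  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.44:80 -> 192.0.2.5:51402
03/14-10:05:02.310077  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.0.2.5:51410 -> 198.51.100.7:80
03/14-10:06:19.874511  [**] [1:1000001:1] CONSTRUCTED local rule for this example [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.99:80 -> 192.0.2.5:51500
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def remote_host(src, dst):
    """Return the endpoint address (port stripped) that lies outside HOME_NET."""
    for endpoint in (src, dst):
        addr = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
        if addr not in HOME_NET:
            return str(addr)
    return None

def summarize(text):
    """Group alerts by (gid, sid) with a count and the set of remote hosts."""
    groups = defaultdict(lambda: {"msg": "", "count": 0, "hosts": set()})
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        g = groups[(int(m["gid"]), int(m["sid"]))]
        g["msg"] = m["msg"]
        g["count"] += 1
        host = remote_host(m["src"], m["dst"])
        if host:
            g["hosts"].add(host)
    return dict(groups)

def suppress_candidates(groups, min_hosts=3):
    """Suppress lines for http_inspect alerts seen on >= min_hosts remote hosts."""
    return [f"suppress gen_id {gid}, sig_id {sid}"
            for (gid, sid), g in sorted(groups.items())
            if gid in HTTP_INSPECT_GIDS and len(g["hosts"]) >= min_hosts]

if __name__ == "__main__":
    print("\n".join(suppress_candidates(summarize(SAMPLE_ALERTS))))
```

    Alerts from text rules, or preprocessor alerts tied to a single remote host, are left out of the output so they are reviewed individually instead of being suppressed in bulk.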