Proxy problems with a URL

Hi everyone!!!.

I have a problem with a URL and the Squid Proxy. With the Proxy enabled both transparently and non-transparently, when I try to access this URL or page, the Squid Proxy window appears.

The URL is: http://www.foke.es/NovedadesNomina/2021%20Bases%20Septiembre.pdf

But if I try to access www.foke.es, it also happens.

I have fixed it by modifying the file: /etc/sysconfig/firewall.local, but I guess it’s not normal. How can it be solved?

Greetings.

Hi,

this is caused by the detection of selectively announced networks:

Dec 16 17:24:23 squid-asnbl-helper[4166] WARN: Destination 'www.foke.es' resolves to IP addresses 'fe80::ccde:4cff:fea2:57ae' without corresponding ASN, probably selectively announced
Dec 16 17:24:23 squid-asnbl-helper[4166] INFO: Denying access to destination 'www.foke.es' due to suspected selective announcements

For some reason, the folks at www.foke.es decided to put an IPv6 address into the DNS pointing to a non-routable IPv6 range - similar to 127.0.0.0/8 for IPv4. This triggers the anomaly detection.

$ dig +short aaaa www.foke.es
fe80::ccde:4cff:fea2:57ae

Similar to this thread, you can either…

In addition, it might be a good thing to get in touch with the IT staff at www.foke.es, so they can fix or remove the faulty IPv6 address record - this is especially bad for people not having IPv4 connectivity anymore (and we all strive for that, don’t we :wink: ), since they cannot access this site at all.

Thanks, and best regards,
Peter Müller

5 Likes

Guau!!!. Great explanation. Thank you very much for explaining it so well.

Thanks a lot.

Regards.

1 Like

Peter @pmueller,

Out of curiosity I tried the ‘www.foke.es’ URL. And my IPFire box also showed up!

:scream:

Is this expected? Or should I panic?!?

Dec 16 14:19:00 squid-asnbl-helper[26233] WARN: Destination 'www.foke.es' resolves to IP addresses 'fe80::ccde:4cff:fea2:57ae' without corresponding ASN, probably selectively announced
Dec 16 14:19:00 squid-asnbl-helper[26233] INFO: Denying access to destination 'www.foke.es' due to suspected selective announcements
Dec 16 14:19:00 squid-asnbl-helper[26233] WARN: Destination 'ipfire.localdomain' resolves to IP addresses '192.168.60.1' without corresponding ASN, probably selectively announced
Dec 16 14:19:00 squid-asnbl-helper[26233] INFO: Denying access to destination 'ipfire.localdomain' due to suspected selective announcements

Hi Jon,

should we ever publish an IPFire handbook in a paperback version, “don’t panic” would be a great cover indeed - similar to The Hitchhikers Guide To The Galaxy. :slight_smile:

So, no, there is no need to panic, and this expected: The anomaly detection for selectively announced network basically triggers on any destination libloc does not find an Autonomous System to in the database currently present on the IPFire machine in question.

This includes IP space being not globally routable, such as RFC 1918 (192.168.0.0/16 et al.) - the idea behind this is people operating legitimate websites do host them on IP space that is globally announced. “Internal” sites, such as ipfire.localdomain, are some sort of collateral damage here. Sorry for causing confusion.

By the way: The ASNBL helper script, which performs both the Fast Flux detection and the detection for selectively announced networks, can be called interactively like this:

[root@maverick ~]# su -s /bin/bash squid
bash-5.1$ /usr/bin/asnbl-helper.py /var/ipfire/proxy/asnbl-helper.conf
Dec 16 22:18:49 squid-asnbl-helper[5101] WARN: No ASNBL configured. This is acceptable as long as this script is configured to do anything, you just have been warned...
Dec 16 22:18:49 squid-asnbl-helper[5101] INFO: ASN database operational - excellent. Waiting for input...

Changing to another user is necessary, since it won’t run as root for security reasons. Afterwards, you can query any FQDN or IP address, and it will result OK in case of a hit, and ERR if the destination is fine:

ipfire.org
ERR
www.foke.es
Dec 16 22:19:11 squid-asnbl-helper[5101] WARN: Destination 'www.foke.es' resolves to IP addresses 'fe80::ccde:4cff:fea2:57ae' without corresponding ASN, probably selectively announced
Dec 16 22:19:11 squid-asnbl-helper[5101] INFO: Denying access to destination 'www.foke.es' due to suspected selective announcements
OK
rcacademy[.]at
Dec 16 22:19:14 squid-asnbl-helper[5101] WARN: Destination 'rcacademy[.]at' exceeds ASN diversity threshold (9 > 5), possibly Fast Flux: [3786, 6400, 8151, 8452, 9318, 12252, 13124, 35819, 38932]
Dec 16 22:19:14 squid-asnbl-helper[5101] INFO: Denying access to possible Fast Flux destination 'rcacademy[.]at'
OK

ipfire.org is begin, the next one is the FQDN Roberto had issues with, while rcacademy[.]at (brackets inserted for preventing accidental access) is a real-world example of a malware domain being hosted on a Fast Flux network. See also its VirusTotal result.

Perhaps this makes things more transparent. As always, feel free to play around with /usr/bin/asnbl-helper.py, and drop me a line in case of any questions or quirks. :slight_smile:

Thanks, and best regards,
Peter Müller

3 Likes

Thank you for the info! I was having a terrible time getting started with the Wiki. (I will probably need LOTS of help with the Wiki ← hint, hint)

Is this where asnbl-helper.py is from?

Time to play!



EDIT: Obvious cover art for the “Don’t Panic” book:

panic setting in again!
:scream:

I’ve been getting these error messages:



And I found many different local IP addresses and local hostnames in the cache.log.

All of the INFO/WARN messages are local to local devices. And all of them seem to be blocking my local to local web access.

I enabled the URL Filter and added a two lines 192.168.60.0/24 and 192.168.65.0/24. But that didn’t work.

So now I am adding one IP address (or hostname) at a time.

Is there an easy way to add a range of IP addresses?

Hi Jon,

yes, this bypass is not implemented for IP address due to technical constraints. Please refer to this post for a possible workaround.

Thanks, and best regards,
Peter Müller

I have been using the proxy for a short time.

I have noticed that from devices that need to use the proxy (iOS, AppleTV) there are problems when I want to access my Logitech Media Server (LMS) when “Anomaly Detection” is enabled. The LMS itself is running in a jail on TrueNAS CORE and is not yet configured for proxy. LMS is a Music Server.

Deny access to destinations hosted on selectively announced networks: => When I disable this, everything seems to work on the iOS device (App and Browser). On the AppleTV there are still problems (App). This gets a little better when I also disable “Deny access to destinations hosted on fast flux setups” (but still not as without proxy).

Devices (eg. PiCorePlayer) that don’t use or don’t need to use the proxy seem to run normally

Hi,

could you please post the log messages emitted by the anomaly detection?

There is very little legitimate reason for using a Fast Flux setup. I’d be truly surprised to learn Apple products rely on it…

Thanks, and best regards,
Peter Müller

I have just played around again briefly:

Jan 04 23:42:22 squid-asnbl-helper[6278] WARN: Destination ‘192.168.1.26’ resolves to IP addresses ‘192.168.1.26’ without corresponding ASN, probably selectively announced

Jan 04 23:42:22 squid-asnbl-helper[6278] INFO: Denying access to destination ‘192.168.1.26’ due to suspected selective announcements

I think that was access from Safari (iPhone) to the LMS.
The message in the log does not reappear (although I get the same message from IPFire in the browser and I get access to the LMS).

Jan 04 23:44:15 squid-asnbl-helper[6278] INFO: Unable to resolve A/AAAA record of queried destination ‘gate.hockeyapp.net’, returning ERR…

I think that was access with the app iPeng (iPhone) to the LMS.

With the app SlimLibrary (iPhone) there was a hint in the app its

After that I think I disabled the following:
Deny access to destinations hosted on selectively announced networks:

Jan 04 23:53:39 squid-asnbl-helper[8389] WARN: No ASNBL configured. This is acceptable as long as this script is configured to do anything, you just have been warned…

Jan 04 23:53:39 squid-asnbl-helper[8389] INFO: ASN database operational - excellent. Waiting for input…

Jan 04 23:53:39 squid-asnbl-helper[8391] WARN: No ASNBL configured. This is acceptable as long as this script is configured to do anything, you just have been warned…

Jan 04 23:53:39 squid-asnbl-helper[8391] INFO: ASN database operational - excellent. Waiting for input…

Jan 04 23:54:42 squid-asnbl-helper[8389] WARN: Destination ‘192.168.1.26’ resolves to IP addresses ‘192.168.1.26’ without corresponding ASN, probably selectively announced

Jan 04 23:55:23 squid-asnbl-helper[8389] INFO: Unable to resolve A/AAAA record of queried destination ‘gate.hockeyapp.net’, returning ERR…

Jan 04 23:58:15 squid-asnbl-helper[8389] INFO: Unable to resolve A/AAAA record of queried destination ‘settings.crashlytics.com’, returning ERR…

Jan 04 23:58:16 squid-asnbl-helper[8389] INFO: Unable to resolve A/AAAA record of queried destination ‘reports.crashlytics.com’, returning ERR…

This should have been SlimLibrary (AppleTV).

Do you have an idea?
I can post more if you need it.