Squid not right with "/etc/rc.d/init.d/firewall restart"

I am seeing something that doesn’t quite make sense to me
(hey! lots of things fall into that category!) :grinning:

When I run /etc/rc.d/init.d/firewall restart, I see that a few lines are missing from iptables:

-A SQUID -d 73.36.250.0/32 -i green0 -p tcp -m tcp --dport 80 -j RETURN
-A SQUID -i green0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A SQUID -d 73.36.250.0/32 -i blue0 -p tcp -m tcp --dport 80 -j RETURN
-A SQUID -i blue0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

If I restart squid then all is OK. (I cannot do a reboot now since there are other people working.)

This is on: IPFire 2.27 (x86_64) - Core Update 168

Is this right? Or is it time for bugzilla?!?


EDIT: Earlier today I always did a WebGUI Web Proxy Save & Restart. But I tried a command line squid restart and saw this warning:

[root@ipfire ~] # /etc/rc.d/init.d/squid restart
Stopping Squid Proxy Server (this may take up to a few minutes)....                      [  OK  ]
Creating Squid swap directories...                                                       [  OK  ]
Starting Squid Proxy Server...
2022/06/24 16:37:43| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.  [  OK  ]
[root@ipfire ~] # 

I am guessing this is OK since I don’t use IPv6.

Hello Jon,

thanks for your post.

Yes, I can truly share the sentiment. In Germany, there is a bank which once used “der wie für mich gemachte Kredit” (the loan that has been made just for me) as an advertising slogan. At some point, I adopted that to “der wie für mich gemachte Seiteneffekt” (the side-effect that has been made just for me), since I sometimes seem to constantly bump into one edge case after another. Oh well - that keeps things interesting, I guess. :slight_smile:

This is intentional, as the firewall initscript is always executed before the Squid initscript on boot:

[root@maverick ~]# ls -lah /etc/rc.d/rcsysinit.d/
total 8.0K
drwxr-xr-x 2 root root 4.0K Jun  6  2020 .
drwxr-xr-x 8 root root 4.0K Jun 23 22:51 ..
lrwxrwxrwx 1 root root   21 Aug 10  2019 S00mountkernfs -> ../init.d/mountkernfs
lrwxrwxrwx 1 root root   16 Aug 10  2019 S01sysctl -> ../init.d/sysctl
lrwxrwxrwx 1 root root   17 Aug 10  2019 S05modules -> ../init.d/modules
lrwxrwxrwx 1 root root   17 Feb  4  2020 S09lvmetad -> ../init.d/lvmetad
lrwxrwxrwx 1 root root   14 Aug 10  2019 S10udev -> ../init.d/udev
lrwxrwxrwx 1 root root   20 Aug 10  2019 S19waitdrives -> ../init.d/waitdrives
lrwxrwxrwx 1 root root   20 Aug 10  2019 S25partresize -> ../init.d/partresize
lrwxrwxrwx 1 root root   17 Aug 10  2019 S30checkfs -> ../init.d/checkfs
lrwxrwxrwx 1 root root   17 Aug 10  2019 S40mountfs -> ../init.d/mountfs
lrwxrwxrwx 1 root root   14 Aug 10  2019 S41swap -> ../init.d/swap
lrwxrwxrwx 1 root root   18 Aug 10  2019 S42fsresize -> ../init.d/fsresize
lrwxrwxrwx 1 root root   20 Aug 10  2019 S43mounttmpfs -> ../init.d/mounttmpfs
lrwxrwxrwx 1 root root   13 Aug 10  2019 S44smt -> ../init.d/smt
lrwxrwxrwx 1 root root   20 Aug 10  2019 S45udev_retry -> ../init.d/udev_retry
lrwxrwxrwx 1 root root   17 Aug 10  2019 S50cleanfs -> ../init.d/cleanfs
lrwxrwxrwx 1 root root   18 Aug 10  2019 S60setclock -> ../init.d/setclock
lrwxrwxrwx 1 root root   14 Aug 10  2019 S65rngd -> ../init.d/rngd
lrwxrwxrwx 1 root root   16 Aug 10  2019 S66random -> ../init.d/random
lrwxrwxrwx 1 root root   17 Aug 10  2019 S70console -> ../init.d/console
lrwxrwxrwx 1 root root   17 Aug 10  2019 S71pakfire -> ../init.d/pakfire
lrwxrwxrwx 1 root root   20 Aug 10  2019 S74cloud-init -> ../init.d/cloud-init
lrwxrwxrwx 1 root root   20 Aug 10  2019 S75firstsetup -> ../init.d/firstsetup
lrwxrwxrwx 1 root root   18 Aug 10  2019 S80localnet -> ../init.d/localnet
lrwxrwxrwx 1 root root   18 Aug 10  2019 S85firewall -> ../init.d/firewall

These are all the initscripts that are executed unconditionally on boot, in the order of their S[digits] prefix. The firewall one will run as the last one.

Squid’s initscript is called while bringing the RED interface up, in the very same manner as /etc/rc.d/rcsysinit.d/:

[root@maverick ~]# ls -lah /etc/rc.d/init.d/networking/red.up/
total 64K
drwxr-xr-x 2 root root 4.0K Apr  8 17:28 .
drwxr-xr-x 4 root root 4.0K Jun  6 02:46 ..
-rwxr-xr-- 1 root root  727 Aug 10  2019 01-conntrack-cleanup
-rwxr-xr-- 1 root root  189 Aug 10  2019 10-multicast
-rwxr-xr-- 1 root root   83 Aug 10  2019 10-static-routes
-rwxr-xr-- 1 root root   47 Aug 10  2019 20-firewall
-rwxr-xr-- 1 root root 1.1K Dec 14  2019 23-suricata
lrwxrwxrwx 1 root root   36 Aug 10  2019 24-RS-qos -> ../../../../../usr/local/bin/qosctrl
-rwxr-xr-- 1 root root   80 Feb  4  2020 25-update-dns-forwarders
lrwxrwxrwx 1 root root   11 Aug 10  2019 27-RS-squid -> ../../squid
-rwxr-xr-- 1 root root   43 Aug 10  2019 30-ddns
-rwxr-xr-- 1 root root   72 Oct 31  2021 35-guardian
-rwxr-xr-- 1 root root   45 Aug 10  2019 50-ipsec
-rwxr-xr-- 1 root root  118 Aug 10  2019 50-ovpn
-rwxr-xr-- 1 root root   54 Aug 10  2019 98-leds
-rwxr-xr-- 1 root root   71 Dec 14  2019 99-beep
-rwxr-xr-- 1 root root  209 Aug 10  2019 99-fireinfo
-rwxr-xr-- 1 root root   76 Aug 10  2019 99-pakfire-update

So, the separation of these two is intentional, although it leads to side-effects on Squid if RED is unavailable for some reason during boot.

(Also, the 24-RS-qos symlink is broken on my machine, will fix that. :expressionless: )

This warning is emitted by Squid. It is okay, and safe to ignore, they seem to have added it just for the bad conscience of operators.

Thanks, and best regards,
Peter Müller


Thank you! Thank you! Thank you! This all helps to know!

I’ve been experimenting with iptables to bypass squid (from local IP and to an external IP) and when I screw up I head for the restart.

so to reset things what command do I use? Is this right?

/etc/rc.d/init.d/firewall restart &&  /etc/rc.d/init.d/squid restart

Or is there a better way?
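One way to avoid restarting Squid blindly after a firewall restart, as an added example that is not code from this thread or from IPFire: a POSIX shell function that reads `iptables-save -t nat` output and reports which internal interfaces lack a REDIRECT rule in the SQUID chain, so the Squid initscript is only run when the rules are really gone. The interface names green0/blue0 and port 3128 come from the rules quoted above; the sample rule set is constructed, and `check_and_restart_squid` is hypothetical usage for an IPFire box.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire: check that the
# nat table's SQUID chain carries a transparent-proxy REDIRECT rule for
# each internal interface, so Squid is only restarted when rules are gone.

# Constructed sample of `iptables-save -t nat` output, modelled on the rules
# quoted in the thread: green0 rules present, blue0 rules missing.
SAMPLE_RULES='*nat
:SQUID - [0:0]
-A SQUID -d 73.36.250.0/32 -i green0 -p tcp -m tcp --dport 80 -j RETURN
-A SQUID -i green0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

# missing_squid_redirects RULES IFACE...
# Prints the interfaces that lack "-A SQUID -i <iface> ... -j REDIRECT
# --to-ports 3128" (space separated); exit status 1 if any are missing.
missing_squid_redirects() {
    rules=$1
    shift
    missing=""
    for iface in "$@"; do
        if ! printf '%s\n' "$rules" |
             grep -q -- "^-A SQUID -i $iface .*-j REDIRECT --to-ports 3128\$"; then
            missing="$missing $iface"
        fi
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Hypothetical usage on an IPFire box: read the live nat table and run the
# Squid initscript only when the REDIRECT rules are actually missing.
check_and_restart_squid() {
    live=$(iptables-save -t nat) || return 2
    if ! missing=$(missing_squid_redirects "$live" green0 blue0); then
        echo "SQUID chain lacks REDIRECT for: $missing; restarting squid"
        /etc/rc.d/init.d/squid restart
    fi
}
```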

Hello Peter and thank you for your explanation,
Why is firewall “up” twice?

1st -

/etc/rc.d/init.d/networking/red.up/20-firewall

Which contains:

#!/bin/bash

exec /etc/rc.d/init.d/firewall up

And second through

/etc/rc.d/rcsysinit.d/S85firewall -> ../init.d/firewall

Hi,

for the record: Just checked, that symlink is okay. I was confused by broken symlinks being colored red on black, and symlinks to suid binaries being colored white on red.

Thanks, and best regards,
Peter Müller

Hi,

this is a bit confusing indeed: With regard to the last part of the firewall initscript, up and start have different meanings. The latter initializes the firewall, i.e. populating all necessary iptables chains and whatnot, while the first one is executed once the internet connection is established, and conducts some other operations, such as resetting the conntrack table.

So, although these two files seem to do the same, they are not. :slight_smile:

I hope this clarifies it a bit. If not, please let me know. :upside_down_face:

Thanks, and best regards,
Peter Müller