PCLinuxOS and Squid netmask warnings…

Hi all.

I have downloaded and configured Squid using PCLinuxOS Control Center…

PCLinuxOS Control Center aka Configure Your Computer

All was well and everything was working just fine; however, I was receiving silly netmask warnings and some security notifications…

[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:31:49| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:31:49| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:31:49| WARNING: For now we will assume you meant to write /24
2012/01/14 19:31:49| aclIpParseIpData: WARNING: Netmask masks away part of the specified IP in ‘192.168.0.1/255.255.255.0’
2012/01/14 19:31:49| ERROR: ‘0.0.0.0/0.0.0.0’ needs to be replaced by the term ‘all’.
2012/01/14 19:31:49| SECURITY NOTICE: Overriding config setting. Using ‘all’ instead.
2012/01/14 19:31:49| WARNING: (B) ‘::/0’ is a subnetwork of (A) ‘::/0’
2012/01/14 19:31:49| WARNING: because of this ‘::/0’ is ignored to keep splay tree searching predictable
2012/01/14 19:31:49| WARNING: You should probably remove ‘::/0’ from the ACL named ‘all’
2012/01/14 19:31:49| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:31:49| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:31:49| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#

Squid worked as expected but the annoying warnings would not let me forget about the whole thing… So I have decided to investigate.

As it turns out, those are the errors that occur when you are using Squid 3 with a Squid 2 config file…

PCLinuxOS has squid 3 in the repos…

[andrzejl@icsserver ~]$ rpm -qa | grep squid
squid-3.1.16-1pclos2011
[andrzejl@icsserver ~]$

BUT the beginning of its config file says…

# WELCOME TO SQUID 2

This calls for a few changes in the Squid config file, which in PCLinuxOS can be found here:

/etc/squid/squid.conf

First we have to find out what CIDR is…

With this knowledge we can start editing the Squid config file as root.

This line:

acl mynetwork src 192.168.0.1/255.255.255.0

was changed to

acl mynetwork src 192.168.0.0/24

and the number of warnings was reduced significantly:

[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:36:11| ERROR: ‘0.0.0.0/0.0.0.0’ needs to be replaced by the term ‘all’.
2012/01/14 19:36:11| SECURITY NOTICE: Overriding config setting. Using ‘all’ instead.
2012/01/14 19:36:11| WARNING: (B) ‘::/0’ is a subnetwork of (A) ‘::/0’
2012/01/14 19:36:11| WARNING: because of this ‘::/0’ is ignored to keep splay tree searching predictable
2012/01/14 19:36:11| WARNING: You should probably remove ‘::/0’ from the ACL named ‘all’
2012/01/14 19:36:11| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:36:11| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:36:11| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#

Next I removed this line

acl all src 0.0.0.0/0.0.0.0

which is built into Squid anyway…

This reduces the warning messages even more:

[root@icsserver andrzejl]# service squid restart
Stopping squid: 2012/01/14 19:39:14| WARNING: Netmasks are deprecated. Please use CIDR masks instead.
2012/01/14 19:39:14| WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.
2012/01/14 19:39:14| WARNING: For now we will assume you meant to write /32
…. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#

The final step is to edit this line:

acl localhost src 127.0.0.1/255.255.255.255

to read

acl localhost src 127.0.0.1/32

After editing the config file, Squid restarts without any warnings and everything is “peachy”…

[root@icsserver andrzejl]# service squid restart
Stopping squid: …. [ OK ]
init_cache_dir … Starting squid: . [ OK ]
[root@icsserver andrzejl]#
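
The three manual edits above can also be checked mechanically. The following Python script is an added example, not part of the original post or of Squid: it rewrites Squid 2 style "acl ... src address/netmask" lines to CIDR, drops a redefinition of "all", and reports when host bits are masked away, so that the range an ACL really covers gets reviewed. The function names and the sample config are made up for this illustration.

```python
import ipaddress
import re

# Squid 2 style: acl <name> src <address>/<dotted netmask>
ACL_RE = re.compile(r"^(\s*acl\s+(\S+)\s+src\s+)([\d.]+)/(\d+\.\d+\.\d+\.\d+)\s*$")

def to_cidr(addr, mask):
    """Convert address + dotted netmask to a CIDR network; ValueError if invalid."""
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix = bin(mask_int).count("1")
    # A valid netmask is a contiguous run of 1 bits starting at the top bit.
    if mask_int != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    base = int(ipaddress.IPv4Address(addr)) & mask_int
    return ipaddress.IPv4Network((base, prefix))

def migrate(conf_text):
    """Return (new_config_text, notes) for a Squid 2 style config."""
    out, notes = [], []
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = ACL_RE.match(line)
        if not m:
            out.append(line)
            continue
        head, name, addr, mask = m.groups()
        if name == "all":
            notes.append(f"line {n}: dropped 'acl all', it is built in")
            continue
        try:
            net = to_cidr(addr, mask)
        except ValueError as exc:
            out.append(line)  # keep the line as it was for manual review
            notes.append(f"line {n}: left unchanged ({exc})")
            continue
        if str(net.network_address) != addr:
            notes.append(f"line {n}: host bits in {addr} masked away, ACL covers {net}")
        out.append(f"{head}{net}")
    return "\n".join(out) + "\n", notes

# Constructed sample: the three ACL lines from the post plus one http_access rule.
SAMPLE = """\
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl mynetwork src 192.168.0.1/255.255.255.0
http_access deny all
"""

if __name__ == "__main__":
    print(*migrate(SAMPLE), sep="\n")
```

Run it against a copy of the config and compare the result with the original before replacing /etc/squid/squid.conf.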

My config file contains a few extra modifications. Please use it if you feel like it, after editing it to reflect your network settings.

Hope this helps somebody someday.

Regards.

Andy
