Squid and ICMP

Squid and ICMP

Alex K
Hi all,

I have a box with a fairly restrictive firewall.
I see that the box blocks connections of squid to the requested sites when squid tries to reach/send ICMP to them:

2018/08/07 16:51:57| Error sending to ICMP packet to 213.133.127.247. ERR: (1) Operation not permitted
2018/08/07 16:51:59| Error sending to ICMP packet to 194.55.30.166. ERR: (1) Operation not permitted
2018/08/07 16:52:00| Error sending to ICMP packet to 93.184.220.29. ERR: (1) Operation not permitted
2018/08/07 16:52:00| Error sending to ICMP packet to 72.21.202.25. ERR: (1) Operation not permitted
2018/08/07 16:52:02| Error sending to ICMP packet to 54.182.206.90. ERR: (1) Operation not permitted
2018/08/07 16:52:18| Error sending to ICMP packet to 54.239.220.40. ERR: (1) Operation not permitted
2018/08/07 16:52:18| Error sending to ICMP packet to 62.38.6.83. ERR: (1) Operation not permitted
2018/08/07 16:52:20| Error sending to ICMP packet to 13.32.16.243. ERR: (1) Operation not permitted

Does anyone know why squid is sending ICMP? Is this needed?
I am running 3.5.23 in tproxy mode with SSL splicing.


Thanx,
Alex

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid and ICMP

Amos Jeffries
Administrator
On 08/08/18 04:56, Alex K wrote:

> Hi all,
>
> I have a box with a fairly restrictive firewall.
> I see that the box blocks connections of squid to the requested sites
> when squid tries to reach/send ICMP to them:
>
> 2018/08/07 16:51:57| Error sending to ICMP packet to 213.133.127.247.
> ERR: (1) Operation not permitted
> 2018/08/07 16:51:59| Error sending to ICMP packet to 194.55.30.166. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:00| Error sending to ICMP packet to 93.184.220.29. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:00| Error sending to ICMP packet to 72.21.202.25. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:02| Error sending to ICMP packet to 54.182.206.90. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:18| Error sending to ICMP packet to 54.239.220.40. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:18| Error sending to ICMP packet to 62.38.6.83. ERR:
> (1) Operation not permitted
> 2018/08/07 16:52:20| Error sending to ICMP packet to 13.32.16.243. ERR:
> (1) Operation not permitted
>
> Does anyone know why squid is sending ICMP?

To find the fastest route for its outbound HTTP messages when cache_peer
are used, and to bootstrap the ARP and MTU discovery processes before
server TCP connections have to use the information they provide.

> Is this needed?

Maybe. You can safely configure "pinger_enable off" if you don't care
about a small (few milli- or micro-seconds) latency increase on TCP
connection setup.

Please note however that ICMP is not an optional protocol. It is
mandatory for correct working of TCP. Only a few things like these echo
packets are safely blocked.

Amos
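
The caveat in the reply above, written out as a firewall fragment. This is an added example, not part of the thread or of the Squid project; it assumes a Linux host filtered with iptables and connection tracking, which the thread does not state. Only the pinger's echo probes are dropped, while the ICMP error messages that TCP depends on stay allowed.

```iptables
# Constructed fragment in iptables-restore format (assumed firewall: iptables
# with conntrack). It shows only the ICMP-related rules, not a full ruleset.
*filter

# ICMP errors about connections Squid already has open are classified RELATED:
# fragmentation-needed (path MTU discovery), host/port unreachable,
# time-exceeded. Accept them together with established traffic.
-A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Explicit accepts for the same error types, so they still get through if a
# later rule or an untracked flow bypasses the state match.
# destination-unreachable is type 3 and includes code 4, fragmentation-needed.
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT

# The echo probes sent by Squid's pinger are the only ICMP dropped here.
# With this rule in place, also set "pinger_enable off" in squid.conf (the
# directive named in the reply) so Squid stops generating the probes and the
# "Error sending to ICMP packet" lines stop appearing in cache.log.
-A OUTPUT -p icmp -m icmp --icmp-type echo-request -j DROP

COMMIT
```

Merge these rules into the existing ruleset above any blanket ICMP drop; a tproxy box also needs its own interception rules, which are not shown.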

Re: Squid and ICMP

Alex K
Thanx Amos,

It is clear. 

Alex

On Tue, Aug 7, 2018 at 9:20 PM, Amos Jeffries <[hidden email]> wrote:
> On 08/08/18 04:56, Alex K wrote:
> > Hi all,
> >
> > I have a box with a fairly restrictive firewall.
> > I see that the box blocks connections of squid to the requested sites
> > when squid tries to reach/send ICMP to them:
> >
> > 2018/08/07 16:51:57| Error sending to ICMP packet to 213.133.127.247.
> > ERR: (1) Operation not permitted
> > 2018/08/07 16:51:59| Error sending to ICMP packet to 194.55.30.166. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:00| Error sending to ICMP packet to 93.184.220.29. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:00| Error sending to ICMP packet to 72.21.202.25. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:02| Error sending to ICMP packet to 54.182.206.90. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:18| Error sending to ICMP packet to 54.239.220.40. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:18| Error sending to ICMP packet to 62.38.6.83. ERR:
> > (1) Operation not permitted
> > 2018/08/07 16:52:20| Error sending to ICMP packet to 13.32.16.243. ERR:
> > (1) Operation not permitted
> >
> > Does anyone know why squid is sending ICMP?
>
> To find the fastest route for its outbound HTTP messages when cache_peer
> are used, and to bootstrap the ARP and MTU discovery processes before
> server TCP connections have to use the information they provide.
>
> > Is this needed?
>
> Maybe. You can safely configure "pinger_enable off" if you don't care
> about a small (few milli- or micro-seconds) latency increase on TCP
> connection setup.
>
> Please note however that ICMP is not an optional protocol. It is
> mandatory for correct working of TCP. Only a few things like these echo
> packets are safely blocked.
>
> Amos